The Amazon Echo speaker in our bedroom is all ears. The voice-activated device is always at attention, waiting for commands. Fine with me. But my wife, who is from the Democratic Republic of Congo and lived much of her life under a dictator, isn’t the trusting type. So when we’re talking and Echo randomly butts into our conversation with “I’m sorry. I didn’t understand,” my wife shoots it a look, convinced that someone at Amazon.com is spying on us.
No, they aren’t, and Amazon isn’t recording our conversations, just those questions we ask it directly. But its popularity heralds a new threat to our privacy, from a houseful of Echo-compatible gadgets that record everything we do.
Something like 5 percent of US homes now contain an Echo or some other product that uses Amazon.com’s Alexa speech-recognition system. That’s millions of gadgets designed to respond to oral requests for music, news, or a good chili recipe. Alphabet Inc. has a similar product, Google Home, and more are coming, all constantly paying attention to us. We’d better start paying attention, too.
The Echo is a gateway to the Internet of Things (IoT), a global cloud of networked computers built into cars, appliances, and anything else with a power switch. The Echo and its Alexa software have become the Model T of the IoT, the first such system to become a mass-market hit. You can get Alexa-compatible products to switch on your lights, unlock the front door, or warm up the car.
This raises privacy questions we have yet to answer — including whether some of this information is even ours to protect.
We’re accustomed to the privacy challenges of personal computers and smartphones. My wife switches off her phone’s location-tracking feature; I run a program to delete tracking cookies from my Web browsers.
But what to do when everything in the house keeps tabs on you?
IoT devices turns mundane activities into data events to record, from turning on the radio to running hot water for a bath. And just like those Web searches on your laptop, they are subject to scrutiny by marketing experts — or to subpoenas from the police.
Consider that much-discussed murder case in Bentonville, Ark., in which police asked Amazon to hand over voice recordings from an Echo located at the scene of the crime. The police hope the device recorded conversations that might provide evidence. Amazon has refused, saying the police haven’t obtained a proper warrant. Moreover, the company says there’s no chance the Echo captured any damning audio data.
An Alexa-compatible device isn’t recording until it hears the wake-up word, “Alexa.” Then it records the ensuing phrase, such as “Alexa, what’s the weather?” This recording is shipped off to an Internet data center, which recognizes the command and responds with an audio weather report.
The system isn’t perfect; it sometimes interrupts conversations with my wife, thinking we were talking to it. Amazon keeps a copy of each recording, to help it improve the accuracy of its speech recognition. But that’s all Amazon keeps. The Arkansas suspect would seem to have nothing to fear, unless he said something like, “Alexa, kill!”
But another gadget in that Bentonville household has already given up its secrets: The suspect’s home has a smart water meter, and police obtained data from it alleging showing that between 1 and 3 a.m. on the day of the crime, someone used 140 gallons of water. That, police said, suggested a cleanup at the murder scene.
Utilities have been deploying smart meters for years. They can reveal remarkable details about our daily lives: how long we run the furnace or what day we do the laundry. It’s data of great value to utility companies, appliance makers, and sometimes the police. And it’s information that either didn’t exist before or wasn’t in a usable form, until someone figured out a way to record it.
If Alexa is connected to a houseful of smart devices, it becomes a smart meter for the Internet of Things. Users will impress their friends by using speech commands to switch on the TV, preheat the oven, or pop open the trunk of the car. And each of these actions is now recorded in a data center perhaps halfway around the world. Inside your nondigital home, privacy is the default setting. In the IoT world, it’s the other way around.
What to do?
The Aspen Institute, a Washington think tank, has a few sound suggestions. For instance, limit the personal data these devices can capture. Apple’s Siri speech-recognition system is a good example. Siri stores voice recordings based on a randomly generated code, not the user’s name. And it discards the recordings after two years.
The Institute also argues IoT device makers should let users opt out of sharing their information with advertisers, data brokers, or sometimes even with the manufacturer. I should be able to remotely control my air conditioner without telling Whirlpool or Kenmore about it. And, of course, any user should have the right to see his own data file.
On its Alexa app, Amazon keeps a log of your activity, but lets you choose what to delete or save.
I don’t share my wife’s near-paranoia about the Amazon Echo. But it’s early days on the Internet of Things, and that’s the right time to start making device privacy a habit.