An Oregon family’s encounter with Amazon Alexa exposes the privacy problem of smart home devices

“I am listening.”
“I am listening.”
Image: (AP Photo/Elaine Thompson)
We may earn a commission from links on this page.

Here’s the latest nightmare scenario for the tech-phobic: A woman in Portland, Oregon found out that her family’s home digital assistant, Amazon’s Alexa, had recorded a conversation between her and her husband without their permission or awareness, and sent the audio recording to a random person on their contacts list.

The person who received the recording (an employee of the husband who lived in another state) called the family to warn them, according to the initial report. “Unplug your Alexa devices right now,” she said. “You’re being hacked.”

Amazon later acknowledged the incident, but told Recode that it wasn’t a hack, offering this narrative of what happened:

Echo woke up due to a word in background conversation sounding like “Alexa.” Then, the subsequent conversation was heard as a “send message” request. At which point, Alexa said out loud “To whom?” At which point, the background conversation was interpreted as a name in the customers contact list. Alexa then asked out loud, “[contact name], right?” Alexa then interpreted background conversation as “right”. As unlikely as this string of events is, we are evaluating options to make this case even less likely.”

The scenario isn’t so inconceivable to Alexa users who might have noticed the blue ring on their Echo device randomly appearing in the middle of a conversation or TV program, an indication that Alexa “is streaming to the Cloud,” according to Amazon’s explanation of the device. (It’s possible for users to review and delete any voice recordings by going to “history” in the settings of the Alexa mobile app, though Alexa’s responses cannot be deleted.)

The new incident, while bizarre, is just one more reminder that these internet-connected devices are not flawless. About one in 10 people in the US today owns a smart home speaker, and that percentage is likely to increase in the next several years, even as sales are expected to level off.

Any data or information about you on the internet is valuable to advertisers, and tech companies are actively developing technologies for smart home devices to make sure that they can gather more. As Quartz has reported, Google has filed a patent that describes how the smart-home system can identify emotions through “audio signatures of crying, laughing, elevated voices, etc.,” and alert parents when their kids display unusual behaviors. A patent by Amazon demonstrates the ability to understand a phone conversation between two people, which could be used to feed ads according to the content.

Your message left on the cloud can also be searched by governments when that’s deemed necessary. An Arkansas man was arrested in 2016 as a suspect in a first-degree murder case, based on information left on his Amazon Echo devices. The US government does not need a search warrant in most cases to get personal information that’s already shared voluntarily with somebody else, like a bank or internet provider or utility, according to reporting by the Marshall Project.

What’s more, internet-connected devices like Amazon Echo or Google Home can be hacked. Last year, for example, security researchers discovered a vulnerability in Echo models developed before 2017, which made it possible for a home’s visitor to attach a malicious SD card and turn the Echo into a listening device, as well as gain access to the user’s entire Amazon account.