The Amazon Echo personal assistant may have a new title that raises privacy concerns for consumers and business users: Murder witness.
Police investigating a murder in Bentonville, AR, recently filed a search warrant asking Amazon to provide “electronic data in the form of audio recordings, transcribed words, text records and other data” from the Echo. The case began when an Arkansas man named Victor Collins was found dead in November 2015 in a hot tub at the home of James Bates, and a detective from the Bentonville Police Department found an Amazon Echo on the kitchen counter.
Bates was arrested on suspicion of first-degree murder in February 2016, and police said they believe the device may have recorded more useful evidence about the events of the evening, the New York Times reported.
The Echo is always listening for a command word (often “Alexa”). The device records what is said after this activation until the request has been processed, and streams it to the cloud, where it is stored until a user deletes it.
While Amazon released some account details to police, it has yet to offer any data from its servers, according to the New York Times. “Amazon will not release customer information without a valid and binding legal demand properly served on us,” the company said in a statement. “Amazon objects to overbroad or otherwise inappropriate demands as a matter of course.”
SEE: Here are the biggest IoT security threats facing the enterprise in 2017
“This reflects the significant privacy issues associated with this always-on, always-listening device,” said Joel Reidenberg, founding academic director of the Center on Law and Information Policy at Fordham University. “In this case, the prosecutor has reason to believe the Echo was in effect witness to a murder. As such, it is discoverable information.”
The Arkansas case is reminiscent of that in San Bernardino, CA, last year, in which Apple refused a court order to unlock the iPhone used by shooter Syed Farook for the FBI to assist with their investigation. The FBI was ultimately able to unlock the phone without Apple’s assistance.
Personal assistants and other Internet of Things (IoT) devices that can record conversations in the home will likely be targets for subpoena in civil litigation going forward, such as divorce proceedings, Reidenberg said.
In July 2015, the Electronic Privacy Information Center wrote a letter to the US Justice Department, expressing concern that the growing number of always-on consumer devices (including those from Google, Microsoft, Samsung, and Amazon) that record conversations in the home “may constitute unlawful surveillance under federal wiretap law.”
“Americans do not expect that the devices in their homes will persistently record everything they say,” the letter stated. “By introducing ‘always on’ voice recording into ordinary consumer products such as computers, televisions, and toys, companies are listening to consumers in their most private spaces.” The center urged the Federal Trade Commission to undertake an investigation of these technologies.
It’s likely that we will soon see state legislation looking more carefully at eavesdropping statutes, Reidenberg said. “Most states have eavesdropping statutes, but the problem is, most device owners have consented to the eavesdropping,” he said. In a majority of states, with that implicit consent, this recording could be used in court, he added.
Enterprise privacy risk
More than half of major new business processes and systems will incorporate some element of IoT by 2020, according to a Gartner report. The spread of IoT devices in the office raises substantial security concerns for companies, Reidenberg said, “in that they become tools for the exfiltration of confidential business data very easily.”
“While IoT devices are designed to make the enterprise more efficient and life at home easier, they also bring legal headaches, including data privacy concerns,” said David Horrigan, director of legal content at kCura. “One issue is that the IoT has the potential to generate large volumes of data, which, in some cases, enterprises must legally retain and possibly review and produce in the case of an investigation, regulatory request, or lawsuit.”
In the Arkasas case, Bates’ counsel argued that Bates had a reasonable expectation of privacy in data collected by his Echo, Horrigan said. “But it’s unlikely that businesses could make the same argument,” he added. The Federal Rules of Civil Procedure, which govern civil proceedings in US district courts, have generally treated all data within the enterprise as potentially discoverable–meaning if this were a civil matter, the Echo data would probably be deemed relevant to the case, and make it into evidence, Horrigan said.
This means business leaders need to be aware of what devices are deployed in their office, and set rules for employees on what is allowed in the workplace, Reidenberg said. They may also want to set rules about where listening devices are permissible–perhaps an Echo is allowed at the reception desk, but not in the boardroom where highly sensitive matters are discussed, he added.
“The thing to keep in mind with this case, and similar ones that will come down the road, is that the developers of these personal assistants will have opportunities to re-engineer the technologies to try and avoid some of the problems,” Reidenberg said.
The 3 big takeaways for TechRepublic readers
- Police from Bentonville, AR, recently issued a search warrant to Amazon, asking the company to release audio recordings and other data from an Echo device that was in a home when a murder allegedly took place.
- Amazon stated that it would refuse to release this information without a “valid and binding legal demand.”
- The case highlights the need for more privacy legislation around the Internet of Things, for both home consumers and business users.