Amazon sent private Alexa voice interactions from Echo smart speaker to the wrong customer

After one German user requested a copy of their Alexa voice history under the GDPR, he got another user's data in the process.

Video: Your Amazon Echo fears may be more real than you think

Among the provisions in the EU General Data Protection Regulation (GDPR) is the ability to request personal data stored by companies. This ability, paired with smart speaker devices, creates a voluminous amount of information on how people live their daily lives. According to a report in German computer magazine c't (translated by their publisher, Heise), an Amazon customer requested a copy of the personal data the company had on file, but mistakenly received another customer's voice interaction file instead.

Amazon provided a 100 MB ZIP file, of which "about 50 of the zipped files contained data relating to everyday things like Amazon searches, but there were also around 1,700 WAV files and a PDF cataloging unsorted transcripts of Alexa's interpretations of his voice commands," according to the report. This came as a sizable shock, as the customer in question does not use Alexa, and owns no Echo speakers or other Alexa-enabled devices, it noted.

SEE: 21 technical Alexa skills IT pros should know (Tech Pro Research)

The customer emailed customer service informing the of the error, and inquired about who the files in question belonged to, though received no reply, and later found that the download link to the file was dead. Following this, the customer contacted c't, providing a saved copy of the files to the magazine. Staff at the magazine proceeded to use the data to piece together the identity of the person recorded by Alexa, using recordings taken from an Echo speaker, a Fire TV box, and the Alexa phone app.

We were able to navigate around a complete stranger's private life without his knowledge, and the immoral, almost voyeuristic nature of what we were doing got our hair standing on end. The alarms, Spotify commands, and public transport inquiries included in the data revealed a lot about the victims' personal habits, their jobs, and their taste in music.

Using these files, it was fairly easy to identify the person involved and his female companion. Weather queries, first names, and even someone's last name enabled us to quickly zero in on his circle of friends. Public data from Facebook and Twitter rounded out the picture.

Magazine staff could not find a phone number, and resorted to asking on Twitter for the victim to contact the magazine. According to c't, he "called back immediately" and "was audibly shocked" by the series of events, and "confirmed that we had correctly identified his girlfriend." Further, the victim indicated that Amazon had not contacted him to disclose the leak of his personal information.

In a statement to c't, Amazon indicated this was an "unfortunate mishap" caused by human error, and that it had resolved the issue with both customers.

The magazine followed up with both parties, and found that three days after c't contacted Amazon, the customer who made the initial GDPR request received a phone call "to explain that one of their staff had made a one-time error." The victim was told the series of events which led to his data being leaked, though c't notes that Amazon "claimed that they had discovered the error themselves."

Users of voice assistants and smart speakers-including Amazon's competitors, like Google Home-consent to having their queries stored for data analysis and refinement of voice recognition algorithms, as part of the terms of use of those services. This is a known quantity. For an industry leader like Amazon-which amasses huge amounts of user data-to be this ill-equipped to disclose data as part of the GDPR should be of significant concern.

The big takeaways for tech leaders:

  • A user requesting a copy of their personal data from Amazon received voice recordings of Alexa interactions from a different customer.
  • The German magazine c't analyzed the recordings and personally identified the other customer, who was not informed of the data breach.

Also see

Image: Tyler Lizenby/CNET