After the EU’s GDPR passed earlier this year, tech companies have been required to let users request all the data kept on file. Now, we’re hearing about an unfortunate case where Amazon sent 1,700 Alexa voice recordings to the wrong user in Germany.
GDPR has had a number of benefits to end-users, not just in the EU, but worldwide. One of the main changes is companies offering the ability for users to download all of the data it has stored connected to their account.
This is useful in a number of ways even beyond security and privacy concerns, like how Apple users can take their data and kick out a report to visualize their listening habits on Apple Music. But there’s also the risk of all your personal data landing in the wrong hands when tech companies respond to user data requests.
As reported by German magazine c’t (via The Verge), Amazon sent 1,700 Alexa voice recordings to the wrong individual this past August. After making a user data request to Amazon, one man got the Alexa recordings, even though he didn’t have an Alexa-enabled device.
However, instead of getting in touch with Amazon, he worked with reporters at c’t to try and uncover who the recordings belonged to.
Upon listening to the files, Schneider discovered they were the recordings of another Alexa user. After failing to get in contact with Amazon about the issue, the man brought the files to c’t, where reporters were able to piece together who the Alexa user was. Among the files were commands to control Spotify, the person’s home thermostat, and alarms. There were also recordings that indicated the Alexa user also owned a Fire TV, and that they had a spouse who appeared to live in the home.
It didn’t take long to solve the mystery with first and last names being revealed. And it what happened was a criss-cross of the reports.
“Using these files, it was fairly easy to identify the person involved and his female companion; weather queries, first names, and even someone’s last name enabled us to quickly zero in on his circle of friends,” the report reads. “Public data from Facebook and Twitter rounded out the picture.” It turns out that the victim in this case also filed a data request under the new GDPR rules, c’t reports, but somehow the two men received each other’s reports.
Amazon gave The Verge a statement saying that this was an “isolated incident.”
“This was an unfortunate case of human error and an isolated incident. We have resolved the issue with the two customers involved and have taken steps to further improve our processes,” an Amazon spokesperson told The Verge. “We were also in touch on a precautionary basis with the relevant regulatory authorities.”
While Amazon has a leg up on Apple when it comes to smart speakers in a few aspects, privacy blunders like these likely give users more confidence in using Apple services.
- Review: Amazon’s $29 Echo Wall Clock packs modern tricks in classic tech with a few limitations
- Amazon promises Apple Music integration coming to third-party Alexa-enabled speakers after Echo exclusivity