Now is certainly the Amazon Echo’s time in the sun, isn’t it?
Christmas sales in 2016 were up nine times compared to the year before. It was the darling of the Consumer Electronics Show, integrated into everything from fridges to cars. It’ll probably be the plot of the next Terminator movie.
It also might snitch you out to the cops.
At least, that’s either the hope or fear, depending on which side of the law you’re on. In late 2016, as Amazon was on the verge of its global takeover, a case from Bentonville, Arkansas made headlines. Police thought they might have stumbled upon a witness to a crime: Alexa, the digital assistant that powers the Amazon Echo. Police are trying to extract information from the voice-enabled assistance in the hopes that they can pull some evidence in the murder of Victor Collins.
Outside of this specific case, there’s a wider debate going on: Just how much do our connected devices know about us – with and without our permission – and who, exactly, has access to that information?
Is Alexa always listening?
Whether you’re talking about standalone products like the Amazon Echo or Google Home, or virtual assistants on our phones and computers (Apple’s Siri, the Google Assistant, Microsoft’s Cortana, or the non-Echo version of Alexa), there’s one key to this debate: The wake word.
Each assistant is activated with a certain word or phrase (or, in the case of phones, with the touch of a button). You can say, "Okay, Google," to ask your phone a question, or wake your Echo with a, "Hey Alexa." (Side note: The Echo also lets you change your wake word. They’ve recently introduced "Computer" as a wake word in a nod to Star Trek, which seems infinitely inconvenient.)
This can cause some problem, like the issue of dollhouses allegedly being ordered after Echoes picked up a "Hey Alexa" from a newscast. These devices ostensibly only act upon hearing their wake word, but it also brings up the point that these devices must be constantly listening in order to hear a wake word being said. There’s a fear that, if these devices are "always on" there’s a chance that other things – anything – is being recorded and stored somewhere in the cloud. It’s worth noting that experts haven’t found evidence of devices recording without the wake word being invoked.
Who can access my Amazon Echo data?
Then you also have to consider what can actually be pulled from a given device. Echoes have 250MB of RAM on which it can record data. There isn’t any way to easily export that data – no USB port or floppy disk drive that you can plug into – and removing the storage is a delicate process of removing circuit boards. The RAM is also wiped simply by restarting the device. That makes getting information directly from an issue a difficult process.
Finally, there’s a chance that authorities (or hackers) can get data directly from whatever Amazon stores in the cloud. Unfortunately that’s a bit of a black box – Amazon surely stores user data, but exactly what data is unknown – and there are countless examples of tech companies not complying with helping the government access user data, the most prominent involving Apple and the 2015 San Bernardino shooting.
But what about the information we knowingly share with digital assistants? The Amazon Echo comes with a phone app that helps you set up and tweak your device. If you open the Alexa app, you can see every request you’ve given the Echo. This is to make using the device a better experience – you can see if what Alexa heard matches what you said, and give feedback on whether or not it did what you wanted – but also means that authorities have a trove of information readily available.
But is it useful? Is anyone going to follow "Hey Alexa" with "Where’s the best place to hide a body in the greater tri-state area?" And if a defense attorney can prove that Alexa’s transcriptions are unreliable, and the "murder" that showed up in the Alexa app was actually their client rocking out to "Bird is the Word," that’s enough to cast some serious doubt.
The larger Internet of Things debate
The Bentonville case is still open, and it remains to be seen if their search warrant request for Echo data will amount to anything. But it brings up a larger point in that we have a whole lot of things connected to the internet now.
The so-called Internet of Things has connected our phones, scales, fridges, and breast pumps to each other. That means that potential points of vulnerability have increased exponentially. That’s how Twitter, Netflix, Reddit, and a ton of other popular sites were taken down last year: Numerous internet-connected devices were used to overload services and cause a "chain reaction."
We’ve argued this ourselves. Internet-connected devices are almost always vulnerable to attack. Researchers have been able to hack thermostats and refrigerators. That puts our finances at risk, since more and more devices have access to our financial information (how else will your fridge be able to know to automatically buy you more mayo when you’re out?).
There are other issues involved – fragmentation means it’s hard to get smart devices to play nice, and if companies give up on supporting a device it can make it obsolete or unsecure – that really make you wonder...how much trouble is the Internet of Things worth?
How to protect yourself
So whether or not your Echo is actually a criminal informant, you might find yourself at risk. Here’s what you can do to make sure you at least have a base level of protection.
Keep your devices up to date. Some devices are easier to update than others. Phones and computers, for example, typically get monthly security updates – for a time, at least. Be sure to update any devices you’re able to with the latest security patches, and be aware of how long device manufacturers will support their products (Google, for instance, only provides security updates for three years). In fact, that might be a good way to decide when you’re going to upgrade – do it when it’s no longer secure to own your current phone. This is also on the shoulders of device manufacturers; they have to be more aware of security vulnerabilities and be willing to support them rather than just do what’s easiest or best for their bottom line.
Choose secure passwords. Again, this won’t apply to every device, but for the devices where you’re creating a password, make it a good one. We give some tips here, but the easiest thing you can do is just use a password manager. These create secure passwords for all of your accounts, and you only have to remember the master password that unlocks the manager. That means no need to remember multiple passwords, and no need to reuse any passwords.
Maybe don’t connect everything to the internet. Do you need a fridge connected to the internet? What about a bathroom scale? Should you have a dozen Amazon Dash buttons scattered around your home? As expert Bruce Schneier argues, we should pick and choose what we connect to the internet. That’s partly on us as consumers – if we keep buying, manufacturers will keep selling – and it’s hard to say it that will happen. But the next time you’re looking for a toothbrush, maybe the killer feature should be color-changing bristles instead of wifi.
For the time being, you’re probably safe from your Amazon Echo testifying against you. But that doesn’t mean that there aren’t other dangers out there. Manufacturers and consumers have to work together – probably along with some regulation – to make sure that our data and privacy are taken seriously.
And, of course, there’s one surefire way of making sure Alexa doesn’t disclose your crimes: Don’t commit them in the first place.