Q&A:: Alexa may be listening, but will she tell on you?
The Bentonville Police Department in Arkansas has issued a warrant to Amazon requesting data an Amazon Echo seized from a home in connection with a homicide investigation.
Amazon’s Internet-connected home assistant devices can turn on your TV, read you the news and order you an Uber. Law enforcement officials in Arkansas hope an Amazon Echo can help them crack a murder case.
When Bentonville police found the body of Victor Collins inside James Andrew Bates’ home in November, they also discovered a house outfitted with a number of Internet of Things devices, including an Amazon Echo. The gadget is constantly listening for spoken commands, but according to the company only records and stores snippets of conversation following a “wake word” — in the Echo’s case, “Alexa.” Bentonville police say there’s “reason to believe that Amazon.com is in possession of records related to [their] investigation.”
Although Amazon has twice refused to release the data, the warrant is ringing alarm bells for some owners of so-called Internet of Things gadgets. If Alexa is always on and always listening, can she incriminate you?
We spoke to Lee Tien, senior staff attorney at the Electronic Frontier Foundation, a digital rights nonprofit, about the potential privacy risks surrounding “always-on” home devices. The conversation has been edited for length and clarity.
How are the privacy concerns surrounding Amazon Echo different than those involving, say, smartphones?
Traditionally, the home has been the apex of 4th Amendment privacy protection in respect to law enforcement. You know, a man’s home is his castle, that sort of thing. You always need a warrant to get into someone’s house. The tricky thing about a device that’s recording data inside of your home is that you may be transmitting that recording in such a way that the government can directly collect it, or, as in the case we have in Arkansas, it may be that the data is sitting on Amazon’s servers.
What can people do to protect their information when using a device that’s always listening – even if it’s not always recording?
It’s really hard to. You don’t know how they record, and you don’t when they’re recording. We know that there’s supposed to be a trigger word, but what’s not clear to me is exactly what’s going on when you haven’t said it, because in order for a voice command to turn on, it’s got to be on in some sense in the first place.
Amazon says it won’t turn over user information in this case, but if Amazon, or another Internet of Things manufacturer, caved to law enforcement requests, how would it affect consumers?
A story like this highlights that your data doesn’t stay at home — it’s in the cloud. It’s under the control of someone else, and because of the consent you signed or because of a legal process, they might be compelled to share it with the government.
What’s unclear is how much people are aware of that. People may feel a certain amount of confidence or security that Amazon is only listening when they’re specifically addressing the device. If they believe that at no other time is any information gathered by the microphones — and that turns out to be untrue — that may be dissonant with their expectations.
According to Amazon, the company “will not release customer information without a valid and binding legal demand properly served.” Why isn’t a warrant “a valid and binding legal document,” and if it isn’t, what is?
For a warrant to be valid, it has to establish probable cause and describe what they want in particularity. You’re getting into problems if you say you want everything. What struck me about this warrant was the lack of particularity. It seems wrong to say that just because there’s this device that’s always on, that constitutes probable cause to believe that relevant recordings exist. There’s no clear establishment that there was any communication using the trigger word. I’m going to assume that Amazon doesn’t think the warrant has established probable cause, or has asked for more information than they’re entitled to.
Some of the Silicon Valley companies have been known to withhold data unless the warrant is valid. It’s a way to abide by the law and still demonstrate that they’re trying to protect their users. They’re in a tough spot: They want to respond to valid government requests, but at the same time they don’t want to look like they give the government whatever it wants whenever they ask for it. They’re trying to walk this line, which may be even harder when there’s a new technology. It’s a balancing act.
If a court rules that Amazon must comply and release the stored data, will it set a precedent regarding user privacy with “always-on” recording devices?
The precedent that I’m worried about is that there isn’t sufficient probable cause to establish there’s anything of interest.
Right now there are a lot of Internet of Things devices that are connected, but they don’t necessarily record any direct human communications. For example, Fitbits don’t record. But there are a whole lot of implications given that microphones are getting smaller. It won’t be long until other Internet of Things devices are capable of recording audio input.
The prosecutor in this case has said Amazon will “say it’s for privacy reasons, but they don’t have a legal leg to stand on.” How can Amazon fight this?
The easiest way to fight it is exactly what they’ve been doing — simply not giving the government what it’s been seeking, saying “we’ve given what we think is appropriate.” That may end up in a battle of probable cause or particularity, or they may negotiate privately. It’s hard to know.