Amazon Sends Alexa Voice Recordings to a Random Person
In August, an Amazon customer in Germany (going by the alias “Martin Schneider” for purposes of the report) made use of his rights under the recently passed EU General Data Protection Regulation (GDPR) to ask for copies of the personal data Amazon has on file about him.
Amazon complied, sending Schneider a 100MB ZIP file which, among other things, contained about 1,700 Alexa audio files along with transcripts of Alexa voice commands. There was just one problem – Schneider doesn’t use Alexa. After he listened to a few of the files, it was clear that they were of someone else speaking, so he concluded that Amazon sent him the data in error. But Amazon didn’t respond to his efforts to contact them about the problem, he said, so he contacted Heise Media’s c’t publication in mid-November.
[…]
“Using these files, it was fairly easy to identify the person involved and his female companion; weather queries, first names, and even someone’s last name enabled us to quickly zero in on his circle of friends,” according to the report. “Public data from Facebook and Twitter rounded out the picture.”
It’s great to have the right to see data that’s stored about you, but on the other hand I would feel safer if the policy were to never send the data to anyone.