For several years, Amazon had been telling the tech world that their Echo home devices don’t “…actually do anything with your voice until you say their ‘wake word,’ which is usually just … ‘Alexa.’”
There was a big story that threatened to poke a hole in that narrative: specifically, that an Amazon Echo device’s recordings were needed to solve a murder case.
Amazon initially pushed back against releasing the recorded data, claiming “the First Amendment’s free speech protection applies to information gathered and sent by the device”, but eventually agreed to release the data “after the user… consented to the disclosure”. The murder case was eventually dismissed, but there was never any explicit information on how much data Amazon handed over to the police regarding the investigation or what the data entailed.
The core issue remains. How exactly would an Echo device be useful in solving a murder case if it remains “off” until it is activated by the “wake word”? Why would the police want an Echo’s supposedly limited recordings?
A new finding in a very interesting tweet from Matteo (@geminiimatt) a few days ago might shed some light on that discrepancy.
On examining the extracted data from an Amazon Echo device…
We are walking through the extracted data on an Amazon Echo. The device keeps the last 60 seconds of recording (stored in the cloud), app & device. wifi username/password. SQLite database contents. @B1N2H3X is giving us the tour. pic.twitter.com/FCyU6WyShG
— Matteo (@geminiimatt) April 14, 2018
Amazon Echo devices keep 60 seconds of recording and store it “in the cloud”.
What is not stated at all is the length of retention or what happens to the data once it arrives “in the cloud”.
With this new finding that Echo devices keep 60 seconds of recording, combined with Amazon’s admission that they do “retain” Alexa interactions, I think it is time to ask a few questions.
Off the top of my head…
- Is this data stored in perpetuity?
- Is there any way for any person to review the data sent from an Echo device?
- Who has authority to review data sent from an Echo device?
- Is there a backup of this data?
- Is this data “mined”?
- How is this data secured?
- Is this data shared with any other party outside of Amazon?
Here’s my “worst case” thinking. Amazon pulls 60 seconds from an Echo device and uploads it to the cloud. Then it “deletes” the previous 60 seconds on the local device and starts a new 60-second pull. The data uploaded from the local Echo device to the Amazon servers is never deleted on the Amazon servers. The data is stored forever, stamped by device name, location, wifi username and password, and SQLite database contents. Every 60 seconds on every Echo device.
If this isn’t the case, if Echo devices really do just wait for the “wake word” and the findings by the community and the beliefs of the police are in error, a clear and detailed statement from Amazon on the Echo’s data retention would go a long way.