Alexa privacy fail highlights risks of smart speakers

Worries crop up about privacy issues surrounding personal info captured by Amazon's virtual assistant and competitors' similar connected speakers.

Amazon's Alexa enabled Echo Dot.Charlie Schuck / Amazon
SHARE THIS —

Alexa, can I trust you?

The revelation that a woman in Portland, Oregon, had her private conversations secretly recorded by the voice-controlled Amazon virtual devices in her home and then sent to a random contact in Seattle has caused mounting concern about vulnerabilities behind the burgeoning technology of so-called smart speakers.

The concern is warranted, said Jennifer King, director of consumer privacy at the Center for Internet and Society at Stanford University, because this type of advanced technology is not fully understood by consumers.

"We are basically testing fodder as they roll out more and more technologies that are based on artificial intelligence," King told NBC News. "These companies are crowdsourcing these algorithms. As a consumer, you're basically helping them learn as they go."

Though the Portland incident appears to be a rarity, there have been other issues with Alexa. The program is designed to start listening when its triggered by a “wake word,” but it doesn't always hear it correctly. There have been reported cases where Amazon Echoes randomly started laughing, a glitch attributed to the device mishearing speech.

One of the biggest problems with all this technology is that the emphasis is on ease of use over security, said Rebecca Herold, CEO of the the consulting firm Privacy Professor.

"In this case, relaying only the word 'Alexa' can get the digital assistant to start communicating and acting," Herold said. "It's the security equivalent of using a computer password that's 1-2-3."

Considering these devices listen on a continuous loop, "I would have grave concerns about using one in my own home as a privacy researcher," King added.

Amazon introduced its Echo product in November 2014, an oddity at the time that also featured the company's Alexa virtual assistant. Since then, connected speakers have become one of the fastest-growing technical innovations in the tech industry. Despite questions about digital privacy issues that come with putting internet-connected microphones around their homes, 44 percent of adults in the U.S. said they planned to purchase a smart speaker, according to the Consumer Technology Association.

In the growing battle for that consumer base, Google and Apple have released their own counterparts, and Facebook reportedly is developing its own version.

Isabelle Olsson, Google's Head of Industrial Design for Home, speaks about the Google Home Mini during a launch event in San Francisco on Oct. 4, 2017.Stephen Lam / Reuters file

All of these companies started out on the Internet, which has traditionally had a culture of launching products before they're entirely ready and debugging in real time, King said.

The upside of these devices is that they offer a simple user interface and unique capabilities, such as regulating temperatures in different rooms, turning on lights, sending emails, ordering pizzas and much more.

Those features, however, can overshadow the security issues inherent in providing access to a home network.

Herold points to the backlash in 2015 when parents discovered that Hello Barbie, an interactive toy that recorded children and sent the data over the internet, was vulnerable to hackers who could access that information.

More Americans are becoming wary of technology and concerned about cybersecurity — especially in the wake of the Portland incident and other high-profile data security issues such as Facebook's Cambridge Analytica scandal.

Amazon didn't provide the most reassuring explanation either.

"Echo woke up due to a word in background conversation sounding like 'Alexa.' Then, the subsequent conversation was heard as a 'send message' request. At which point, Alexa said out loud, 'To whom?' " a rep for the online giant said in a statement to the tech site Ars Technica.

"The background conversation was interpreted as a name in the customer's contact list. Alexa then asked out loud, '[contact name], right?' Alexa then interpreted background conversation as 'right.' As unlikely as this string of events is, we are evaluating options to make this case even less likely."

Experts say that these virtual assistants must do a better job at partitioning different types of information with different layers of security to prevent private information from being so easily shared. Not that the concerns are slowing down the rapid growth of the technology: One homebuilder is working on integrating Amazon’s Alexa through entire houses; Toyota is adding Alexa to its cars; and Amazon announced that there will be Alexa for workplaces.

"I advise my friends that have them, if you don't think you are going to need it at the moment, unplug the devices," Herold said. "That might defeat some of the ease of use, but, seriously, what takes longer: 20 seconds to plug your device back in or weeks of trying to undo a mistake that occurred by something that was misinterpreted by a smart device that didn't turn out to be so smart?"