This article originally appeared in Threatpost on April 25, 2019.
An auditing program for the voice assistant technology exposes geolocation data that can be personally identified, sources said.
Employees at Amazon can access geolocation information for Alexa users, according to reports, which lets them uncover users’ home addresses and even satellite pictures of their houses generated from a service such as Google Earth.
Alexa is the built-in voice assistant shipped with devices like Amazon Echo, Amazon Dot, Fire TV and some third-party gadgets. Confidential employee sources speaking to Bloomberg said that the global team that manually audits Alexa’s accuracy in understanding voice commands can “easily find” a customer’s home address, by combining the GPS coordinates that they have access to with public mapping services.
This division, known as the Alexa Data Services Team, is tasked with listening to random samplings of voice commands – and then matching up Alexa’s response to them to see if the voice-recognition technology is working the way that it should. In theory this is anonymized, but location information in the form of GPS coordinates is captured in order to provide localized search results. For instance, if a user asks for the weather forecast, or a review for a restaurant, the geolocation data is necessary to carry out the requests.
Five Amazon employees confirmed to Bloomberg that the division has access to the location data, and two members of the Alexa team said that they felt they have been given “unnecessarily broad access” to personal information.
They also shared a demo showing that plugging a device’s longitude and latitude into Bing Maps or Google Maps makes it possible to bring up an address and even an image of the Alexa owner’s house.
“Often an individual piece of data might be innocuous, but the connected-ness of the world today means that no data can be viewed in a vacuum,” Tim Erlin, vice president of product management and strategy at Tripwire, told Threatpost. “GPS coordinates aren’t personally identifiable on their own, but when coupled with a freely accessible system that translates them into an image of that location, they certainly are.”
For its part, Amazon downplayed the issue.
“Access to internal tools is highly controlled, and is only granted to a limited number of employees who require these tools to train and improve the service by processing an extremely small sample of interactions,” Amazon said in a statement to media. “Our policies strictly prohibit employee access to or use of customer data for any other reason, and we have a zero-tolerance policy for abuse of our systems. We regularly audit employee access to internal tools and limit access whenever and wherever possible.”
It’s unclear how many employees have access to the information, but the sources said that the Data Services Team numbers in the “thousands of employees and contractors,” located in Boston, India and Romania.
The employees also said that there is a second internal Amazon Alexa team for “annotators and verifiers,” who are privy to the information that customers input into the Alexa app when setting up a device. That includes home and work addresses, phone numbers, and any entered contact names, numbers and email addresses. This smaller team is responsible for making sure that Alexa correctly identifies contacts when someone asks her to “call my mom,” for example.
All of that said, Amazon appears to have restricted some data access in the wake of a previous Bloomberg report revealing the existence of the Alexa Data Services Team, the outlet said.
Not everyone is concerned about the news.
“This is overblown. There is no reason to doubt that Amazon is sincere in its claim that only a select few employees have access to consumers’ information and use it in order to perform their job,” said Mike Bittner, manager for Digital Security and Operations at The Media Trust, via email.
“Features referenced in the article (suggested restaurants, etc.) require geolocation tracking, suggested products and targeted advertising require purchase and browser/cookie tracking, daily reminders require calendar tracking. All of these features are products of the continued trailing, recording and analysis of user behavior and undoubtedly make the smart home a more convenient tool,” wrote Bittner.
Thus, the situation once again brings up the thorny issue of balancing consumer benefit with potential privacy abuse. It makes sense for Amazon to audit how well Alexa is performing – but is a flawless Alexa experience worth the data exposure for consumers?
“Amazon employees listening to private conversations recorded by Alexa speaks to the very fears that many of us have about smart-home devices,” Harold Li, vice president at ExpressVPN, told Threatpost in an interview. “These revelations will no doubt make consumers think twice before buying, as our research has shown that privacy concerns and brand trust are crucial in the smart home space.”
He added, “It’s more than reasonable for consumers to expect that companies like Amazon do not invade the sanctity of private conversations in their own homes, and we should demand that companies respect that.”