If you received one of those home digital assistants, like Amazon Echo or Google Home, over the holidays, you might want to listen closely. Privacy experts are keeping a close watch on the case of a Bentonville, Arkansas, man who was charged with murder after prosecutors obtained a warrant to receive data from his Amazon Echo, a voice-activated device that’s always listening and often recording. James Andrew Bates says he’s innocent of the murder of Victor Collins, who was found strangled in Bates’s hot tub. Prosecutors hope to search audio recordings on Bates’s Amazon Echo for clues.
So far lawyers for Amazon have refused to comply with the warrant, and experts say it’s unlikely the device was recording at the time of the murder. But the case has drawn national attention and alarmed civil liberties groups. Bates’ lawyer, Kimberly Weber, told USA Today, “I have a problem [that] a Christmas gift that is supposed to better your life can be used against you. It’s almost like a police state,” she said.
Marc Rotenberg talking:
These are a category of consumer devices that we refer to as always-on devices. To operate, they literally have to be listening to the user to interpret the instruction and to act on it. The companies say that they rely solely on the wake words, which, for Echo, for example, might be “Alexa”; for Apple, it might be “Siri.” But the problem turns out to be quite a bit more complex, because, first of all, the devices are easily triggered. People have had the experience—when a radio is on in the background, for example, it can alert the device. Also, we have found that in a number of these new consumer products, when companies say that the privacy protection measures work, in fact, they don’t. A very famous example of that occurred with Snapchat. Snapchat was telling its users that it would delete photos, that they would literally vanish once they were sent. But, of course, that’s not what Snapchat was doing. They were simply changing filenames, and the photos could be retrieved. We had a similar experience, by the way, with a search company called AskEraser. It said it was deleting all search queries—except for the ones that law enforcement wanted.
So, this is the reason that, actually, more than a year ago, EPIC went both to the Federal Trade Commission and the U.S. Department of Justice, and we said, “You really need to look closely at these products.” We’re obviously not against new technology that helps consumers and is certainly a bit of fun, but at the same time we need a better understanding of how they operate. What information about the user is being collected? How reliable are these wake words? And most significantly in this case, how can it be that the company is actually in possession of information that could be useful to law enforcement? Because, of course, if you play back the tape a little bit and think about what Mr. Snowden showed us regarding the collection and use of telephone logs, for example, it would be quite easy to imagine a company such as Amazon could persistently retain this type of data on all of its users and make it available to law enforcement in a whole variety of circumstances unrelated to criminal investigations. So there are a lot of important policy issues here, a lot of important legal issues here, that we think both the Federal Trade Commission and the Department of Justice need to look at much more closely.
when we go into these investigations, the companies often say, “Well, we can’t tell you exactly what type of information we’re retaining on our consumers. We can’t tell you exactly the technique of the wake word or how much data is being retained.” And this immediately, I think, should be a warning to those who do public oversight and help enforce important privacy safeguards, that if the companies can’t establish that the products work as they’re supposed to work—for example, they only record when the wake word is being used—then there’s a real problem.
And another point which I think is important to keep in mind is that this is not just a debate about law enforcement access to personal information. I think we’re familiar with that debate. We’ve had it also around the Apple iPhone. These are also devices in the home that can be exploited by criminal hackers. In other words, once you put a device like a Echo in your home, someone can gain remote access to that device and may be able to listen into private communications. This has certainly been the experience with webcams on laptops and the reason that a lot of people are now placing post-it notes on top of those webcams to prevent that type of surreptitious remote recording. But this can also happen with audio devices in the home. And it’s the reason that we think law enforcement and the FTC actually have a responsibility to protect consumers from that type of unwanted listening.
next week the Senate Judiciary Committee will hold two days of hearings on Senator Sessions to be the attorney general. I think it is absolutely vital for that committee to ask the nominee his views about privacy, about some of these new surveillance techniques, about what the appropriate limitations should be. I don’t think there’s any real dispute that for a proper criminal investigation or even for a national security matter, where there’s legal authority and a judicial determination, that searches are appropriate. But if we’ve learned anything in the last few years, it’s that these techniques can be used for the public at large. And there is a real risk right now, with the growing use of these consumer devices connected to the internet—it’s not just Alexa, it’s thermostats, it’s, you know, connected toys—that the government will take advantage of all this personal data that’s being collected for the type of mass surveillance that I don’t think we could permit. So the attorney general really needs to be asked about this issue. And we need to get—I should say, in fact, the nominee to be attorney general should be asked about this issue, and we should get his views.
executive director of the Electronic Privacy Information Center.
— source democracynow.org