PRIVACY CONCERNS WITH THE AMAZON ECHO?

Joseph Jaquinta, CTO, TsaTsaTzu

Asking consumers to place an “always on” recording device in their living rooms generates, quite rightly, many questions about what the device, and Amazon, have done to ensure a consumer’s privacy. It’s pretty clear, if you look at it in a little detail, that privacy was definitely one of the concerns of the team as it came up with the design for The Echo.

First of all, there is session initiation. All the smarts to do the speech to text translation are not actually encoded into The Echo device itself. Those are done up in the Amazon cloud by the Alexa service. This does not mean that everything The Echo hears is streamed to the cloud for analysis. The hardware of The Echo is just smart enough to recognize two words, the wake words: Alexa and Amazon. So the hardware can sit there and monitor everything said, but it all stays local, possibly with a small buffer in memory, until it recognizes the wake word you have chosen. At that point it begins to stream what you say to the internet.

[This is the primary reason why, despite it being a frequently asked feature, I highly doubt Amazon will ever let you choose custom wake words or broaden them to a wider selection.]

Once The Echo wakes up and starts streaming, the first thing it does is light up. That blue light is a very elegant indicator that it is now alive and listening to you. As long as that blue light is on, it is streaming everything it hears to the internet. When it goes off, it has stopped. It’s a nice visual indicator that you are no longer private.

[Another feature request has been to control the color or behavior of that light. Given its importance in giving feedback about your privacy, my money is on Amazon not letting programmers have access to it.]

Now that Amazon have opened up The Echo to 3rd party developers, it isn’t just Amazon listening to you, but potentially any other developer as well. However, the interaction model Amazon has chosen [much to the chagrin of the developers] is pretty limited. You have to define, more or less, everything the user could say to the skill, and you are only told when they say one of those things. If the user doesn’t say one of those things within eight seconds, it drops the line. It’s really hard to get it to do something like free recording. And even if you make it as open ended as you can, the transcription errors are pretty bad.
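To make that interaction model concrete, here is an added example (not from this post, and not Amazon’s code) of what a 3rd party skill actually receives: a constructed request in the Alexa skill request JSON shape, carrying only the matched intent name and slot values, plus the session-ended event delivered when the line is dropped. The intent name, slot, identifiers and the temperature value are invented; the field names follow the Alexa skill request and response format.

```python
# Constructed sample of the request the Alexa service forwards to a skill
# after the wake word and a recognised utterance. There is no audio and no
# raw transcript: only the intent the developer defined and its slot values.
SAMPLE_INTENT_REQUEST = {
    "version": "1.0",
    "session": {"new": True, "sessionId": "amzn1.echo-api.session.EXAMPLE",
                "user": {"userId": "amzn1.ask.account.EXAMPLE"}},
    "request": {
        "type": "IntentRequest",
        "requestId": "amzn1.echo-api.request.EXAMPLE",
        "intent": {"name": "GetRoomTemperature",  # invented intent
                   "slots": {"Room": {"name": "Room", "value": "kitchen"}}},
    },
}

# Constructed sample of the event sent when the user says nothing the skill
# defined within the timeout and the service drops the line.
SAMPLE_SESSION_ENDED = {
    "version": "1.0",
    "session": {"new": False, "sessionId": "amzn1.echo-api.session.EXAMPLE",
                "user": {"userId": "amzn1.ask.account.EXAMPLE"}},
    "request": {"type": "SessionEndedRequest", "reason": "EXCEEDED_MAX_REPROMPTS"},
}


def skill_visible_data(event):
    """Return the only user-derived content a skill ever sees for a request."""
    req = event["request"]
    intent = req.get("intent", {})
    slots = {k: v.get("value") for k, v in intent.get("slots", {}).items()}
    return {"type": req["type"], "intent": intent.get("name"), "slots": slots}


def speak(text, end_session):
    """Build a minimal Alexa response; shouldEndSession controls the mic."""
    return {"version": "1.0",
            "response": {"outputSpeech": {"type": "PlainText", "text": text},
                         "shouldEndSession": end_session}}


def handle_request(event):
    """Dispatch like a skill handler. Utterances outside the defined intents
    are never delivered, so there is nothing here to handle for them."""
    data = skill_visible_data(event)
    if data["type"] == "SessionEndedRequest":
        return None  # line already dropped; no speech may be sent back
    if data["type"] == "LaunchRequest":
        return speak("Which room?", end_session=False)  # keep the mic open
    if data["intent"] == "GetRoomTemperature":
        room = data["slots"].get("Room") or "that room"
        return speak(f"The {room} is 21 degrees.", end_session=True)  # invented value
    return speak("Sorry, I did not understand.", end_session=True)
```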

So, by design, Amazon have paid a fair amount of attention to privacy, and (unlike Google) they have made the decision not to spy on your every move. But what about others? After all, Google (again) had the best of intentions (mostly) when it downloaded recording software onto every Chromium user’s machine. But it didn’t take long for hackers to work out how to exploit it. Then, despite Google’s “good intentions”, they opened up millions of users to privacy violations.

I’m sure this sort of scenario keeps Amazon’s lawyers up at night. But one big difference is that The Echo is a device and its code exists on firmware. It’s a much harder hacking target. You would need to crack the operating system on the device, or corrupt/hijack the firmware upload procedures. That’s not easy.

The device itself uses Secure Sockets Layer (SSL) to communicate with the server. Although slightly more vulnerable than the hardware, that is still a tough nut to crack. They even insist on a particularly secure version of it to communicate with 3rd party skills. [Which causes no end of implementation difficulty.]

So, all that being said, The Echo is relatively benign as far as privacy risks go. Sure, someone with the funding of a government could crack it if they devoted time to it (and I’m sure they are), but it is going to be out of the league of your average disgruntled darknet hacker. I’d worry much more about the fact that most Android phones record your every move unless you go through some very complicated opt-out maneuvers and semi-cripple your phone. (Thanks, again, Google.)
