Once Again, GDPR Is A Potential Privacy Nightmare: Amazon Sends 1,700 Voice Recordings To The Wrong User In GDPR Request

from the privacy? dept

Back in September, we wrote about how the GDPR could actually undermine privacy, when Jean Young noted that, when someone hacked into her Spotify account, they were able to download her entire data history. And now there's another example of the privacy implications: Amazon recently responded to a GDPR data export request by sending 1,700 voice recordings... to the wrong user.

Following the passage of the European Union’s General Data Protection Regulation, or GDPR, any EU resident may demand a company send them the entirety of the data collected about them through both internet services and hardware products like an Alexa-equipped Echo smart speaker. One German user, under the alias “Martin Schneider,” did just that in August of this year. What he got back from Amazon, however, were thousands of Alexa voice recordings, which was strange considering he didn’t own an Alexa device.

Upon listening to the files, Schneider discovered they were the recordings of another Alexa user. After failing to get in contact with Amazon about the issue, the man brought the files to c’t, where reporters were able to piece together who the Alexa user was. Among the files were commands to control Spotify, the person’s home thermostat, and alarms. There were also recordings that indicated the Alexa user also owned a Fire TV, and that they had a spouse who appeared to live in the home.

There are, of course, many different ways of thinking about this. On the whole, it's a good thing that companies are giving users more access to data, and allowing them to not just see what's being held, but to download it as well (it would be nice if things were more standardized, and it would enable easier shifting between services, but... baby steps). But, it also needs to be recognized that this creates new privacy challenges.

This isn't necessarily good or bad, but is a useful reminder that, contrary to what many GDPR supporters will tell you, the GDPR itself doesn't actually do much to "protect" your privacy, and could make your data even more vulnerable. Again, there are potentially good reasons for this, but way too many people keep insisting that the GDPR is about protecting privacy, and it is important to understand where and how it fails in that regard, and how it could even make much of your data more vulnerable.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data, downloads, echo, gdpr, privacy, voice recordings
Companies: amazon


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. This comment has been flagged by the community. Click here to show it
    identicon
    Wally Charger, 28 Dec 2018 @ 9:50am

    Not GDPR. Amazon.

    Little detail ya missed makes your take delightfully insane.

    Again you wish to throw out the privacy concerns of 300 million over one incompetent corporation.

    Stiff fines should ensure against a repeat, and if not then JAIL executives starting with Bezos since he profits the most.

    Next mistaken premise, please. I spent more time concocting screen name than you did this.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 28 Dec 2018 @ 9:56am

    And this sort of idiocy wont stop or change while we've got stupid politicians introducing laws at the behest of certain industries (for money, no doubt!) whrn they haven't got any idea what they're doing or simply dont care the consequences! Grandstanding and making monumental fuck ups seem to be far more important than using sense and taking notice of experts who DO know!

    link to this | view in thread ]

  3. icon
    hij (profile), 28 Dec 2018 @ 10:00am

    What should the person have done?

    What were the requirements under GDPR for the person who received the recordings? Did the person break the rules by sharing the data? Is the person required to take the same precautions as Amazon was supposed to take?

    If someone send you this information on accident what kind of burdens does the GDPR impose on you?

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 28 Dec 2018 @ 10:24am

    Re: Not GDPR. Amazon.

    The first part is literally discussed in the article. Next time read before commenting.

    link to this | view in thread ]

  5. icon
    nohillside (profile), 28 Dec 2018 @ 10:37am

    So, basically, Amazon fucked up

    Don't shoot the messenger (aka GDPR)!

    In a nutshell Amazon just fucked up. They blame operator error, but can we be sure about that? Or did this GDPR request just show that Amazon stores user-related data much longer than really needed, is still able to link it back to a user but doesn't have the operational stability in place to ensure that a users sees only their data?

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 28 Dec 2018 @ 11:06am

    "Massive corporations should be given a free pass on the invasion of user privacy due to the fact that they're also horribly incompetent"

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 28 Dec 2018 @ 4:11pm

    Re: jhonny boy has a full nappy again

    Nice quote. Where’s you get it from?

    link to this | view in thread ]

  8. identicon
    Rekrul, 28 Dec 2018 @ 5:09pm

    The takeaway from this should be that using Alexa is basically opening up your life for a corporation to spy on.

    I guess Orwell never envisioned that all you need to do to get people to accept 24/7 surveillance is to offer a little convenience with it and make them pay for the privilege of being spied on.

    link to this | view in thread ]

  9. icon
    Killercool (profile), 28 Dec 2018 @ 5:51pm

    Re:

    Oh, man! People were being spied on?!

    Oh, wait, no. The thousands of Alexa commands were all of the requests made after someone activated their device.

    While they can be used to identify someone (obviously, since the guy did it), that's not what I would consider "spying." Not unless you categorize your auto parts dealer having receipts and an order history "spying," too.

    Even I would agree that the blame is on Amazon, not GDPR, in this particular instance. However, 24/7 surveillance (or surveillance at all), this is not.

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 29 Dec 2018 @ 10:05am

    Amazon now owes a fortune to the person whos data that is.

    You don't under GDPR have to prove 'harm' just that the breach actually happened.

    Gonna cost them a few million ££££.

    Now, where's that GDPR information request form? :)

    link to this | view in thread ]

  11. identicon
    Rekrul, 29 Dec 2018 @ 1:02pm

    Re: Re:

    Oh, wait, no. The thousands of Alexa commands were all of the requests made after someone activated their device.

    Alexa records more than just your commands. People have accessed Alexa's recordings and found that they included parts of conversations, phone calls, etc.

    In order to respond to your commands, Alexa is always listening to you. Any voice controlled device is always listening for commands, which means it's listening to everything you say.

    Is it being sent back to the company? Maybe, maybe not. Have there been any indepth investigations into this to prove that it isn't sending everything you say back to the company?

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 30 Dec 2018 @ 7:13pm

    Re: So, basically, Amazon fucked up

    In a nutshell Amazon just fucked up.

    Exactly.

    This is a case of multi-billion dollar international corp implementing a new policy due to the legal / political environment around them changing, and doing it wrongly as virtually everyone would expect.

    TFS is also a case of click-bait, decrying legislation that makes it harder for companies to silently profit off of unsuspecting consumers, by claiming it does the exact opposite and using poorly cherry picked examples.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.