The case of the user who asked Amazon for his activity data and received 1,700 audio recordings from a stranger by mistake.
What would they do if one day they make public the conversations that their virtual assistant stores through a “smart” speaker? Well, this nightmare, worthy of a movie script, happened to an Amazon user in Germany, who would have asked the company for information about his activity on the service. The worrying thing is that in return he received access to information from a person who was not him.
According to the German magazine c’t, last August a user requested from Amazon, covered by the General Data Protection Regulation of the EU, all the data that the company had stored related to their personal activity on the site Web. Two months later, he received a link to download a file containing audio files of conversations with Alexa and other documents from a stranger, as this user did not own an Echo device and had never used Alexa before.
Audios that allowed to find its owner, without even mentioning his name
According to the information, the file, a ZIP of approximately 100 MB, contained little more than 1,700 WAV files and a PDF with all the audio transcripts. Apparently, these were conversations between a user and Alexa.
This user, not knowing the voices in these files, ** contacted Amazon to report the error and ask for an explanation of what had happened **. As mentioned, the response did not arrive but the link to download the file was removed. However, I had already downloaded the information and the next thing was to try to notify the person who appeared in the recordings.
This is how he contacted c’t magazine to help with the investigation. According to those responsible for the magazine, these audios yielded a clear picture of the user, where they managed to determine that he had only one Echo device, a Fire TV and that he sometimes spoke with a woman, which they could even hear when he took a shower.
According to the magazine, hearing all this was like delve into the private life of a complete stranger, where they learned about his musical tastes, the public transport he used and at what time, the addresses where he was going, as well as the names, sometimes with surnames, of the people with whom he regularly spoke. Thanks to this, they managed to find the identity of the person and his girlfriend.
The next thing was to contact him to inform him of the failure committed by Amazon, who confirmed to be the person of the recordings and mentioned that the company never contacted him to inform him of this error. With all this information in hand, the magazine contacted Amazon to request a statement on the matter.
Three days later, Amazon contacted both users to offer an apology and mention that one of his staff members had made a mistake and it was the first time something like this had happened. On the other hand, Amazon issued the following statement:
“This was an unfortunate case of human error and is an isolated incident. We have resolved the issue with the two customers involved and have taken steps to improve our processes. We also contacted the relevant regulatory authorities as a precautionary measure.”
The above can serve as an example to get an idea of how the companies that offer these services can store so much information from our daily life, and above all how simple it can be that they fall into the hands of others due to “human error”.
