Does Alexa comply with data protection?

Alexa and data protection

Data protection with Amazon Alexa: How secure are we?

Alexa is Amazon's digital voice assistant, whose software is integrated into dozens of smart speakers (e.g. Amazon Echo, Echo Dot). Alexa has a range of functionalities and skills, including controlling and coordinating the smart home, managing to-do lists, playing music or audio books, shopping on Amazon, and researching information or current events. Alongside all the advantages of a smart home, however, the question of how Alexa, Amazon and data protection fit together is becoming increasingly important.

As voice assistants find their way into more and more households, concerns about invasion of privacy and about data protection with Alexa are being raised more frequently. One of the most common complaints concerns the ongoing processing and linking of a lot of data, together with users' fears of being bugged by smart speakers.

To be able to execute voice commands, Alexa must be able to hear and recognize them. That is why she always has an open ear to respond to possible voice commands. In practice, the microphones are permanently active so that Alexa can respond to the activation code (e.g. "Alexa"), which triggers the processing of the voice command. The information is processed and transmitted to Amazon's backend servers only after the activation code has been spoken.

From a privacy perspective, there is always a risk that data transmission is activated unintentionally when someone says a word that is similar to the correct activation code (e.g. "Alexander" instead of "Alexa"), which could lead to an unwanted invasion of the privacy of those being listened to (the Alexa user, their guests or their cohabitants). The consumer advice centers have already pointed out these problems and risks in a comprehensive investigation/study[1].

A further concern regarding the use of voice assistants relates to the control that data subjects have over their data. According to Recital 7 GDPR, data subjects should have control over their own data. Considering the amount, the sensitivity (the "voice" is biometric data within the meaning of Art. 9 GDPR) and the interconnection of the data processed, the initial and further purposes of the processing (e.g. the execution of the command, the improvement of the service, the creation of personalized user profiles), and the number of parties involved in the data processing (the provider and third parties), data subjects could lose control over their data.

It is therefore extremely important to comply with data protection principles (data minimization, storage limitation, purpose limitation) and to enable data subjects to exercise their data protection rights, in particular the right of access and the right to erasure. The voice recordings can already be managed by the data subjects in the Alexa app (access to the stored data; option to automatically delete the data or set a limited storage period, etc.).

In order to enable data protection-friendly use of voice assistants, the European Data Protection Board[2] ("EDPB") and the French supervisory authority[3] have set out the main challenges in complying with the GDPR and made recommendations. Alexa and data protection can therefore go together under certain conditions.



[1] Consumer advice center, "On the ball or all ears? Data protection with Amazon Echo and Google Home", March.
[2] The European Data Protection Board, Guidelines 02/2021 on virtual voice assistants, July 7, 2021.
[3] CNIL, Exploration des enjeux éthiques, techniques et juridiques des assistants vocaux, September 2020.