This really should not be big news, I’ve been stating it since Alexa came out. The MIC is open all the time unless you “Mute” it and data is saved and transmitted to Amazon. Make sure you understand the technology before you start adding all of these types of IoT devices in your home, as I call them “Internet of Threats”
The call that started it all: “Unplug your Alexa devices right now.”
Amazon confirmed an Echo owner’s privacy-sensitive allegation on Thursday, after Seattle CBS affiliate KIRO-7 reported that an Echo device in Oregon sent private audio to someone on a user’s contact list without permission.
“Unplug your Alexa devices right now,” the user, Danielle (no last name given), was told by her husband’s colleague in Seattle after he received full audio recordings between her and her husband, according to the KIRO-7 report. The disturbed owner, who is shown in the report juggling four unplugged Echo Dot devices, said that the colleague then sent the offending audio to Danielle and her husband to confirm the paranoid-sounding allegation. (Before sending the audio, the colleague confirmed that the couple had been talking about hardwood floors.
After calling Amazon customer service, Danielle said she received the following explanation and response: “‘Our engineers went through all of your logs. They saw exactly what you told us, exactly what you said happened, and we’re sorry.’ He apologized like 15 times in a matter of 30 minutes. ‘This is something we need to fix.'”
Danielle next asked exactly why the device sent recorded audio to a contact: “He said the device guessed what we were saying.” Danielle didn’t explain exactly how much time passed between the incident, which happened “two weeks ago,” and this customer service response.
When contacted by KIRO-7, Amazon confirmed the report and added in a statement that the company “determined this was an extremely rare occurrence.” Amazon didn’t clarify whether that meant such automatic audio-forwarding features had been built into all Echo devices up until that point, but the company added that “we are taking steps to avoid this from happening in the future.”
This follows a 2017 criminal trial in which Amazon initially fought to squash demands for audio captured by an Amazon Echo device related to a murder investigation. The company eventually capitulated.
Amazon did not immediately respond to Ars Technica’s questions about how this user’s audio-share was triggered.
Update, 5:06pm ET: Amazon forwarded an updated statement about KIRO-7’s report to Ars Technica, which includes an apparent explanation for how this audio may have been sent:
Echo woke up due to a word in background conversation sounding like “Alexa.” Then, the subsequent conversation was heard as a “send message” request. At which point, Alexa said out loud “To whom?” At which point, the background conversation was interpreted as a name in the customers contact list. Alexa then asked out loud, “[contact name], right?” Alexa then interpreted background conversation as “right.” As unlikely as this string of events is, we are evaluating options to make this case even less likely.
Amazon did not explain how so many spoken Alexa prompts could have gone unnoticed by the Echo owner in question. Second update: The company did confirm to Ars that the above explanation was sourced from device logs.