We live in an age of hackers.
They are employed by our government and deployed by foreign powers. They are freelancers with goals ranging from netting big consulting fees in exchange for the discovery of potentially damaging vulnerabilities before they make the evening news, to sending a message, to righting a perceived wrong, to outright criminal activity.
While the various hacker camps are different, they present the same conundrum to all of us: Is anything safe?
A recent murder case has highlighted the need for an answer to this question at the enterprise level before popular concern outpaces smart adaptations to the privacy quicksand that continues to be a persistent issue in the digital marketplace.
In November 2015, a former Georgia police officer named Victor Collins was found floating dead in a hot tub owned by Bentonville resident James Andrew Bates. The smart meter at the crime scene revealed that 140 gallons of water had been used on the night of Collins’ death, which was in keeping with an attempt to get rid of evidence. There were traces of blood at the scene. After conducting an autopsy, a coroner determined Collins had been murdered.
While there was plenty of physical evidence at the scene, the prosecutor working the case wondered if there was any evidence to be found on an Amazon Echo that had been streaming music at the crime scene when Collins was killed. Amazon was approached for help accessing whatever evidentiary data might exist, and the company declined.
“There would be a lot to be gained by identifying the households where the phrase ‘We really need a new washer and dryer’ was spoken,” Eric Hodge, the director of consulting at my company Cyberscout said. “Would it be legal to capture household conversations, search them for keywords, and use that information to develop marketing campaigns?”
Remember back in 2013 when news broke that the FBI could watch you without you knowing it? The story wasn’t about some hypothetical “you.” The news affected anyone with a webcam-equipped laptop. Hackers had acquired the ability to turn on the webcams of a computer without triggering the indicator light.
The upshot of that news is an inexpensive giveaway that my company uses to promote its services: a two-piece sliding frame that allows you to cover your webcam without resorting to the piece of tape that Mark Zuckerberg made famous on 60 Minutes.
There is a reason that a webcam cover giveaway exists. There has been no patch invented that can allow a user to have an uncovered webcam with absolute certainty no one is watching.
As with the webcam, one must assume there is a similar capability to snoop when it comes to digital assistants, whether at Amazon, Google, Microsoft, Apple or the NSA. That doesn’t take into account what we must assume is already a capability at the national spy program level, both foreign and domestic. I asked Amazon about this concern twice over the past week, and received no comment.
According to reports, the Amazon Echo records less than 60 seconds of ambient sound before the device detects the activation word, or trigger, “Alexa.”
The possibility that the recorded content of conversations may exist somewhere in Amazon’s cloud at the very least begs a question: Are they capturing and retaining some information gathered through the Echo device. It goes without saying that a retail operation like Amazon would be able to mine the data that a recording device in consumer homes could provide.
Is it possible that Amazon is gathering metadata based on anything that is said in your home after someone says, “Alexa?” If we have learned only one thing in recent years, anything is possible.
Even scarier, is it possible information is being gathered–by Amazon or any other party–without anyone having to say, “Alexa?” The technical capability exists. And as such, it is time industry rises to the challenge of providing real solutions to the consumer privacy quagmire that threatens not only all Americans, but to connected citizens around the world.