Amazon Alexa and Data Protection

Amazon Alexa – Big Brother is watching you

Nowadays, many households have voice assistants that are designed to make life a little easier and more convenient. There is a wide range on offer and many market players offer intelligent voice recognition systems in various designs and performance classes. "Every Apple user is probably familiar with 'Siri', Samsung users swear by 'Bixby' and the software giant Microsoft also offers its software in the form of 'Cortana'. Amazon relies on "Alexa", which only requires a stable internet connection and can also be operated via an existing Amazon account. The data protection factor in particular is often discussed with the virtual assistant "Alexa" and will be examined in more detail in this article.

How can "Alexa" support people?

Once "Alexa" has been set up, the voice assistant is ready to receive and execute spoken commands at any time. Amazon Music users, for example, swear by the prompt delivery of their desired music tracks, which are played by voice command. If the Amazon password is given, every command is sent to the Amazon cloud and processed there. Alexa" uses a blue light to signal to the user that data is being transmitted in encrypted form.

Alexa can be an excellent support for people in many areas. By connecting to Amazon, orders can be placed by voice command, the connection to Amazon Music opens up a gigantic music library, knowledge can be called up, and "Alexa" also offers fun and games for boring hours. Third-party providers can also offer functions via so-called skills, which the user can call up at any time and thus enormously enrich the "Alexa" offering. At the same time, "Alexa" also offers control of household appliances, voice messages can be sent and telephony is also possible. 

"Alexa" is being criticized regarding data protection

"Alexa" undoubtedly offers many advantages in the home, but even the best voice assistant is not above criticism and therefore data protectionists see "Alexa" as an invasion of privacy, which should be examined in terms of data protection law.

How should data transfer with Alexa be assessed?

Of course, applications and services that the user wants to obtain from "Alexa" must be exchanged via data transfer. This will set alarm bells ringing for any data protection officer, as the information is stored on servers located in the USA and is therefore also stored and processed there. As the USA is not an EU/ERW country, this step can be viewed more than critically from a data protection perspective.  

Third-party providers - the so-called "Alexa skills"

"Alexa" is growing with the "skills" it offers, which can be called up by third-party providers. A large-scale study, in which over 90,000 skills were analyzed and evaluated, shows that there is often a lack of transparency as to which third-party providers are involved. Although the third-party providers and the skills they offer are certified by Amazon, it is quite possible to change the skills later on and thus obtain further user data. This is an undesirable scenario, particularly in the credit card sector, but one that should always be borne in mind. At the same time, the analysis found that many third-party providers have gaps in their data protection declarations and should therefore be classified as inadequate. 

Big Brother in the house - is "Alexa" listening to us?

Of course, Alexa's microphones are permanently active to receive voice commands - but this means that Alexa is also processing and utilizing data and information around the clock. This permanent presence is viewed with suspicion by data protectionists.

The fact is that when the voice assistant "Alexa" is used for the first time, a full and explicit declaration of consent to the terms of use is obtained. This declaration is made by Art. 6 para. 1 lit. A GDPR and this should at least sufficiently satisfy the information obligations under Art. 13, 14 GDPR. Sufficient means that the privacy policy is rather vague and the company could be held fully controller in this regard. Fines of four percent of the annual turnover are to be imposed for infringements, but so far nothing has ever happened in this regard.

There are many critical voices regarding the privacy policy, as "Alexa" can also make mistakes when evaluating the code word, as some words are very similar, and therefore security is not fully guaranteed. If an incorrect code word is accepted by "Alexa", an immediate data processing procedure starts that is not covered by the declaration of consent. In this case, the user is unintentionally bugged and the data obtained is further processed by Amazon in the USA - a clear and unwanted invasion of the privacy of the person concerned! 

Does "Alexa" also listen to visitors and guests?

Visitors are not included in the user's declaration of consent and therefore "Alexa" records all existing conversations and noises after activation. Children in particular are not exempt from this procedure and data protection experts are therefore questioning the legal basis of the recording and use. If children are affected, their legal guardians must consent to the data processing. At the same time, "Alexa" also receives and processes data and personal data relating to intimacy and privacy that is not intended for processing. 

What does Amazon use the collected information and data for?

Amazon uses all the information and data it receives to optimize the system, so the voice command does not just execute an intended action. According to Amazon, the optimization should, for example, improve individual speech recognition and better adapt the assistant to the user.

Under data protection law, it should be noted that Amazon employees listen to voice recordings for this reason, evaluate them, and improve the recognition quality of the commands.

‍The extent of the eavesdropping activities is unknown and Amazon is keeping a low profile in this regard. It is also unclear who has access to the available user data. The fact is that Amazon creates a user profile to tailor advertising and offers to the user. 

Personal data and the use of "Alexa"

Amazon uses all the data it receives to generate a personal profile that is as accurate as possible. This data is a valuable basis for marketing campaigns and consumer research. However, any conclusions drawn about a specific person must be processed by the principles of the GDPR.

Every user of the voice assistant also has the right to information by Art. 15 of the GDPR. This means that the user can request all data collected by Amazon.‍

The user accepts that the assistant receives information about family circumstances, hobbies, surfing behavior, music tastes, and even manages and uses bank details - but companies like Amazon use the data in an even more sophisticated way and want to be able to evaluate and use the user's overall behavior. 

Many people invoke data protection and pass on as little information and data as possible to external persons, but when it comes to a surveillance object within their own four walls, their understanding of the protection of personal data comes to an end. The "Alexa" user tolerates the spy in their own home and willingly feeds it with new, sensitive data. A key fact here is that over 56% of Germans are internally upset about companies that act as data octopuses and believe that personal data is inadequately protected. If you look at this opinion research, you will see that despite this negative sentiment, more and more people are turning to voice assistants and sales figures have long since reached dizzying heights. 

Amazon is aware of the carefree use of users and would like to provide even more information in the future and thus more knowledge about the valuable commodity that is the human being. Amazon has applied for a new patent in this regard, which will invade privacy and therefore also personal information. 

The voice assistant should be able to recognize the emotional and health condition of the user and thus draw conclusions about the personal condition. These conclusions are to be turned into hard cash, meaning that an audibly ill user is more likely to receive advertising and recommendations to buy medication rather than being offered vacation trips or sun cream. According to Amazon, the solution will even become aware of keywords such as "I like" or "I love". What this information is needed for is still unclear, but Amazon will certainly convert these statements into cash.