COMMENTARY ON LAW AND TECHNOLOGY

Amazon Echo in Dorm Rooms and Privacy Concerns

28-Aug-2018

As the fall semester begins, students of Saint Louis University will soon find a new amenity, the Amazon Echo Dot, in each of their dorm rooms. Echo Dot is a voice assistant device developed by Amazon and enabled by the artificial intelligent service, Alexa. The university has decided to deploy over 2,300 of these devices in all student residences on campus to provide students with easier access to campus-related information. For example, students can ask the voice assistant about library hours and building locations.It is the first time that a university has put these voice assistant devices in student living spaces. Not surprisingly, despite the conveniences they provide, there are privacy concerns with these devices.

So, let us look at how the Amazon Echo Dot works. The device responds to a wake word chosen by its user, such as Alexa, by default. After hearing the wake word, the device records the user’s voice, sends it to the virtual assistant, Alexa, and performs a corresponding action. For example, a student may ask the Echo Dot in his dorm room to create a reminder for a personal event, which may be private information. The device will then send the voice recording to Alexa to create the reminder, as instructed. But, voice recordings like this will not be deleted upon the completion of requests.Instead, they are stored on Amazon’s server. Saint Louis University states that the Alexa-for-business platform, which is a work space solution, is used to manage the Echo devices provided to students and no personal information will be collected. According to Amazon, devices enabled by Alexa-for-business are not associated with personal accounts. It means that any data sent to the server, including voice recordings, is anonymous, and not attributable to individual students. Alexa-for-business does not give the university any access to these audio files except the ability to delete them.Thus, students’ voice recordings are anonymous and inaccessible to the school. Amazon has also been implementing controls in compliance with the EU’s General Data Protection Regulation, the GDPR, to secure customer data.

However, even though the university does not seem to pose a threat to students’ privacy, and Amazon says protecting customer data is its top priority, it is difficult to guarantee that all the conversations near Echo devices will be safe, because sometimes things do not work as intended, especially when it comes to technology. A few months ago, an Oregon family discovered that a private conversation was recorded by their Echo device and sent to a random person on their contact list because the device misheard the wake word and the following command.This incident tells us that voice recognition is not always reliable.Under the GDPR, data accuracy is an essential requirement, and users are given the right to correct any false information.But voice assistants like Amazon Echo usually do not give users enough time to correct the misinterpreted commands before these commands are executed and an impact is made, and there is not enough visual confirmation to help users understand how their data will be processed either.

Another source of risk is the vulnerabilities in these devices. Security experts had successfully exploited Echo devices and turned them into wiretaps that could continuously listen and record by either modifying the hardware or running malicious software. Although these exploits are already fixed, new vulnerabilities maybe discovered and utilized by attackers.

Other than these intrinsic risks residing in voice assistant devices, Saint Louis University is considerate about students’ privacy, and students can either mute the microphone or just unplug it and put it in a drawer for the rest of the school year.

I’m Jay Kesan.