Why you should pull the plug on Alexa

George Rosamond
October 23, 2020

Stating what should be obvious, a March 20th article in Bloomberg News’ Cybersecurity section exclaimed “Locked-Down Lawyers Warned Alexa Is Hearing Confidential Calls.”

You may have one of those listening smart home devices, meant to ease your ability to complete a wide array of tasks with voice commands. But such devices have prompted industry concerns about privacy, particularly among those in the security and privacy professions.

The principle that privacy and security have to be designed in, and can’t simply be assured, is a critical axiom.

Sellers of these devices, and of peripheral IoT products such as baby monitors and video doorbells, can declare they won’t inhibit confidentiality and privacy unless you opt in, unless you click a particular setting, or only if you trigger them with a particular word, but they operate counter to those assurances.

If a device listens for a particular word, then it has to be listening all the time. That should be obvious for one and all, not just the attorneys referenced in the article.

The real question to raise about these devices: is the benefit of having them at all worth the privacy and security trade-offs? In thinking about the trade-offs, don’t just think about a particular adversary, say, an attorney from the other side in a civil case. Imagine something more mundane. There are plenty of conversations in the average household that, taken out of context, could prompt legal issues. We all tend to speak in hyperbolic declarations when heated, or we have sarcastic moments to be humorous. The times we rant to family and friends, with our inhibitions unmuted, have always harmlessly faded with memory. But the recordings made for Alexa’s benefit may not be able to retain the tone, let alone the offline context: “Don’t record me, Alexa, when it is a private conversation about work, but go ahead and record me when I need new printer paper for work.”

Home automation listening devices remove that usual venting and exaggeration, and turn it into a potential liability.

Self-censoring is less common when we chat among family and friends in our own private homes. Do you want to start making a new house rule about which conversations you can have in front of Alexa and which ones you cannot? How do you distinguish? Yes, I would love to muzzle that dog next door, but what if something does happen to that dog? Am I now a suspect?

There’s a phrase in the privacy field called “function creep.” It often references a new technology that we’re justifiably excited to use, but that new technology has hidden trade-offs to privacy and security that are not immediately apparent.

Rewinding to the pre-smartphone era provides an example. When you bought that first GPS-enabled device in 2013, did the label tell you that it would not only be tracking you, your location and interactions, but also that your data would be a full-blown industry in itself? Collecting your data wasn’t the selling point for smartphones as we moved from simpler flip phones, but it was certainly bundled with the sale.

Smart home devices are following the same path, except that they are listening at all times in order to “hear” your command. If you want to protect your company’s confidential information, then unplug Alexa during this work-from-home period, at least during business hours.