An Amazon user in Germany was accidentally sent 1,700 audio recordings of someone he didn’t know after he requested his own data file, exercising his rights under the EU’s GDPR.
What happened: The man asked for a copy of all the data Amazon holds on him. He got a 100-megabyte file back two months later. Some of the files related to his own Amazon searches, but there were also hundreds of audio files and Alexa transcripts, even though he doesn’t own any Echo devices. He reported this to Amazon and asked for information, but answer came there none. He saved the files and shared his story with Germanys’ C’t magazine.
Voyeur’s paradise: The magazine listened to the files and was able to put together a detailed picture of the other user and his personal habits. They worked out which devices he owns, which music he likes, and who his girlfriend is, and even listened to him in the shower. They tracked down the victim, who confirmed it was he and said that Amazon had not informed him about the leak.
Amazon’s response: Amazon said a staff member had made a one-time error. But the company could be liable for fines under EU law.
Who’s listening? The story taps into fears about whether we can really trust the virtual assistants present in nearly a quarter of households in the US. Amazon insists its Echo devices are not always listening and only start recording upon hearing the word “Alexa.” There have been proven cases of it recording without users knowing, but Amazon has generally managed to explain them away as anomalies.