NH judge orders Amazon to give Echo recordings in murder case (wmur.com)
I know that this article itself doesn’t have much content but I’m interested in what the police are actually requesting, and what they end up getting. Do they assume/suspect that Echo/Amazon continuously records and logs audio, akin to a security camera? Or do they have evidence that Echo was actually activated around the time of the murders, or afterwards by the suspect himself?

I was also interested in this quote:

> "I think most people probably don't even realize that Alexa is taking account of what's going on in your house, in addition to responding to your demands and commands," said Albert Scherr, a professor at the University of New Hampshire School of Law.

What is it that users don’t realize? Anecdotally, just about everyone I know who has refused to have an Echo does so because they believe Echo is doing far more surreptitious surveillance and analysis, i.e. not just listening for the trigger word. Though I’m sure most users don’t realize that when Alexa does trigger, she sends the audio to the Amazon mothership, which is then stored/analyzed for an indefinite time. Though most people don’t realize the most basic things about data, like how when you friend someone on FB, FB actually stores a log of your friends, and any other kind of stated interaction, such as the users you’ve blocked.

To answer my own question, other outlets have some extra bits of info:


The Union-Leader quotes the district attorney's request, which seems to have cognizance of how Echo works:

> On Oct. 30, Senior Assistant Attorney General Geoffrey Ward asked Houran to direct Amazon.com to produce any recordings made between Jan. 27 and Jan. 29, 2017, suggesting evidence of the crime of murder and/or hindering apprehension of prosecution could be found on the device.

> “As part of the normal functioning of an Echo electronic device activated either intentionally or accidentally by ‘wake up words,’ audio recordings are made of the moment when the device is activated,” Ward wrote.

> “Specifically, when the Echo detects a ‘wake up word(s),’ the device begins audio recording through its integrated microphones, including recording the fraction of a second of audio before the ‘wake up word(s),’” Ward continued.

> The motion, which was made in lieu of an application for a search warrant, also asks for information identifying cellular devices that were paired to that smart speaker in that time period.

If there's one thing these kinds of stories have effected in me, it's the knowledge that I should scream "Alexa!" (or maybe Siri/OK Google depending on which room) right before I get murdered in my own home.

What does it even mean to record? Saving to disk? You can’t start recording after hearing a trigger word and somehow get sound from before the trigger word unless you’ve already got it... I imagine a FIFO stream or buffer that only writes to disk if a trigger word is present.

Also, there may be trigger words that cause recordings even if no actions need to be taken...
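The FIFO idea from the comment above, as an added example that is not part of the thread and not Amazon's code: a fixed-size ring buffer holds only the most recent frames, and audio leaves it only when a wake event fires. The 20 ms frame, 500 ms pre-roll, 8 s cap and both detector callbacks are assumptions; the frames are constructed labels, not audio.

```python
from collections import deque

FRAME_MS = 20  # assumed frame length; real devices may differ


class WakeWordGate:
    """Keeps a short FIFO of recent frames; releases audio only around a wake event."""

    def __init__(self, is_wake, is_end, preroll_ms=500, max_request_ms=8000):
        self.is_wake = is_wake            # hypothetical on-device wake-word detector
        self.is_end = is_end              # hypothetical end-of-request detector
        self.ring = deque(maxlen=preroll_ms // FRAME_MS)
        self.max_frames = max_request_ms // FRAME_MS
        self.active = None                # frames of the open request, else None
        self.uploads = []                 # closed requests: what leaves the device
        self.dropped = 0                  # frames overwritten in the FIFO, never sent

    def feed(self, frame):
        if self.active is not None:       # a request is open: stream every frame
            self.active.append(frame)
            if self.is_end(frame) or len(self.active) >= self.max_frames:
                self.uploads.append(self.active)
                self.active = None
            return
        if len(self.ring) == self.ring.maxlen:
            self.dropped += 1             # oldest frame falls off the FIFO
        self.ring.append(frame)
        if self.is_wake(frame):
            # The request starts with the FIFO contents: pre-roll plus wake frame.
            self.active = list(self.ring)
            self.ring.clear()


def simulate(tags, **kwargs):
    """Feed constructed (tag, index) frames through the gate and return it."""
    gate = WakeWordGate(lambda f: f[0] == "wake", lambda f: f[0] == "end", **kwargs)
    for i, tag in enumerate(tags):
        gate.feed((tag, i))
    return gate


# Constructed input: 2 s of conversation, a wake word, a short command, more talk.
CONVERSATION = ["talk"] * 100 + ["wake"] + ["cmd"] * 10 + ["end"] + ["talk"] * 50
# Constructed input: a false trigger with no recognisable end of request.
FALSE_TRIGGER = ["wake"] + ["talk"] * 1000

if __name__ == "__main__":
    g = simulate(CONVERSATION)
    sent = g.uploads[0]
    print(f"uploads={len(g.uploads)} frames_sent={len(sent)} "
          f"first_index={sent[0][1]} dropped={g.dropped}")
    g = simulate(FALSE_TRIGGER, max_request_ms=1000)
    print(f"false trigger: frames_sent={len(g.uploads[0])} dropped={g.dropped}")
```

In the first run only frames 76 to 111 are released; everything spoken earlier was overwritten in the buffer. The second run shows a false trigger releasing a bounded snippet, closed by the cap.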

I sincerely doubt people don't realise that anything after the trigger is sent home, since a "feature" of Alexa is that the app lets you see each request you made, how Alexa answered, and let them know if she got it wrong.

I think it's more a case of "don't care" / "don't realize the risks"

I'd think the absolute vast majority would not have spent any time wondering about that in the slightest. And most that do would just assume that the app asked Alexa and retrieved a local log.

So much of what is collected today completely hinges on the fact that the public doesn't even grasp the feasibility nor the desirability of keeping track of them.

People perhaps assume all audio is processed locally and/or isn't stored except ephemerally.

I'd imagine there's a default "we store your data for AI training purposes" that would allow them to keep all audio.

> People perhaps assume all audio is processed locally and/or isn't stored except ephemerally.

Is there info on this from Amazon? I'd assume they do what you mention, have the speech recognition in the Alexa and just send up the words, not the entire audio stream.

Interesting implication of that in this case: if the actual audio is gone and you just have the transcription, is that valid as evidence? Or is it something closer to hearsay

It's cloud based. The device recognizes the wake-word offline and starts streaming to the recognition service. You can access a log of recordings through the app, so they are kept at least for a while.

For the tech crowd, most probably. For the average person, I'd wager most think it's magic and the device is doing all of the vocal processing. I'm assuming this just due to how many friends/family I have to explain how their Siri actually works.

A surprisingly large part of the population is completely oblivious to all of this and they don’t care unless the effects are so directly in their faces they can no longer ignore it.

On going into the app to let it know when it gets things wrong: I’d love to have it just listen for a “thank you” for a few seconds after it does whatever it thinks we’ve asked it to do.

I’m too sarcastic and deadpan for that to be an accurate metric for me.

I have several Alexa devices in my house. I don't care. I'm just not that interesting.

> Though I’m sure most users don’t realize that when Alexa does trigger, she sends the audio to the Amazon mothership, which is then stored/analyzed for an indefinite time.

Additionally, Amazon receives several seconds of audio _before_ the trigger word was used

Edit: I can't find a source for this, but IIRC this was part of the initial Echo roll out, and one of the reasons I decided not to purchase. Perhaps Amazon has changed this so now it only listens and sends data after the wakeword.

It does appear to have been updated: "When you use the wake word, the audio stream includes a fraction of a second of audio before the wake word, and closes once your request has been processed."[0]

The recorded hotword is sent to allow more sophisticated hosted models to reject false positives.

> What is it that users don’t realize?

You answered yourself in an exemplary fashion, but I'll state it explicitly (and simply). People don't think about it. I'd like to imagine anyone who realises the implications of owning such a device would refuse to own one, although I know I'm mistaken.

I don't mean that people should know better (although ofc they should), but new technology is all too easily likened to any household appliance nowadays. Alexa is a utility, for better and worse.

It's my opinion that we should very much attempt to educate the non-professional about the realities of these spy-machines, in much the same way we don't teach people about dishwashers.

As for the article: I find it morbidly curious that I could tell Alexa who is murdering me. A benign 1984 for now I suppose.

“the implications of owning such a device would refuse to own one, although I know I'm mistaken.”

You are mistaken. I use my Alexa everyday. I suppose if someone creates a better version that doesn’t phone home, I’ll switch. In the meantime, I really enjoy having this type of device.

By the way, last year I blogged about the need for HN users to constantly complain about Alexa’s privacy.


If you could take that energy and build an open source replacement, that would be more worthwhile.

You are mistaken. The utility of Alexa/Google Home is worth any privacy intrusion for me. I simply don't care. Convince me otherwise.

Though the person is being a slight jerk with the last sentence in this comment, there's no reason to mass-downvote someone just because they don't value their privacy as much as anyone else. The poster is not telling people they should not value privacy, only that the poster does not in exchange for utility.

Even without that last sentence, the comment is not helpful. We’re not told what the user sees as the benefits of Alexa, and we don’t know what he sees as the privacy trade offs. It’s possible he uses Alexa for some lifesaving utility that far outweighs even if Amazon were illegally violating his privacy. Or maybe he’s ignorant to the specifics of what Echo and Amazon do/don’t collect. And anyone who replies is forced to play the annoying game of read-my-mind/how-dare-you-assume-that’s-what-I-meant.

It is a useful comment in an echo chamber like HN's. And seeing the downvotes it has received, it's double useful.

I think they have been massively downvoted because they were being a jerk, not because they (don't) value their privacy.

That’s interesting. Can you elaborate a bit? Are you not worried because you think the information is not sensitive or do you think the risk of it being abused, lost or stolen is negligible? I’m really curious to know (and while I have a different opinion I think yours is legitimate as well).

All of the above. I don't think it's sensitive and I think the risk is negligible but even if it happened I still think it's worth it. Like I said in my sibling comment I'm against mass-surveillance in general because then you have no choice but here I'm actively deciding to expose myself because I find the utility worth it.

I agree.

We talk about the "identity theft" problem here quite a bit. One time someone wrote about how there is no such thing as identity theft. If someone persuaded a bank to give them money by pretending it was me, the thief didn't steal anything from me. The bank gave the thief money and should try to recover it themselves. I'm not a part of that equation.

I think it is stupid to establish any kind of causality based on the things I search online or the things I do on the computer. The problem isn't that Amazon is recording my activity. The problem is that somehow we allow this to be admissible in a court of law. My shower thoughts don't make me a criminal. I'm innocent until proven guilty. Searching for nitroglycerine or whatever is not the same as the proverbial trout in cow milk that prosecutors claim to be. What's next? Private diaries as evidence that I killed someone?

Edit: spelling

> What's next? Private diaries as evidence that I killed someone?

Well if your diary contains perpetrator's knowledge then obviously yes? Even if not, it may count as circumstantial evidence.

IANAL but in my not so humble opinion it can at best establish motive not that I did it.

I've been hearing recently about how the forensic "science" we allow in the court room isn't all that scientific either. I think our law enforcement and our prosecutors are just too lazy. I'd not mind so much if they let criminals free but it seems they will try to frame someone who is plausible and let "science", "evidence", and "experts" do the talking which is not good.

I think we should provide proper incentives for our prosecutors. We clearly can't lean on their moral compass.

What kind of utility do you derive from Alexa/Google Home that is so vital to you?

I'm genuinely curious because your comment made me think I might be entirely missing the point of those devices.

Yes, I agree but for me personally I don't care even if that dystopia happened. It's still worth it for me, again, personally. I'm against mass-surveillance because then it affects everyone, whether you agree on it or not but in this case I'm actively buying this thing and expose myself to it.

>Yes, I agree but for me personally I don't care

That is contradictory.

It is not. The difference is choice. Mass surveillance does not offer you a choice about participating, or ties that choice to some everyday activity. Putting an Echo in your home is a choice.

Choice can be a very weak consolation. Just like how not driving isn't really a viable choice in many regions (although nobody is technically being forced to drive), if choice makes surveillance acceptable, that choice could easily be eroded to the point of being merely a theoretical option. "You want to live without surveillance? Your choice, because we respect that choice so much we have set up special surveillance free zones in Pennsylvania"

What he probably meant to say: "I do care, but only because of others who may need/want privacy."

What will you do if a friend who does care and does not want the privacy intrusion comes over to visit? Do you at least give people the courtesy to inform them and ask their permission to have recordings of their voice sent to a third party service?

If enough of these devices are installed, having every utterance recorded will become a fact of life. You might not care, but when people believe they are being recorded they become less willing to challenge authority. That might be something society is willing to accept, but according to your individualistic view, society will not be asked -- it would only take a minority of people installing these devices to create a world of widespread surveillance, and the majority of people would never have been asked for their consent.

> What will you do if a friend who does care and does not want the privacy intrusion comes over to visit?

If a friend has really idiosyncratic and unusual preferences, they should be good enough to announce those when they visit. Of course a normal host would be willing to unplug their Google Home or Amazon Echo.

Counter argument: It’s not just you. When your privacy is invaded, that data can be used to damage all of us. Just as we saw happen during Brexit and the 2016 US election, where data collected on individuals was used to microtarget propaganda.

Obviously you weighed the risks/benefits and made your choice, and that's perfect. The problem with these types of devices is people who are totally oblivious to the workings of it and the implication and that will click "I agree" without even reading anything. Personally I prefer control over pseudo-convenience on anything.

Luckily for those of us that do care about privacy, we have HomePod. Not quite as comprehensively creepy as Alexa, but of similar utility and definitely better when it comes to audio quality.

How are they useful? I watch their commercials on TV and frankly I don't understand why I should use one even if all processing would happen inside the device.

Statistics and non-biased double blind ephemeral fictitious studies show that those who don't care about privacy, usually have not fully developed privacy awareness intelligence due to social constrictions nominally developed during the abstraction formance and concretion phase of the multi-hemispherical expansion of the brain. Often, this leads to higher overall social acceptance, integration, and adjustment - with loss of self awareness and self identity, giving over completely to the social hive mind indications and constructs, usually producing characteristics similar to, but not nearly as developed as, the common bee, with hypnotic driven intelligence and pre-defined scripted actions produced from the social feedback loop of the group. Privacy is then regarded as a trivial concept, as the social feedback never identifies individual self actions, rather group activity motions to accomplish group goals, not individual self goals. Integration of personal self into the hive is almost impossible because to be part of the hive one must sacrifice the self and individualism, conversely, the hive cannot exist as an individual only a selfless group of commonality - it cannot bee otherwise. (please forgive the pun)

I don't know why people will happily carry a cell phone (which is a microphone attached to a transmitter, with location tracking to boot) but recoil at an Echo device in their home. Both are equally capable of surveillance, but the phone certainly more so as it's not limited to Wifi (which I could also monitor if I was worried about Echo sending a constant data stream).

Apple lets me select which apps can access both the microphone and the GPS. Of course you have to trust Apple, though they've made a big thing about privacy, as the biggest public company in the world, I don't think they'd risk lying about that.

Phones are accepted as common carrier devices, even if people don’t completely understand who gets access to the data, they know it’s been decently reviewed and “battle proven”.

The Echo is a completely new device from a company that has very little oversight and regulation, and laws and usages are not really up to date for these use cases.

Are you kidding? A secured cell phone (like a modern iphone) is a hell of a lot harder to turn into a bug than a quasi-smart device that needs the cloud for all its processing

> Do they assume/suspect that Echo/Amazon continuously records and logs audio, akin to a security camera?

Yes, I think random non-technical homicide detectives might very well assume this. They're fishing for anything they can get, even if it's a 1% chance. Almost certainly the subpoena response from Amazon will be that they are not in possession of a recording.

Is there any suggestion that a system is in place to lie openly and hand over a recording privately? Or is that only for national security cases?

If a company were keeping recordings they weren't allowed to make, and just lied to deny it, is there a verification process that could reveal the lie?

> she

It. Alexa is a device, not a person.

As are ships. But we still often say she.

I think using pronouns reserved for humans on a ship (engineered mass of wood/metal that doesn't spy on you and you can own) is more acceptable than using it on a company (which spies on you, is not something you own, etc).

Good luck lecturing people what to call things...

You must not have been anywhere near the tech community for, oh, the last five years or so... :-)

Alexa is a service, accessed [via an app] through devices. I have it on my phone and on an Amazon FireTV stick.

It's a matter of taste whether to apply a gendered pronoun to an object. Some people refer to their car as she or he.

Clearly from Amazon's pov it's a marketing thing, but I think you'll be aiming against a rather vicious current if you refuse to use gendered pronouns for tech that we interact with in a human manner.

Last time I stayed in an Airbnb rental, I discovered an Amazon Echo device in the room. I immediately unplugged it and then wondered whether the landlord has violated my privacy as a tenant. The consensus on a couple of forums I found discussing it was that the Echo doesn't record anything unless explicitly activated by the user, and so it's not anything like a wiretap. Some landlords were pretty condescending and dismissive of any claims to the contrary. I felt differently. I can't audit the device hardware/firmware/software to verify that it isn't tracking and recording information about me that I don't consent to be tracked or recorded when I'm in my rental unit.

> Do they assume/suspect that Echo/Amazon continuously records and logs audio, akin to a security camera? Or do they have evidence that Echo was actually activated around the time of the murders, or afterwards by the suspect himself?

They're looking for any scrap of information. It could be that someone tasked Alexa with something that becomes pertinent to determining motive, or opportunity, or even just presence or absence of an individual.

They're not necessarily (or even imaginably) thinking they'll get wiretap or bug type recordings. It's more like getting phone records - who did they call? Then following up those leads.

>Echo is doing far more surreptitious surveillance and analysis, i.e. not just listening for the trigger word

This should be trivial to prove.

It has been demonstrated that it does not send network traffic apart from requests made to it; e.g. it is not continuously streaming data. Of course that could be changed at any time with a software update that you have no choice about accepting. To prove it is not recording locally could be much more difficult, but there are practical questions there. What media is it recording to, and if the recordings are never sent to the cloud, what is the purpose of keeping them?

That does not demonstrate anything. It could "buffer" the data it wants to send and only send it after the trigger word is detected, precisely to trick such naive analysis.

That would result in a much larger payload, and a payload size that is variable depending on how long it has been, and how much audio was record-able between requests. But if instead we observe a small payload of constant size given the same request, regardless of how long between requests, then we can reasonably be assured the device is not doing this.

Or you can be reasonably sure the device is only sending a payload of max size N at a time, padding your requests with some recording data when it can

Any smart tv could be doing the same thing. Why do you think that Amazon in particular is likely to be conducting a massive, secret and illegal surveillance operation?

>Any smart tv could be doing the same thing.

And many have been found to, which kind of proves my point.

>Why do you think that Amazon in particular is likely to be conducting a massive, secret and illegal surveillance operation?

Uhm, because it makes money? Isn't that the answer to any "why" in our current economic system?

Many smart TVs have already been found to spy on you. Which answers your question.

How do we know your laptop is not doing this? Or your phone? Or your TV?

In fact, it seems more likely that your laptop would be doing this given that it probably has far more electronics inside it.

I would hope the researchers were competent enough to space out their explicit uploads with varying periods of noise, while also finding a decent approximation of how much data is uploaded per x seconds of audio.

Sure, Amazon could use all sorts of tricks to attempt to throw off reverse engineering, but it would be pretty hard to do so with a large enough set of tests.

I still don't understand why this is possible.

I've frequently seen the claim that an Echo only records brief snippets, looking for the wake word.

If that's so, there's next to nothing for Amazon to hand over.

It’s not possible. This is a classic example of the legal system confusing reality with science fiction.

You can monitor Echo itself over your network and quickly realize that it’s not sending a constant stream of voice data. For the most part the device is off until it hears its name.

Maybe they're hoping one of the parties involved yelled "Alexa!" as the crime was taking place. /s

Why sarcasm? If I was being attacked and remembered I would absolutely do that.

And the next question, what would you say to ensure it was recorded, identifiable, sent to the right person and had the right phrasing to ensure it could be used in court?

Well in that situation I'm dead, and have had a brief moment of lucidity to try and ensure my killer goes down after the fact.

It's the same reason you should try and bite the person attacking you and scratch the hell out of them.

"Alexa, John Smith is murdering me.".

Now, on my cell phone in the Alexa app, this text is present, regardless of anything else. Amazon also has this data. They absolutely have every command/request sent to them, even if the request was not understood/processed.

"Alexa, call the police"? Would that work?

Well now I want to try this with my Echo, but I'm too afraid it'll actually call the police and I won't know how to stop it haha

If you stay on the line and calmly tell the operator it was an accident or test call, it is absolutely fine.

I used to do telecom work for a machine shop. Part of my job was doing two 911 test calls every week (with and without an extra 9 for an outside line).

No, but calls to Alexa could at least establish certain timeframes when someone was doing something or was present at home.

Alexa, call the police! #### is here, and he's trying to hurt me!

Seems like a pretty good use for a voice-activated service.

"Alexa, lock the doors!" also sounds useful in this context.

Attacker: Alexa unlock the door for me.

I'm sorry Dave, I can't do that.

Does Alexa need Star Trek-style command codes.

"Alexa, unlock the door, command override Janeway alpha-two-phi."

The way a thief can unlock your phone, you mean?

not if you are trying to escape :X

It could be possible that Alexa was accidentally triggered and recorded interesting snippets as a side effect.

iFixit reports that it has 4GB of storage onboard [1]. That's room for 97 hours of mp3 96kbps audio [2], and if we're going full conspiracy they could have put an entirely different flash chip in there with the wrong markings.

[1] https://www.ifixit.com/Teardown/Amazon+Echo+Dot+Teardown/613...

[2] https://soundandpicture.com/2011/06/audio-memory-cards-how-m...

It would be super sketchy if it records any audio, since there's no real reason or need to do that for the features it provides.

Also, if we're going conspiracy mode: we're all surrounded by devices with very good microphones that are always on, primarily our phones.

It's not really a conspiracy. The CIA actively uses vulnerable phones, televisions, and other devices as clandestine listening devices.

99.9% of HN readers are just too boring (read: not terrorists or foreign officials) to have to worry about it.


There's a very simple reason why phones cannot be recording all the time - it would have an impact on the battery life. But an always plugged in device like the Echo does not have such a limitation.

On the other hand, if the government comes to Amazon with a valid sealed court order, are you willing to bet they'll stand up rather than start streaming audio recordings home?

Amazon winning DoD cloud business is actually the smartest thing the US government could do to align interests.

> a valid sealed court order

If the government show up with a valid court order, generally they can do what the hell they want? That's how justice works in a democracy?

I mean, yes? The need for a valid court order is so that the executive branch (e.g. law enforcement) can’t unilaterally surveil and detain people. The court makes this decision by looking at the laws, which are passed by the legislative branch. If the elected legislature passes a law that vastly lowers the barrier for govt intrusion, well, it’s not a great situation, but it is possible under democratic principles.

My comment was unclear, and I agree that this is how it's meant to work.

Democracy has nothing to do with it. But yes, it's how most if not all governments operate.

What would even be the legal basis for such a court order?

Terrorism related investigations.

It's not a legal stretch to extend CALEA wiretaps to IoT devices. And if the device manufacturer cooperates (in the same way ATT does), then the hurdles shrink drastically.

You don't see any distinction between

A) Giving the government access to communications that provider already has legal access to.

B) Collecting additional data from inside homes by exploiting current legal access to the software?

When the only difference is Amazon making a silent firmware push, or endangering $10B+ of business?


What does their business situation have anything to do with it?

If I hosted 10 billion dollars worth of unrelated business functionality, then told you to provide me with access for widespread surveillance purposes in an unrelated vertical of your business, you would think that is justifiable?

I beg your pardon, but what color is the sky where you are? Business doesn't work that way. Neither does ethics or morality.

Profit does not whitewash societal harm. It may create other business opportunities to remedy negative externalities, but there is no guarantee that the nature of the harm inflicted has a profitable capitalism compatible remediation.

This is one of those cases.

Who said anything about widespread surveillance?

The "government wants to listen to every Echo user" idea is paranoid fantasy.

The "government would really like to listen to these individuals, but doesn't want to go through full court proceedings" is less fanciful and not without precedent.

It's not just profit. It's the morass of backroom bargains to stave off regulation, honest desire to "do good", future contracts, and political goodwill.

There's a rich history of US technology companies enabling the government / military for all of the above reasons.

"Amazon/verizon - tell themagician's Alexa to start recording now. And don't tell themagician."

Joke's on them, I keep the Echo in the bathroom because I mainly use it to sing in the shower. So they can listen to me shit and sing “Call me Maybe”.

> You can monitor Echo itself over your network

No, you can't. The SSL certs are pinned.

You can determine the metadata and quantity of data transferred, but not the contents.

This is the point - a constant stream would be easily detected from metadata alone.

There is no need for constant stream.

Don’t know why you’re being downvoted. That device already has a ton of space to buffer updates.

Unless they have invented some kind of magic compression then I can. The Echo either sends nothing or tiny pings. If they’ve invented some kind of subspace coms channel that can stream an hour of voice over 12kb, then props.

Just because there's "next to nothing" doesn't mean there's actually nothing. The speech recognition sometimes has false positives on the wake word. Also there's the tiny chance that the victim yelled out Alexa in an attempt to get evidence to the police.

That information would likely be on the device itself, which the police have. However, this is about requests for information over on the Amazon servers - where it would be surprising to find they have anything of significance.

Huh? I haven't heard of the device itself storing any significant amount of data. And if it does, it would likely be somewhat difficult for the police to figure out how to get it.

On the other hand, it's widely documented that Amazon stores recordings on their servers every time the watch word activates. And Amazon provides users an easy interface to listen to those recordings.

> On the other hand, it's widely documented that Amazon stores recordings on their servers every time the watch word activates.

Right. And it doesn't look like that happened. This is some sort of fishing expedition based on the premise that Amazon gets more than just wake-word activated data.

>And it doesn't look like that happened.

What indication of that is there? My original comments were listing scenarios in which the wake word might have activated.

>based on the premise that Amazon gets more than just wake-word activated data.

I don't see that at all. It seems to me the police are saying "there's a chance the wake word activated, let's check, and if so, get those recordings".

> What indication of that is there? My original comments were listing scenarios in which the wake word might have activated.

And what indication do you have that it has happened?

> I don't see that at all. It seems to me the police are saying "there's a chance the wake word activated, let's check, and if so, get those recordings".

Well, no.

> "The court directs Amazon.com to produce forthwith to the court any recordings made by an Echo smart speaker with Alexa voice command capability, FCC ID number ZWJ-0823, from the period of January 27, 2017 to January 29, 2017, as well as any information identifying cellular devices that were paired to that smart speaker during that time period."

The key information for the police would probably be the device-pairings. It'd be more likely to occur and more helpful in proving the suspect was on-site at the time they're alleging.

My allegations are based on police misunderstanding how the device works.

> Prosecutors believe there are Echo recordings capturing the attack on Sullivan and removal of her body that could be found on the server maintained by Amazon.

... They believe the Echo recorded the entire attack, and then continued recording whilst the body was removed. That's a fair while for the Echo to continue recording after a wake word, especially one that is unlikely to be clear. Especially when, as far as I know, the Echo times out after 10 seconds when not given a valid command.

Unfortunately what you are quoting is text written by a journalist, not a direct quote of a prosecutor. Since journalists often misunderstand everything about the subject of their discourse, there is no way to know what prosecutors are actually hoping to find.

Sending voice data constantly is easy to catch on the user's side, by simply monitoring the traffic. So once they got caught, it is going to cost them a huge fortune and a complete meltdown in terms of customer trust. And on the technical side, this makes very little sense either: they only need to have the Alexa keyword detected and then go through the backend ASR service; otherwise the cost is going to be overwhelming.

Well, the recording could be near-continuous, but compressed and stored until a user makes a request. Therefore, you’d need to record the amount of data transmitted over a certain time period and set an upper bound based on that.

Of course, if you could install a custom cert on the device, you could just MiTM the connection and see exactly what is sent...

Technically possible? Sure. However, it just makes zero economical sense for them to do so. Sooner or later, they would get caught (reverse engineering, ex-employee, ...).

Now, if the device were to get compromised, it would be an entirely different story (and this is why I don't have one, despite trusting Amazon in that regard).

Why would you need voice? Just translate to text and send that. It’d be a very very small payload.
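The upper-bound argument in the comments above can be made concrete. The following is an added example, not part of the thread: it takes per-hour upstream byte counts for one device (constructed here, as a router's per-client counter might report them) and computes how many seconds of speech that volume could carry. The codec rates and the transcript rate are assumptions chosen for the estimate, not documented properties of any device.

```python
from dataclasses import dataclass
from statistics import median

# Constructed sample: upstream bytes per hour for one device over 24 hours.
# These are illustrative numbers, not real measurements.
HOURLY_UPSTREAM_BYTES = [
    40_000, 38_000, 41_000, 39_000, 40_000, 42_000,    # night: keep-alives only
    45_000, 310_000, 60_000, 44_000, 43_000, 41_000,   # burst in the 07:00 hour
    40_000, 42_000, 39_000, 41_000, 43_000, 520_000,   # burst in the 17:00 hour
    290_000, 47_000, 44_000, 41_000, 40_000, 39_000,   # burst in the 18:00 hour
]

# Assumed payload rates in bytes per second of speech. A lower rate gives a
# looser (more conservative) bound, because each byte covers more speech.
RATES_BYTES_PER_SPEECH_SECOND = {
    "audio_6kbps": 6_000 / 8,          # assumed floor for a low-bitrate speech codec
    "audio_24kbps": 24_000 / 8,        # assumed wideband speech codec
    "text_transcript": 150 * 6 / 60,   # assumed 150 words/min at 6 bytes/word
}


@dataclass
class Bound:
    label: str
    max_speech_seconds: float   # most speech the uploaded bytes could carry
    coverage: float             # fraction of the window that could be covered (capped at 1)
    rules_out_continuous: bool  # True if the bytes cannot cover the whole window


def speech_upper_bounds(byte_counts, window_seconds,
                        rates=RATES_BYTES_PER_SPEECH_SECOND):
    """Bound the speech carried by the total upload over the whole window.

    Every byte is treated as payload (no TLS/TCP overhead, no telemetry), so
    the result can only overestimate. The total over the window is used rather
    than per-hour figures because buffered audio could be uploaded later.
    """
    if window_seconds <= 0 or any(b < 0 for b in byte_counts):
        raise ValueError("window must be positive and byte counts non-negative")
    total = sum(byte_counts)
    bounds = {}
    for label, rate in rates.items():
        seconds = total / rate
        bounds[label] = Bound(
            label=label,
            max_speech_seconds=seconds,
            coverage=min(1.0, seconds / window_seconds),
            rules_out_continuous=seconds < window_seconds,
        )
    return bounds


def burst_hours(byte_counts, factor=3.0):
    """Hours whose upload exceeds `factor` times the median hour."""
    baseline = median(byte_counts)
    return [hour for hour, count in enumerate(byte_counts)
            if count > factor * baseline]


if __name__ == "__main__":
    window = len(HOURLY_UPSTREAM_BYTES) * 3600
    for bound in speech_upper_bounds(HOURLY_UPSTREAM_BYTES, window).values():
        print(f"{bound.label:16s} <= {bound.max_speech_seconds / 60:8.1f} min "
              f"({bound.coverage:.1%} of window), "
              f"continuous ruled out: {bound.rules_out_continuous}")
    print("burst hours:", burst_hours(HOURLY_UPSTREAM_BYTES))
```

With these constructed counts, the daily total rules out continuous audio even at the assumed 6 kbit/s floor, but it does not rule out a continuous text transcript, so byte counts alone settle only the audio question.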

The Alexa device itself is rather cheap, and running a relatively huge model on an 'edge' device is still fairly expensive and remains an open question. Again it falls into the economic side of things; it makes sense to adopt a layered model in this case, to delay more expensive processing to the server side.

A defense lawyer would have a ton of fun poking holes in the accuracy of speech-to-text, especially on a small device. (You could easily determine if the device is doing this kind of processing by looking at power draw or thermals. This stuff takes a lot of crunch).

Amazon isn't stupid. They know that if a back-door is found in these devices, or if they have bugs that allow them to be compromised, that they are toast in the market. I'd be surprised if they didn't have internal briefs and a bunch of planning on many scenarios like this.

Amazon has almost certainly made the most secure device it can, knowing it will be under intense scrutiny, and will have prepped its legal teams appropriately.

My phone, a several-year-old Moto G, a middling phone even when new, does a decent job at text to speech without noticeable thermal or power issues. And I don't have mobile data so it can't be that it's offloading it to a server.

The Alexa hardware is cheap and doesn't have a lot of computational horsepower, so you can get better accuracy by doing the speech recognition on the server side.

There most likely is nothing for Amazon to hand over, but the prosecution is asking on the speculation that there might be, and Amazon probably won't even answer that question without the legally-binding demand.

My company responds to subpoenas with a wiki article on how client side encryption works.

This is a glib and unhelpful response. Does your company potentially have access to data that may be useful in a legal investigation? Do you provide server side voice recognition services as accurate as Alexa/Google?

My company would respond to a similar subpoena by explaining that we make archery bows from wood. That also doesn't add anything to the HN discussion.

> My company would respond to a similar subpoena by explaining that we make archery bows from wood. That also doesn't add anything to the HN discussion.

I believe your parent's comment is relevant to this HN discussion, quite unlike your company's occupation. Your parent's comment suggests their company's users upload data (albeit encrypted client-side) to the company, so a judge could — without an understanding of client-side encryption — reasonably subpoena the company for user data. Compared to that, it is quite unlikely a judge would mistake a company that makes wooden archery bows for a company that collects much user data, or believe that the former fact has much to do with the latter supposition.

And if the judge is feeling especially generous, they'll respond to you with a Wikipedia article on contempt of court.

No, because the point of client-side encryption is that the service provider does not have the data to hand over.

I think the point is, if all they sent was a wiki article, they wouldn't be responding to the spirit of the subpoena. Instead they'd be expected to write up an explanation that they don't keep full data, and they would probably still be required to hand over metadata that might be useful.

And to be fair, the original commenter didn’t say that the only thing sent was the wiki article. It might be one of a dozen URLs included in the company’s reply boilerplate.

What stops your users from getting subpoenaed via their ISPs?

Presumably, their users have the right to not incriminate themselves.

The US right against self-incrimination does not protect against being required to provide records which already exist.

It only protects against being required to give incriminating statements of a testimonial nature.

As an extremely contrived example, if you've spontaneously written a confession to a crime and the cops learn of this, they can subpoena you and order you to hand it over. But they can't just require you to write out a confession or speak one in court.

(Cops do get people to confess, of course, but there is some element of persuasion and choice involved in that decision.)

As a much more common example, with the right level of evidence to motivate this request they can require your fingerprints as part of a criminal investigation. This is true even if they do not arrest you and even if the fingerprints will incriminate you. But they can't require you to answer incriminating questions.

This doesn't work for client-side encryption, though–I cannot be forced to give up my keys or passwords.

Client-side encryption doesn't always solve this.

Two main exceptions:

First, if the encryption is unlocked by a physical device that doesn't require a memorized code, or by your personal biometrics, they can get that without violating your right against self-incrimination.

Second, if they know what information is being hidden by the encryption and just need a copy of it to prove their case, the foregone conclusion doctrine lets them demand it anyway. (They are not demanding the key or password in this case, just a decrypted version of information they already know exists.)

But sure, in other cases it can have the effect you say.

> Second, if they know what information is being hidden by the encryption and just need a copy of it to prove their case, the foregone conclusion doctrine lets them demand it anyway.

Note that they are then not allowed to use the fact that you could unlock it against you.

True, but they can do that with the actual contents of the information itself, and also with the fact (if true) that you owned or possessed the encrypted device on which it was stored. Just not the fact that you knew how to unlock it.

There was a recent successful challenge to the "foregone conclusion" bit (in Florida?)

I'd be surprised if that decision survives another level of appeals court.

Do you mean G.A.Q.L. v State of Florida, decided last month by their state court system's Fourth District Court of Appeal? Here's a link to that opinion:


It doesn't actually challenge the foregone conclusion doctrine as applied to the data behind the passcode!

It simply concludes that the order to produce the passcodes itself would be forbidden testimonial self-incrimination under the Fifth Amendment, and that the state didn't show that they knew "with particularity" what the passcode was protecting, so they couldn't order production of that under the foregone conclusion doctrine.

It appears that it does reject the foregone conclusion as a means to get the passcode itself, because that's not what the state is really trying to do. Matthew Heiman agrees with you here that this may not be a correct decision: http://reason.com/volokh/2018/11/05/foreign-governments-will...

My understanding is that, while the question of compelling passcode disclosure is not fully settled law at the SCOTUS level or in most US circuit courts of appeals, the trend of rulings mostly grants first amendment rights to them. Do you know otherwise?

(Note I'm not a lawyer, just a former law student who continues to geek out about this stuff.)

Can you replace the link with this one? https://apnews.com/ebe802c103d64412aaef707e8719e946

I don't see what the problem is here. Amazon is required to just send some files to the court which is fine.

It's not like the iPhone case where the FBI wanted a sort of permanent backdoor that could be used for everyone.

If a murder happened in your house, the police should receive your Echo logs from Amazon.

Somebody or other's rule of action/expectation: If they can, they will.

The only brake is significant enough fear of repercussions to themselves.

I guess now I should RTFA. But seriously, put a monitoring device in your home ("Smart" TVs, too; whatever), and it will be monitored.

P.S. I hope I don't sound callous about the particular circumstance. Just, from an HN perspective, I think of more and ubiquitous technological oversight. And when I think e.g. of insurance companies measuring every last thing I do...

Where is the limit between the right to privacy and the need to help justice? Is the right to privacy immutable?

In a surprise to no one, recording devices installed in users’ homes have recordings used in a court of law against the homeowner.

In a surprise to no one, the third party doctrine means a warrant isn’t even required to demand these recordings from the cloud provider.

In a surprise to no one, the NSA can intercept these recordings (and associated speech to text transcripts), load all the associated data into their monster correlation engine, mine the shit out of it, and say they didn’t “collect” anything because they haven’t actually put a bag over your head, driven you to a black site, and waterboarded you. Yet.

Did we read different articles?

> recording devices installed in users’ homes have recordings used in a court of law against the homeowner

I didn't read that Amazon have said they have recordings of the incident? Did they? It seemed like they "might". Was the alleged murderer the home-owner, or the victims? In the latter, it looks like they've been used to support justice for the homeowners?

> the third party doctrine means a warrant isn’t even required

The article I read said that a "judge has ordered Amazon to turn over recordings". That sounds a lot like a warrant to me, and if it isn't, it sounds like it isn't only under a technicality of some sort?

> the NSA can intercept these recordings

I also didn't get that from the article you're replying to?

> Was the alleged murderer the home-owner, or the victims?

It’s funny because the answer to this reveals a lot with respect to OP’s comment about “being used against the homeowner in court”.

1. The homeowner was a known drug dealer to police and one of the victims was his girlfriend. (Normally these facts might make the homeowner a suspect)

2. As it turns out (maybe directly related to his reputation with police) he had surveillance cameras, so even without Alexa the video surveillance actually showed the defendant with the women before their death.

Not to say OP isn’t right and voice assistant recordings will regularly be used in court against their owners’ interest, but in this case it only helped and the homeowner already had video surveillance.

How do the particulars of this case have any relevance as to:

1) The implication of widespread proliferation of these types of recording devices

2) The accessibility/retention of the recordings for law enforcement

3) The long-standing legal framework around the third party doctrine and the NSA’s willingness to abuse third-party private data for data mining

It smacks of “think of the children!” to talk about what a bad guy they’re using the tech to help catch. Of course the early cases are sympathetic!

It’s not hard to see what’s coming when they put large blinking neon signs like this case up for us.

It just so happens that the company that makes these devices will be deriving a large portion of its profits in the coming decades from the same government which will very deeply want access to these records.

It also just so happens the company that makes these devices has already demonstrated how eager it is to hawk its panopticonic AI to that very same government for the purposes of mass surveillance.

> How do the particulars of this case [etc]

> It smacks of “think of the children!”

Your original comment of "against the homeowner" reads to me as a similar appeal to emotion.

> The accessibility/retention of the recordings for law enforcement

The particulars here seem to be that they probably don't have recordings, and those recordings -- if they exist -- were only obtainable under court supervision. You muddled -- deliberately or accidentally -- both of these points in your post.

> the NSA

Who were mentioned precisely zero places in the original article.

> It’s not hard to see what’s coming when they put large blinking neon signs like this case up for us

Except you've created a gigantic strawman:

* Law abiding citizen

* Warrantless seizure

* Referring to these devices as recording devices, where that's a serious distortion of the functionality they offer, and it's entirely unclear if there are any saved audio files, anywhere

* Claiming that the NSA would refer to diverting recordings from this as non-collections

And then attacked that.

No, I think the grandparent post was arguing about slowly eroding privacy. If they set a precedent, they could abuse it later.

I think we can all get behind privacy as a right. Making bad arguments for it doesn't help anyone though.

> How do the particulars of this case have any relevance as to...

Because the facts of this case are direct counter examples to all your points.

You claim no one is surprised Alexa is used in court against homeowners. Surprise: Alexa (and video surveillance) are actually being used as an alibi for the homeowner's innocence and potentially helping bring the murderer of the homeowner's girlfriend and friend to justice.

You bring up warrantless searches. Again in this case no warrant would be needed because the homeowner would want to voluntarily waive their rights and turn over any and all recordings that might help prove his innocence and bring the murderer to justice.

It’s strange you would question why I would bring up the facts of the case and call that a think about the children argument. Whereas ignoring the facts to make arguments that are contradicted by the facts of this case is exactly that...a think about the children [privacy] argument.

Well for one thing the police still had to get a court order to get the data. That's not "warrantless".

IANAL but this is a surprise to me. Ignoring the obvious issue of whether Echo actually is continuously recording and storing audio, SCOTUS ruled just a few months ago [0] that police need a warrant to obtain cell phone data, which is a setback to the idea that all digital info sent to the cloud is up for grabs to the U.S. gov.

And it would be a surprise to me if the NSA spent its time intentionally and broadly intercepting and analyzing the domestic recordings of the kind described in this case. Not just because it would be illegal, but pointless for their institutional mission, which they seem barely able to manage as is.

[0] https://www.wired.com/story/carpenter-v-united-states-suprem...

Cell-site location data is collected by cell phone companies incidentally but inseparably as a side-effect of using the phone. And using a phone is no longer seen as an optional device to carry around.

The Alexa recordings are collected as a primary function of the device purchased and setup at the whim of the owner specifically for the purpose of capturing audio in their own home for advanced processing and analysis by a third party.

The precedent you cite is unfortunately not going to protect this data, in my opinion, because the specific rationale the Supreme Court used to start requiring a warrant for cell site data is perfectly avoided in this case.

As for the NSA doing things that are illegal or “pointless for their institutional mission”, which also happen to massively infringe on basic human privacy rights,... it would seem from recent history that that is exactly what they are most likely to do.

I agree that the SCOTUS case cited is not in itself the fatal blow against third party doctrine. But it's a major step in the courts recognizing that pre-digital doctrines need adaptations/concessions to apply to a digital society. Again, IANAL, but if the third party doctrine includes Alexa requests, then why have police (at least in other jurisdictions) needed search warrants to get account info and content and emails from Facebook/Google? [0] Though I'm probably naive in hoping that there's a conclusive distinction; the third party doctrine would seemingly apply for the U.S. mail, but doesn't seem to.

I definitely didn't mean to imply that the NSA is above doing illegal activities. But it seems self-evident that people were very surprised by the Snowden revelations, enough to demand reforms [1] (or at least "gestures", if we want to be cynical). And people would be just as surprised to find out the NSA doing something far more invasive today. Laws and regulations don't mean that illegal activity will cease to exist -- but it makes such activity much more difficult/cumbersome to do, especially on such a wide-scale, without the conspiratorial buy-in from agency managers, leaders, and high-ranking legislators. So I'm not surprised that the NSA has the capability to do massive 1984-like domestic surveillance, but I would be surprised that such a program was approved and implemented. The laws/regulations on paper are what make it possible for anyone to get punished when someone like Snowden whistleblows.

[0] https://www.reviewjournal.com/crime/shootings/unsealed-docum...

[1] https://www.pbs.org/wgbh/frontline/article/how-the-nsa-spyin...

You would think that but you'd be surprised to learn from Snowden's leaks that the NSA does "waste time" and resources with a lot of this type of surveillance. We had to pass a new surveillance law just to get the NSA (and FBI) to stop pretending that it needs to collect 3-hop phone records (millions) for a single investigation and now we allow them to collect "only" 2-hop records (tens of thousands) in one investigation.

The NSA also does a lot of interception for World of Warcraft chats and other stuff like that. And the new FISA law allows 17 agencies (including DEA, IRS, SEC, etc.) to gain access and analyze raw internet data that passed unencrypted through internet cables. Oh and they don't need a warrant to do that either (very likely unconstitutional but still "legal" at the moment). They only need the warrant for the cherry picked data they intend to use in court. And of course we all know the damage against many innocents will already be done by then.

The third party doctrine is such bullshit. People have a (human) right to privacy in their homes. Banks don't get to say the money you put in one of their accounts is "theirs" do they? Why would you not benefit from the same kind of protection for your data?

Law enforcement has managed to convince some judges at the right time in history with their twisted logic and unfortunately the case precedent thing makes this a thing that goes on for decades, even though that old ruling is now being applied to orders of magnitude more data on someone compared to the original case.

Until this changes just minimize or completely eliminate anything that can both record what you say or do and also send it to someone else's servers. Eventually all humans will have to fight for (I guess new) rights that can protect them against overzealous governments using advertising companies, surveillance powers and artificial intelligence against them. I think the 2020's will be the new 50's in terms of fighting for new rights and against government oppression. I don't expect this to go down very peacefully. It almost never does in such cases.

> Banks don't get to say the money you put in one of their accounts is "theirs" do they?

They do. They even give it away to third parties. Legally speaking your bank deposit is a loan to the bank.

Subject to quite a few legal restrictions, of course.

And people looked at you like you were an absolute raving loon if you tried to explain the architecture of the ECHELON program, 15 years ago. Now who's laughing...

I encourage everyone who is not familiar with them to read all of James Bamford's books on the NSA. And Robert Baer's books on the CIA.

> And people looked at you like you were an absolute raving loon if you tried to explain the architecture of the ECHELON program, 15 years ago. Now who's laughing...

I would imagine Australia, Canada, New Zealand, the UK, & the US.

You get it, but it's sad you get down votes instead of good discussion. Let's also not forget: John Kiriakou, Julian Assange, Edward Snowden, Thomas Drake, William Binney, Daniel Ellsberg, James Risen, Ray McGovern, Sibel Edmonds, Michael Scheuer, and many more.

Collectively, they point to a much more insidious state of affairs than I think most people want to admit.

But why make the government pay for it, when users will go on Amazon.com and pay to install their very own personal cloud home listening devices all by themselves?!

They're insignificant in all of this compared to smartphones.

This is what I was thinking as well. Slowly creep until they have the power to turn on a person's phone at will to look and listen.

I once drew the ire of a large private security company and could have sworn they had the ability to listen to my cell phone microphone.

More: we disrespect your privacy and can’t get away with it there.

Or "we're not interested in being regulated by a foreign government".

Is there such thing as foreign in the internet? Can you choose to just not adhere to a law that protects the users? If the law was unfair it would be fair to resist, though.

Yes, there is such a thing as "foreign" on the Internet, a fact that has been dramatically demonstrated by China and North Korea, and also less dramatically by America (copyrights) and Europe (copyrights and privacy regulations). It is easy to forget that the Internet is only as international as governments are willing to allow, and that a government can (and some have) disconnect the domestic network in some country from the global Internet.

Fair is a matter of perspective and opinion and not a universal fact though.

It's more like: "our primary business model is collecting information about you so we can show you targeted ads".

This isn't really a shocker. It has been known since 2006[0] that the police (+TLAs) can use your cellphone as an eavesdropping tool.

The biggest problem I fear is that this will become socially acceptable in the US as it has with the authoritarian gov't in China.


EDIT: Why is my comment being downvoted? And why can't I edit it?

While it may not be socially acceptable yet, it is already socially accepted :).

Between smartphone, car computer, video cameras everywhere, license plates readers, credit card records, etc. government has pretty much all the details of my life (in some fusion center by Palantir). Adding smart home, drones and whatever else just incrementally improves the quality of that collection while not changing the already established situation in principle.

I guess it's known in very certain circles on what goes in the 'establishment' but to say that it is now socially acceptable? I doubt it.

Actually, after the Snowden revelations, there was a big political uproar and they almost got enough votes to completely defund the NSA[0]. Unfortunately our constitutional lawyer in charge (Obama) was able to defeat the bill.

While they are collecting everything on everyone pretty much (xkeyscore, prism, turbine etc), there's a good chance that things will change when people are aware of it. As we have the right to choose who leads us.

[0]: https://www.washingtonpost.com/news/post-politics/wp/2013/07...

