I was also interested in this quote:
> "I think most people probably don't even realize that Alexa is taking account of what's going on in your house, in addition to responding to your demands and commands," said Albert Scherr, a professor at the University of New Hampshire School of Law.
What is it that users don’t realize? Anecdotally, just about everyone I know who has refused to have an Echo do so because they believe Echo is doing far more surreptitious surveillance and analysis, i.e. not just listening for the trigger word. Though I’m sure most users don’t realize that when Alexa does trigger, she sends the audio to the Amazon mothership, which are then stored/analyzed for an indefinite time. Though most people don’t realize the most basic things about data, like how when you friend someone on FB, FB actually stores a log of your friends, and any other kind of stated interaction, such as the users you’ve blocked
The Union-Leader quotes the district attorney's request, which seems to have cognizance of how Echo works:
> On Oct. 30, Senior Assistant Attorney General Geoffrey Ward asked Houran to direct Amazon.com to produce any recordings made between Jan. 27 and Jan. 29, 2017, suggesting evidence of the crime of murder and/or hindering apprehension of prosecution could be found on the device.
> “As part of the normal functioning of an Echo electronic device activated either intentionally or accidentally by ‘wake up words,’ audio recordings are made of the moment when the device is activated,” Ward wrote.
> “Specifically, when the Echo detects a ‘wake up word(s),’ the device begins audio recording through its integrated microphones, including recording the fraction of a second of audio before the ‘wake up word(s),’” Ward continued.
> The motion, which was made in lieu of an application for a search warrant, also asks for information identifying cellular devices that were paired to that smart speaker in that time period.
If there's one thing these kinds of stories have effected in me, it's the knowledge that I should scream "Alexa!" (or maybe Siri/OK Google depending on which room) right before I get murdered in my own home.
Also, there may be trigger words that cause recordings even if no actions need to be taken...
I think it's more a case of "don't care" / "don't realize the risks"
So much of what is collected today completely hinges on the fact that the public doesn't even grasp the feasibility nor the desirability of keeping track of them.
I'd imagine there's a default "we store your data for AI training purposes" that would allow them to keep all audio.
Is there info on this from Amazon? I'd assume they do what you mention, have the speech recognition in the Alexa and just send up the words, not the entire audio stream.
Interesting implication of that in this case: if the actual audio is gone and you just have the transcription, is that valid as evidence? Or is it something closer to hearsay
Additionally, Amazon receives several seconds of audio _before_ the trigger word was used
Edit: I can't find a source for this, but IIRC this was part of the initial Echo roll out, and one of the reasons I decided not to purchase. Perhaps Amazon has changed this so now it only listens and sends data after the wakeword.
It does appear to have been updated: "When you use the wake word, the audio stream includes a fraction of a second of audio before the wake word, and closes once your request has been processed."
You answered yourself in an exemplary fashion, but I'll state it explicitly (and simply). People don't think about it. I'd like to imagine anyone who realises the implications of owning such a device would refuse to own one, although I know I'm mistaken.
I don't mean that people should know better (although ofc they should), but new technology is all too easily likened to any household appliance nowadays. Alexa is a utility, for better and worse.
It's my opinion that we should very much attempt to educate the non-professional about the realities of these spy-machines, in much the same way we don't teach people about dishwashers.
As for the article: I find it morbidly curious that I could tell Alexa who is murdering me. A benign 1984 for now I suppose.
You are mistaken. I use my Alexa everyday. I suppose if someone creates a better version that doesn’t phone home, I’ll switch. In the meantime, I really enjoy having this type of device.
By the way, last year I blogged about the need for HN users to constantly complain about Alexa’s privacy.
If you could take that energy and build an open source replacement, that would be more worthwhile.
We talk about the "identity theft" problem here quite a bit. One time someone wrote about how there is no such thing as identity theft. If someone persuaded a bank to give them money by pretending it was me, the thief didn't steal anything from me. The bank gave the thief money and should try to recover it themselves. I'm not a part of that equation.
I think it is stupid to establish any kind of causality based on the things I search online or the things I do on the computer. The problem isn't that Amazon is recording my activity. The problem is that somehow we allow this to be admissible in a court of law. My shower thoughts don't make me a criminal. I'm innocent until proven guilty. Searching for nitroglycerine or whatever is not the same as the proverbial trout in cow milk that prosecutors claim to be. What's next? Private diaries as evidence that I killed someone?
Well if your diary contains perpetrator's knowledge then obviously yes? Even if not, it may count as circumstantial evidence.
I've been hearing recently about how the forensic "science" we allow in the court room isn't all that scientific either. I think our law enforcement and our prosecutors are just too lazy. I'd not mind so much if they let criminals free but it seems they will try to frame someone who is plausible and let "science", "evidence", and "experts" do the talking which is not good.
I think we should provide proper incentives for our prosecutors. We clearly can't lean on their moral compass.
I'm genuinely curious because your comment made me think I might be entirely missing the point of those devices.
That is contradictory.
If enough of these devices are installed, having every utterance recorded will become a fact of life. You might not care, but when people believe they are being recorded they become less willing to challenge authority. That might be something society is willing to accept, but according to your individualistic view, society will not be asked -- it would only take a minority of people installing these devices to create a world of widespread surveillance, and the majority of people would never have been asked for their consent.
If a friend has really idiosyncratic and unusual preferences, they should be good enough to announce those when they visit. Of course a normal host would be willing to unplug their Google Home or Amazon Echo.
See Cory Doctorow on how privacy invasion socializes risk.
The Echo is a completely new device from a company that has very few oversight and regulation, and laws and usages are not really up to date for these use cases.
Yes, I think random non-technical homicide detectives might very well assume this. They're fishing for anything they can get, even if it's a 1% chance. Almost certainly the subpoena response from Amazon will be that they are not in possession of a recording.
If a comment were keeping recordings they weren't allowed to make, and just lied to deny it is there a verification process that could reveal the lie?
It. Alexa is a a device, not a person.
It's a matter of taste whether to apply a gendered pronoun to an object. Some people refer to their car as she or he.
Clearly from Amazon's pov it's a marketing thing, but I think you'll be aiming against a rather vicious current of you refuse to use gendered pronouns for tech that we interact with in a human manner.
They're looking for any scrap of information. It could be that someone task Alexa with something that becomes pertinent to determining motive, or opportunity, or even just presence or absence of an individual.
They're not necessarily (or even imaginably) thinking they'll get wiretap or bug type recordings. It's more like getting phone records - who did they call? Then following up those leads.
This should be trivial to prove.
And many have been found to, which kind of proves my point.
>Why do you think that Amazon in particular is likely to be conducting a massive, secret and illegal surveillance operation?
Uhm, because it makes money? Isn't that the answer to any "why" in our current economic system?
In fact, it seems more likely that your laptop would be doing this give that it probably has far more electronics inside it.
Sure, Amazon could use all sorts of tricks to attempt to throw off reverse engineering, but it would be pretty hard to do so with a large enough set of tests.
I've frequently seen the claim that an Echo only records brief snippets, looking for the wake word.
If that's so, there's next to nothing for Amazon to hand over.
You can monitor Echo itself over your network and quickly realize that it’s not sending a constant stream of voice data. For the most part the device is off until it hears its name.
It's the same reason you should try and bite the person attacking you and scratch the hell out of them.
Now, on my cell phone in the Alexa app, this text is present, regardless of anything else. Amazon also has this data. They absolutely have every command/request sent to them, even if the request was not understood/processed.
I used to do telcom work for a machine shop. Part of my job was doing two 911 test calls every week (with and without an extra 9 for an outside line).
Seems like a pretty good use for a voice-activated service.
"Alexa, lock the doors!" also sounds useful in this context.
"Alexa, unlock the door, command override Janeway alpha-two-phi."
Also, if we're going conspiracy mode: we're all surrounded by devices with very good microphones that are always on, primarily our phones.
99.9% of HN readers are just too boring (read: not terrorists or foreign officials) to have to worry about it.
Amazon winning DoD cloud business is actually the smartest thing the US government could do to align interests.
If the government show up with a valid court order, generally they can do what the hell they want? That's how justice works in a democracy?
It's not a legal stretch to extend CALEA wiretaps to IoT devices. And if the device manufacturer cooperates (in the same way ATT does), then the hurdles shrink drastically.
A) Giving the government access to communications that provider already has legal access to.
B) Collecting additional data from inside homes by exploiting current legal access to the software?
If I hosted 10 billion dollars worth of unrelated business functionality, then told you to provide me with access for widespread surveillance purposes in an unrelated vertical of your business, you would think that is justifiable?
I beg your pardon, but what color is the sky where you are? Business doesn't work that way. Neither does ethics or morality.
Profit does not whitewash societal harm. It may create other business opportunities to remedy negative externalities, but there is no guarantee that the nature of the harm inflicted has a profitable capitalism compatible remediation.
This is one of those cases.
The "government wants to listen to every Echo user" idea is paranoid fantasy.
The "government would really like to listen to these individuals, but doesn't want to go through full court proceedings" is less fanciful and not without precedent.
It's not just profit. It's the morass of backroom bargains to stave off regulation, honest desire to "do good", future contracts, and political goodwill.
There's a rich history of US technology companies enabling the government / military for all of the above reasons.
No, you can't. The SSL certs are pinned.
You can determine the metadata and quantity of data transferred, but not the contents.
On the other hand, it's widely documented that Amazon stores recordings on their servers every time the watch word activates. And Amazon provides users an easy interface to listen to those recordings.
Right. And it doesn't look like that happened. This is some sort of fishing expedition based on the premise that Amazon gets more than just wake-word activated data.
What indication of that is there? My original comments were listing scenarios in which the wake word might have activated.
>based on the premise that Amazon gets more than just wake-word activated data.
I don't see that at all. It seems to me the police are saying "there's a chance the wake word activated, let's check, and if so, get those recordings".
And what indication do you have that it has happened?
> I don't see that at all. It seems to me the police are saying "there's a chance the wake word activated, let's check, and if so, get those recordings".
> "The court directs Amazon.com to produce forthwith to the court any recordings made by an Echo smart speaker with Alexa voice command capability, FCC ID number ZWJ-0823, from the period of January 27, 2017 to January 29, 2017, as well as any information identifying cellular devices that were paired to that smart speaker during that time period."
The key information for the police would probably be the device-pairings. It'd be more likely to occur and more helpful in proving the suspect was on-site at the time they're alleging.
My allegations are based on police misunderstanding how the device works.
> Prosecutors believe there are Echo recordings capturing the attack on Sullivan and removal of her body that could be found on the server maintained by Amazon.
... They believe the Echo recorded the entire attack, and then continued recording whilst the body was removed. That's a fair while for the Echo to continue recording after a wake word, especially one that is unlikely to be clear. Especially when, as far as I know, the Echo times out after 10 seconds when not given a valid command.
Of course, if you could install a custom cert on the device, you could just MiTM the connection and see exactly what is sent...
Now, if the device were to get compromised, it would be an entirely different story (and this is why I don't have one, despite trusting Amazon in that regard).
Amazon isn't stupid. They know that if a back-door is found in these devices, or if they have bugs that allow them to be compromised, that they are toast in the market. I'd be surprised if they didn't have internal briefs and a bunch of planning on many scenarios like this.
Amazon has almost certainly made the most secure device it can, knowing it will be under intense scrutiny, and will have prepped its legal teams appropriately.
My company would respond to a similar subpoena by explaining that we make archery bows from wood. That also doesn't add anything to the HN discussion.
I believe your parent's comment is relevant to this HN discussion, quite unlike your company's occupation. Your parent's comment suggests their company's users upload data (albeit encrypted client-side) to the company, so a judge could — without an understanding of client-side encryption — reasonably subpoena the company for user data. Compared to that, it is quite unlikely a judge would mistake a company that makes wooden archery bows for a company that collects much user data, or believe that the former fact has much to do with the latter supposition.
It only protects against being required to give incriminating statements of a testimonial nature.
As an extremely contrived example, if you've spontaneously written a confession to a crime and the cops learn of this, they can subpoena you and order you to hand it over. But they can't just require you to write out a confession or speak one in court.
(Cops do get people to confess, of course, but there is some element of persuasion and choice involved in that decision.)
As a much more common example, with the right level of evidence to motivate this request they can require your fingerprints as part of a criminal investigation. This is true even if they do not arrest you and even if the fingerprints will incriminate you. But they can't require you to answer incriminating questions.
Two main exceptions:
First, if the encryption is unlocked by a physical device that doesn't require a memorized code, or by your personal biometrics, they can get that without violating your right against self-incrimination.
Second, if they know what information is being hidden by the encryption and just need a copy of it to prove their case, the foregone conclusion doctrine lets them demand it anyway. (They are not demanding the key or password in this case, just a decrypted version of information they already know exists.)
But sure, in other cases it can have the effect you say.
Note that they are then not allowed to use the fact that you could unlock it against you.
I'd be surprised if that decision survives another level of appeals court.
It doesn't actually challenge the foregone conclusion doctrine as applied to the data behind the passcode!
It simply concludes that the order to produce the passcodes itself would be forbidden testimonial self-incrimination under the Fifth Amendment, and that the state didn't show that they knew "with particularity" what the passcode was protecting, so they couldn't order production of that under the foregone conclusion doctrine.
It appears that does it reject the foregone conclusion as a means to get the passcode itself, because that's not what the state is really trying to do. Matthew Heiman agrees with you here that this may not be a correct decision: http://reason.com/volokh/2018/11/05/foreign-governments-will...
My understanding is that, while the question of compelling passcode disclosure is not fully settled law at the SCOTUS level or in most US circuit courts of appeals, the trend of rulings mostly grants first amendment rights to them. Do you know otherwise?
(Note I'm not a lawyer, just a former law student who continues to geek out about this stuff.)
The existing link is a spamfest.
It's not like the iphone case where FBI wanted a sort of permanent backdoor that could be used for everyone.
If a murder happened in your house, the police should receive
your echo logs from amazon.
The only brake is significant enough fear of repercussions to themselves.
I guess now I should RTFA. But seriously, put a monitoring device in your home ("Smart TV's, too; whatever), and it will be monitored.
P.S. I hope I don't sound callous about the particular circumstance. Just, from an HN perspective, I think of more and ubiquitous technological oversight. And when I think e.g. of insurance companies measuring every last thing I do...
In a surprise to no one, the third party doctrine means a warrant isn’t even required to demand these recordings from the cloud provider.
In a surprise to no one, the NSA can intercept these recordings (and associated speech to text transcripts), load all the associated data into their monster correlation engine, mine the shit out of it, and say they didn’t “collect” anything because they haven’t actually put a bag over your head, driven you to a black site, and waterboarded you. Yet.
> recording devices installed in users’ homes have recordings used in a court of law against the homeowner
I didn't read that Amazon have said they have recordings of the incident? Did they? It seemed like they "might". Was the alleged murderer the home-owner, or the victims? In the latter, it looks like they've been used to support justice for the homeowners?
> the third party doctrine means a warrant isn’t even required
The article I read said that a "judge has ordered Amazon to turn over recordings". That sounds a lot like a warrant to me, and if it isn't, it sounds like it isn't only under a technicality of some sort?
> the NSA can intercept these recordings
I also didn't get that from the article you're replying to?
It’s funny because the answer to this reveals a lot with respect to OPs comment about “being used against the homeowner in court”.
1. The homeowner was a known drug dealer to police and one of the victims was his girlfriend. (Normally these facts might make the homeowner a suspect)
2. As it turns out (maybe directly related the his reputation with police) he had surveillance cameras, so even without Alexa the video surveillance actually showed the defendant with the women before their death.
Not to say OP isn’t right and voice assistant recordings will regularly be used in court against their owners interest, but in this case it only helped and the home owner already had video surveillance.
1) The implication of widespread proliferation of these types of recording devices
2) The accessibility/retention of the recordings for law enforcement
3) The long-standing legal framework around the third party doctrine and the NSA’s willingness to abuse third-party private data for data mining
It smacks of “think of the children!” to talk about what a bad guy they’re using the tech to help catch. Of course the early cases are sympathetic!
It’s not hard to see what’s coming when they put large blinking neon signs like this case up for us.
It just so happens that the company that makes these devices will be deriving a large portion of its profits in the coming decades from the same government which will very deeply want access to these records.
It also just so happens the company that makes these devices has already demonstrated how eager it is to hawk its panopticonic AI to that very same government for the purposes of mass surveillance.
> It smacks of “think of the children!”
Your original comment of "against the homeowner" reads to me as a similar appeal to emotion.
> The accessibility/retention of the recordings for law enforcement
The particulars here seem to be that they probably don't have recordings, and those recordings -- if they exist -- were only obtainable under court supervision. You muddled -- deliberately or accidentally -- both of these points in your post.
> the NSA
Who were mentioned precisely zero places in the original article.
> It’s not hard to see what’s coming when they put large blinking neon signs like this case up for us
Except you've created a gigantic strawman:
* Law abiding citizen
* Warrantless seizure
* Referring to these devices as recording devices, where that's a serious distortion of the functionality they offer, and it's entirely unclear if there are any saved audio files, anywhere
* Claiming that the NSA would refer to diverting recordings from this as non-collections
And then attacked that.
Because the facts of this case are direct counter examples to all your points.
You claim no one is surprised Alexa is used in court against homeowners. Surprise Alexa (and video surviellence) are actually being used as a alibi for the homeowners innocence and potentially helping bring the murderer of the homeowners girlfriend and friend to justice.
You bring up warrantless searches. Again in this case no warrant would be needed because the homeowner would want to voluntarily waive their rights and turn over any and all recording that might help prove his innocence and bring the murderer to justice.
It’s strange you would question why I would bring up the facts of the case and call that a think about the children arguement. Whereas ignoring the facts to make arguements that are contradicted by the facts of this case is exactly that...a think about the children [privacy] arguement.
And it would be a surprise to me if the NSA spent its time intentionally and broadly intercepting and analyzing the domestic recordings of the kind described in this case. Not just because it would be illegal, but pointless for their institutional mission, which they seem barely able to manage as is.
The Alexa recordings are collected as a primary function of the device purchased and setup at the whim of the owner specifically for the purpose of capturing audio in their own home for advanced processing and analysis by a third party.
The precedent you cite is unfortunately not going to protect this data, in my opinion, because the specific rationale the Supreme Court used to start requiring a warrant for cell site data are perfectly avoided in this case.
As for the NSA doing things that are illegal or “pointless for their institutional mission”, which also happen to massively infringe on basic human privacy rights,... it would seem from recent history that that is exactly what they are most likely to do.
I definitely didn't mean to imply that the NSA is above doing illegal activities. But it seems self-evident that people were very surprised by the Snowden revelations, enough to demand reforms  (or at least "gestures", if we want to be cynical). And people would be just as surprised to find out the NSA doing something far more invasive today. Laws and regulations don't mean that illegal activity will cease to exist -- but it makes such activity much more difficult/cumbersome to do, especially on such a wide-scale, without the conspiratorial buy-in from agency managers, leaders, and high-ranking legislators. So I'm not surprised that the NSA has the capability to do massive 1984-like domestic surveillance, but I would be surprised that such a program was approved and implemented. The laws/regulations on paper are what make it possible for anyone to get punished when someone like Snowden whistleblows.
The NSA also does a lot of interception for World of Warcraft chats and other stuff like that. And the new FISA law allows 17 agencies (including DEA, IRS, SEC, ETC) to gain access and analyze raw internet data that passed unencrypted through internet cables. Oh and they don't need a warrant to do that either (very likely unconstitutional but still "legal" at the moment). They only need the warrant for the cherry picked data they intend to use in court. And of course we all know the damage against many innocents will already be done by then.
Law enforcement has managed to convince some judges at the right time in history with their twisted logic and unfortunately the case precedent thing makes this a thing that goes on for decades, even though that old ruling is now being applied to orders of magnitude more data on someone compared to the original case.
Until this changes just minimize or completely eliminate anything that can both record what you say or do and also send it to someone else's servers. Eventually all humans will have to fight for (I guess new) rights that can protect them against overzealous governments using advertising companies, surveillance powers and artificial intelligence against them. I think the 2020's will be the new 50's in terms of fighting for new rights and against government oppression. I don't expect this to go down very peacefully. It almost never does in such cases.
They do. They even give it away to third parties. Legally speaking your bank deposit is a loan to the bank.
I encourage everyone who is not familiar with them to read all of James Bamford's books on the NSA. And Robert Baer's books on the CIA.
I would imagine Australia, Canada, New Zealand, the UK, & the US.
Collectively, they point to a much more insidious state of affairs than I think most people want to admit.
Aka: "We're not gonna adhere to privacy shit."
The biggest problem I fear is that this will become socially acceptable in US as it has with the authoritarian gov't in China.
Between smartphone, car computer, video cameras everywhere, license plates readers, credit card records, etc. government has pretty much all the details of my life (in some fusion center by Palantir). Adding smart home, drones and whatever else just incrementally improves the quality of that collection while not changing the already established situation in principle.
Actually, after the Snowden revelations, there was a big political uproar and they almost got enough votes to completely defund the NSA. Unfortunately our constitutional lawyer in charge(obama) was able to defeat the bill.
While they are collecting everything on everyone pretty much(xkeyscore, prism, turbine etc), there's a good chance that things will change when people are aware of it. As we have the right to choose who leads us.