Listen up: Alexa isn't spying on you, and this 'spying' skill only proves it

It’s fair to say there’s a certain amount of fear around smart speakers at the moment, as these tiny devices that we put on our coffee tables and bookshelves have the potential to listen in on our every conversation. 

It harks back to the fear at the center of George Orwell’s dystopian classic 1984. Perhaps even further back, to something more primal, to the monster under the bed, the unseen but seeing. 

It’s easy to draw the 1984 parallel because, like the ever-present screens in the sci-fi masterpiece, our smart speakers (and even more similar smart displays) are swiftly working their way into every corner of our lives.

No matter the protestations from the companies that are making these speakers that claim they are only listening for ‘wake’ words, and only send information back to their servers when they’ve been decidedly activated, we still cling to the fear that Amazon (or Google, or Microsoft, or Apple) is spying on us. 

Follow the data

It doesn’t help that there are freaky news stories like Echo devices laughing for no reason, the Echo being hacked, and even news that it's being manipulated to be a spying device by just using a normally-produced skill. 

But here’s the thing – and try to keep an open mind when reading this – it’s more likely that they’re not spying on you, than they are. The problem is that these companies will never be able to prove to you that they aren’t spying on you, because it is almost impossible prove a negative.

That whole ‘can’t prove a negative’ thing is the exact reason that in most judicial systems around the world, the burden of proof lies always with the claimant. 

I could accuse you, dear reader, of dressing up as a giant tuna fish, and without providing footage of yourself at every moment of your life, you can’t prove that you don’t. That’s an unfair burden.

As the claimant, the burden of proof lies with me to provide pictorial evidence of your fishy endeavors in order to make my accusation stand. And so far, no one has managed to prove that smart speakers are spying on you. 

The recent news that security firm Checkmarx created a skill that allowed it to turn Echo speakers into spy devices (below) actually does more to disprove than prove the theorem. 

In the skill, Checkmarx took advantage of a vulnerability (which has now been fixed) that used Alexa’s ‘I didn’t quite get that’ feature, where it can keep listening after a request. The team muted the line from Alexa, so the speaker continued recording without audibly telling you that it was. 

The team then adjusted the recording length so that this second ‘secret’ recording could last an indefinite amount of time (although it would automatically cut out after a couple of minutes). 

The first thing worth noting is that it wasn’t totally secret, as the Echo speaker would still have its ‘listening’ light on. The second is that this would only give you a couple of minutes of information after the interaction with a maliciously coded skill that the user would have to want to use.

The third, is that the attacker would only be able to receive a written transcription of the conversation. Amazon does have the ability to receive recorded audio (stay calm), but the sheer amount of server space needed to process recorded audio from the millions of Echo speakers around the world would make constant spying an absolute technical impossibility. 

There was a patent filed by Amazon that would circumnavigate this issue by using emotive words as triggers, so every time you say you 'like', 'love', or 'hate' something, your Echo would be able to monitor what that was and tailor your ads based on those preferences. 

While worrying, this is only a patent not a statement of intent, and if you took every creepy patent (those are three separate links) at face value, you'd have some pretty big questions about all the companies you give your custom to. 

Put down the pitchfork

Now, that’s not to say that the requests you make of Alexa don’t get logged and your data used by the company, but that’s your choice. It’s the same thing as you giving your data to Facebook every time you share a video, or Google every time you search for unicorn onesies. 

I want to make it clear that I'm not saying smart speaker spying definitely isn’t happening, or that it’s not possible for it to happen with the advancements in quantum computing and AI we're currently seeing, but just that if you’re currently working from the assumption that they are spying on you just because you’re afraid of it, then you should probably challenge that assumption. 

Via Wired

Andrew London

Andrew London is a writer at Velocity Partners. Prior to Velocity Partners, he was a staff writer at Future plc.