This is some text inside of a div block.

Amazon Alexa and data protection

Amazon Alexa – Big Brother is watching you

In many households today you can find so-called language assistants, which are supposed to make life a little easier and more convenient. The range is large and many competitors offer the intelligent speech recognition systems in different versions and performance classes. "Siri" should be familiar to every Apple user, Samsung users swear by "Bixby" and the software giant Microsoft also offers its own software with "Cortana". Amazon relies on "Alexa", which only requires a stable Internet connection and can also be operated via an existing Amazon account. Especially the factor Privacy policy is often discussed with the virtual assistant "Alexa" and should be examined in more detail in this article.

How can "Alexa" support people?

If "Alexa" is set up, the voice assistant is always ready to accept and execute spoken commands. Amazon Music users, for example, swear by the prompt delivery of the music they want, which can be played by voice command. If the Amazon password is given, every command from this point on is sent to the Amazon cloud and processed here. With a blue light, "Alexa" signals to the user that data is being transmitted in encrypted form.

Alexa can be of great help to people in many ways. The connection to Amazon allows orders to be carried out by voice command, the connection to Amazon Music opens up a gigantic music library, knowledge can be called up and “Alexa” also offers games and fun for boring hours. Third-party providers can also offer functions via so-called skills that the user can call up at any time and thus enrich the “Alexa” range enormously. At the same time, "Alexa" also offers the control of household appliances, voice messages can be sent and telephony is also possible.

"Alexa" is criticized for data protection

"Alexa" undoubtedly offers many advantages in the household, but even the best language assistant is not above all criticism and data protectionists therefore see "Alexa" as an intrusion into privacy, which should be examined in terms of data protection law.

How is the data transfer with Alexa to be evaluated?

Of course, applications and services that the "Alexa" user wants to obtain must be exchanged via data transfer. The alarm bells will ring for every data protection officer, since the information is stored on servers that are located in the USA and are therefore also stored and processed there. Since the USA is not an EU/EEA state, this work step can be viewed more critically from the point of view of a data protection officer.

Third-party providers – the so-called “Alexa Skills”

"Alexa" grows with the "skills" offered, which can be called up by third-party providers. A large-scale study in which over 90.000 skills were analyzed and evaluated shows that there is often a lack of transparency as to which third-party providers are really involved. The third-party providers and the skills they offer are certified by Amazon, but it is certainly possible to subsequently change the skills and thus obtain additional user data. This is an undesirable scenario, especially in the credit card sector, but one that should always be kept in mind. At the same time, the analysis found that many third-party data protection declarations have gaps and can therefore be classified as insufficient.

Big Brother in the house - is Alexa listening to us?

Of course, the "Alexa" microphones are permanently active to receive a voice command - but this means that "Alexa" also processes and evaluates data and information around the clock. This persistent presence is viewed with suspicion by privacy advocates.

The fact is that when using the voice assistant “Alexa” for the first time, a full and express declaration of consent to the terms of use is obtained. This declaration is made in accordance with Article 6(1)(a) GDPR and this should at least adequately meet the information requirements of Articles 13 and 14 GDPR. Sufficient here means that the data protection declaration was formulated rather vaguely and the company could be held fully responsible in this regard. Fines of four percent of the annual turnover are to be imposed for violations, but so far nothing has happened in this regard.

There are many critical voices regarding the data protection declaration, since “Alexa” can also be wrong when evaluating the code word, since some words are very similar and security is therefore not fully guaranteed. If an incorrect code word was accepted by "Alexa", an immediate data processing process starts that is not covered by the declaration of consent. In this case, the user is unintentionally intercepted and the data obtained is further processed by Amazon in the USA - a clear and unintentional intrusion into the privacy of the person concerned!

Does "Alexa" also listen to visitors and guests?

Visitors are not included in the user's declaration of consent and thus "Alexa" records all existing conversations and noises after activation. Children in particular are not exempt from this procedure and data protectionists are therefore questioning the legal basis for recording and exploitation. If children are affected, the legal guardians must consent to the data processing. At the same time, “Alexa” also receives and processes data and personal data that relate to intimate and private spheres and are generally not intended for processing.

What does Amazon use the information and data it collects for?

Amazon uses all the information and data received to optimize the system, so the voice command does not just carry out a desired action. According to Amazon, the optimization should, for example, improve individual speech recognition and better tailor the assistant to the user.

In terms of data protection, it should be noted that Amazon employees listen to voice recordings, evaluate them and improve the recognition quality of the commands for this reason.

The extent of the eavesdropping activities is unknown and Amazon is keeping a low profile in this regard. It is also unclear who has access to the existing user data. The fact is that Amazon creates a user profile in order to tailor advertising and offers to the user.

Personal data and the use of "Alexa"

Amazon uses all data received to generate a personal profile that is as accurate as possible. This data is a valuable basis for marketing campaigns and consumer research. However, conclusions drawn about a specific person must be processed in accordance with the principles of the GDPR.

Every user of the voice assistant also has the right to information in accordance with Article 15 of the GDPR. This means that the user can request all collected data from Amazon.

The user accepts that the assistant receives information about family relationships, hobbies, surfing behavior, taste in music and even manages and uses the bank details - but companies like Amazon use the data even more sophisticated and want to be able to evaluate and use the goods users in their overall behavior.

Many people refer to data protection and pass on as little information and data as possible to external people, but the understanding of the protection of personal data seems to end with a surveillance object in their own four walls. The “Alexa” user tolerates the spy in their own home and willingly feeds them new, sensitive data. A key fact here is that more than 56% of Germans are upset internally about corporations that act as data octopuses and are of the opinion that personal data is only inadequately protected. If you look at this opinion poll, you will see that despite this negative mood, more and more people are relying on language assistants and the sales figures have long since reached dizzying heights.

Amazon is aware of the carefree use of the users and would like to bring more information and thus more knowledge about the valuable commodity human beings in the future. Amazon has registered a new patent in this regard, which penetrates deep into privacy and thus also into personal information.

The language assistant should be able to recognize the emotional and physical condition of the user and thus draw conclusions about the personal condition. These conclusions are to be converted into face value and thus a user who is audibly ill will receive advertising and purchase recommendations for medicines rather than vacation trips or sun creams being offered. According to Amazon, the solution will even pay attention to keywords like "I like" or "I love". What this information is needed for is still unclear, but what is clear is that Amazon will certainly convert these statements into face value.

back to all articles
Follow us on social media for even more data protection news!