AGerman man who made a routine data request to Amazon found it strange when the firm sent back Alexa voice recordings — since he didn’t own any Amazon Echo devices.
That’s because what he actually received were around 1,700 Alexa voice recordings of another user, which Amazon had apparently sent to him by mistake.
The blunder was first reported by German magazinec’t, who withheld the receiver’s name but gave him the alias “Martin Schneider.”
Back in August, Schneider asked Amazon for a copy of all the data the company had recorded on him. That’s a request made possible by the passage of the General Data Protection Regulation (GDPR) in the European Union.
Schneider took a listen to the files and realized that they were audio files recording interactions that another user — a complete stranger — had had with Amazon’s ubiquitous digital assistant.
Among those voice recordings were simple requests like Spotify, thermostat and alarm commands. Another user, a woman, also spoke to the Amazon Echo device.
Schneider contacted Amazon to let them know about the mistake but never received a response. Instead, he found that the download link for the audio files was simply removed.
But Schneider had saved the files locally to his computer. He contacted c’t in mid-November and provided it with the files, worried about the privacy implications and the fact that Amazon had gone silent — potentially without notifying the victim.
C’t, for its part, was actually able to track down the mystery user and his female companion. That’s because those voice recordings contained weather questions, first names and even someone’s last name. That allowed the publication to track down the victim’s circle of friends.
Apparently, both men had filed GDPR data requests with Amazon. But somehow, they had received each other’s data reports.
In a statement to media organizations, Amazon called the mistake a result of “human error” and an “isolated incident.”
This isn’t Amazon’s first privacy blunder. Earlier this year, an Echo recorded a couple’s private conversation — and promptly sent it to a contact.
While you can’t request a full GDPR data report if you’re outside of the EU, you canactually listen to recordings of your own interactions with Alexa via the Alexa app.