Amazon's Alexa reviewers can access private customer information
Access to location data and, in some cases, a customer's home address is concerning from a cybersecurity standpoint.
An Amazon.com Inc. team auditing Alexa users’ commands has access to location data and can, in some cases, easily find a customer’s home address, according to five employees familiar with the program. The team, spread across three continents, transcribes, annotates and analyzes a portion of the voice recordings picked up by Alexa. The program, whose existence Bloomberg revealed earlier this month, was set up to help Amazon’s digital voice assistant get better at understanding and responding to commands.
Team members with access to Alexa users’ geographic coordinates can easily type them into third-party mapping software and find home residences, according to the employees, who signed nondisclosure agreements barring them from speaking publicly about the program. While there’s no indication Amazon employees with access to the data have attempted to track down individual users, two members of the Alexa team expressed concern to Bloomberg that Amazon was granting unnecessarily broad access to customer data that would make it easy to identify a device’s owner.
Location data is more sensitive than many other categories of user information, said Lindsey Barrett, a staff attorney and teaching fellow at Georgetown Law’s Communications and Technology Clinic.
“Anytime someone is collecting where you are, that means it could go to someone else who could find you when you don’t want to be found,” she said. Widespread access to location data associated with Alexa user recordings “would set up a big red flag for me.”
Related: ‘Cybersecurity’ and ‘privacy’ aren’t the same thing
Privacy concerns
In a new statement responding to this story, Amazon said “access to internal tools is highly controlled, and is only granted to a limited number of employees who require these tools to train and improve the service by processing an extremely small sample of interactions. Our policies strictly prohibit employee access to or use of customer data for any other reason, and we have a zero tolerance policy for abuse of our systems. We regularly audit employee access to internal tools and limit access whenever and wherever possible.”
Amazon’s Alexa Data Services team, which manages the scads of recordings of human speech and other data that helps train the voice software, numbers in the thousands of employees and contractors, spread across work sites from Boston to Romania and India.
In a demonstration seen by Bloomberg, an Amazon team member posted a user’s coordinates, stored in the system as latitude and longitude, into Google Maps. In less than a minute, the employee had jumped from a recording of a person’s Alexa command to what appeared to be an image of their house and corresponding address.
It’s unclear how many people have access to that system. Two Amazon employees said they believed the vast majority of workers in the Alexa Data Services group were, until recently, able to use the software.
Amazon appears to have been restricting the level of access employees have to the system. One employee said that, as recently as a year ago, an Amazon dashboard detailing a user’s contacts displayed full phone numbers. Now, in that same panel, some digits are obscured. Amazon further limited access to data after Bloomberg’s April 10 report, two of the employees said.
Related: Is your data in the cloud? It’s still at risk of cyberattack
Copyright 2024 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.