Newsflash: Internet-Connected Devices Are Not Private

Last week, Amazon confirmed that it’s Alexa-powered Echo device may, in fact, listen in on private conversations, whether or not the device had been intentionally activated by a user. In this “extremely rare occurrence,” a couple’s private conversation was not only recorded, but was sent to a random number in the user’s address book without their permission. Earlier this year, users also reported “unexpected and unwarranted bursts of robotic laughter,” which many found to be extremely “creepy,” and which Amazon characterized as the result of a “false positive.”

While this most recent event has created a stir, it certainly is not the first time an Internet-connected device was found to eavesdrop on private conversations. In 2015, for example, Samsung warned that its SmartTVs “captured and transmitted [spoken words] to a third party” in connection with voice recognition features. That same year, reports that Google “does record audio from microphones all the time” raised similar privacy concerns. fact, The Guardian has reported that Amazon has filed patent applications for “always listening” functionalities, “such as an algorithm that would analyze when people say they ‘love’ or ‘bought’ something. The patent included a diagram where two people have a phone conversation and were served afterwards with separate targeted advertisements.” Few can deny that the word “love” can be used in extremely private situations.

In light of GDPR, some commentators have asked whether the unauthorized transmission of a personal conversation triggers a reporting obligation. Under the new Regulation, “In the case of a personal data breach, the controller shall, without undue delay, and where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Some could conclude that the “rights and freedoms” of the user, who described the incident as “a total privacy invasion,” may have been violated, and that there is a “risk” of recurrences.

The solution devised by users “creeped out” by these recent events has been certified as 100% effective and foolproof – unplugging the device. Any connected device, in addition to errors by manufacturers and service providers, would also eliminate the opportunity for hacking and spying by malicious attackers. Users are well advised to weigh the benefits of connectivity against the costs associated with significant privacy invasions