Don't Buy Anyone an Echo


Adam Clark Estes
Tuesday 5th December, 2017 10:28am
Filed to: grinch week, Gizmodo

Three years ago, we said the Echo was “the most innovative device Amazon’s made in years.” That’s still true. But you shouldn’t buy one. You shouldn’t buy one for your family. You definitely should not buy one for your friends. In fact, ignore any praise we’ve ever heaped onto smart speakers and voice-controlled assistants. They’re bad!

What’s challenging about this holiday season is that the futuristic gadgets are just so damn easy to buy. We’ve also given glowing reviews to several smart speakers and especially the Google Home devices. They’re so pretty! Right now, smart speakers are cheaper than ever, too. Both Amazon and Google have slashed $20 off the price of their cheapest smart speakers, the Echo Dot and the Home Mini. That’s $30 for gift that you could wrap and give your cousin and expect a “Wow cool, I always wanted one of these!” If you really want to impress them, you can get the full-sized Amazon Echo or Google Home for $80 a piece—a discount of $20 and $50, respectively. Such savings!

Let me make this point dreadfully clear, though: Your family members do not need an Amazon Echo or a Google Home or an Apple HomePod or whatever that one smart speaker that uses Cortana is called. And you don’t either. You only want one because every single gadget-slinger on the planet is marketing them to you as an all-new, life-changing device that could turn your kitchen into a futuristic voice-controlled paradise. You probably think that having an always-on microphone in your home is fine, and furthermore, tech companies only record and store snippets of your most intimate conversations. No big deal, you tell yourself.

Actually, it is a big deal. The newfound privacy conundrum presented by installing a device that can literally listen to everything you’re saying represents a chilling new development in the age of internet-connected things. By buying a smart speaker, you’re effectively paying money to let a huge tech company surveil you. And I don’t mean to sound overly cynical about this, either. Amazon, Google, Apple, and others say that their devices aren’t spying on unsuspecting families. The only problem is that these gadgets are both hackable and prone to bugs.

Before getting into the truly scary stuff, though, let’s talk a little bit about utility. Any internet-connected thing that you bring into your home should make your life easier. Philips Hue bulbs, for instance, let you dim the lights in an app. Easy! A Nest thermostat learns your habits so you don’t have to turn up the heat as often. Cool! An Amazon Echo or a Google Home, well, they talk to you, and if you’re lucky, you might be able to figure out how to talk back in the right way and do random things around the house. Huh?

You don’t need an artificially intelligent robot to tell you about the weather every day. Just look outside or watch the local news or even look at your phone. You already do one or all of these things, so just keep it up. Same goes for turning on the lights. Use the switch. It works really well! A light switch also doesn’t keep track of everything you’re doing and send the data to Amazon or Google or Apple. What happens between you and the switch stays with you and the switch.

Which brings us back to security and surveillance. I’m not here to be Tin Foil Hat Man and convince you that companies like Amazon are spying on your every move and compiling data sets based on your activity so that they can more effectively serve you ads or sell you products. I am here to say that smart speakers like the Echo do contain microphones that are always on, and every time you say something to the speaker, it sends data back to the server farm. (By the way: If you enabled an always-listening assistant on your smartphone, now’s a good time to consider the implications.) For now, the companies that sell smart speakers say that those microphones only send recordings to the servers when you use the wake word. The same companies are less explicit about what they’re doing with all that data. They’re also vague about whether they might share voice recordings with developers in the future. Amazon, at least, seems open to the idea.

We do know that Amazon will hand over your Echo data if the gadget becomes involved in a homicide investigation. That very thing happened earlier this year, and while Amazon had previously refused to hand over customer data, the company didn’t argue with a subpoena in a murder case. It remains unclear how government agencies like the FBI, CIA, and NSA are treating smart speakers, too. The FBI, for one, would neither confirm nor deny wiretapping Amazon Echo devices when Gizmodo asked the agency about it last year.

Sinister ambitions of governments and multinational corporations aside, you should also worry about the threat of bugs and hackers going after smart speakers. Anything that’s connected to the internet is potentially vulnerable to intrusions, but as a new category of devices, smart speakers are simply untested in the security arena. We haven’t yet experienced a major hack of smart speakers, although there’s plenty of evidence to suggest that they’re hardly bulletproof. Not long after its launch, the Google Home Mini experienced a bug that led to the device recording everything happening in a technology reporter’s house for dozens of hours. You can chalk that up to a very bad screw up on Google’s part, but it’s a tear in the fabric of trust that should encase these kinds of gadgets.

Hackers pretty much set that fabric on fire. A few months ago, Wired reported that a hacker successfully installed malware on an Amazon Echo and turned it into an always-on wiretap. The malware let the hacker stream all audio from the Echo to a remote server, which is some serious badass spy shit when you really think about it. This particular exploit only worked on devices made before 2017 and required the hacker to have physical access to the Echo. Nevertheless, it’s sort of the worst possible scenario for anyone who’s worried about having an always-on microphone in their home.

This is all to say that there are risks involved with owning a smart speaker. It’s not as risky as, say, running a meth lab out of your basement. But keeping an internet-connected microphone in your kitchen is certainly more trouble than owning a simple Bluetooth speaker that just plays music. You might be comfortable taking that risk for yourself. Think long and hard about buying an Amazon Echo or a Google Home for your friends and family. They might not like it. In my opinion, they shouldn’t.
Curious  - comments anyone?
Here tinker with the Echo and lately the Samsung Smartthings Hub
Personally the Samsung hub now has taken the moniker from GE (in a downward spiral) about bringing good things to life.
Recently removed the Echo from the master bathroom due to WAF (it spooked her after she spoke to it).
Re-enabled the touchscreen in the master bathroom.
That's pretty much my opinion too. My inlaws think nothing of having an Amazon Echo in their small living room while giving their credit card info to make payments over the phone. Crazy.
I use ours primarily for listening to Internet Radio while cooking in the kitchen.
It's well suited for that.

I just added voice control of lights a Tstats, but see that as making the option available, not as a primary means of control. There are situations when my hands are full, or dirty, or the switch is on the other side of the room, where voice control is more convenient.
Same with something like my exterior perimeter flood lights. I can turn them on instantly from anywhere in the house.

I think relying on the internet is actually a hindrance. I'd like to see it store the last 100 voice commands so it could respond instantly or if it loses connectivity by using the internal cache of commonly used phrases. Shouldn't need to go offsite unless it is fetching data like news, weather, etc.
pete_c said:
Curious  - comments anyone?
I do miss the good-old-day when you picked up an article and it contained actual news from a reporter that actually researched it over a period of days. Today other than the NY Times and Washington Post, and a very few list of others, that no longer exists. :angry:  Every other article is either one of two type; 1) A regurgitated version of one of the real news articles from one of the reliable sources or 2) Some "opinion" piece written by one of the junior people to fill space and designed to get "clicks."  Be sure to check out my article "Why your Echo could spontaneously explode and why your insurance company might not pay for the damages."

Understood Ano. 
Opinionated news appears to attract more people than seemingly boring factual news. (it is the same today for NY Times and Washington Post)
Been getting the same local newspaper delivery now for about 40 years. 
Mostly want it today though for daily change of paper lining the bottom of my parrot's cage.
I switched over to listening to the BBC a few years back and today their news structure has changed much to be similar to rest of media news.
This was a reprint article which came from Gizmodo and reposted over to Bloomberg (think?).
It has not stopped me from automation tinkering. 
Here's a simulated proposed AI video....(real fiction)
and another one reporting current news (real fact)
I don't have a comment so much as some questions about where do you draw the line if you want to be safe?
Sonos speakers provide data back to Sonos regarding what you listen to even if you only listen to your locally stored music files (this is how they gathered the data to decide to focus more on streaming and less on local library management). Is it safe to share this data?
Cell phone microphones are easily exploited to act as surveillance devices. Is it safe to own a cell phone? Same question for Tablets and PCs with built-in cameras.
Any credit monitoring service that "watches" for your Social Security number to be exploited has to store that number in a location that could be hacked, Is it safe to use these services? Same question for password vault services that store all your passwords.
All streaming services track what you watch or listen to when and on what device, essentially profiling what kind of person you are by what media you consume. Are streaming services safe?
Google has mastered the art of using data gathered from browsing for its own purposes and ISPs can watch and (after Net Neutrality ends) control what data can enter and leave your house. Is connecting to the Internet safe?
Credit card companies and banks can track your movements based on transaction time and location. Is it safe to utilize banks and credit cards?
My initial tendency is to say no to all of the above and yet I want a voice controlled home and multi-room music within a reasonable budget, i.e. Alexa plus HUE price range rather than custom hard-wired self contained system price range. So where should I draw the line? I can't prove Alexa is more risky than any of the other areas so why would I single that out as the only thing to be afraid of?
I'd single out the Echo because it is the only one you mentioned that has a factory authorized microphone that is always on and listening.
And most people believe that their homes are the one location where conversations are always private.
Yes, there are technologies to subvert that, but it is *supposed* to require a warrant or, at least, probable cause to do so legally.
kwschumm said:
I'd single out the Echo because it is the only one you mentioned that has a factory authorized microphone that is always on and listening.
While an Echo is "always listening" unless you mute the mic, its not transmitting what you are saying to the Cloud until you say, and it recognizes, the trigger word.  When the top lights blue, then it is transmitting over the web as long as you speak. 
From Amazon:
How do Amazon Echo and Echo Dot recognize the wake word?
Amazon Echo and Echo Dot use on-device keyword spotting to detect the wake word. When these devices detect the wake word, they stream audio to the Cloud, including a fraction of a second of audio before the wake word.
Of course that isn't to say the NSA can't remotely update it to always listen, which they likely can do to any device in your home with a microphone, including any PC or Mac.
Well, everyone can use whatever they want and feel comfortable with.
I've seen enough abuse of peoples private information in my career to not trust any company. It's not necessarily the company, sometimes it's just a few individuals. At one company that did tracking of vehicles for the purposes of stolen vehicle recovery I witnessed control center operators watching people drive around in real time because they were bored. They'd go through the database, find someone they knew or knew of, and then watch where their cars went. Not a big jump to derive from that location when people would be home or away. Others have gathered all sorts of unnecessary information in their databases which were totally insecure, anyone could look at them.
Companies do NOT value or protect your information. Only individuals can do that.
I am perfectly happy with my Echo devices - paranoia does not run in my family and we have nothing to hide.
Frederick C. Wilt said:
I am perfectly happy with my Echo devices - paranoia does not run in my family and we have nothing to hide.
Congratulations. I am perfectly happy without an Echo device - blissful ignorance does not run in my family and we also have nothing to hide.
kwschumm said:
Congratulations. I am perfectly happy without an Echo device - blissful ignorance does not run in my family and we also have nothing to hide.
Ignorance has nothing to do with it - I understand the reality and accept it for what it is - a life without risk is a life not worth living.
How about the xbox kinect? It seems to have more capability to spy on you than a smart speaker device but at least it is only one device in one room. I have an xbox but it is in a room that is usually empty. Anyone spying on us would just see my dog staring out the window or me occasionally cursing at a game and I can live with that.
I won't have Alexa in my house. I even have masking tape over the camera on my laptop.
EDIT  - In light of this conversation I just disabled both the camera and the microphone in my laptop.
Actually this conversation has made me realize what malevolent devices cell phones are and is forcing me to rethink my communications strategy. While Alexa represents a potential security threat with no actual examples yet reported, Cell Phone microphones are known to be exploited on a regular basis both by the NSA and by criminal parties using tools acquired from the dark web. Additionally cell phones are carried on your person and are more likely to be in range of a sensitive conversation than is an Echo sitting in a specific room. You are also not likely to go around reciting your social security number or credit card numbers out loud for Alexa to hear but that data often finds its way into cell phone apps where it can be easily harvested. Cell phones are also starting to experience more telemarketing calls and phone fraud which you don't see within the phone functionality of Alexa.
So my new strategy is this: Over the course of the next year I am going to give Echos as gifts at every opportunity to family and friends and encourage them to communicate with me using the Echo phone features rather than traditional phone lines. Around this time next year I am going to discontinue all cell phone service and make Alexa the only way a person can reach me. This is no hardship for me making outbound calls since Alexa can call any phone number but nobody can call me unless they use Alexa and by then all of the people I care to hear from will have one due to my year of  gifting them. I'm happy to tell any business or other entity who might wish to reach me to get Alexa or get lost so I'm not concerned about that. At this point Alexa is clearly near the bottom of the list of technologies that could potentially be used to harm me so it makes sense to ditch the already compromised platforms and start using something less dangerous.