In the course of a murder investigation, the police department of Bentonville, AR served a search warrant on Amazon for voice data sent from an Echo device located near the scene of the crime. There is no doubt that Amazon stores your voice queries and commands; you can listen to them here. But supposedly, while the Echo is always “listening” locally, it does not transmit audio until the wake word is spoken. Amazon has not turned over any information in the case, calling the request overbroad. It is doubtful whether Amazon has anything of value to the case, but regardless, the outcome will have implications for IoT security down the road.
The issue goes beyond Amazon. While it’s doubtful that Echo devices will become commonplace in an enterprise setting, always-listening, internet-connected devices may well become so. If that happens (and some would say it already has with IP phone systems), what is the expectation of privacy?
I can make general assumptions about this, but ultimately, organizations won’t know until these kinds of cases reach the higher courts. While the particular case in Bentonville probably won’t go very high up the judicial food chain, if law enforcement is aggressive in pursuing this kind of voice data, it shouldn’t be long before Amazon or Google force the issue.
Based on prior privacy cases, the issue comes down to what constitutes a reasonable expectation of privacy. In the case of a private conversation in an office where an IoT listening device was in use, the parties to the conversation would assume privacy. I believe this would hold even if the conversation were stored locally on the device for diagnostic purposes. In the case where a consumer knows that an IoT device, like an Echo, will transmit data to a third party when the wake word is spoken, all bets are off. The issue is that transmission to any other party diminishes the expectation of privacy. Email is the classic example. The Supreme Court has ruled that the sender has an expectation of privacy, but it is diminished once the message is received by the recipient, because of how it was sent: since it must be addressed and routed, there is some thought that it is no longer strictly private.
So the conversations you have around IoT devices may be considered private (given the appropriate physical context), but not once they are transmitted. There are, however, several ways an enterprise could help maintain an expectation of privacy. IoT devices might have to be required to process voice commands locally, sending back only anonymized metadata to the service provider. That metadata might carry no expectation of privacy, but the actual content could not be subpoenaed in a case, since it would never have left the device.
The other option would be a scheme that makes the content actionable by the service but unreadable to the host company. That would probably limit voice commands with the service to binary actions within a device, not much more than On/Off.
While this does not prevent the problem, networks will also have to be configured to account for these devices. Putting IoT devices on their own wireless SSID and network segment would at a minimum let an organization see the volume of traffic leaving them, and zero in on whether any of it is coming from sensitive areas. That traffic could then be routed preferentially, perhaps mirrored to a local collector for review. Still not an ideal solution.
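To make the segmentation idea concrete, here is an added example (my code, not part of the original post) of the kind of review you could run once IoT devices sit on their own segment: take flow records of the sort a firewall or NetFlow exporter emits for that segment, join them to an asset inventory that records where each device physically sits, and flag anything sending data out of a sensitive area in volume. The 10.50.0.0/24 segment, the device names, the locations, the addresses and the byte counts are all constructed for the example; the threshold is an arbitrary placeholder you would tune from a baseline.

```python
"""Egress review for a dedicated IoT network segment.

Added example, not code from the original post. Given flow records of
the kind a firewall or NetFlow exporter emits for an IoT-only segment,
plus an asset inventory noting where each device physically sits,
summarize how much each device sends out and flag anything leaving a
sensitive area in volume. Every address, name and byte count below is
constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field

# Hypothetical IoT segment and inventory (constructed data).
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
INVENTORY = {
    "10.50.0.11": {"name": "echo-lobby",      "location": "lobby",        "sensitive": False},
    "10.50.0.12": {"name": "echo-boardroom",  "location": "boardroom",    "sensitive": True},
    "10.50.0.13": {"name": "ipphone-legal-3", "location": "legal office", "sensitive": True},
}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent_by_src).
SAMPLE_FLOWS = [
    ("10.50.0.11", "198.51.100.10", 443,    48_000),
    ("10.50.0.12", "198.51.100.10", 443, 1_200_000),
    ("10.50.0.12", "198.51.100.11", 443,   900_000),
    ("10.50.0.13", "203.0.113.5",  5061,    65_000),
    ("10.50.0.99", "198.51.100.10", 443,    10_000),   # on the IoT segment, not in inventory
    ("10.20.0.7",  "198.51.100.10", 443, 5_000_000),   # workstation VLAN; out of scope here
]


@dataclass
class DeviceEgress:
    name: str
    location: str
    sensitive: bool
    bytes_out: int = 0
    destinations: set = field(default_factory=set)


def summarize_egress(flows, inventory=INVENTORY, segment=IOT_SEGMENT):
    """Total outbound bytes and distinct destinations per device on the IoT segment."""
    report = {}
    for src, dst, port, nbytes in flows:
        if ipaddress.ip_address(src) not in segment:
            continue  # only the IoT segment is in scope
        if src not in report:
            meta = inventory.get(src)
            if meta is None:
                # Anything talking from the IoT segment that we cannot place is
                # treated as sitting somewhere sensitive until proven otherwise.
                meta = {"name": f"unknown-{src}", "location": "unknown", "sensitive": True}
            report[src] = DeviceEgress(meta["name"], meta["location"], meta["sensitive"])
        report[src].bytes_out += nbytes
        report[src].destinations.add(f"{dst}:{port}")
    return report


def flag_devices(report, threshold_bytes=500_000):
    """Return {ip: reason} for devices that warrant a closer look.

    threshold_bytes is a placeholder; in practice derive it from a baseline
    of what a wake-word-driven device normally sends in the review window.
    """
    flags = {}
    for ip, dev in sorted(report.items()):
        if dev.name.startswith("unknown-"):
            flags[ip] = "uninventoried device on the IoT segment"
        elif dev.sensitive and dev.bytes_out > threshold_bytes:
            flags[ip] = (f"{dev.bytes_out} bytes left the {dev.location} "
                         f"to {len(dev.destinations)} destination(s)")
    return flags


if __name__ == "__main__":
    for ip, reason in flag_devices(summarize_egress(SAMPLE_FLOWS)).items():
        print(f"{ip}: {reason}")
```

With the sample data this flags the boardroom Echo (2.1 MB out across two endpoints) and the uninventoried 10.50.0.99, while the legal-office phone stays below the threshold and the workstation on another VLAN is ignored. The same join of flow data to physical location is what lets you decide which devices are worth mirroring to a local collector.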
I don’t think too many enterprises are foaming at the mouth to deploy IoT devices across their offices, and that is doubly true for consumer-focused devices like the Amazon Echo. Even so, the number of devices with these capabilities is only going to increase. It’s not a matter of if sensitive conversations will accidentally be transmitted, it’s when. Enterprises need to be thinking now about how to work these devices into their networking and security practices.