Government Surveillance, Privacy & Data
Alexa, is Law Enforcement Listening?
Just days after Christmas, news broke that police in Bentonville, Arkansas, had issued a warrant to Amazon to turn over audio recordings from an Echo as part of a hot tub murder investigation. The sensational story brought with it a slate of headlines about new privacy concerns posed by the connected devices and the Internet of Things, but it also demonstrates how unclear legal standards and aggressive law enforcement interest in data can undermine the physical sanctity of our homes and inner lives.
What’s an Amazon Echo and how does it work?
In-home connectivity has become a major selling point for new home owners, and voice-controlled personal assistants like Echo have been designed to serve as the control center of our smarter homes. By itself, an Echo is a fancy speaker, but it is powered by cloud-based software that allows users to query “Alexa” to answer questions and get information – and control in-home devices such as a Nest smart thermostat or lights using just their voice.
While Echo is often considered one of the new breeds of “always on” devices, Alexa Voice Services – like Apple’s Siri and Google Now – only kicks into gear upon hearing a pre-set wake word. The device may be always listening, but its actual data processing (and recording) capabilities prior to being woken up are very limited. After detecting a wake word (“Alexa …”), however, Echo records any following command or question. This information includes voice snippets and transcripts, which are stored on Amazon’s servers. Echo informs users of this recording through a blue light or via an audible tone.
Amazon stores these recordings in order to help Alexa better recognize a user’s specific voice or speech patterns in order to get at understanding voice commands. Importantly, users also have the ability to review – and delete – any recordings made from their Echo. Echo does not currently offer users the ability to record voice memos or send audio messages.
What’s behind the Bentonville police’s warrant?
In November 2015, an Arkansas man was found dead in his friend’s backyard hot tub. Police arrived to find broken glass and dried blood, suggesting a fight had broken out, and there was evidence that the backyard patio had been hosed down to remove blood. Utility records revealed that 140 gallons of water had been used at that location in the middle of the night. The home’s owner, James Andrew Bates, was ultimately charged with murder.
All along, an Amazon Echo sat in Bates’ kitchen, and a police investigation determined that music had been streamed via the Echo onto the backyard patio during the night of the incident. The police obtained a warrant to search and seize Bates’ electronic devices, and concerned that the Echo might be imminently removed from the house, police then obtained search warrants for Bates’ Amazon account information as well as any “audio recordings, transcribed records, or other text records” from the Echo to Amazon’s servers over the course of both November 21 and 22, 2015. While Amazon provided account information, it did not provide any Echo records. An April 2016 police affidavit claims the company “only supplied a portion of what was requested in both search warrants.” In June 2015, police sought another warrant to search the Echo device itself in the hopes it might yield additional data.
The prosecuting attorney has conceded he has no knowledge of whether Bates’ Echo captured anything relevant to the incident, but if the device were used that evening, it is likely some audio files exist either on Amazon’s servers or potentially on the device itself.
What’s the current state of the law?
This kind of case demonstrates how unclear legal rules can undercut longstanding privacy protections in the home. In-home devices and new technologies present a tough challenge for the protections against unreasonable searches and seizures under the Fourth Amendment. The Supreme Court has repeatedly emphasized that “[w]hen it comes to the Fourth Amendment, the home is first among equals,” but what of the smart home?
A contentious legal principle, the third-party doctrine, holds that any information provided to third parties receives no protection under the Fourth Amendment. Even information revealed to a company “confidentially and on the assumption that it will be used only for limited purposes” is fair game. Under this doctrine, police need not get a warrant to obtain power records or, here, evidence of Bates’ water usage. This principle has begun to come under attack with some courts holding that information like email, even when stored with a company, merits constitutional protection. Some courts have extended this protection to location information as well.
But in addition to the courts, Congress can also protect this information and in some cases, it has. The Wiretap Act and Stored Communications Act (SCA) extend some Fourth Amendment-esque protections to electronic communications. The relationship between the two laws is complex, but in general, the Wiretap Act prohibits the interception of oral, wire, and electronic communications while the SCA prohibits the surreptitious access to communications at rest.
Why is this important here?
We do not know why exactly Amazon refused to comply with this warrant. The company’s privacy notice clearly states it will provide information where “appropriate to comply with the law,” but it also released a public statement that it does not release customer data “without a valid and binding legal demand properly served on us. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course.”
It is likely that Amazon views the police warrant as somehow deficient. The legal process required for various means of capturing electronic communications varies depending upon whether the wiretap, stored communications, or trap and trace portions of the Electronic Communications Privacy Act govern. (As CDT has stated repeatedly, ECPA itself is ripe for reform.)
For example, the Wiretap Act includes detailed procedures for how police are permitted to “intercept” communications. Section 2516’s exacting requirements recognize that listening to our communications should be done only as a last resort, when normal investigative methods have been exhausted. Unfortunately, there is very little consensus over when an “interception” occurs under the Wiretap Act.
Courts have said that interception can occur any time before the initial receipt of a communication’s contents by the intended recipient, but they have also held that voice mails specifically, to which an Echo may be the most obvious analog, are covered by weaker provisions in the SCA. (Section 2703 of the SCA establishes a tiered system with different standards that apply depending upon a number of factors, such as how long information has been stored, whether the information has been accessed by a user, whether the information is content or not, or if the customer has received advanced notice.)
What does this mean for my Echo?
Amazon is to be commended for going to bat for its users’ privacy to the fullest extent possible, but this case also serves as a potential wake-up call to individuals. As an initial matter users need to become aware and take advantage of tools that give them control over how and where their communications are kept. But beyond that, we need new policy approaches and clearer legal standards.
It can be easy to sympathize with law enforcement’s desire for information to get the bad guys, but as more and more data is collected for longer periods of time, that data must have robust protection. Part of the initial animating concern behind ECPA was that the investigative methods of law enforcement did not always comport with individual’s reasonable privacy expectations. As we have seen over and over again, government officials have sought new avenues to identify, surveil, monitor, track, and otherwise gain access to user information. Now, basic household appliances demonstrate how, as the White House has acknowledged, the “physical sanctity” of the home may soon become “an empty legal vessel.” One can assume that no one purchasing an Amazon Echo did so in the hopes of that.