Always On Microphones are Always On

Reader Steve T. sent me a link to story confirming my decision to not own smart speakers. A woman going by the name my.data.not.yours on TikTok (I guess this is the new hip surveillance social media network) sent a request to Amazon for all of the data the company had on her. The result? Exactly what you would expect (I sanitize the TikTok link embedded in the source so I’ll apologize here if it doesn’t work):

TikToker my.data.not.yours explained: “I requested all the data Amazon has on me and here’s what I found.”

She revealed that she has three Amazon smart speakers.

Two are Amazon Dot speakers and one is an Echo device.

Her home also contains smart bulbs.

She said: “When I downloaded the ZIP file these are all the folders it came with.”

The TikToker then clicked on the audio file and revealed thousands of short voice clips that she claims Amazon has collected from her smart speakers.

Smart speakers like the ones provided by Amazon have an always on microphone to listen for voice commands. The problem isn’t necessarily the always on microphone but the fact that most smart speakers don’t perform on-site audio analysis (or only perform very limited on-site analysis). Instead they record audio and send it to an off-site server for processing. Why is the audio moved off-site? Ostensibly it’s because an embedded device like a smart speaker doesn’t have the same processing power as a data center full of computers. Though I suspect that gaining access to valuable information like household conversations has more to do with the data being moved off-site than the accuracy of the audio analysis.

The next question one might ask is, why is the data being stored? This is why I suspect moving the data off-site has more to do with gaining access to valuable information. Once the audio has been analyzed and the commands to be executed transmitted back to the smart speaker, the audio recording could be deleted. my.data.not.yours discovered that the audio isn’t deleted or at least not all of the audio is deleted. But even if Amazon promised to delete all of the audio sent to its servers, there would be no way for you as an end user to verify whether the company actually followed through. Once the data leaves your network, you lose control over it.

The problem with Amazon’s smart speakers is exacerbated by their proprietary nature. While Amazon provides the source code necessary to comply with the licenses of the open source components it uses, much of the stack involved with its smart speakers is proprietary. This means you have no insight into what your Amazon smart speaker is actually doing. You have a black box and promises from Amazon that it isn’t doing any shady shit. That’s not much of a guarantee. Especially when dealing with a device that is designed to listen to everything you say.

One VPN Provider to Rule Them All

When somebody first develops an interest in privacy, the first piece of advice they usually come across is to use a virtual private network (VPN). Because their interest in privacy is newly developed, they usually have little knowledge beyond that they “need a VPN.” So they do a Google (again, their interest in privacy is new) search for VPN and find a number of review sites and providers. Being a smart consumer they read the review sites and choose a provider that consistently receives good reviews. What the poor bastard doesn’t know is that many of those review sites and providers are owned by the same company (a company, I will add, that is shady as fuck):

Kape Technologies, a former malware distributor that operates in Israel, has now acquired four different VPN services and a collection of VPN “review” websites that rank Kape’s VPN holdings at the top of their recommendations. This report examines the controversial history of Kape Technologies and its rapid expansion into the VPN industry.

If you’re not familiar with Kape Technologies, the linked report provides a good overview. If you want a TL;DR, Kape Technologies has a history of distributing malware and now owns ExpressVPN, CyberGhost, Private Internet Access, and Zenmate. Because of Kape Technologies’ history, I would advise against using one of its VPN providers. It’s not impossible for a company to turn over a new leaf, but with other options available (at least until Kape buys them all), why take chances?

If you’re a person with a newfound interest in privacy and looking for recommendations, I unfortunately don’t have any good recommendations for review sites. The handful of review sites that I used to trust have either disappeared or been bought by VPN providers (which by itself doesn’t necessary make a review site untrustworthy, but I’m always wary of such conflicts of interest).

As far as VPN providers go, I use Mullvad and I like it. It supports WireGuard (my preferred VPN protocol), doesn’t ask for any personally identifiable information when signing up for an account, accepts anonymous forms of payment (including straight cash mailed in an envelope), and seems determined to remain independent (at least for now).