One of the most popular stories in my twitter feed this week has been the Arkansas murder case in which Amazon has been served warrants requesting data from a suspect’s Echo. From what I can gather, Amazon has been served two warrants requesting all audio and text data from Amazon’s servers. So far, Amazon has refused to turn over at least some of the requested information, and interestingly almost nothing has been written about what Amazon has actually handed over.
Amazon and its Alexa service are receiving a bulk of the attention in this and the general feeling in my neck of the woods is that this was inevitable. Judging by the recent behavior of US law enforcement, it absolutely was inevitable that they would subpoena data from the manufacturer of a device which is constantly monitoring the sound in a room and capable of recording and transmitting any of it. While in this particular case its hard to see how the Echo could be helpful in the investigation, it does bring up a whole litany of questions to ponder.
After reading the warrants, the case itself is absolutely terrifying. From what I gathered, a young man had some friends over to watch a Razorbacks football game1 and do some drinking. The suspects states that after the game a few of them hung out in his hot tub and continued drinking until around 1 am when he retired for the night. He offered for his two friends to spend the night on the couches as they were feuding with their wives. The next morning as he’s cleaning up the beer cans and such he goes out on his porch and discovers one of his friends laying face down in the hot tub. When he goes to pull at him, its clear his friend has deceased and he calls the authorities.
The warrant goes on to describe the scene which show some signs of a struggle, as well as the victim whose face was bruised and hint at an assault. Blood was found in a number of places around the scene and a broken shot glass was found in the hot tub. It also notes that the suspect has absolutely no signs of bruising or any evidence he was involved in any physical altercation.
I have no way to begin to verify the story, but it certainly sounds plausible that the suspect had no idea his friend had passed away that night and awoke to pretty much the worst way his day could play out. As many publications are pointing out, it doesn’t seem reasonable that Amazon has anything in the way of useful information in this case. The authorities already have taken the Echo and extracted the audio from the device itself. The Echo only records and transmits audio to Amazon’s servers when the wake word is spoken and it seems highly improbable that anyone shouted out Alexa during a struggle.
The suspect owned a number of smart appliances, including a water heater which recorded 140 gallons of water were used somewhere between 1 and 3 am on the morning in question. Considering the average 5 minute shower uses around 25 gallons, this seems worthy of note. I think what’s even more interesting is that none of the publications I’ve read have even broached the subject of what this case would look like if the suspect had owned one of the expanding market of home surveillance cameras. The warrant mentions at least 4 other smart appliances that the owner had, including door monitoring alarms and motion sensors, it certainly seems to me it was only a matter of time until the suspect would’ve owned one of these video systems.
One of the defenses I’ve seen presented for why Amazon should not turn over more information is that since the data is not guaranteed to be accurate, how could it be used in court? In this context it seems to be attributed to the vagaries of audio recordings, but I’m thinking of it more in the context of my recent article about the lack of proper security for smart appliances. Psychologists and law enforcement have increasingly come to discover just how inconsistent eye witness testimony can be. I’m concerned that it’ll be much easier for judges and juries to treat information gained from these smart appliances as exact and accurate. In the example of a door lock which can keep track of who is allowed entry and when, an attacker could make it appear that any time they entered the house it was actually the home owner. The ramifications of this kind of behavior seem rather limitless.
I’m not a lawyer, so I’m not going to go to guess on what can be shared with whom. I’ve only spent a few hours with the documents, but a few things pop out at me reading through them. For one, it strikes me as funny that Amazon states in the privacy section that they are not in the business of selling your information to partners. I’m struggling to see how that is not exactly what Amazon is in the business of doing. At its core Amazon is a marketplace for connecting potential customers to various goods and service providers, Amazon then gives the customers information to the seller in exchange for money.
It also strikes me as extremely unfair that all of these terms and conditions are presented in a way which is completely inaccessible from the device itself. The whole concept of the Alexa devices is that their user interface is all voice. Reading through these documents, Amazon has put considerable effort into ensuring you can make purchases with a simple voice command and they are not legally responsible for any issues with this process. Meanwhile, seemingly no effort has been put into allowing you to access any other device settings or information via this interface. I for one feel it would be reasonable to demand that the terms of service for a computer be able to be delivered in the device’s primary interaction model.
A final thing I’d like to mention around this case is that seems to be another example where its unclear that law enforcement knows what its asking for. An Echo only “hits record” on the sound waves flowing through its microphones starting a few milliseconds before the wake word was spoken. This audio file is sent to Amazon where it is decoded. There is effectively nothing in the way of public information with what Amazon does with that information and how its stored. There’s certainly thousands of research papers and patents showing what you could do with it, but exactly what Amazon does with it is basically the definition of the companies intellectual property. Law enforcement states they want all audio and text derived from the users queries. Who has any idea what that information would look like? How would it be presented?
I understand the idea is that as an investigator you need to do due diligence and ideally should have access to the necessary information to make an informed decision. When subpoenaing information, it seems like a necessary bound should be understanding what it is you are actually requesting to know. In reading this warrant, there’s no way the document is clear about what information Amazon is supposed to have and should be handing over. This is intrinsically different than, say, asking a company to provide its surveillance tapes for a public space. In that scenario, you aren’t asking for anything other than a copy of the original recording, there’s a clear bound on what you are asking for (a couple hours of video) and how it would be delivered (in a video file or on a disc or some other physical media for video). As companies continue to expand into machine learning and cloud computing, it seems like some boundaries need to be defined in how a constantly evolving database of algorithms related to your personal information can be requested in a dispute.
1 Looking at the box score for the Razorback’s game on November 21st, 2015 vs Mississippi State was a one point loss with Dak Prescott who lead the Bulldogs to 20 points and two go-ahead touchdowns in the fourth quarter. Would love to see how the prosecution uses this information in their case.