Monday, May 15, 2017

Amazon’s Echo calling has a privacy threat that can let people spam message and call you


Amazon seems to have made a significant oversight in bringing voice calls and messaging to its Echo speakers: there’s no way to block communication that you might not want. So long as someone has your phone number and the Alexa mobile app (which requires an Amazon account), that person can place voice calls, record voice messages, and send text messages that will reach both your Echo device and Alexa app. They’ve got a direct line to a speaker in your home.

As of now, there is no way to block contact from specific people. Nor is there any way of whitelisting only certain individuals for calling and messaging privileges; it’s all or nothing. Elise Oras published a Medium post about the issue. An Amazon spokesperson confirmed via email to her that a block feature "will be available in the coming weeks. We know this is important to customers, and we’re working on it." But it's not available now, even though the calling and messaging features are.

Perhaps most alarming, even if you’ve blocked someone’s phone number from your smartphone, calls to the Echo speaker will still go through. It’s easy enough to stop voice calls from ringing your iPhone, but if you’ve enabled Alexa calling, it’s currently impossible to prevent them from reaching your Echo. This is because Alexa doesn’t use your phone for voice calls. It’s merely using your phone number to identify you.

When you enable the Echo’s calling and messaging features, Amazon accesses your contacts list to determine who else has an Echo device in their home. And it skims your entire contacts database to find this information; there’s no way to limit it to a certain favorites list, for example. Amazon wants Alexa calling and messaging to gain popularity, so it’s taking a broad approach to populate that list quickly.

At best, this will likely result in Alexa displaying “contacts” you have no real interest in calling. But at worst, and as Oras notes, it might show the names of people you’re actively trying to avoid and have labeled accordingly in your contacts. They can see and reach you just as easily. If you want someone off the list, you’ve got to erase them from your contacts altogether. Your phone number is central to all of this, as it’s tied to your Amazon account. And it’s not a two-way handshake; if someone has your phone number, they can reach you — even if that person isn’t in your contacts list. The Verge has confirmed this in testing the new feature.

Before anyone is able to send calls and messages using Alexa, they must authenticate their own phone number by entering a PIN code received via text message. But that, plus the Amazon account prerequisite, are about the only security measures in place. It’s not even clear whether Amazon’s team has the ability to review inappropriate messages delivered with Alexa. This FAQ page currently says that “Amazon Customer Service is not able to see or review your messages, voice messages, calls, or contacts.” Who are you supposed to report inappropriate calls or messages to?

Amazon automatically transcribes voice messages sent to Echo devices and pushes a notification to your smartphone when they’re received. It’s possible to delete these, but there’s no way to permanently stop receiving them from any individual. Alexa also supports text messages, and those similarly cannot be blocked from the recipient’s end. Nor is there any way to hide the message content and view only a sender’s name. Voice messages can be played back by anyone in proximity to your Echo, with no PIN or passphrase required.

Worse still, Amazon makes disabling its new calls and messaging feature difficult once you’ve switched it on. Users must call the company’s customer service to turn off calls and messaging. There’s no simple toggle in the Alexa app’s settings, which is a terrible decision on Amazon’s part.

For now, users have just two choices if they want to avoid unwanted contact through Alexa. You can choose to never turn on calls and messages in the first place, or you can use Alexa’s “do not disturb” to block calls and messages from everyone. That’s Amazon’s best “privacy” suggestion. But even in that case, messages would still appear in your Alexa app; Do Not Disturb only prevents calls and messages from reaching Echo products. There’s no such thing as a simple “Report” button. There’s no block list.

Amazon is likely to make rapid improvements to these new Alexa features. They’re convenient and open new possibilities for Echo devices. But that calling and messaging have launched without some common sense privacy tools is very unfortunate. At least for now, there’s very real potential for harassment and spam.

No comments:

Post a Comment