Quick Links

Everyone's been talking about Bloomberg's report that Amazon workers are listening to the voice recordings created when you speak to Alexa. But Amazon is far from alone. Here's how tech companies can---and have---looked at that private data you upload.

From Reading Your Notes to Stalking Minors

Let's talk about some examples, from Evernote employees talking about reading your private notes to Google and Facebook employees stalking people.

  • Evernote gave its employees permission to read your private notes to "Improve your experience" in a change to its privacy policy made in January 2017. Evernote changed its mind and promised employees would request permission first after many users became upset. But this illustrates the issue---Evernote can easily give its employees access. And, even if you shared data with Evernote expecting that company policy would keep it safe, the company can change that policy whenever it likes.
  • Google once fired a Site Reliability Engineer for using his access to Google servers to stalk and spy on several minors, tapping their call logs in Google Voice, accessing their chat logs, and unblocking himself on one teenager's buddy list. Site Reliability Engineers have access to everything because they need it to do their jobs---and it's possible for employees to go rogue and abuse that access, as this engineer did in 2010.
  • Facebook fired a security engineer who used his access at Facebook to stalk multiple women online in 2018. Motherboard reported that other employees had been terminated for stalking their exes and other similarly creepy things.
  • We recommend against giving apps access to your email. But, if you do, those apps might have people reading your email---whether it comes from Gmail, Outlook.com, or any other email account. The Wall Street Journal reported that human engineers who worked for some companies responsible for those apps were looking through hundreds of thousands of emails to train their algorithms.

This isn't an exhaustive list. Facebook once had a bug that exposed private photos to app developers and your employer can read your private messages in Slack---in other words, they're not so private. Even the NSA has reportedly had to fire people for using government surveillance systems to spy on their exes. And every company that has your data will hand it over to the government when a warrant arrives, as Amazon did when Alexa overheard a double murder.

The Cloud Is Just Someone Else's Computer

When you use a service that uploads your data to a "cloud" service, it's just storing that data on a company's servers. And that company can see the data if it wants to.

This is simple enough, but reports about employees listening to our voice recordings still feel shocking somehow. Maybe we all assume there's just too much data and people couldn't examine it, or perhaps we think there must be some kind of law that prevents tech companies from peering at this stuff. But, in the US at least, we're not aware of any law that would prevent companies from looking at this data---as long as they're honest about it, perhaps by disclosing this fact in a terms of service document no one reads.

Even with voice assistants, however, it isn't just Amazon. As Bloomberg itself says, even privacy-focused Apple has people listening to Siri recordings to help train the algorithms that make these voice assistants work. And Bloomberg says some Google reviewers listen to recordings made with Google Home devices, too.

Legitimate Reasons People Might Look at Your Data

Setting the creepy stalkers and other people abusing their access aside, here are some valid reasons a company employee might have to examine your data:

  • Government Requests: A warrant may compel a company to look through your data for something relevant and turn it over to the government
  • Training Algorithms: Due to the way machine learning works, algorithms used in software need some human input during the training process. That's why people are listening to Alexa and Siri recordings, and it's why Evernote wanted people to look through your notes.
  • Quality Assurance: Companies might examine recordings or other data to find out how their service is working. Even if you're talking to a robot, someone else might listen to the recording later to see how it went.
  • Customer Support: A company might ask for permission to view your data to help you if you need support. At least, the company will hopefully only do this with your permission---which can be as easy to grant as sending a tweet, as it was with Google Photos.
  • Reported Violations: A company might look at your data to look into reports of violations. For example, let's say you're having a private, one-to-one conversation on Facebook. If the other person reported you for harassment or another violation, Facebook would look into the conversion.

The Only Way to Stop This: End-to-End Encryption

This all happens because of the way the internet works. Despite all the talk about "encryption" securing your data, data is generally only encrypted when it's sent between your devices and the company's servers. Oh sure, the data may be stored encrypted on that company's servers---but in such a way that the company can access it. After all, the company needs to decrypt the data to send it to you.

The only way to prevent this is by using end-to-end encryption or client-side encryption. This means the software you use would encrypt the data on the devices you use, storing only the encrypted data on the company's servers in a way that the company couldn't access it. Your data would be yours.

But this is less convenient in a lot of ways. Services like Google Photos wouldn't be possible, as they couldn't automatically perform tasks on your photos on the company's servers. Companies wouldn't be able to "deduplicate" data and would have to put more money into storage. For voice assistants, all the processing would have to happen locally, and companies couldn't use the voice data to train their assistants better.

If you lost your encryption key, you wouldn't be able to access your data anymore---after all, if the company could give you access to your files again, that means the company could access your files in the first place.

Related: Why Most Web Services Don't Use End-to-End Encryption