June 24, 2019 Feature

Alexa, Are You a Snitch?

Jason Beahm and Cameron Bowman

Would you trade the security of your clients for minor conveniences? At some point, society made this decision: We gave up privacy for convenience, and now we willingly give our information away. As lawyers, we must always protect our clients’ confidential information—it is one of our central duties. Yet, many lawyers are cavalier when it comes to their willingness to install Amazon Echo, an Internet-connected microphone, potentially filled with security flaws, inside their law office. Devices such as the Amazon Echo, which connects to the virtual assistant Alexa, and Google Home, which connects to its Google Assistant, do have a clear potential upside, but they also have the potential to be a Trojan horse and the source of a malpractice complaint.



Why Use Alexa?

Comment 8 to Rule 1.1 of the ABA Model Rules of Professional Conduct explicitly imposes the duty of technological competence on lawyers; therefore, lawyers should proceed with caution with confidential communications around Alexa because the potential for inadvertent disclosure is real.

One lawyer from a major legal tech company that we spoke with at ABA TECHSHOW 2019 in Chicago said he would throw an Alexa device in the garbage if anyone brought it into his office. “Why would I bug my own office?” he asked. “What next, do you think I am going to run a live stream of my client meetings on Facebook?” It felt like an extreme reaction, but is it?

We have found zero attorneys using Alexa or Google Assistant for something even approaching groundbreaking or innovative. Groundbreaking uses could certainly be on the horizon when it comes to billing, legal research, and case management—but they are not here yet.

The strongest points we have been able to find in favor of using devices at the office essentially amount to lawyers saying, “Well, I like using it because it is more convenient since I don’t have to use my hands.” Not an especially convincing argument. At most, these lawyers are using Alexa as an egg timer or having it read them a daily briefing of the news. Nice to have, but is it worth the privacy risk?

It is nice to get traffic times and the weather without having to use your hands, but given the huge downside if the devices are not secure, how can it be worth it, especially considering that these lawyers already have devices that can do the exact same things? One reason to get Alexa: It allows for a potential reduction in screen time and increase in performance, such as when people use it to listen to music, instead of a phone or computer. Over time, it seems possible, maybe even likely, that performance concerns will be alleviated as these other devices get better. Then what will be the arguments against this?

Hidden Dangers

On the other hand, aren’t law offices already loaded with microphones? What are the issues that we have with Alexa that we don’t have with a cell phone? According to hacker and security expert Jonathan Brossard, there is a huge difference in the security of a cell phone versus Alexa. Alexa operates via a microphone placed prominently in your office as part of a device that can be easily controlled by a hacker, according to Brossard. “Cell phones are much more sophisticated devices to take control of, and hacking a cell phone requires a far more sophisticated kind of hacker,” Brossard said, over laughter.

With a device using a digital assistant such as Alexa, anyone can walk into your office and get your information; most people are not protecting their devices in any way—there is no PIN code, password, or two-factor authentication. Someone can walk into your office and ask the device for information, and it will give it to them. These devices are literally wide open to physical control.

(The good news: You can delete all voice data from your Alexa device with the click of a mouse. Go to amazon.com/myx, sign in, and click Your Devices. Click on your Alexa device, and then click Manage Voice Recordings.)

But in truth neither Alexa nor a cell phone is secure. There is a reason why cell phones are not allowed in the Situation Room at the White House: they are vulnerable. If you take your security seriously, consider this: Edward Snowden disabled the GPS, camera, and microphone on his cell phone. Why do you think he did this? Do you owe the same kind of consideration to your clients?

Brossard shared an anecdote regarding an executive at Google with whom he was close. Whenever they would retire to her home for a romantic evening, she would first unplug and power down all her Google and other electronic devices. “She told me that she assumed someone was always watching,” Brossard shared.

But this would never happen to you, would it? Alexa couldn’t, say, accidentally record a client meeting and then send it to opposing counsel, right?

Or perhaps you believe that you do not have to worry because your device is only activated once you say the “wake word” of “Alexa,” but that is no reassurance at all. If someone can gain access to your device, that hacker will be able to listen to every conversation you are having at your office, and you will have been the one who planted the bug in your own office.

We spoke to Lee Tien, senior staff attorney at the Electronic Frontier Foundation, a digital rights nonprofit, about the potential privacy risks surrounding “always-on” home devices. “One of the biggest concerns I have is that we are essentially bringing surveillance technology into every facet of our life.”

Tien notes that people are now bringing all sorts of devices into their midst without realizing some basic privacy concerns about them:

Think about all the different forms that data is being collected about you. Cars are a great example. Today’s cars are basically becoming a huge pot of gold when it comes to data collection. It’s like Google Street View on steroids. How is this information being stored, who has access to it? These are the questions we should be asking. . . . Between Alexa, Fitbit, smart cars, we are bringing surveillance technology into every facet of our lives.

We asked Tien about the issue of whether the so-called “wake word” is an adequate protection. Is the device off when not summoned in that way? Or is it always silently recording in the background?

That’s the $100,000 question, isn’t it? What are we opening ourselves up to? What is that technology doing? There is no way for this to be in between. Either it’s listening to you or not. I know that there’s supposed to be a trigger word, but what’s not clear to me is exactly what’s going on when you haven’t said it, because in order for a voice command to turn on, it’s got to be on in some sense in the first place.

Tien notes that asking questions like this would have been considered paranoia only a few years ago. But now it’s just smart to ask questions about what type of information is being collected by companies and how it is being stored. “A few years ago, if you said that your phone was recording you or that the camera on your laptop might be on, you’d be dismissed as a crank. But then again Google just announced that their Nest had a secret microphone the whole time. Amazing.”

Tien is referring to Google’s popular Nest security system. In early February 2019, Google announced a software update that allows Nest devices to double as Google Home Assistants. However, when Google announced the new upgrade, it inadvertently revealed that Nest cameras actually had a hidden microphone in the system the entire time. As Business Insider reported, the existence of the microphone was never disclosed in any of the device’s product materials, including online or on the packaging.

Google claims that the microphones were never meant to be a secret and that the microphone had only been placed in the device for potential future upgrades (like listening for breaking glass).

The Electronic Privacy Information Center sent a letter to the Federal Trade Commission requesting that it take action against Google. The concerns raised in the letter are ones that anyone considering using these devices should heed: “It is entirely unclear whether Google, a remote hacker, or anyone else enabled the microphones in the Nest devices after they were installed by customers in their homes,” EPIC said in the letter.

As Tien points out, “Consumers don’t really know how their information is being processed by corporations. In the old days you had an answering machine at home. Now your voice mail is held by the phone company. The cloud is a great thing and allows for an amazing amount of technology, but it changes the privacy equation as to who is holding the information. We need to have strong laws around this privacy information.”

This may not be paranoia. In May 2018, a Portland, Oregon, family contacted Amazon to investigate after a private conversation in their home was recorded by Alexa and the recorded audio was sent to the phone of a random person in Seattle, who was in the family’s contact list.

Asked for more details, Amazon provided the website Recode with the following explanation:

Echo woke up due to a word in background conversation sounding like “Alexa.” Then, the subsequent conversation was heard as a “send message” request. At which point, Alexa said out loud “To whom?” At which point, the background conversation was interpreted as a name in the customer’s contact list. Alexa then asked out loud, “[contact name], right?” Alexa then interpreted background conversation as “right.” As unlikely as this string of events is, we are evaluating options to make this case even less likely (tinyurl.com/y8boblf9).

Search Warrants and the Third-Party Doctrine

This leads to the biggest question of all: When do police have legal access to the personal information that smart devices collect?

In 2016, an Arkansas man, James Bates, was arrested when a friend of his was discovered dead in his hot tub. Bates was charged with murder when a “smart meter” showed a huge amount of water used during a two-hour period near the estimated time of death. Police believed that Bates murdered the friend, hosed down his patio, and then placed him in the hot tub to make it look like an accident.

As the case proceeded, prosecutors sought to force Amazon to turn over recordings that Bates’ Amazon Echo made before and after he said he found the body. Amazon resisted, and Bates agreed to voluntarily turn over the recordings. Before the legal issue was decided, prosecutors dismissed the case for lack of evidence.

However, the question remains: Are people bringing these devices into a workplace or home inviting in an informant?

As with a lot of today’s technology, these devices are moving so fast that the law and the courts have not caught up to them.

Consider this. Under the Fourth Amendment, courts have generally ruled that police can’t search your home without a search warrant based on probable cause that they will find evidence of a crime. But does this apply to listening devices?

We can expect that police and prosecutors will claim that recordings taken in this way will fall under what is called the “Third-Party Doctrine.” The Supreme Court has established a broad exception to the need for a search warrant in cases where an individual has shared information voluntarily with a third party (such as a bank, Internet provider, or phone company). The legal theory is that people who turn over information voluntarily to a third party no longer have a “reasonable expectation of privacy” in it.

Is It Worth the Risk?

We asked Lee Tien for his bottom line. Would he put Alexa in his office or home?

Listen, you don’t invite an eavesdropper into your home if you can avoid it. I think the question everyone needs to ask themselves, is, “Do I really need to have this device?” Everyone must make their own decision about how useful a device like this is as opposed to the potential privacy interests involved.

Further, when we observed lawyers attempting to use these devices, the amount of time and energy wasted due to misunderstandings between lawyers and the device was substantial. If you are not a native English speaker, you are going to have serious issues using Alexa. If your WiFi is spotty, it won’t work well. If your office is noisy, it won’t work at all. If you have an open-office plan or share offices, it is distracting to use around your co-workers.

With two exceptions, every lawyer we know who has tried to make use of these devices in their offices has given up on the idea that they are helpful.

The promise of a hands-free, voice-controlled office is certainly appealing, and it is understandable that lawyers would want to take advantage of the potential gains in efficiency. Perhaps that day will come, perhaps it is even on the horizon. At the moment, however, the lack of security with Alexa should give lawyers serious pause before installing an Alexa device in their offices. In the meantime, there is tremendous opportunity for the development of encrypted, enterprise-level voice-controlled devices.



Jason Beahm (jbeahm@beahmlaw.com) is a criminal defense lawyer in San Francisco, California. His firm, Beahm Law (beahmlaw.com), has won SF Weekly’s “Best of San Francisco” award four out of the past five years. Beahm is the co-host of the Festival Lawyer Podcast and has spoken at festivals and events across the United States. Beahm is also a DJ and lover of hotels, travel, and rewards points. Beahm’s clients include musicians, venue owners, agents, and managers. His most recent event was Coachella Valley Music and Arts Festival in Indio, California.

Cameron Bowman (cbowman@viblaw.com) is a criminal defense lawyer at VIB Law (viblaw.com) in San Jose, California. Prior to working as a defense attorney, Bowman was a deputy district attorney in Santa Clara County for 16 years. In 1998 he was named “Trial Attorney of the Year” for that office. In addition to his love of the law, Bowman is a former DJ and drummer and avid traveler and festival goer. He often writes about issues related to cannabis, technology, concerts, and music festivals under the pen name “The Festival Lawyer.”