Tag: security theater

Security Theater – Alexa Edition

Amazon announced a new privacy feature where you can ask an Alexa device to delete the day’s recordings. Not like “at 23:59:59, delete everything from today” and not “delete everything for the past 24 hours” but delete everything from 00:00:00 to right now when I’m asking you to delete it. Curious how this works in a discovery scenario. How deleted is deleted? And what happens when the next hot-tub murder scenario Alexa records is immediately followed by “hey, delete my recordings for the day”?

I expect this is in response to the poor reception that news of human audio reviewers engendered. Can’t say I was shocked to hear they have humans reviewing recordings … I’ve got the same basic thought about Amazon employees/contractors listening to my recordings as I relayed to employees who were concerned that we were reading their e-mail back when I actively maintained the e-mail system. (1) They’re not that bored and (2) I’m not that interesting. I expect there’s an algorithm that flags specific scenarios for review — hopefully every time the thing wakes up and hears “cancel” because that wasn’t the wake word it just heard, probably some percentage of instances where the response is “I don’t understand that”, some other flags, and some small percentage by a pseudo-random selection.

Amazon is probably paying these reviewers a pittance, but they’re still paying them something. And Amazon isn’t paying for someone to be entertained by my daughter singing to the speaker. Are there people posting links to funny and embarrassing recordings? Sure. I also knew people who worked in a call center that contracted out to credit card companies for customer support — people who got busted for extortion because they’d read through six months of account statements after every call. Find something that might be embarrassing/suspicious & call the dude (i.e. poor sap who had rung up for assistance with his account) and demand money not to tell his wife about the affair. Or his gambling. Or what he spends at S&M clubs. Of all of my data that’s out there, smacking into the wall and yelling “bugger” as I check the temp while running out the door just doesn’t rate.

That being said, I’d just as soon not have a company retain audio recordings every time I check the time or weather. But let’s be honest — who is really going to incorporate “oh, delete today’s recordings” into their night-time routine? Once or twice, whatever. Every single day? Not gonna happen. Which is, I expect, the point. Amazon can tout this option to give you control. But they know there’s no way people would opt in to have their recordings retained. And there’s probably a significant number of people who would go through the effort of setting up retention that would automatically purge recordings after 24 hours. This sounds like a privacy feature but is too much of a pain to use. We’ll check to see if we can purge the daily recordings via an API call, and if not we’ll have a speaker in the house play an MP3 file each night. But that’s not normal user kind of stuff … so Amazon will lose a few days’ worth of recordings for people who check it out, all recordings for a few uber-techs or super-security-conscious folks. A statistically significant number? Probably not. Security theater.

Worst part, though … you cannot just delete the recordings by voice. Oh, no! You’ve got to enable the function. Because it would be awful if some friend was screwing around with my device and deleted today’s recordings!? I mean, I get not wanting pranksters/kids/pets to order merchandise — which is why you can add an ordering pin for your account. But if there were some API bug which allowed any random Internet user to delete my recordings (not retrieve, not listen to … just delete), I wouldn’t care. The small subset of “every random Internet user” that actually gets within voice range of my house!?! Not exactly somewhere worthy of high security.

Amazon’s self-serving “keeping your recordings extra safe” policy means logging into the Alexa website, going to settings, scrolling down to “Alexa Privacy” (granted a fairly obvious selection), being popped over to another page which you could have hit directly if only you’d known this is where it would send you, going to “Review Voice History” (not a fairly obvious selection) and enabling voice-sourced deletion. This is, conveniently, the same place no one ever went to blow away recordings before voice deletion was an option.

Immigration

I know everyone has a gut reaction to the efficacy of the immigration ban – be it ‘total rubbish’ or ‘great job securing our borders’ – but a few organisations have bothered analysing the historic actions that would have been eliminated by the travel ban.

The Cato Institute, libertarian leaning but certainly not a left-wing think tank, finds no benefit to national security. The nations included in the ban account for seventeen convictions for attempted terrorist attacks – and exactly zero deaths. Now “attempting” a terrorist attack could be anything from planning to trying to actually execute an attack. Bad, but ZERO people died. A few of the banned countries (Libya and Syria) did not account for a SINGLE attempted attack. They provide an illuminating breakdown of what appears to be selectively picked data published by Senator Jeff Sessions — Trump’s pick for Attorney General. 6.9% of the list (over 500 accounts) were foreigners planning attacks on US soil. Even if I assume Senator Sessions hasn’t selected data to make a couple of countries look particularly bad, the travel ban fails to prevent 93.1% of PLANNED attacks.

A common argument is that stopping one attempt is worth it (questionable considering the disruption caused by the travel ban – doctors are unable to enter the country to take up residency at hospitals, scientists are unable to enter the country to take research positions at universities, but value cannot be ascribed to a life so arguing is a bit of a bad job). What cannot be determined, though, is how much anger does this move engender? How many people BEGIN providing material aid to terrorist organisations because of this ban? How many people are going to end up dead because of this action?

I’ve said before – it would be one thing to decree the entire immigration process insecure and shut down ALL immigration (travel tourism too; bad for, say, people who own hotels) for a period of time while a new process is deployed. Selectively banning countries based on history of terrorist activity — which this certainly IS NOT — only causes different people to undertake terrorist activities. It’s a little like the airport security scanners – they’re looking for everything previous terrorists have tried. Makes people feel better (even as they complain about the inconvenience) that the government is “doing something” to keep them safe. I guess this falls into the same category, but we aren’t even selecting countries to ban on historic data. We’re selecting them on some guy’s perception of risk. Or some guy’s investment portfolio. Or some guy who threw darts at a map of the Middle East.