Ride the Lightning

Craig Ball: “Alexa, Preserve ESI.”

March 17, 2016

John and I have been delighted to see our friend Craig Ball return to blogging. Missed you Craig.

His subject a few days ago was Amazon Echo's Alexa, the new woman in his life.

As he puts it, "Alexa streams music, and news updates. Checks the weather and traffic. Orders pizzas and Ubers. Keeps up with the grocery and to do lists. Tells jokes. Turns on the lights. Adjusts the temperature. Answers questions. Does math. Wakes me up. Reminds me of appointments. Of course, she also orders stuff from Amazon." No doubt Craig, no doubt.

She is hands free, which is a great benefit and she plays well with many applications. She is darn convenient. There is a hitch. She is always listening. Alexa only transmits and records what she hears when her name is called. But, as she becomes an omnipresent interface to everything, Alexa will know an awful lot about Craig's activities and interests. She records every interaction, including an audio recording of the person issuing instructions. Craig can view a list of every interaction since Alexa first came into his life, and listen to each recording of the instruction, including background sounds. Others may call this "creepy." Craig calls it "evidence."

This is where John and I are also keenly following Alexa, Cortana, Siri, etc. While they collect a lot of data, they don't make it easy to preserve what they've collected when there is a legal duty to do so.

As Craig says, "I can access each of thousands of interactions with Alexa and listen to the recording of the command. One-by-one. From the standpoint of spoliation, the Alexa app allows commands to be selectively deleted from a user's history and the entire history to be purged; but, insofar as preserving the history when it's potential evidence, Alexis is deaf and dumb."

Amazon has a means to collect and produce the data in criminal matters. But in civil matters, a subpoena will likely prompt no more than a form denial. Account holders have no self-directed mechanism to download a delimited (e.g., spreadsheet-compatible) copy of their data, the only option being an untenable screen-by-screen capture of data, coupled with recording the audio on some other device.

We agree with Craig. Users need an effective, self-directed means to preserve and collect their own data when legal and regulatory duties require it. Google has an excellent take-out mechanism. Twitter's archive does, too. Facebook also allows you to download your own posts and photos. However, most app and service providers offer nothing at all.

This is untenable in the digital world. We need a reasonable means of complying with litigation holds and discovery. And we love Craig's line, "Alexa, are you listening?"

Like Craig, we know of no good way (currently) to achieve these objectives. If any RTL readers do, we would love to hear about it. And be mindful of what you say to these personal assistants – say the wrong words and it is quite possible all you've said will never be forgotten – or forgiven.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson