We live in a world where Amazon will “use stocking stuffers to take over your home,”  in the words of a CNET article, on the same week FBI director James Comey defends putting tape over his computer's webcam.   What is wrong with this picture?   We are on a steep (and getting rapidly steeper) slope to a cloud-enabled world of surveillance, the dark side (with apologies to The Dark Web) of an always-on, always listening world of voice-enabled devices.

Let's examine the unwritten threat of Amazon's Echo Dot at a mere $49.95 or “Buy 5... get one free.”  Amazon wants you to load up on the little hands-free “voice control” speakers for you to start and adjust music and control the smart devices throughout your home without lifting a finger.   Get the six pack at around $250 and you can cover most or all of the house.

The Echo Dot is a marvel of technology, incorporating an array of seven microphones and a powerful processor to hear questions from any direction “even in noisy environments or while playing music.”

It's always listening.  That's not creepy, right?  Not unless you think about it, mind you. Maybe I'm thinking too much.  Or listening to too much Rockwell. Maybe James Comey and I have the same earworm problem.  

“The more you use Dot, the more it adopts to your speech patterns, vocabulary, and personal preferences,” proclaims Amazon's web page, all to improve Amazon's Alexa speech recognition engine. “And because Echo Dot is always connected” – emphasis mine – “[software] updates are delivered automatically.”

Echo Dot also has “skills” in the form of adding capabilities from third-parties – an area that Apple could have owned with Siri if it hadn't been so blinded by being in love with its own walled-garden mentality.  You can ask Alexa to order an Uber ride, send someone flowers, get pizza, and get your account balance from Capital One bank, just to name a few of the “thousands” of skills available in the Alexa app.   

Adding “skills” is also a big vulnerability, because Alexa becomes a sweet spot for third-party interception of one's personal data, with the spot becoming more attractive the more “skills” an individual adds.

Always-on listening isn't a “new” threat. Most new cell phone models have a low-powered always-on mode to trigger the personal assistant, but the twin Achilles heels for using the phone as a spy microphone are data and battery life – sooner or later you might notice you are going over your data plan way to easily or, if you are with T-Mobile, you are just running through battery too often.

In-home devices don't have those warning flags. Some of Samsung's more expensive Smart TV models were called out earlier this year as having the potential for being a home privacy risk by always listening and feeding the voice input to a third party cloud (Nuance) for processing.  You can turn off the always-listening feature, but such opt-in privacy always strikes me as a bit of a failure.

Consider two scenarios - legal intercept and black hat mischief.  The FBI wants more information on a person of interest and it knows a suspected Bad Actor is tech crazy and security blind.  It gets a court order to tap into the always-on voice stream from all the devices in the household, so Amazon and Nuance get letters that are some extension of CALEA or something else.

 In theory, there are legal checks-and-balances to prevent abuse of lawful intercept, but the reality is law enforcement and national security agencies tend to err on the side of more data collection.  The more pragmatic Big Data check to Big Brother is if everyone starts flooding servers with data, data sets grow so large that it becomes expensive to monitor everyone all the time – there aren't enough federal agents in the day to dig through what Joe Citizen is or isn't doing at any particular minute.

However, if you are a Person of Interest to a hacker, all bets are off.  Samsung TV and Alexa become tools to gather information. (Note to self - Ask Alex Baldwin if he's had a cybersecurity audit recently if he's got Alexa in all his homes). The question becomes where and when can a hacker intercept this flow of information and what types of resources are available to evaluate it.  Interception of voice might occur through duplicating streaming audio before it reaches a cloud-processing site – especially if encryption is not involved – or be more one-stop shopping if the third-party's collection, storage, and processing capabilities are compromised through a back door or inside employee.

Is this crazy?  The director of the FBI and Mark Zuckerberg are putting tape over their webcams.   I'm willing to bet they aren't running out to fill their homes with Alexa and other always-on home devices.  Should you worry?  I don't know. What do you have of interest to someone else?