Back in September, we wrote about how the GDPR could actually undermine privacy, when Jean Young noted that, when someone hacked into her Spotify account, they were able to download her entire data history. And now there's another example of the privacy implications: Amazon recently responded to a GDPR data export request by sending 1,700 voice recordings... to the wrong user.
Following the passage of the European Union’s General Data Protection Regulation, or GDPR, any EU resident may demand a company send them the entirety of the data collected about them through both internet services and hardware products like an Alexa-equipped Echo smart speaker. One German user, under the alias “Martin Schneider,” did just that in August of this year. What he got back from Amazon, however, were thousands of Alexa voice recordings, which was strange considering he didn’t own an Alexa device.
Upon listening to the files, Schneider discovered they were the recordings of another Alexa user. After failing to get in contact with Amazon about the issue, the man brought the files to c’t, where reporters were able to piece together who the Alexa user was. Among the files were commands to control Spotify, the person’s home thermostat, and alarms. There were also recordings that indicated the Alexa user also owned a Fire TV, and that they had a spouse who appeared to live in the home.
There are, of course, many different ways of thinking about this. On the whole, it's a good thing that companies are giving users more access to data, and allowing them to not just see what's being held, but to download it as well (it would be nice if things were more standardized, and it would enable easier shifting between services, but... baby steps). But, it also needs to be recognized that this creates new privacy challenges.
This isn't necessarily good or bad, but is a useful reminder that, contrary to what many GDPR supporters will tell you, the GDPR itself doesn't actually do much to "protect" your privacy, and could make your data even more vulnerable. Again, there are potentially good reasons for this, but way too many people keep insisting that the GDPR is about protecting privacy, and it is important to understand where and how it fails in that regard, and how it could even make much of your data more vulnerable.