I'd imagine that a competent company would keep access to user audio recordings tightly locked down, either because they actually care about privacy or because they care about the bad PR of recordings getting leaked.
But if the GDPR requires them to send the recordings to users upon request, they need to have a way to do that -- either by exposing a service on the web, or by providing access to customer service employees to handle the request. Not sure how I feel about that.
I would assume that if they made a voice print for you personally it would be fine. It should be still recognized as your own personal data, and underly the same laws
Nothing in the article suggests they were linked to any kind of user identifier, all we know is that each recording is linked to the transcription alexa made of it (which makes sense, training and log wise).
The user were easy to identify because if I listen to the last twenty queries you made to alexa between what you ask, what other people say in the background, what you talk about and what noise is in the background that gives me a lot of information; that's exactly how they were able to identify some of the users from their recordings.
> Nothing in the article suggests they were linked to any kind of user identifier
They were able to provide the customer a bundle of his recordings upon request so they must've maintained such a lookup mapping.
Of course that led to the mix up reported here. But I'd argue it's safer if on Amazons side they simply can't fulfill such request themselves due to anonymization.
I suppose that does raise a question of where you draw the line on a company's obligation to anonymize information. Is disassociating a user ID from the data enough? What about data that makes the user identifiable through patterns?
If I say "Alexa, my name is Bob Jones and I have chlamydia," they're not really helping me out by just not associating that audio clip with my username.
But if the GDPR requires them to send the recordings to users upon request, they need to have a way to do that -- either by exposing a service on the web, or by providing access to customer service employees to handle the request. Not sure how I feel about that.