“Hey Alexa, are you a U.S. Person?”

Imagine this. A conference call with your foreign-based customer is about to begin. Today’s agenda includes technical discussions of recent upgrades and changes to the designs of some ITAR-controlled items. Your Trade Compliance Officer has reviewed the material and confirmed that export authorizations are in place approving the subject matter to be discussed with your customer. All attendees on the call have been identified and Restricted Party Screening has already occurred, per your company’s compliance program. The call is ready to begin, but what about that device on your desk? The one that answers your questions, provides weather updates, and queues your favorite playlists? “Alexa, are you a U.S. Person?”
Recently, Amazon admitted that thousands of their employees located around the world are listening to conversations through Alexa and transcribing excerpts of these conversations. This is not just a privacy issue. It also raises potential questions and concerns about export violations. Amazon admits that the employees who listen, monitor and transcribe conversations are located outside of the United States. (Specifically, they have mentioned Costa Rica, India and Romania. However, there was nothing to indicate that these are the only foreign locations. China, anyone?) With that in mind, it’s not difficult to imagine that Amazon’s employee transcribers could meet the definition of “Foreign Persons,” and that these persons might not be approved on export authorizations to participate in technical discussions about controlled items. If that is the case, it means the Amazon employees have no authority to participate in discussions of export-controlled information or to transcribe it. And if that doesn’t give you enough pause, then consider the following: Where do these transcriptions go? Where are they stored? Who reads them? Are these persons also “Foreign Persons” under the regulations?
While Amazon attempts to make a case for privacy, stating that “Employees do not have direct access to information that can identify the person or account as part of this workflow,” Bloomberg reported that “recordings sent to the Alexa reviewers don’t include your full name and address. However, they are linked with an account number, as well as a device serial number and your first name.”
Privacy concerns aside, the content contained in these transcriptions – and how that content may be controlled by U.S. export regulations – is a serious issue. It is not good enough to simply assume that all of the discussions/transcriptions have to do with “benign” topics like shopping lists and household errands. Consent Agreements between the U.S. government and others have been reached on far less. Consider the recent Consent Agreement between DDTC and FLIR, which confirmed that Foreign Person Employees had access to Technical Data, where access did not mean that the employees viewed the Technical Data but rather that they had the ability to view it. Is Alexa providing this same capability to Amazon employees?
Many IT systems today have safeguards to prevent unauthorized access to and retrieval of export-controlled information without authorizations. That said, conversations that occur outside of the secure networks – and the subsequent retrieval/distribution of export-controlled information – open a whole new aspect to the question: how much security is required when discussing export-controlled information?
So, the next time you want to know the weather in Buford, Wyoming, before beginning a conference call with your foreign customers, go ahead and ask Alexa. Then unplug her.