Does the Amazon Echo protect your privacy?

We keep hearing more and more about “the connected home,” where devices such as thermostats, cameras and even refrigerators are wirelessly connected and controlled. But what are the privacy considerations for these new types of devices?

The Amazon Echo, aka Alexa, whose tagline is “Always-ready, connected, and fast. Just ask,” is both a microphone and a speaker that acts as a type of virtual home assistant. In wake mode, the Echo is constantly listening for your commands, and performs a range of duties. Echo plays music and news, checks your calendar, manages your to-do lists, controls wireless appliances, makes calls, and answers questions, among other things.

The Echo can also connect to third parties, such as banks, enabling additional services. Given that the Echo sits in your home listening, and then transmits data to third parties, we knew it was time to do a deep dive into privacy and the Echo. What exactly is the Echo doing

with our information and what precautions should we take?

To find out, we turned to Robin Nunn, a partner at Davis Wright Tremaine LLP and an expert in privacy law.  She is a graduate of Dartmouth College and The University of Chicago Law School, and has extensive experience in regulatory, enforcement, and litigation actions.  Robin’s experience includes work with both corporate and individual clients in matters initiated by government regulators, as well as private civil litigation and internal investigations (she can be reached at robinnunn@dwt.com).

1. What information specifically does the Alexa collect from us?

Thanks for the warm introduction.  Privacy and Alexa, the chatty personality that makes the Amazon Echo smart, so fun and exciting, is a great topic as we get closer to the holidays.  Let’s begin by talking about how Alexa works.  The device is a voice-controlled cylindrical appliance that can tell you the temperature outside, give you traffic conditions, play music, control connected lights, and – of course – buy things from Amazon.  It needs an internet connection to function.  When enabled, it dutifully sits in your home, listening for its “wake word.”  This word triggers Alexa to “turn on” and respond to the question or command being asked. The wake word is the assistant’s name, Alexa, followed by input commands tied into a “skill” or something Alexa is programmed to perform after being commanded.

So, in response to your question, after you make a voice request including the magic word “Alexa”, Alexa-enabled devices record or stream audio clips of what you say. Specifically, it takes a few seconds of recorded data before the wake word and holds about 60 seconds in recorded data overall.

2. Where does Amazon store the information?

Let’s say you are in voice range of your device and you say the word “Alexa”; the voice assistant generally jumps to life to record whatever you say after the word Alexa.  That voice request data is stored locally and sent up to the cloud for analysis.  When transmitted to Amazon Web Storage (AWS) storage, these queries are encrypted.  The data is then reviewed by Alexa Voice Services (AVS) in the cloud and a response is formulated.

The recorded clips are associated with your user account, which you can view later when you login.  So, if one day you feel like listening to your past queries, you can listen to short clips of yourself asking to translate “pillow” into Kiswahili or whether it is going to snow today.  There is a list of each user’s queries in the Alexa app.  If you own several Alexa devices, each one has its own listenable queue of requests.

3. How long does Amazon keep the information? Indefinitely?

For now, your Amazon histories stay there at least until you decide to delete them.

4. Amazon has rolled out third party apps for Alexa. How does Amazon share information with third parties? Do they have your voice files, for example?

One of the coolest things about Alexa is its ability to have other apps integrate with it.

Amazon has created a framework called Alexa Skills Kit (ASK), which is a collection of third party requirements on how to develop a custom skill or function into Alexa.  These custom integrations don’t have to stay on AWS and can be hosted elsewhere as long as they’re communicated securely to Amazon’s servers.  It’s with these Skill Kits that Alexa is able to communicate with home devices and custom content.

There are hundreds of skills that can connect your data to third parties.  Some skills let you purchase things or services outside of Amazon. For instance, there’s a Starbucks skill for ordering a Soy Latte, a Lyft skill for ordering a ride, a Domino’s Pizza skill for ordering a medium pizza with extra mushrooms, and more.

At this time, Amazon transmits your request to third parties but does not share recordings with third party developers.  It has been reported that Amazon is considering granting third-party app developers access to transcripts of audio recordings saved by Alexa-powered devices (like some of its competitors currently do).

5. What information does Amazon share with third parties?

When you use a skill, Amazon provides the developer the information they need to process your request.  Amazon does not share customer identifiable information to the third-party skills without the customer’s consent.

In addition to the third parties you select to interact with, Amazon has been asked to share information with law enforcement agencies.  However, Amazon publicly fought police over what it deemed to be an overly broad request for Alexa audio logs.  And, Amazon complied with the request only after the suspect voluntarily said he was willing to provide them.

6. How do third parties access the information?

Alexa facilitates communication with third-party services.  But Amazon doesn’t actually get access to the transactions themselves. For example, in the case of Capital One Bank, the bank says the system is fully encrypted, and the Alexa skill includes a user-created passcode to prevent unauthorized access.

7. What rights do I have to knowing the specific information that Amazon collects?

This is a great question.  I often get asked, “Is Alexa always listening?”  While someone always listening to you at home might sound a little creepy, Amazon would probably say the answer to that question is no.  The idea is that Alexa isn’t always listening but instead is always ready to respond.  Ambient conversations—i.e., the things you say before “Alexa”—aren’t stored or sent over a network.In fact, Amazon has gone to great lengths to build a product that customers will trust and feel comfortable using in their homes.

There are a few things that I’d like to mention that might help you understand your rights. First, like any website, Alexa collections information about how customers interact with it.  You should think of it as like how browsers use cookies to collect info on your browsing preferences.  Once you start using your Echo, Amazon will know what you like to order, what you listen to, and what products you have connected to it, and anything else you tell it.  Presumably, that information may be used, at some point, to market more products and services to you. Second, Amazon built an experience where there’s an indication that Alexa is now listening. It shows customers when listening has started and when it has stopped on the actual device. The mute button electronically disconnects the microphone. Lastly, and perhaps most importantly, Amazon gives you access to a broad range of information about your account and you can see everything that Alexa has recorded. You can update the information on your account and delete any recorded utterances one at a time or you can delete them all. These are examples of how you can know what information Amazon has collected.

8. Can I have Amazon delete my information?

Alexa voice recordings can be deleted one entry at a time on the app or on a larger scale by visiting amazon.com/myx.

9. Considering all of the major data breaches (Equifax, Uber, etc.), what should consumers be concerned about with the level of data collection and the personal nature of it?

There’s been an explosion of personal home assistants in addition to Amazon’s Alexa, which has become very popular.  In general use, you’re probably not likely to be risking more than you are with other connected services.  But if you are looking for privacy from your Amazon Echo device, you can use the mute button which will turn off the device’s microphones when you don’t want to be heard. The Power LED light will be red when the microphones have been switched off.

Amazon puts multiple comments in their privacy policy letting you know that they are not responsible for any risks. For example, the policy states:

“We do not guarantee that Alexa or its functionality or content (including traffic, health, or stock information) is accurate, reliable, always available, or complete. You may encounter content through Alexa that you find offensive, indecent, or objectionable. Amazon has no responsibility or liability for such content.”

The complete privacy policy can be found here.

10. What should consumers be most concerned about?

One of the biggest downsides is privacy.  Voice assistants are able to hear everyone within microphone range input by default.  That core function broaches a series of privacy risks:

The microphones are always able to hear you unless physically muted.

Someone can gain access to your Amazon password and listen to your interactions with Alexa.

Your recordings are stored on cloud servers indefinitely.

Targeted advertising, in all likelihood, is the ultimate goal of the data collected through your device.

Amazon could, at some point, share your data with third parties without your knowledge.

Finally, it is not just Amazon, hackers, government agencies, and trusted third parties that you have to be concerned about.   On some level, you must also trust everyone who has access to your home, including dog walkers, house cleaners, nannies, family members and other guests.

11. What should consumers do to protect themselves?

Despite the potential risks, there are some simple precautions owners can take to make Alexa more private and more difficult for third parties to profile you:

1. Mute the Echo when you are not using it.  A physical mute button is located on the top on the machine.

2. Set up voice recognition so the device can tell you apart from others in your home.

3. Delete old recordings.  Take advantage of the option to log onto your Amazon account and delete queries.

4. When you set up your Alexa, set up an “end of request” tone that will make a noise to let you know the Echo has stopped listening for information.

5. Don’t share your Amazon password with others.

6. Consider not connecting your most important accounts to your Echo.  If you can resist the urge, try to refrain from giving Alexa access to anything with money or sensitive information.

All of this will keep your private information more secure and make you harder to profile.