Deleting Alexa Recordings Won’t Rescue Your Data from Amazon

July 7, 2019

Amazon’s Alexa is one of the most widely used home assistants in North America. However, in a country where privacy is a highly cherished right, users may be sacrificing this privilege without their knowledge or consent.

Two months ago, U.S. Senator Chris Coons (D-Del.) sent a letter to Jeff Bezos inquiring about Amazon’s data retention policies for voice records – particularly transcripts of Alexa recordings.

“I am very concerned by reports that suggest that text transcriptions of these audio records are preserved indefinitely on Amazon’s servers and users are not given the option to delete these transcripts. The inability to delete a transcript of an audio recording renders the option to delete the recording largely inconsequential and puts users’ privacy at risk.”

What Happens When You Tell Amazon to Delete Your Alexa Recordings?

Amazon’s response to Mr. Coons came a month later, partially confirming his suspicions. Regarding how long transcriptions and recordings remain on Amazon’s servers, the company said:

“We retain customers’ voice recordings and transcripts until the customer chooses to delete them.”

This means that the burden of actively deleting the data falls entirely on the user. And there’s more: when it comes to third-party apps, Amazon said that the way they deal with this information isn’t its responsibility, and that each developer decides how to handle this data (with some limitations established in each contract).

“When a customer deletes a voice recording, we delete the transcripts associated with the customer’s account of both of the customer’s request and Alexa’s response … However, we may still retain other records of customers’ Alexa interactions, including records of actions Alexa took in response to the customer’s request. And when a customer interacts with an Alexa skill, that skill developer may also retain records of the interaction.”

It is also worth noting that while Amazon guarantees it will delete transcripts from its “primary storage servers” – when and if a user follows the proper steps – it won’t necessarily do the same on other servers. Amazon explains that this is still an “ongoing effort,” without elaborating any further on this issue.

In other words, when somebody orders an Uber, books a hotel room, or uses an app integrated with Alexa, they cannot be 100% certain whether that data will be private, deleted, or forever stored on some “secondary storage server.”

So, according to the letter, Amazon is implying that it may keep some of its users’ data even if its clients do everything on their side to delete that information.

Alexa’s Thorny Record on Privacy Matters

According to Amazon’s Privacy Notice, by using Alexa, the customer gives Amazon access to personal information, which can be shared with – or enriched by – third parties.

Among the information that Amazon can save are logins, passwords, timezone settings, purchase history, the user’s address, purchases from third-party stores, search history, and even credit information.

And Amazon doesn’t have a spotless track record in handling that treasure trove of data. Users have reported that Amazon Echo recorded and sent their conversations to relatives without their knowledge and consent. Less than a year ago, c’t Magazine reported that Amazon mistakenly sent a file containing 100MB of personal data from one user to another.

In that incident, Amazon sent 1,700 WAV files and a PDF cataloging unsorted transcripts of another user’s interaction with their Alexa device. He complained, and Amazon took down the link, but it may or may not delete such information from its database.

“Alexa was obviously able to hear our ‘subject’ in the shower, and commands given to thermostats and the like showed that he uses Alexa to control various smart home appliances. He uses Alexa at home, on his smartphone, and when he is out and about …”

“We were able to navigate around a complete stranger’s private life without his knowledge … The alarms, Spotify commands, and public transport inquiries included in the data revealed a lot about the victims’ personal habits, their jobs, and their taste in music. Using these files, it was fairly easy to identify the person involved and his female companion. Weather queries, first names, and even someone’s last name enabled us to quickly zero in on his circle of friends. Public data from Facebook and Twitter rounded out the picture.”

So even though Amazon wants to make sure that users trust its services, not everyone has the clout of a sitting U.S. senator to obtain answers about the privacy and security of their personal data.

Given this situation, you should exercise caution, especially since, in a nutshell, Amazon is saying that it will not guarantee with 100% reliability your ability to completely – and irrevocably – delete your private data.

Jose Antonio Lanz @jaldps

Lawyer, specialist in strategic planning, professor and Bitcoin enthusiast.