12.22.21

Amazon Alexa: privacy concerns and best practices for IoT devices

The internet of things (IoT) is very big. In fact, it’s growing every day. As homes and businesses continue to embrace digital technology, IoT devices are soaring in popularity.

Smart devices, like Amazon Alexa, are especially leading this charge. In 2020, Amazon announced it had sold well over 200 million Alexa devices worldwide — double the number they shared just one year prior.

Indeed, Amazon’s industry-leading virtual assistant is a trailblazer for the future. Following in its path, however, are a hoard of concerning privacy implications. Being that Alexa — and its Echo counterparts — actively listens to what you’re saying, consumers have plenty of reason to be concerned. Here’s a rundown of what you need to know about Amazon Alexa and how you can keep your privacy safe.

Alexa is always listening

A big part of Alexa’s basic functionality is that it listens to your voice. When users make a request, they first need to say their device’s wake word (“Alexa,” “Echo” or “Computer,” for example). This wake word communicates to the device that you’re making a request, preparing Alexa to take action as quickly as possible.

Through a technology called keyword spotting, Alexa is constantly listening for that wake word. This means that even when your device is not in use, it’s still listening to anything you say. Sometimes, Alexa misidentifies a phrase as containing the wake word, leading to accidental activation. In fact, researchers at Northeastern found that Alexa, Echo and similar smart devices accidentally respond to incorrect wake words up to 19 times per day.

You’re being recorded (sometimes)

Considering Alexa’s active listening, this prompts a very important question: are your conversations being recorded?

The short answer is yes — Alexa does record your voice. But it only records a short snippet of audio whenever it detects the wake word. Those recordings are automatically sent to the cloud, where they’re accessible to the user through the Alexa app.

If those recordings were ever compromised by hackers, it’d be an unprecedented breach of privacy. There’s no telling what personal, professional or financial information could be obtained from those recordings. If the wrong information fell into a scammer’s hands, ransomware attacks could rise.

Furthermore, Amazon employs a team of quality assurance specialists to comb through recordings, according to TIME. Although it’s just a small sample, thousands of workers are accessing recorded interactions.

Amazon Alexa: privacy concerns and best practices for IoT devices
Smart home devices, like Amazon Alexa, may be a significant risk to privacy.

Alexa’s skills lack protection

Skills are essentially apps for your Alexa device. Through the Amazon Skills store, users can download tools designed by developers to “teach” their Alexa new capabilities and features. However, the majority of the over 100,000 available skills are designed by third-party developers. How those developers handle user data prompts a number of significant privacy concerns.

For example, researchers from NC State found that 23.3% of skills that requested privacy-sensitive information did not have a complete privacy policy. In other words, those developers neglected to address exactly how user data will be accessed, used and protected. What’s more, those researchers also discovered that many skills use the same wake up word. Consequently, users may inadvertently share information with the wrong developer.

Perhaps worst of all, Amazon doesn’t verify the developers on their skills store. In other words, phishing scammers could pose as legitimate developers to fool unwitting consumers into sharing private information.

Alexa best practices

To mitigate these privacy concerns, you need to know some best practices:

  • Routinely delete your voice recordings: At the end of every day, ask Alexa to delete your recordings. You can also choose to delete your entire history of recordings in the Alexa app.

  • Review your history to see what was recorded: In the Alexa app you can listen to your entire history of voice recordings to understand what information may have been collected.

  • Opt out of the quality assurance program: This is how you can ensure your recordings aren’t being sampled and exposed to Amazon’s team of specialists.

  • Mute the microphone when not in use: By physically turning off your Alexa device’s microphone, you won’t be able to make requests, but you also won’t risk unwanted recording.

For more information about online security, check out our Total Defense Security Blog or contact us to speak with an expert.