Amazon hired thousands of people in Romania, Costa Rica, India, and Boston to listen to what you said to Alexa. Bloomberg reported in April 2019 that reviewers heard couples having sex, domestic violence, children talking alone, people singing in the shower. The internal tools showed account numbers and first names right next to the recordings. One worker heard what sounded like a sexual assault. Amazon told them it wasn't their job to interfere. Amazon never mentioned human review in Alexa's terms of service -- not until Bloomberg forced them to. You thought you were talking to a machine. You were talking to a room full of strangers with your account number on their screen.
Parents told Alexa to delete their kids' recordings. Amazon said OK -- then kept the transcripts and the AI models trained on children's voices. The delete button was a lie. In May 2023, the FTC fined Amazon $25 million for violating children's privacy law. The FTC's words: "Amazon's hollow promises are not good enough." Amazon also kept children's geolocation data indefinitely -- where your kid was, when, for how long. The same week, Amazon paid another $5.8 million for Ring privacy violations. $30.8 million in fines in one week. The FTC ordered Amazon to delete the children's data AND destroy the AI algorithms trained on it. Your child's voice was training Amazon's AI. The delete button just hid it from you.
What they claim: Amazon states that Echo devices only send audio to the cloud "after the device detects the wake word." Wake word detection is described as running locally on the device.
What we found: Research from Northeastern University and Imperial College London (2020) found that smart speakers including Alexa regularly activate and record audio without the wake word being spoken. The study documented up to 19 false activations per day, with each false activation sending 20-43 seconds of audio to Amazon's cloud servers. Common triggers included words and phrases that phonetically resemble "Alexa" -- dialogue from TV shows, conversations, and background noise. Each false activation creates a recording that is stored on Amazon's servers and subject to human review. With 100 million+ devices active, even a small false activation rate means millions of unintended recordings per day. Amazon added an auto-delete option in 2020 (3 or 18 months) but left the default as "save everything."
What they claim: Amazon markets the Alexa-Ring ecosystem as "home security made easy" and emphasizes user control over video footage and who can access it.
What we found: Ring doorbell footage is accessible through Alexa-enabled devices, creating a unified surveillance ecosystem. Amazon's Ring had partnerships with over 2,000 police departments for footage sharing. In July 2022, Senator Ed Markey revealed that Amazon admitted Ring gave video footage to police WITHOUT warrants or user consent in at least 11 cases, citing "emergency requests." Markey called Ring "a perfect surveillance network." The $5.8 million FTC settlement (May 2023) found Ring employees had unrestricted access to customer videos and that Ring failed to implement adequate security, allowing hackers to take over cameras and harass users, including a case where a hacker spoke to an 8-year-old girl in her bedroom through a Ring camera. The Alexa-Ring integration means your doorbell, your indoor cameras, and your voice assistant feed the same data pipeline.
What they claim: Amazon markets Drop-In as a convenient way to "check in on your kids" and "connect with family members" through instant two-way communication between Echo devices.
What we found: Alexa's Drop-In feature enables instant two-way communication between Echo devices with no ringing and no acceptance required from the receiving end. The only indication is a brief green light on the Echo device. Domestic abuse organizations including the National Network to End Domestic Violence have flagged Drop-In as a surveillance tool used by abusive partners. An abuser can place an Echo in any room and listen in at any time from their phone. The feature normalizes in-home surveillance under the marketing language of family connectivity. Children's bedrooms with Echo devices are continuously monitorable by any family member with Drop-In permissions. Amazon's marketing positions surveillance of family members -- including children -- as a feature, not a concern.
What they claim: Amazon's Alexa privacy page states users have "control over your voice recordings" and can "review, hear, and delete your voice recordings" at any time.
What we found: Amazon's default Alexa setting retains ALL voice recordings indefinitely -- every command, every false activation, every background conversation captured by mistake. In 2020, Amazon added auto-delete options (3 months or 18 months), but the default remained "Don't automatically delete." Users must navigate to Settings > Alexa Privacy > Manage Your Alexa Data to find the option. With 90 billion+ interactions annually, the default creates one of the largest audio surveillance archives in history. Amazon uses retained recordings to train Alexa's AI models, meaning your 2018 voice commands are still training algorithms today unless you manually deleted them. The "control" Amazon offers requires users to actively find and change a setting that Amazon deliberately defaults to maximum data retention.
What they claim: Amazon's Alexa privacy page told parents they could delete their children's voice recordings and that Amazon complied with COPPA. The Alexa parental controls offered a deletion tool.
What we found: In May 2023, the FTC fined Amazon $25 million for violating the Children's Online Privacy Protection Act. The FTC found that when parents used Alexa's deletion tool, Amazon deleted the voice recordings but kept the transcripts and derivative data -- the actual valuable data for training AI models. Amazon retained children's geolocation data indefinitely regardless of deletion requests. The FTC complaint stated: "Amazon's hollow promises are not good enough." Combined with a $5.8 million Ring settlement announced the same week, Amazon paid $30.8 million total. Amazon was ordered to delete ALL improperly retained children's data AND the algorithms trained on that data -- a rare requirement that acknowledged the data's value extended beyond storage into AI model weights.
What they claim: Amazon's Alexa-specific privacy policy and FAQ state Alexa does not use voice recordings for targeted advertising. Amazon has repeatedly told NBC and the New York Times that Alexa does not use voice for ad targeting.
What we found: A peer-reviewed study ("Your Echos are Heard", UC Davis / arXiv, Best Paper at ACM IMC 2023) found Amazon processes Alexa interactions to infer user interests and those inferences drive ad targeting — with up to 30x higher ad auction bids for profiled users. Amazon updated its privacy policy only after the preprint was released in April 2022, confirming the practice was not previously disclosed. In class action litigation (Gray & Horton v. Amazon), Amazon defended itself by arguing the general Amazon.com privacy policy, not the Alexa-specific policy, contains the advertising disclosure — and that users should have read it.
What they claim: Amazon's Alexa for Shopping marketing describes the agent as the world's best, most personalised AI assistant for shopping and states shopping history and device conversations flow in both directions. Amazon's privacy page tells users they have meaningful control via the Alexa Privacy Dashboard.
What we found: The Alexa for Shopping agent combines purchase history, browsing patterns, voice command history from Echo devices, saved payment credentials, and delivery information into a unified cross-platform profile that can autonomously execute financial transactions (Auto-Buy) without per-transaction confirmation. The system launched free for all signed-in Amazon customers with no separate consent step. The About You privacy control only covers declared preferences; it does not allow users to prevent purchase-intent data from feeding advertising. Amazon's state-specific disclosures confirm it shares advertising identifiers and ad value estimates with third-party ad companies.
What they claim: Amazon's Alexa FAQ stated voice recordings are processed by automated systems and that "Alexa lives in the cloud." The original terms did not disclose human review of recordings.
What we found: Bloomberg reported in April 2019 that Amazon employs thousands of workers in Romania, Costa Rica, India, and Boston to listen to and transcribe Alexa voice recordings. Reviewers reported hearing recordings of sexual encounters, domestic violence incidents, children talking, and people singing in showers. Internal tools showed account numbers and first names of users alongside recordings. One reviewer reported hearing what sounded like a sexual assault and was told by Amazon that "it wasn't Amazon's job to interfere." Amazon did not disclose human review in Alexa's terms of service until after Bloomberg's report forced the issue. Amazon's response -- that reviewers don't have "direct access" to identifying information -- was contradicted by their own internal tools displaying account numbers.
What they claim: Amazon describes Sidewalk as "a shared network that helps devices work better" and states users can opt out through Alexa app settings.
What we found: In June 2021, Amazon automatically enrolled every Echo, Ring, and Tile device into Amazon Sidewalk -- a mesh network that donates up to 500 MB of your home internet bandwidth per month to Amazon's network. The enrollment was opt-out, not opt-in. No consent screen appeared. A firmware update silently enabled the feature. Your Echo became a relay node for strangers' devices, and their devices could route through your network. The opt-out was buried four menus deep: Settings > Account Settings > Amazon Sidewalk. Security researchers raised concerns about the expanded attack surface of a neighborhood-wide mesh network routing through residential routers. Amazon's "you can opt out" defense requires you to know the feature exists, find a setting buried four levels deep, and actively disable it on every device.
What they claim: Amazon's Buy for Me feature was presented as a convenience tool for customers, completing purchases on behalf of users from other retailers' websites. Amazon framed it as expanding choice. Amazon simultaneously sued Perplexity AI for using an AI agent to scrape Amazon's website and make purchases on behalf of users — calling it unauthorised access.
What we found: Starting in January 2026, more than 180 small businesses reported receiving orders from buyforme.amazon email addresses for products they had never listed on Amazon. Amazon's agent scraped product images, pricing, and descriptions from retailers' own websites without notice, opt-in, or commission arrangement. Amazon's own lawsuit against Perplexity made the identical accusation — that an AI agent was masking its bots to scrape Amazon pages and complete purchases without authorisation. Amazon's opt-out process required emailing a separate address; affected merchants reported the process was slow.