Amazon tells you they'll delete your voice recordings when you ask. The US government found they kept children's recordings forever, even when parents specifically asked them to delete them. They also kept written copies of what you said after claiming to delete the audio. Amazon says your Echo only listens when you say the wake word. Researchers found it regularly records and sends audio to Amazon's servers when triggered by TV shows and normal conversation — without anyone saying "Alexa". Amazon also removed the option to keep your voice recordings off their servers.
What they claim: Echo Dot is marketed as a smart speaker for playing music, answering questions, and controlling smart home devices. Amazon's privacy page focuses on voice interaction data.
What we found: The Alexa companion app (v2.2.669603.0) requests READ_SMS, SEND_SMS, RECEIVE_SMS, and RECEIVE_MMS permissions — full access to read, send, and receive text messages. It also requests READ_CONTACTS and CALL_PHONE. These messaging permissions go far beyond what a smart speaker requires. Amazon's privacy notice does not prominently disclose SMS monitoring capabilities.
What they claim: Echo Dot is a speaker with no camera. The device hardware contains microphones and a speaker only.
What we found: The Alexa companion app requests CAMERA and FOREGROUND_SERVICE_CAMERA permissions despite the Echo Dot 5th Gen having no camera hardware. The app also requests ACCESS_MEDIA_LOCATION, READ_MEDIA_IMAGES, and READ_MEDIA_VIDEO — access to photos and videos on the phone including their location metadata.
What they claim: Amazon states that Alexa processes requests in the cloud and returns responses. The privacy page implies communication is limited to user-initiated voice requests.
What we found: A hardware teardown reveals 9 hardcoded Amazon cloud endpoints, including device-metrics-us.amazon.com (telemetry), unagi-na.amazon.com (analytics), and softwareupdates.amazon.com. The device contacts these endpoints continuously, not just during voice interactions. Combined with four always-on far-field microphones (TI TLV320ADC5140 ADC) and the AZ2 neural processor, the device maintains persistent cloud connectivity beyond what voice assistance requires.
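One way to check the continuous-contact finding on your own network is to count the Echo's DNS lookups for the named endpoints per hour. This is an added example, not part of the original analysis; it assumes a resolver that writes dnsmasq `--log-queries` lines, and the device IP and log lines are constructed.

```python
import re
from collections import defaultdict

# The three endpoints named in the finding above (the other six are not listed on this page).
ENDPOINTS = {"device-metrics-us.amazon.com", "unagi-na.amazon.com",
             "softwareupdates.amazon.com"}

QUERY_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) (?P<hour>\d{2}):\d{2}:\d{2} dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")

# Constructed sample log; 192.168.1.50 is a hypothetical Echo address.
SAMPLE_LOG = """\
Mar 10 01:05:11 dnsmasq[512]: query[A] device-metrics-us.amazon.com from 192.168.1.50
Mar 10 01:40:02 dnsmasq[512]: query[A] device-metrics-us.amazon.com from 192.168.1.50
Mar 10 03:12:45 dnsmasq[512]: query[AAAA] device-metrics-us.amazon.com from 192.168.1.50
Mar 10 03:13:00 dnsmasq[512]: query[A] unagi-na.amazon.com from 192.168.1.50
Mar 10 04:00:09 dnsmasq[512]: query[A] softwareupdates.amazon.com from 192.168.1.50
Mar 10 04:30:00 dnsmasq[512]: query[A] device-metrics-us.amazon.com from 192.168.1.77
Mar 10 04:31:00 dnsmasq[512]: reply device-metrics-us.amazon.com is 192.0.2.10
Mar 11 01:10:00 dnsmasq[512]: query[A] device-metrics-us.amazon.com from 192.168.1.50
""".splitlines()

def endpoint_activity(lines, device_ip, endpoints=ENDPOINTS):
    """Per endpoint: total queries from device_ip and distinct (day, hour) buckets seen."""
    counts = defaultdict(int)
    hours = defaultdict(set)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m or m["client"] != device_ip:
            continue  # skip replies, malformed lines and other hosts
        name = m["name"].lower().rstrip(".")
        if name in endpoints:
            counts[name] += 1
            hours[name].add((m["day"], m["hour"]))
    return {n: {"queries": counts[n], "active_hours": len(hours[n])} for n in counts}

if __name__ == "__main__":
    for name, stats in sorted(endpoint_activity(SAMPLE_LOG, "192.168.1.50").items()):
        print(f"{name}: {stats['queries']} queries in {stats['active_hours']} distinct hours")
```

Comparing the active hours against the times someone actually spoke to the device shows how much traffic is unrelated to voice requests; because of DNS caching, the query count is a lower bound on connections.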
What they claim: Echo Dot is a consumer smart speaker. The companion app's permission profile exceeds what the device hardware requires.
What we found: The Alexa app demands 57 permissions including: REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (prevents Android from limiting background activity), RECEIVE_BOOT_COMPLETED (starts automatically when phone boots), SYSTEM_ALERT_WINDOW (can draw over other apps), WRITE_SETTINGS (can modify phone settings), and SCHEDULE_EXACT_ALARM. Combined with background location, SMS, contacts, and camera access, this permission set resembles surveillance software more than a speaker remote control.
What they claim: Amazon privacy page states: "No audio is stored or sent to the cloud unless the device detects the wake word." Amazon also states users can request deletion of voice recordings.
What we found: FTC settlement (2023-05-31): Amazon retained children's voice recordings indefinitely, even after parents explicitly requested deletion. Amazon kept text transcripts after deleting audio without informing users. 30,000 Amazon employees had access to Alexa voice recordings without business justification. The FTC imposed a $25 million penalty for COPPA violations.
What they claim: Amazon's privacy notice states data is shared with "service providers" and for "business purposes." Amazon markets Alexa as a helpful assistant focused on the user's experience.
What we found: The FTC found Amazon gave 30,000 employees access to Alexa voice recordings without business justification. Ring employees had unrestricted access to customers' home security camera feeds, including bedroom cameras — one employee viewed thousands of recordings from 81 female users. This level of internal access is not disclosed in Amazon's privacy policies.
What they claim: Amazon's Alexa privacy page focuses on voice data collection and does not prominently disclose location tracking beyond IP-based coarse location.
What we found: The Alexa app requests ACCESS_FINE_LOCATION (GPS-level precision), ACCESS_COARSE_LOCATION, and ACCESS_BACKGROUND_LOCATION — continuous GPS tracking even when the app is not in use. Combined with ACCESS_MEDIA_LOCATION (photo GPS data), this enables comprehensive location profiling. A stationary smart speaker has no need for background GPS tracking of the user's phone.
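The permission findings above (SMS, contacts, camera and media, persistence, location) can be reproduced for any companion app by auditing its manifest. This is an added example, not part of the original analysis; it assumes the manifest has already been decoded to text XML (for example with apktool), and the sample manifest, package name and grouping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission names are the ones this page reports; the grouping is this example's assumption.
GROUPS = {
    "sms": {"READ_SMS", "SEND_SMS", "RECEIVE_SMS", "RECEIVE_MMS"},
    "contacts_calls": {"READ_CONTACTS", "CALL_PHONE"},
    "camera_media": {"CAMERA", "FOREGROUND_SERVICE_CAMERA", "ACCESS_MEDIA_LOCATION",
                     "READ_MEDIA_IMAGES", "READ_MEDIA_VIDEO"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
                 "ACCESS_BACKGROUND_LOCATION"},
    "persistence": {"REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", "RECEIVE_BOOT_COMPLETED",
                    "SYSTEM_ALERT_WINDOW", "WRITE_SETTINGS", "SCHEDULE_EXACT_ALARM"},
    "advertising": {"AD_ID"},
}

# Constructed sample manifest (hypothetical package), not the real Alexa manifest.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.companion">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Full permission names from <uses-permission> and <uses-permission-sdk-23>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def audit(manifest_xml, expected_groups=()):
    """Map each group the app's stated features do not explain to the permissions hit."""
    short = {n.rsplit(".", 1)[-1] for n in requested_permissions(manifest_xml)}
    return {group: sorted(short & members)
            for group, members in GROUPS.items()
            if group not in expected_groups and short & members}
```

Calling `audit(SAMPLE_MANIFEST)` returns the sensitive groups the sample requests; pass `expected_groups` for capabilities the product's documented features do justify, and what remains is the gap between marketing and manifest.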
What they claim: The Alexa app includes third-party tracking libraries. Amazon's privacy page describes data processing as being done by Amazon for the user's benefit.
What we found: Exodus Privacy report (v2.2.669603.0, March 2026) detected 3 trackers embedded in the Alexa app: Amazon Analytics (internal analytics), Bugsnag (third-party crash reporting), and Facebook Flipper (Facebook/Meta debugging and analytics tool). The presence of a Facebook/Meta tracker in an Amazon smart home control app is not disclosed in Amazon's Alexa privacy documentation.
What they claim: Amazon's FTC settlement required them to implement better privacy practices and data handling. The company committed to improved privacy controls.
What we found: Despite the 2023 FTC settlement requiring better privacy practices, the Alexa app (v2.2.669603.0, analyzed March 2026) still requests 57 permissions, including background location tracking, SMS access, and contact reading, and includes a Facebook/Meta tracker. The app's permission scope has not been reduced since the settlement. The AD_ID permission and Facebook Flipper tracker indicate ongoing advertising data collection.
What they claim: Amazon markets the Echo Dot as a secure, trusted device for your home. The Alexa privacy page emphasizes security measures and user control.
What we found: Three CVEs affect Echo devices: CVE-2022-25809 allows an attacker to make the Echo issue commands to itself via a malicious Alexa Skill or Bluetooth pairing ("Alexa vs Alexa" attack) — enabling unauthorized purchases, phone calls, and smart home control. CVE-2017-13077 and CVE-2017-13078 (KRACK) allowed Wi-Fi traffic decryption on Echo devices. Amazon patched KRACK in 2019, two years after disclosure.
What they claim: Amazon privacy page claims: "No audio is stored or sent to the cloud unless the device detects the wake word." The device is marketed as only listening for the wake word.
What we found: Independent research (21-day network traffic study) found Echo Dots record and transmit audio without wake word activation — 70% of recorded instances were triggered by TV sounds and 30% by human voices. A separate 2020 study found 125 hours of Netflix dialogue triggered unintended activations, with Echo Dot 2nd gen staying awake 20-43 seconds per false trigger. In March 2025, Amazon removed the "Do Not Send Voice Recordings" option, forcing all voice data to cloud servers.
What they claim: Amazon Privacy Notice states: "We know that you care how information about you is used and shared, and we appreciate your trust that we will do so carefully and sensibly." Amazon's Alexa page claims users have control over their data.
What we found: In March 2025, Amazon removed the "Do Not Send Voice Recordings" feature from Echo devices, eliminating the last option for users to keep voice data off Amazon's cloud servers. This was done to support the new Alexa+ generative AI service. Previously, Echo Dot 4th Gen and other models could process voice locally. Amazon auto-enabled "Don't Save Recordings" as a replacement, but this still sends all audio to the cloud — it just deletes it after processing.