Amazon says the Echo Show is designed to protect your privacy, but the companion app demands access to your text messages, phone calls, contacts, and background location — capabilities that go far beyond controlling a smart display. Amazon promises you can delete your voice recordings and control your data, but the FTC caught them keeping children's recordings forever — even after parents asked them to delete them. Amazon was fined $25 million. They also removed the option to keep voice recordings off their servers entirely.
What they claim: Amazon states Visual ID "uses on-device facial recognition" processed locally on the AZ1 chip, not sent to cloud. The privacy page emphasizes that "Visual ID data stays on your device."
What we found: The Echo Show 10 connects to at least 9 known Amazon cloud endpoints including device-metrics-us.amazon.com, api.amazonalexa.com, and dp-gw-na.amazon.com. DFRWS USA 2024 forensic analysis of Echo Show 15 found local artifacts including Visual ID movement and user detection logs, suggesting the device maintains detailed records of when it detects and identifies people. The camera must remain always-on for Visual ID and motion tracking to function — creating continuous visual surveillance of the home environment.
What they claim: Echo Show 10 includes a 13MP camera on a motorized base that rotates +/- 175 degrees to track and follow users around the room. Amazon markets this as "auto-framing" for video calls.
What we found: FTC's Ring settlement (2023) found Amazon allowed employees unrestricted access to camera feeds — one employee viewed thousands of recordings from 81+ female users' bedroom and bathroom cameras. Combined with Echo Show 10's motorized tracking camera, this demonstrates a pattern: Amazon deploys increasingly capable camera hardware while maintaining inadequate internal access controls. The device's rotation motor (BLDC, 27 slots, 30 poles) enables physical surveillance tracking that no other consumer device offers.
What they claim: The Echo Show 10 is a smart display with voice assistant, camera, and smart home hub capabilities. Its core functions are: displaying information, video calls, music playback, and smart home control.
What we found: The Alexa app requests SMS permissions (READ_SMS, RECEIVE_SMS, SEND_SMS, RECEIVE_MMS) despite the Echo Show 10 having no cellular modem or SIM card. It requests CALL_PHONE and ANSWER_PHONE_CALLS despite being a Wi-Fi-only device. The firmware shows radio capabilities limited to WiFi, Bluetooth, Zigbee, and Amazon Sidewalk (LoRa) — no cellular connectivity. These phone/SMS permissions can only function by accessing the paired smartphone's capabilities, effectively turning the phone into a surveillance relay.
What they claim: Amazon's Alexa Privacy Hub states the device has a "microphone/camera off button" and physical camera shutter for privacy control. Amazon emphasizes "controls you can see, hear, and touch."
What we found: The Alexa app includes Facebook Flipper as an analytics tracker, alongside Amazon Analytics and Bugsnag. The app requests FOREGROUND_SERVICE_CAMERA, FOREGROUND_SERVICE_MICROPHONE, and FOREGROUND_SERVICE_LOCATION — allowing camera, microphone, and location access to persist even when the app is in the background. Physical privacy controls on the device do not disable the companion app's ability to access the phone's own camera, microphone, and location.
What they claim: Amazon's Alexa Privacy Hub claims privacy is a core design principle.
What we found: The Alexa app collects AD_ID (advertising identifier) and includes Facebook Flipper and Amazon Analytics trackers. Flipper is a Facebook debugging/analytics framework that can expose app internals and user interaction data. The FTC's 2023 settlement found Amazon used children's data to train algorithms in violation of COPPA. The presence of advertising identifiers and third-party trackers in an app used to control a device with an always-on camera and microphone contradicts Amazon's privacy-first messaging.
What they claim: The Echo Show 10 runs a Chromium-based browser engine for displaying web content, Skills interfaces, and visual responses.
What we found: ZDI-20-537 (CVSS 8.8) demonstrated remote code execution on Echo Show via an integer overflow in the Chromium engine. The device was running an outdated browser version. Check Point Research (2020) found XSS vulnerabilities in Alexa subdomains enabling account takeover, voice history access, and skill installation without consent. Combined with the app's 57 permissions and the device's camera/microphone, a browser-based exploit could compromise both the device and the paired smartphone's data.
What they claim: Amazon's Alexa Privacy page states that Alexa only listens after detecting the wake word, and that the "streaming indicator" (blue light) shows when audio is being sent to the cloud.
What we found: CVE-2018-11567 demonstrated that malicious Alexa Skills could use empty reprompts to silently continue listening without triggering the streaming indicator. CVE-2022-25809 (AvA attack) showed Echo devices can be made to issue voice commands to themselves. Research found Echo Dots record and transmit audio without wake word activation — 70% triggered by TV sounds, 30% by human voices. A 125-hour Netflix test triggered unintended activations with the device staying awake 20-43 seconds per false trigger.
What they claim: Amazon Privacy Hub states Echo devices are "designed to protect your privacy" with "multiple layers of privacy and security." Alexa Privacy page emphasizes user control over the Alexa experience.
What we found: The Alexa companion app (com.amazon.dee.app) requests 57 permissions including READ_SMS, RECEIVE_SMS, SEND_SMS, RECEIVE_MMS, READ_CONTACTS, CALL_PHONE, ANSWER_PHONE_CALLS, ACCESS_BACKGROUND_LOCATION, and GET_ACCOUNTS. These permissions grant access to text messages, phone calls, contacts, and persistent location tracking — far exceeding what is needed for a smart display.
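The permission review described here and in the SMS/telephony finding above can be reproduced on any companion app's manifest. The following is an added example, not code from the report or from Amazon: it parses a constructed AndroidManifest excerpt (the permission names are the ones cited above; the baseline of what a Wi-Fi smart-display controller plausibly needs and the risk categories are this example's own assumptions) and reports which requested permissions reach the phone's own messages, calls, location and sensors.

```python
"""Audit an Android companion app's requested permissions against a baseline.
Added example; manifest excerpt, baseline and categories are constructed/assumed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest excerpt (not the real Alexa app manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.companion">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MICROPHONE"/>
</manifest>"""

# Assumed baseline: what a Wi-Fi smart-display companion plausibly needs
# (network, Bluetooth setup, camera/mic for calls, foreground location for Wi-Fi scans).
BASELINE = {"INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE", "BLUETOOTH",
            "BLUETOOTH_CONNECT", "BLUETOOTH_SCAN", "CAMERA", "RECORD_AUDIO",
            "ACCESS_FINE_LOCATION", "POST_NOTIFICATIONS"}

# Assumed risk categories: permissions that reach the phone's own data or sensors.
CATEGORIES = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS", "RECEIVE_MMS"},
    "telephony": {"CALL_PHONE", "ANSWER_PHONE_CALLS", "READ_PHONE_STATE"},
    "background_location": {"ACCESS_BACKGROUND_LOCATION"},
    "background_sensors": {"FOREGROUND_SERVICE_CAMERA", "FOREGROUND_SERVICE_MICROPHONE",
                           "FOREGROUND_SERVICE_LOCATION"},
    "identity": {"READ_CONTACTS", "GET_ACCOUNTS"},
}

def requested_permissions(manifest_xml):
    """Return the short names (e.g. READ_SMS) of every <uses-permission> entry."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
            for el in root.iter("uses-permission")]

def audit(manifest_xml):
    """Summarise permissions beyond the baseline, grouped by risk category."""
    requested = set(requested_permissions(manifest_xml))
    excess = requested - BASELINE
    flagged = {cat: sorted(excess & perms) for cat, perms in CATEGORIES.items() if excess & perms}
    return {"requested": len(requested), "excess": sorted(excess), "flagged": flagged}

if __name__ == "__main__":
    for cat, perms in audit(SAMPLE_MANIFEST)["flagged"].items():
        print(f"{cat}: {', '.join(perms)}")
```

On a real APK, feed the output of `aapt dump permissions` or the decoded AndroidManifest.xml to `audit()` instead of the constructed excerpt.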
What they claim: Amazon Privacy Notice states users can request deletion of their data and voice recordings. Alexa Privacy Hub claims "You are in control of your Alexa experience" with options to manage and delete recordings.
What we found: FTC found (Case 192-3128, May 2023) that Amazon violated COPPA by retaining children's Alexa voice recordings indefinitely even after parents requested deletion. Amazon gave 30,000 employees access to user voice recordings without business need. $25 million settlement. Separately, as of March 2025, Amazon removed the "Do Not Send Voice Recordings" option, eliminating users' ability to keep voice data off Amazon's cloud.
What they claim: The Echo Show 10 supports Amazon Sidewalk (902.5-926.5 MHz LoRa) alongside WiFi, Bluetooth, and Zigbee — six wireless protocols total, creating a mesh network that extends beyond the user's home.
What we found: FCC filing 2AUPE-8959 confirms Sidewalk radio capability at 902.5-926.5 MHz ISM band. Amazon Sidewalk shares a portion of the user's internet bandwidth with neighbours' Amazon devices, creating a neighbourhood mesh network. This was enabled by default without explicit opt-in. The FCC filing describes the device as a "Digital Media Receiver" — no mention of mesh networking, bandwidth sharing, or neighbourhood-scale data relay capabilities that Sidewalk enables.