Amazon promised you could delete your children's voice recordings, but the government found they kept those recordings forever — even after parents asked for them to be deleted. Fire TV uses the same Alexa system. Amazon was fined $25 million for this, and 30,000 employees could listen to recordings without any reason. Amazon says they don't sell your data, but the Fire TV remote app tracks your precise GPS location and the device constantly talks to Amazon's advertising servers. A TV remote doesn't need to know where you are — the location data is used for targeted advertising.
What they claim: The Fire TV companion app requests RECORD_AUDIO for voice remote functionality.
What we found: The companion app requests RECORD_AUDIO, but the device also connects to api.amazonalexa.com and avs-alexa-na.amazon.com. The FTC found that Alexa retained voice recordings indefinitely and gave 30,000 employees access. Mozilla found that even deleted voice recordings don't erase transaction data. The app also requests COLLECT_METRICS and CUSTOMER_ATTRIBUTE_SERVICE — custom Amazon permissions for data harvesting.
What they claim: Amazon's ACR page states it collects viewing data "to improve products and services" and reduce repetitive ads.
What we found: Mozilla rates Fire TV as "Very creepy" and found Amazon collects: precise geolocation, biometric data (voice profiles), sensitive classifications (age, gender, race, sexual orientation), shopping habits, and viewing data. ACR captures audio fingerprints of content across all inputs. Amazon shares data with "numerous third parties including advertisers and subsidiaries (Ring, Blink, Eero)." The stated purpose of "fewer repetitive ads" understates the scale of data collection.
What they claim: Fire TV Stick is certified as a simple "Digital Media Receiver" by the FCC.
What we found: The FCC filing certifies the device as a "Digital Media Receiver" supporting Wi-Fi 6E and Bluetooth. But Bitdefender found three security vulnerabilities (CVE-2023-1383, CVE-2023-1384, CVE-2023-1385) that allowed unauthorized device control, arbitrary JavaScript execution, and service registration bypass. The device's always-on Alexa integration and ACR system make it far more than a passive media receiver — it's an active surveillance and advertising platform with documented security flaws.
What they claim: Amazon Privacy Notice states users can request deletion of their data and children's data.
What we found: The FTC and DOJ found that Amazon violated COPPA by retaining children's Alexa voice recordings indefinitely, even after parents requested deletion. Amazon gave 30,000 employees access to voice recordings without business need. Over 800,000 children had Alexa profiles. Settlement: $25 million penalty. Fire TV uses Alexa as its primary voice interface.
What they claim: Amazon states it does not sell personal data and uses interest-based ads responsibly.
What we found: The Fire TV companion app requests ACCESS_FINE_LOCATION and ACCESS_COARSE_LOCATION for a TV remote control app. The device contacts aax-us-east.amazon-adsystem.com and mads-eu.amazon.com (Amazon advertising endpoints). Amazon's advertising revenue exceeded $46 billion in 2023, making Fire TV primarily an ad delivery platform.
What they claim: Amazon describes Fire TV as a "streaming media player" focused on entertainment.
What we found: The FCC filing describes the device as a "Digital Media Receiver", but the firmware contains hardcoded connections to device-metrics-us.amazon.com (telemetry), fls-na.amazon.com (analytics), mads-eu.amazon.com (mobile ads), and aax-us-east.amazon-adsystem.com (ad exchange). The device's ACR system captures audio fingerprints of everything you watch. Amazon's ad revenue ($46B in 2023) dwarfs hardware revenue.
What they claim: Amazon states that ACR data collection is optional and can be disabled.
What we found: While ACR can be toggled off in settings, the device still contacts device-metrics-us.amazon.com, fls-na.amazon.com (analytics), and mads-eu.amazon.com (ads) regardless of ACR settings. App usage data, search queries, voice commands, and navigation patterns are collected separately from ACR. Disabling ACR only stops content fingerprinting — it does not stop the extensive background data collection.
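To check this on your own network, the added example below (not part of the original report) counts DNS queries from one device to the endpoints named on this page, so the same tally can be compared with ACR on and off. It assumes a dnsmasq-style query log such as Pi-hole writes; the sample log lines and the client address 192.168.1.50 are constructed.

```python
import re
from collections import Counter

# Hostnames and their purposes as listed in this report.
ENDPOINTS = {
    "device-metrics-us.amazon.com": "telemetry",
    "fls-na.amazon.com": "analytics",
    "mads-eu.amazon.com": "mobile ads",
    "aax-us-east.amazon-adsystem.com": "ad exchange",
    "api.amazonalexa.com": "alexa voice",
    "avs-alexa-na.amazon.com": "alexa voice",
}

# dnsmasq query lines look like: "query[A] host.example from 192.0.2.1"
QUERY_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")

def classify(hostname):
    """Return the report's category for a hostname (or a subdomain of it)."""
    host = hostname.lower().rstrip(".")
    for known, purpose in ENDPOINTS.items():
        if host == known or host.endswith("." + known):
            return purpose
    return None

def summarize(log_lines, device_ip):
    """Count categorized queries issued by one client IP."""
    counts = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and m.group(2) == device_ip:
            purpose = classify(m.group(1))
            if purpose:
                counts[purpose] += 1
    return counts

# Constructed sample log; 192.168.1.50 is assumed to be the Fire TV.
SAMPLE_LOG = """\
Jan 12 20:14:03 dnsmasq[812]: query[A] device-metrics-us.amazon.com from 192.168.1.50
Jan 12 20:14:03 dnsmasq[812]: forwarded device-metrics-us.amazon.com to 9.9.9.9
Jan 12 20:14:09 dnsmasq[812]: query[AAAA] fls-na.amazon.com from 192.168.1.50
Jan 12 20:14:11 dnsmasq[812]: query[A] mads-eu.amazon.com from 192.168.1.50
Jan 12 20:14:12 dnsmasq[812]: query[A] MADS-EU.amazon.com. from 192.168.1.50
Jan 12 20:14:20 dnsmasq[812]: query[A] aax-us-east.amazon-adsystem.com from 192.168.1.77
Jan 12 20:14:31 dnsmasq[812]: query[A] www.example.org from 192.168.1.50
""".splitlines()

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG, "192.168.1.50")))
```

Run it over a capture taken with ACR enabled and another with ACR disabled; if the telemetry, analytics and ad counts do not drop, the setting only affects content fingerprinting.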
What they claim: The companion app includes the Bugsnag crash-reporting tracker.
What we found: Exodus Privacy identified Bugsnag as a tracker in the Fire TV app. The Alexa app (which also controls Fire TV) includes 3 trackers: Amazon Analytics, Bugsnag, and Facebook Flipper. The Alexa app requests 113 permissions including READ_SMS, SEND_SMS, READ_CONTACTS, CALL_PHONE, CAMERA, and ACTIVITY_RECOGNITION. Mozilla notes that over 100,000 third-party Alexa Skills operate under separate privacy policies with inconsistent protections.
What they claim: Amazon claims Fire TV is secure and that "we take security seriously."
What we found: Bitdefender discovered three CVEs in Fire TV devices in December 2022 that were not patched until April 2023 — four months of exposure. CVE-2023-1385 allowed unauthorized device takeover via PIN brute forcing. CVE-2023-1384 allowed arbitrary code execution. The FTC separately found that Amazon gave 30,000 employees access to Alexa voice recordings, and the $5.8M Ring settlement showed systemic security-culture failures across Amazon's device ecosystem.
What they claim: Amazon claims to minimize data collection to what is necessary for the service.
What we found: The Fire TV companion app requests READ_PHONE_STATE (access to phone number, IMEI, call status), GET_ACCOUNTS (access to all accounts on the device), READ_EXTERNAL_STORAGE / WRITE_EXTERNAL_STORAGE (full file system access), and custom permissions like CALL_AMAZON_DEVICE_INFORMATION_PROVIDER and CAN_CALL_MAP_INFORMATION_PROVIDER. A TV remote control needs none of these.
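The permission findings above can be reproduced against any companion app with a short manifest audit. This is an added example, not the report's own tooling: it assumes an AndroidManifest.xml already decoded to text (for instance by apktool), and the sample manifest, its package name and the com.example.vendor permission namespace are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard permissions this report says a TV remote app does not need.
# The grouping labels are this example's own.
FLAGGED = {
    "ACCESS_FINE_LOCATION": "location",
    "ACCESS_COARSE_LOCATION": "location",
    "READ_PHONE_STATE": "device identity",
    "GET_ACCOUNTS": "accounts",
    "READ_EXTERNAL_STORAGE": "storage",
    "WRITE_EXTERNAL_STORAGE": "storage",
}

def audit(manifest_xml):
    """Return (flagged standard permissions by concern, custom permissions)."""
    root = ET.fromstring(manifest_xml)
    flagged, custom = {}, []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            short = name.rsplit(".", 1)[-1]
            if name.startswith("android.permission."):
                if short in FLAGGED:
                    flagged.setdefault(FLAGGED[short], []).append(short)
            elif name:
                # Vendor-defined permission outside the platform namespace.
                custom.append(name)
    return flagged, sorted(custom)

# Constructed sample manifest (not the real Fire TV app's manifest).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.remote">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="com.example.vendor.permission.COLLECT_METRICS"/>
</manifest>
"""

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```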