Many of the things we take for granted in our daily lives would have been straight-up science fiction not so long ago. Wristwatch-based communications? Check. Rockets that come back to earth and land? You betcha. Even fundamental technologies like cellular phones and touch-screen tablets and phones exist in the real world because fans were inspired by seeing similar devices on “Star Trek.”
Another innovation that would have seemed outlandish and nearly magical a few short years ago is voice assistant technology like Apple’s Siri and Amazon’s Alexa. Having an electronic valet to do your bidding is still new enough to feel slightly surreal. Of course, novelty can also feel threatening, and new technologies often have legitimate downsides. You might have heard or read stories of Alexa spying or eavesdropping on users, for example. So should you be worried?
Is Alexa Spying?
If you’re a fan of old movies, you’ve probably seen conspirators shush each other with the muttered caution that “the walls have ears.” That kind of paranoia about eavesdropping would have been rather theatrical in a day when snoops had to resort to literally pressing their ears to a wall or door, but it’s decidedly less so when you deliberately bring a (potential) surveillance device into your living room.
Like your phone, your Amazon Echo devices are equipped with a microphone, and it’s always listening in case you ask it to do something (that’s what it’s for, after all). If you have an Echo Show device, those contain a camera as well and could theoretically be co-opted to watch you or even record you.
You don’t need a degree in marketing to know that these concerns could rapidly torpedo a product like Alexa unless it was secured very well indeed. Amazon, accordingly, employs a lot of smart people to do just that. So spying shouldn’t be a major worry for you if you love your Alexa device. But there are a few specific things you need to be aware of.
Amazon’s Quality Assurance Program
Amazon draws on its machine-learning AI to process the commands you give to your Alexa device, and they’re pretty good at this. Even the best AI needs to be verified, though, and to do that Amazon culls random, anonymized interactions between Alexa devices and their users. Those audio clips are assessed by live humans, who rate how well the software actually interpreted the users’ wishes.
That’s an important and legitimate part of what makes Alexa work so well, but if you’re privacy-minded it might rub you the wrong way. Amazon allows for this, so you can opt out in your device settings if you wish (we’ll come back to that shortly).
You Can Accidentally Trigger Alexa
Voice assistants are always listening for their audio trigger or wake word, which in Amazon’s case is simply “Alexa” (and “echo” as well, on Echo devices). If you’ve installed additional apps, or skills as Amazon calls them, those will usually have their own wake words. It’s entirely possible, and in fact common, to accidentally trigger your device when you say something that sounds like your wake word.
Use of that word in conversation (“So her little girl says, ‘Hey, Alexa, order me some chocolate ice cream’…”) will do it, and even a mention of Alexa on the news can activate your device. The more skills you install, the greater the number of words (and soundalikes) will bring it to life.
In one freak example, an Alexa device accidentally activated in this way recorded a couple’s conversation and sent the file to a contact of theirs. It’s unlikely, and it’s certainly not a case of Alexa spying, but it was still a significant privacy breach.
You Might Install a Malicious Skill
You may have seen headlines about malicious apps that find their way into the App Store and Play Store, despite Apple and Google’s best efforts, and then steal personal information from their unwitting users. In 2021, security researchers in the U.S. and Germany successfully demonstrated that it was possible to infect Alexa devices with malicious skills in similar ways.
Once installed, skill-based malware might be able to capture personal information from your settings or designate the same wake word as another popular, widely used skill (“skill-squatting”), so you’ll activate the bogus skill along with the real one. A malicious skill could hypothetically make Alexa spy on you by recording audio or video, though it’s more likely any ill-intentioned criminals would be out to steal your identity instead (personal information is more immediately, and reliably, marketable).
Amazon vets its skills aggressively, and the specific vulnerabilities uncovered by these researchers have long since been plugged (and the researchers pointed out that there was no evidence of them being exploited “in the wild”), but the rapid rise in smart speakers’ popularity makes them a high-value target. It’s reasonable and prudent to expect that attackers will occasionally get through.
It’s Not Alexa Spying, but Someone You Trust
Ultimately any voice assistant does what it’s told to, so the likeliest reason for Alexa spying is that it’s been told to by someone with access to your device: a friend, a family member, your significant other or perhaps even just a contact. Even this isn’t necessarily easy or effective, but it’s much more feasible for an insider. The key feature that’s open to misuse is what Amazon calls its “Drop In” capability.
Drop Ins are impromptu virtual “visits” with your contacts, by audio on standard Echo devices or in full video on Echo Show speakers, with their screens and video cameras. Your visitors choose to Drop In on you from their own device or Alexa app, and you can visit with them just as if they’d stopped by your house unannounced.
The potential for this to be misused is pretty clear. Alexa gives you audible and visible alerts when someone asks to Drop In, and you’ll have an opportunity to reject them. If you’re not in the room at the time, though, and don’t reject the call, that contact could eavesdrop or even capture video without you noticing. This kind of thing is catnip for jealous, controlling partners especially, so it’s something to be aware of if you’re in a problematic relationship.
Securing Your Alexa Device
In short, the chances of Alexa spying on you are minimal, but not zero. As with any similar device (including your phone), there are a few things you can do to reduce any potential vulnerabilities.
Opting Out of Amazon’s Human-Review Process
In your Alexa settings (on the app, Amazon’s website or on a touch-screen device) look for a header called Help Improve Alexa. You’ll see a line that says “Use of Voice Recordings,” with a toggle next to it. Slide that to “Off.”
Limiting Skills’ Permissions
Look under Settings for “Alexa Privacy” and then “Manage Skill Permissions.” Go through the list and see which permissions skills have been requested, and turn off any that seem unnecessary (a smart-thermostat skill shouldn’t need access to your contacts, for example).
Limiting the Drop In Feature
There are several ways to limit use of the Drop In feature. You can go into Settings and disable it outright, or use the Do Not Disturb option to temporarily suspend it. You can also grant or deny access to your contacts individually, so only your closest friends and family can use it.
Limiting Your Contacts
When you set up your Alexa device, it will ask for access to your full contacts list. It’s convenient if you want the option of making calls directly to all of your contacts, but otherwise, you’re better off manually choosing which contacts you actually want or need to have on your Alexa device.
Being Aware of Your Alexa Device
A big step in reducing your risk is simply being more aware of the Alexa device. Your Echo lights up the microphone button when the mic is “live,” for example. You can also deliberately mute the mic yourself when the device isn’t in use, and slide the privacy shutter over the camera on an Echo Show. Turn up the volume, so if Alexa is triggered accidentally, you’ll hear it confirm your command.
Reviewing and Deleting Voice Recordings
Your Alexa device will record audio after it hears its wake word, so it can quickly communicate with Amazon’s servers and make sure it understands what you’re asking. Under the Alexa Privacy menu you can choose “Review Voice History” to listen to those recordings and delete them by dragging individual recordings to the trash can or choosing “Delete All” or “Delete Last Seven Days.”
Alternatively, you can tell Alexa to delete everything you’ve ever said and then make it a part of your bedtime routine to say, “Alexa, delete everything I’ve said today.”
Reset Your Alexa Device Before Selling It
Nobody needs to spy on you if you unwittingly give them your information, and that can happen too. Security researchers at Northeastern University bought a batch of used Amazon devices to test, and found that the previous owners sold 60% of them without first performing a factory reset. That’s a really bad idea.
When you set up an Alexa device, it stores a ton of information, including your Wi-Fi passwords, your router’s address and your Amazon credentials, so you’re essentially giving away access to your Amazon account and home network. Your Amazon credentials, in turn, give access to your name and home address, your purchase history, the addresses of friends and family you’ve bought stuff for, and — the kicker — your payment information.
So yeah, reset your device before you resell it (or even return it to the store for a refund). Skillful hackers could still theoretically extract information from a reset device, but without a reset, just about anybody could steal your money or your identity.
The Bottom Line? Just Be Prudent
When all is said and done, the likelihood of Alexa actively spying on you is pretty minimal. It can theoretically happen, but it’s not an especially big risk. As with any other connected device, it’s mostly a question of familiarizing yourself with the potential vulnerabilities and managing them.
If you make a point of getting to know your security settings, and actively managing them, you can enjoy the conveniences offered by your Alexa device without having much to worry about.
- Dick Tracy Wiki — 2-Way Wrist Radio
- Forbes — Why Captain Kirk’s Call Sparked a Future Tech Revolution
- Ars Technica — How Star Trek Artists Imagined the iPad…Nearly 30 Years Ago
- Northeastern University — When Speakers Are All Ears
- National Public Radio — Listen Up: Your AI Assistant Goes Crazy for NPR Too
- The Verge — Amazon Explains How Alexa Recorded a Private Conversation and Sent It to Another User
- Christopher Lentzsch, Sheel Jayesh Shah, Benjamin Andow, Martin Degeling, Anupam Das and William Enck — Hey Alexa, Is This Skill Safe?: Taking a Closer Look at the Alexa Skill Ecosystem.
- Tech Crunch — Every Alexa Privacy Setting and How To Change Them
- Ars Technica — Thinking About Selling Your Echo Dot – or Any IoT Device? Read This First
- Amazon Help & Customer Service — Reset Your Echo (3rd or 4th Generation)