Amazon has acknowledged that it retains the voice recordings and transcripts of customers’ interactions with its Alexa voice assistant indefinitely. The admission raises questions about how long companies should be able to save highly-personal data collected from voice assistant devices.
After U.S. Senator Chris Coons (D-Del.) demanded Amazon outline its data privacy policies, Amazon in a letter that was publicly disclosed on Tuesday said that consumers have the option to delete their recordings – but even if they do, the company or third-party developers may still save records of customers’ interactions with Alexa.
“Amazon’s acknowledgement has only left users with further concerns regarding the privacy of their data,” Tim Mackey, principal security strategist, with Synopsys’ Cybersecurity Research Center (CyRC), told Threatpost. “That it took an official request from a U.S. Senator to uncover this data retention policy indicates that data collection and retention policies were not readily available to the public… Had Amazon originally disclosed that Alexa retained transcripts of all data processed by the service for an indefinite time, it’s likely that Alexa adoption wouldn’t be what it is today.”
Amazon said that it keeps data “to provide the Alexa service and improve the customer experience” for its Echo devices. The company also said that it needed to retain certain “records” regardless of whether the audio and transcripts had been deleted by the consumer or not. For instance, if a consumers uses Alexa to request a car from Uber or order a pizza from Domino’s, Amazon or the applicable skill developer would keep a record of that transaction.
“When a customer deletes a voice recording, we delete the transcripts associated with the customer’s account of both of the customer’s request and Alexa’s response,” according to the letter by Brian Huseman, vice president of Public Policy at Amazon. “We already delete those transcripts from all of Alexa’s primary storage systems, and we have an ongoing effort to ensure those transcripts do not remain in any of Alexa’s other storage systems… However, we may still retain other records of customers’ Alexa interactions, including records of actions Alexa took in response to the customer’s request.”
The fact that Amazon saves this data is a “clear example” of why data retention is a key component of regulations like General Data Protection Regulations (GDPR), Mackey said. For instance, Article 5 of GDPR establishes that data retention should be “for no longer than is necessary for the purposes for which the personal data are processed,” he said.
“Clearly an indefinite retention in any form is far longer than is necessary for Alexa to respond to a request for a Skill,” said Mackey. “An example of a more customer centric policy might be if Amazon had only retained transcripts of failed Skills activations for the purposes of improvement for a period not longer than the update cycle for Alexa software. In that case, the policy aligns with customer objectives and has a clear end date.”
In a tweet, Coons said he was still concerned about data privacy on Echo devices: “Amazon’s response leaves open the possibility that transcripts of user voice interactions with Alexa are not deleted from all of Amazon’s servers, even after a user has deleted the voice recording.”
I wrote Amazon in May with concerns about the privacy practices for Alexa devices. I’m encouraged that Amazon's response demonstrates an understanding of the importance of and a commitment to protecting users’ personal information. However, I still have concerns.
— Senator Chris Coons (@ChrisCoons) July 2, 2019
The level of data being saved and shared by Amazon is heightening concerns about privacy policies when it comes to voice assistant devices – but it’s not just Amazon.
Google for its part also acknowledged that its saves a history of user voice interactions with Google Home voice assistant devices until consumers choose to delete them – and, like Amazon, may also retain customer interaction data even if that has been manually deleted from the account.
“When you delete items from My Activity, they are permanently deleted from your Google Account,” according to Google’s privacy policy. “However, Google may keep service-related information about your account, like which Google products you used and when, to prevent spam and abuse and to improve our services. ”
Neither Google nor Amazon immediately responded to a request for comment from Threatpost.
Amazon continues to find itself in hot water regarding privacy policies around its Echo devices. In April, Amazon came under fire after a report revealed the company employs thousands of auditors to listen to Echo users’ voice recordings. Last year Amazon inadvertently sent 1,700 audio files containing recordings of Alexa interactions by a customer to a random person –and later characterized it as a “mishap” that came down to one employee’s mistake.