• Amazon Echo privacy change: Amazon will remove the “Do Not Send Voice Recordings” setting on March 28, sending all recordings to the cloud.
• Security reminder: HIPAA-covered entities should review policies and warn staff to keep Alexa away from sensitive conversations.
• Privacy concerns: Amazon’s past violations, including a $31M settlement, raise doubts about voice data security.

Amazon Ends Privacy Setting on Echo Devices 

Amazon’s recent announcement that it will discontinue the “Do Not Send Voice Recordings” feature for Echo smart speakers on March 28 raises concerns regarding privacy.

Smart assistants with voice-activated controls, such as Amazon Echo, Apple Siri, and Google Assistant Devices, may accidentally activate and record sensitive discussions in hospitals, clinics, or telehealth sessions, exposing protected health information (PHI) to third parties or unauthorized personnel. Most often, the settings on these devices are not configured for privacy, which means these unsecured recording devices may not comply with encryption, access control, and other necessary protections for safeguarding PHI.

“For many years, we have advised HIPAA-covered entities to maintain a written policy—we can provide a sample policy—and to provide staff training that prohibits the use or presence of listening devices such as Alexa or Siri,” said PrivaPlan President David Ginsberg. “These devices can be accidentally turned on and record conversations with protected health information.”   

The “Do Not Send Voice Recordings” privacy feature for Echo smart speakers has allowed compatible Echo devices to process the audio of Alexa requests locally on the device.  After March 28, unless users proactively change their settings, all their voice recordings will be sent to Amazon’s cloud for processing before being deleted. 

“We advise issuing a security reminder to all workforce members, especially those working from home, who may have smart devices in or near their workspace,” said Ginsberg. 

Amazon Alerts Customers to Changes   

Amazon emailed affected users, explaining that the change supports Alexa’s new generative AI features, which require cloud processing. The update impacts 4th-generation Echo Dot, Echo Show 10, and Echo Show 15 devices set to English in the U.S.  

The company noted that fewer than 0.03% of customers used this feature but did not provide the number of customers that percentage equates to. It is estimated that many customers own at least two Echo devices. 

When the “Do Not Send Voice Recordings” setting is removed, those who previously used this setting will be automatically switched to the “Do Not Save Voice Recordings” option. While this enhances privacy, it also means Alexa will no longer be able to recognize individual voices for personalized responses for those who choose this option. 

Past Violations Raise Concerns for Alexa Users 

With over 600 million Alexa devices in use today, Amazon assures users that the Alexa experience is designed to protect customer privacy and data security. However, it is important to note that the best designs sometimes fail. 

In 2023, the Federal Trade Commission and the Department of Justice charged Amazon with violating children’s privacy laws regarding Alexa. The commission alleged that the company kept children’s voice recordings indefinitely and failed to honor deletion requests, resulting in a $31 million settlement.