
Alexa is listening to what you say – and might share that with developers

How do you feel about the possibility of your recorded requests to Alexa being shared with third-party developers? Here's what we know about that - and some tips to manage your data

Amazon is considering handing transcripts of what people say when using Alexa applications over to third-party developers, according to sources close to the matter cited in a report from The Information.

One developer who used to be a product head on Amazon’s Alexa team, Ahmed Bouzid, says that current access only gives developers “70% of what they need to know” to get better at doing customers’ bidding. The Information reports that some teams already have access to full recording data, though it’s not clear which developers get added to that list and why.

This would be the first time that full transcripts from Amazon’s voice assistant were shared with third-party developers.

Amazon told CBS This Morning that it wouldn’t do this kind of thing without opt-in:

We do not share customer-identifiable information to third-party skills [apps] without the customer’s consent.

That’s not particularly reassuring. It’s common for data-gorging companies to point to a lack of identity details and equate that lack to a privacy shield. But in these days of Big Data, the claim has been proved to be flawed. After all, as we’ve noted in the past, data points that are individually innocuous can be enormously powerful and revealing when aggregated. That is, in fact, the essence of Big Data.

Take, for example, the research done by MIT graduate students a few years back to see how easy it might be to re-identify people from three months of credit card data, sourced from an anonymized transaction log.

The upshot: with 10 known transactions – easy enough to rack up if you grab coffee from the same shop every morning, park at the same lot every day and pick up your newspaper from the same newsstand – the researchers found they had a better than 80% chance of identifying you.

At any rate, at this point, Amazon’s smart assistant only records what’s said to it after it’s triggered by someone saying “Alexa” (or one of the other trigger words you can choose for the device).

But it’s certainly possible that the voice assistant can be triggered by mistake. In January, San Diego’s XETV-TDT aired a story about a six-year-old girl who bought a $170 dollhouse and a small mountain of cookies by asking her family’s Alexa-enabled Amazon Echo, “Can you play dollhouse with me and get me a dollhouse?”

Viewers throughout San Diego complained that after the news story aired, their Alexa devices responded by trying to order dollhouses.

The Google Home voice assistant has its own history of miscues: a Google Home ad, which aired during the Super Bowl in February, featured people saying “OK Google,” causing devices across the land to light up. As well, in April, fast-food restaurant Burger King aired a TV ad that triggered Google Home devices.

Arkansas police, for their part, are hoping that an Amazon Echo found at a murder scene in Bentonville might have been accidentally triggered on the night of a murder. If by any chance it was set to record, the recordings could help with an investigation into the death of a man strangled in a hot tub.

Amazon’s fight to keep Echo recordings out of court was rendered moot when the murder suspect voluntarily handed them over. But the case raised a bigger question: with Echo/Alexa, Siri, Cortana and Google’s Home assistant in many homes these days, and knowing that some of the technology is listening and recording, who might be able to exploit that?

In the Arkansas case, we know that it’s law enforcement who were after device recordings. But in the future, it could be hackers. In Amazon’s case, it’s looking like third-party developers are going to be in on the pony show. With all these ears eager to listen in on us, it’s smart to know the risks and take the appropriate defensive measures.

We’ve passed on these tips for locking down voice assistants in the past, and they’re worth repeating:

  • Not currently using your Echo? Mute it: The mute/unmute button is right on top of the device. The “always listening” microphone will shut off until you’re ready to turn it back on.
  • Don’t connect sensitive accounts to Echo: On more than a few occasions, daisy chaining multiple accounts together has ended in tears for the user.
  • Erase old recordings: If you use an Echo, then surely you have an Amazon account. If you go on Amazon’s website and look under “Manage my device” there’s a handy dashboard where you can delete individual queries or clear the entire search history.
  • Tighten those Google settings: If you use Google Home, you’re already aware of the search giant’s appetite for data collection. But Google does offer tools to tighten things up. Like the Echo, Home has a mute button and a settings page online, where you can grant or take away various permissions.

You can also delete your existing Alexa recordings. Here’s how:

To delete specific recordings:

  • Open the Alexa app on your phone
  • Select Settings
  • Select History
  • Choose the recordings you’d like to delete

To delete entire history:

  • Open Amazon.com
  • Select Manage My Content
  • Click on Alexa
  • Delete entire history


7 Comments

“You can also prevent an Alexa device from storing recordings. Here’s how:” ….those instructions are not how to PREVENT recordings. Those are how to delete ones that are already stored.


I’m old (68), so it really doesn’t matter about me in the big scheme of things. But there are two things that I don’t do: no social media, ever.
No Internet of Things, ever! (Unless I’m somehow tricked into it.)


The opening paragraph is factually incorrect and a correction should be issued. It is not correct that: “Amazon is considering handing transcripts of everything Alexa hears over to third-party developers, according to sources close to the matter cited in a report from The Information.”

Any given developer of a given skill may obtain a transcript of what the customer said to THAT skill. This is actually available today, and is available on Alexa, Google, and Cortana.

And what is available is similar to a FB/iOS/Android developer getting what users type/click/like when users use an app deployed on the FB/iOS/Android platforms.

Your piece is factually incorrect. Please don’t mislead your readers.


Thanks for the correction, Ahmed. I apologize for my initial inaccuracy regarding how the transcripts are collected. We’ve edited the story to change “everything Alexa hears” to what you suggested in our Twitter conversation: “transcripts of what people say when using Alexa applications.”


Has anyone done an actual packet capture on an Echo to see what was being sent across the network, controlling for when the wake word was spoken and when it is not?
