Privacy and Security Evaluation of the Amazon Echo Dot smart speaker

Learn about the Amazon Echo Dot Kids Edition privacy and security features

Girard Kelly | November 26, 2019

The Common Sense Privacy Program evaluates the privacy policies of popular consumer and education technology applications and services that are currently used by millions of children at home and in the classroom. The Privacy Program evaluated the privacy practices of a popular smart tech device called Amazon Echo Dot Kids Edition, which contains a virtual assistant called Alexa.

We also performed a basic hands-on security test of the device so that parents and teachers can learn more about its security practices and how they compare to other popular smart speakers with virtual assistants. When evaluating whether to use smart tech paired with a mobile app at home or in the classroom, parents and teachers need a comprehensive understanding of both the privacy and security practices of a smart device. Our approach lets us compare what the smart tech company says it does with data against what our limited testing can observe about what it actually does with data. We can observe what data goes to and from the device, but we can't necessarily see what happens with the data when it reaches the external destination. Our findings are intended to help parents and teachers make better-informed decisions about whether to buy this device or similar smart devices for use with their children at home or with students at school.

What is smart tech? 

The category of smart devices, or the Internet of Things (IoT), covers all the objects or devices used in your home, office, or school that are connected to the internet. More and more of these smart devices are being used by children as toys at home and with students as learning tools in the classroom every day. Smart tech companies claim their devices provide greater convenience and new learning opportunities for children and students, but they also collect and share more information than ever. Connected devices and household gadgets can collect all kinds of sensitive information -- anything from audio and visual recordings of your home to the names of shows you watch, the number of steps you've taken, your child's precise location, how and when you sleep, and even the foods you eat.

Product Details

Company: Amazon

Name: Echo Dot Kids Edition

Link: https://www.amazon.com/All-New-Echo-Kids-designed-Rainbow/dp/B07Q2MXPH6

Price: $69

Category: Smart Speakers and Virtual Assistants

Description: Echo Dot Kids Edition is a kid-friendly smart speaker device that integrates Amazon's virtual assistant, Alexa.

Intended Audience

 

| Audience | Home | School |
| --- | --- | --- |
| Consumers (over 18) | None. | None. |
| Kids (under 13) | Kids can use Alexa at home to play music, hear stories, call approved friends and family, and explore a world of kid-friendly skills. | Kids can use Alexa in the classroom to ask questions, play music, tell jokes, listen to audiobooks, and play games. |
| Students (K-12) | Students can use Alexa at home to help answer homework questions, hear the news, set timers, play study music, or listen to audiobooks. | Students can use Alexa in the classroom to answer questions during the lesson, translate languages, or even learn how to program with the Alexa Skills Kit for developers program. |

Bottom Line

Best Content for Kids: The product offers great music, videos, and audiobooks for kids with FreeTime Unlimited, but parents and teachers should use with caution because of its potential to collect a large amount of data about children or students without parental consent.

 

| | Pros | Cons |
| --- | --- | --- |
| 1. | Data Secure: User data is encrypted between the device, the mobile app, and the cloud. | Third-party App Support: Alexa allows for the use of third-party app "skills," many of which do not meet minimum requirements for privacy or security and could put a child's personal information at risk. |
| 2. | No Ads or Tracking: Policy states that Amazon will not use information about a child's account profile for advertising or tracking purposes. | Amazon FreeTime Unlimited Subscription: Amazon encourages a paid automatic subscription to FreeTime Unlimited to allow children to get the best experience out of their Echo Dot Kids Edition device. |
| 3. | Great Content: Amazon provides quality kid-friendly books, movies, TV shows, educational apps, audiobooks, and games. | Expensive: Need to have both Wi-Fi internet access and a mobile device to set up and use the Amazon Echo Dot with a paid FreeTime Unlimited subscription. |

Software

The Amazon Echo Dot Kids Edition is bundled with the following apps:

 Alexa (iOS, Google Play)

 Amazon FreeTime Unlimited (iOS, Google Play)

 Amazon Music (iOS, Google Play)

Device Set-up

The Alexa mobile application launches with a welcome screen. The app prompts the user to set up their new Echo Dot device and provides links to Amazon's privacy policy and terms of use for review. Don't worry, we already read the privacy notice and terms and conditions for you and summarize our findings in the privacy evaluation below. In addition, the Alexa mobile app connects to the Echo Dot device over Wi-Fi. Once connected, the app allows the user to customize their Echo Dot experience.

         

Create an Account

A user is prompted to enter their existing Amazon username and password to personalize their Echo Dot. If a user does not have an Amazon account, they can create a new Amazon account and are asked to enter their full name, email address, and password. Once a user confirms that they have access to the email address registered with their new Amazon account, they are then prompted to set up Alexa and their new Echo Dot device. However, it appears there is no age-gate or attempt to require a user to enter a birth date to confirm the user's age beyond the privacy notice and conditions of use stating that users must be over 18 years of age to register. Therefore, a user under 13 years of age can create a new Amazon account and interact with their new Echo Dot without parental consent. However, a parent can provide consent through the FreeTime Unlimited app settings of their Amazon account, where they can create a child profile for a user under 13 years of age.

         

Parental Controls

Once a parent or guardian user logs in with their existing Amazon account on the Alexa mobile app, they are prompted to set up Amazon FreeTime Unlimited on the Echo Dot. Parents should be aware that the FreeTime Unlimited service automatically enrolls the Amazon account holder into a paid but one-year-free subscription that automatically renews on a monthly basis after the one-year trial period has expired. It is not clear from the Amazon FreeTime pop-up privacy notice how much the FreeTime Unlimited service actually costs after the one-year trial period has expired, but Amazon does provide pricing information on its FreeTime Unlimited product page. The user is then prompted to enter their child's first and last name, gender, and birth date, and choose an avatar. In addition, the parent is asked to provide consent for the collection of their child's voice recordings and is shown information about parental controls through the Parent Dashboard. Lastly, the new child profile is associated with the Amazon account holder as their parent or guardian.

         

FreeTime Unlimited

The Alexa app includes a Children's Privacy Disclosure notice, describes how FreeTime Unlimited works with Alexa, and provides the option to change FreeTime settings. In addition, the app provides a short video explaining the features of the Echo Dot Kids Edition that includes kid-friendly music, audiobooks, premium third-party apps, and communication features with drop-in calling, announcements, and messaging within the household.

         

Download FreeTime Unlimited

The Echo Dot prompts the user to download the FreeTime Unlimited app. The app can be downloaded from the iOS and Google Play app stores with a paid subscription and offers kid-friendly books, movies, TV shows, music, and parental controls within the parent dashboard.

         

Personalize Alexa

The Alexa app also provides a tour of the different ways to personalize Alexa, including the ability to browse and play music and audiobooks, manage smart home devices, manage privacy settings, and customize the user's home screen with articles.

       

Getting Started

After Alexa is activated with the Echo Dot, the Alexa app prompts the user to enter their first and last name, and to allow permission to access the user's mobile contacts in order to make and receive phone calls on the Echo Dot and send notifications with Alexa.

            

More Features

The Alexa app provides FAQs that give more information about Alexa and the device. A user can then start playing kid-friendly music stations with Amazon Music, try the drop-in communication feature between devices, or use the other communication features.

      

Custom Settings

In order to learn about all the new features of Alexa, the Alexa app encourages the user to browse music and audiobooks, add a new smart home device and group, and try out a new feature called Alexa Guard that turns the device into an always-on listening sentry device that alerts users with notifications when the device detects a noise when the user is away from home. 

       

Hardware

The Amazon Echo Dot hardware is packed with new technologies, which also means that the device has data-collection capabilities that raise privacy and security concerns. Learn more about what's inside the Amazon Echo Dot and read our tips on privacy and security below.

Device Collection Details

 

| | Listening Indicator | Personal Information | Camera Access | Video Access | Microphone Access | Location Access |
| --- | --- | --- | --- | --- | --- | --- |
| App: | Yes | Yes | No | No | Yes | Yes |
| Device: | Yes | Yes | No | No | Yes | Yes |

What can all that hardware do?

Amazon Echo Dot has a "brain" with a Texas Instruments digital media processor chip. That means the Echo Dot can hear voice commands over the music playing and can quickly collect and process information within the device itself.

Tip: The more information collected and processed, the more privacy and security risk there is for that information.

Amazon Echo Dot can “feel” with an action, mute, and volume button on top of the device. That means the Echo Dot can collect information about which button was pressed in order to control the device and interactions with apps on the mobile device.

Tip: Information collected about a child’s or student's use of a product's features over time is typically called "usage information" or "behavioral information."

Amazon Echo Dot has "ears" with a seven-microphone array for listening for voice commands. That means the Echo Dot can listen to and process multiple conversations at the same time, filter out music when listening to voice commands, and focus on the direction voices and sounds are coming from. 

Tip: Audio information about the duration, tone, pitch, and content of voice communications, as well as when and where those communications happened, may contain personal or sensitive information. This is a risk to a greater number of people's privacy when the Echo Dot is used in a public place, office space, or classroom than when it's used in a private home. For example, houseguests should have the right to know that smart speakers are in use before entering the home, and students should know that smart speakers are in use before entering the classroom.

Amazon Echo Dot has a "voice" that is spoken through its speakers, which make synthesized sounds and respond to commands. That means the Echo Dot knows which sounds it makes and the content of the synthesized conversations it has with users.

Tip: Information about the duration and content of spoken responses the Echo Dot gives to users, and when and where the Echo Dot gives those responses, may contain personal or sensitive information and may be audible to others. This is a risk to a greater number of people's privacy when the Echo Dot is used in a public place, office space, or classroom than when it's used in a private home.

Amazon Echo Dot has a "face" (sort of) with its companion iOS and Google Play Alexa mobile app. That means the Echo Dot can display images to children and students on a mobile device or tablet through the digital screen.

Tip: Information visually displayed to users may contain personal or sensitive information and be visible to others. This is a risk to a greater number of people's privacy when the Echo Dot is used in a public place, office space, or classroom than when it's used in a private home.

Amazon Echo Dot has connectivity with 802.11n Wi-Fi and Bluetooth 4.0 for sending and receiving audio. That means the Echo Dot can send and receive information it has collected or processed.

Tip: Wi-Fi connections on a smart device or mobile device can send collected information to the cloud for processing and must be encrypted while in transit and while stored in the cloud to remain secure.

Amazon Echo Dot always has energy with an electrical cord that needs to be plugged into a wall outlet at all times. That means the Echo Dot is always listening for a “wake word” to activate and can collect and process information for an unlimited amount of time.

Tip: The longer a device is operational, the more information it can collect and process.

Amazon Echo Dot connects with other apps and smart home products through Alexa Skills. That means other third-party apps and compatible smart home products can connect to the Echo Dot through Alexa and can collect and use personal information from the Echo Dot and Alexa app for a different purpose.

Tip: Devices that allow installing third-party apps can increase the risk that malicious apps are installed that can steal sensitive personal information. Other apps may not have the same privacy and security protections as Amazon and may be able to collect personal data, including passwords, or eavesdrop on users even after they think the Echo Dot is no longer listening.

 

Security Lab Testing

The Privacy Program conducts a hands-on basic security assessment of the 10 most critical security concerns about the collection and sharing of information from a smart device, a mobile application, and the internet. Parents and educators should be aware of the following security risks for this smart device:

Data Sharing

Evaluating data sharing takes into consideration best practices of keeping personal data inside the application or smart device to help protect privacy. Connecting social media accounts could allow people to share personal information with other people and with third-party companies. In addition, installing third-party apps with a smart device could allow the collection and use of personal information for a different purpose.

 

| | Social Media Accounts | Third-Party App Store |
| --- | --- | --- |
| App: | N/A | Yes |
| Device: | N/A | Yes |
| Method: | N/A | Alexa Skills |

Device Safety

Evaluating device safety takes into consideration best practices of using privacy protections by default and limiting potential interactions with others. It’s better to start with the maximum privacy that the app or device can provide, and then give users the choice to change the settings. In addition, users talking to other people through the app or device might permit sharing personal information with strangers.

 

| | Privacy-Protecting Default Controls | Social Interactions |
| --- | --- | --- |
| App: | Yes | Yes |
| Device: | Yes | Yes |
| Method: | Opt-in | Drop-in, messages, and phone calls |

Account Protection

Evaluating account protection takes into consideration best practices of using strong passwords and providing accounts for children with parental controls. Strong passwords can help prevent unwanted access to personal information. Children under the age of 13 may not understand when they are sharing personal information, so they should be required to create special accounts with more protection under the law. Lastly, parents can help children under the age of 13 use a device or app with digital well-being protections in mind by using parental controls.

 

| | Strong Passwords | Child Age Gate | Parental Controls |
| --- | --- | --- | --- |
| App: | Yes | No | Yes |
| Method: | Amazon Account | None | Amazon Parent Dashboard |

Device Security

Evaluating device security takes into consideration best practices of securing personal information against unwanted use that is shared between the mobile device, smart tech, and the internet. Keeping personal information encrypted, or masked, protects information while it is on the move. In addition, advertising and tracking requests from the device or app could contain personal information about the user, including what they’re doing with the device or app.

 

| | Wi-Fi Secure | Bluetooth Secure | Ads | Tracking |
| --- | --- | --- | --- | --- |
| App: | Yes | Yes | No | No |
| Device: | Yes | Yes | No | No |
| Method: | Encryption | Encryption, but no PIN pairing | None | None |

Software Updates

Evaluating software updates takes into consideration best practices of keeping a smart device secure with up-to-date software patches and settings. When a company improves its app or device, better privacy and security should be part of the package and should be automatically updated or easy to update.

 

| | Software updates automatic | Software updates secure |
| --- | --- | --- |
| App: | Yes | Yes |
| Device: | Yes | Yes |
| Method: | Amazon Update | Encryption |

Privacy Evaluation

In addition to performing a hands-on basic security test, the Privacy Program also evaluates the privacy policies of each smart tech device. We can only evaluate a limited number of privacy and security features with our hands-on testing, so we also need to look at what each company's privacy policy promises it will do. Looking at the policies for a product enables us to see what the company says it will do with the personal information it collects. This allows us to create a truly comprehensive evaluation process with a full, in-depth, 150-point inspection of the privacy policies of a product as well as a basic hands-on security test of its practices. 

Alexa

Summary:

  • Amazon describes its Alexa product as allowing users to instantly connect to Alexa to play music, control your smart home, and get information, news, weather, and more using just your voice. Amazon's policy states that Alexa will store user messages in the cloud so that they’re available on the user's Alexa app and select Alexa-enabled products. Amazon's policy explains that it will gather personal information, and that the information it learns from customers helps them personalize and continually improve the user's Amazon experience. While the policy indicates that an account is required for the initial setup, for "hands free" devices, like the Amazon Echo, a user can access Alexa by saying the wake word (Alexa, Echo, Amazon, or Computer). The policy indicates that parental controls are available and that parents can add or update certain information.

    Alexa can be accessed through its website and is available for download at the iOS App Store, the Google Play Store, and/or the Amazon Appstore. The Privacy Policy and Terms of Use used for this evaluation can be found on Alexa’s website, the iOS App Store, the Google Play Store, and/or the Amazon Appstore. Additionally, other policies used for this evaluation include: Children's Privacy Disclosure. This evaluation only considers policies that have been made publicly available prior to an individual using the application or service.

Privacy Key Findings

Parents and educators should be aware of the following privacy risks for Alexa. The following privacy ratings and evaluation scores are from our privacy evaluations of the policies of Alexa. This product is available on mobile devices and integrated into smart speakers used at home, in businesses, and inside classrooms.

Rating Criteria

The following table illustrates better, worse, and unclear practices with our privacy rating questions. These worse practices can put consumers’ privacy at risk with the use of personal information for third-party marketing, advertising, tracking, or ad-profiling purposes. The color blue means the product's policies disclose better practices, red means they disclose worse practices, and orange means they are unclear as to whether or not the vendor engages in the practice. 

| Overall Score (100) | Sell Data | Third-Party Marketing | Behavioral Ads | Third-Party Tracking | Track Users | Ad Profile |
| --- | --- | --- | --- | --- | --- | --- |
| 54 | No | No | Yes | Yes | Yes | Yes |

Concern Scores

In addition to each product's overall score, the more detailed concern category scores in the chart below can help explain a product's rating and can also be helpful in making an informed decision about whether and how to use the product at home, at your company, or in the classroom based on your privacy concerns about the following categories.

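| Overall Score (100) | Data Collection | Data Sharing | Data Security | Data Rights | Data Sold | Data Safety | Ads & Tracking | Parental Consent | School Purpose |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 54 | 35 | 75 | 25 | 55 | 30 | 40 | 65 | 70 | 0 |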

If you would like to see how the Amazon Echo Dot compares to other popular smart speakers, read our article comparing the Privacy Practices of the Most Popular Smart Speakers with Virtual Assistants.