Amazon Halo Band

Warning: *Privacy Not Included with this product

Amazon Halo Band

Amazon
Bluetooth

Review date: Nov. 9, 2022

|
|

Mozilla says

|
People voted: Super creepy

Amazon's Halo fitness band--there's no display, it's just a fitness tracking band packed full of sensors and microphones--tracks the usual: steps, heart rate, sleep, calories, and more. The Halo's microphones listen to you and use machine learning to measure the tone, energy, and positivity of your voice to "help strengthen communication." Not gonna lie, Amazon tone policing you (sorry, "tone of voice analysis" is how they frame it) sounds a little creepy. But that's not even the creepiest part! Amazon also asks you to take pictures of yourself in your underwear so it can measure and track your body fat. Yeah, no thanks. Giving Amazon a picture of yourself in your underwear sounds like a truly terrible idea, even if they claim it will automatically be deleted from the cloud after it is processed. It's nice they put a little note on the product page talking about how seriously they take your privacy. With everything this device collects, we sure hope that's true. This fitness tracker also requires a $4 a month subscription to access all features. But yeah, from a privacy perspective, this device seems to land on the creepy scale.

What could happen if something goes wrong?

In 2020, when Amazon came out with the Halo Band, we were like, Amazon, you've done it. You've taken creepy to a whole new level. The problem isn't that all the data this device collects will be kept insecurely, Amazon generally does a good job securing your data. The problem is what Amazon could potentially use all this data for. Amazon says they don’t share any personally identifalbe Halo health data to third parties with your agreement (not sure exactly what that agreement looks like though). But they can share anonymized, aggregated data with third parties. Now is a good time to remind you that it's been found to be pretty easy to de-anonymize these data sets and track down an individual’s patterns, especially with location data.

And the Halo Band collects a lot of personal body-related information about you--including potentially listening to what you say and measuring your tone. What can give you insights into your health, could also potentially give others information about things like your emotional state while you are looking at something, how attracted you are to someone, or even if you've been drinking. That level of personal information is not something we want Amazon--or any other tech company--potentially knowing.

We aren’t alone in our concerns about the Halo Band. Others raised them as well. One journalist even asked Amazon if they would consider an independent privacy audit of the Halo Band. They did not take him up on the offer. Shoot, this fitness tracker even scared some members of the US Congress enough to address it.

Here’s what to know about Amazon’s privacy practices. Amazon proudly states they are not in the business of selling your personal information to others. True. But, Amazon doesn’t need to sell your data to others when they have their own advertising and retail juggernaut to use your data to sell you more stuff. Because Amazon is in the business of selling you more stuff. And it’s not just Amazon hoping to sell you stuff. Amazon has a whole program for others to sell you stuff on on their sites too. And those sellers get to use that data Amazon collects on you to target you with the stuff they want to sell. So, while Amazon might not be in the business of selling your personal information, they are in the business of selling access to your information to others to target ads to sell you more stuff.

And to do this, Amazon likes to collect an enormous amount of data on you. Things like: records of your shopping habits, Alexa search requests, the TV shows you watch and when you watch them, the music you stream, the podcasts you listen to, when you turn your lights on and off, when you lock your doors, identifiers such as your name, address, phone numbers, or IP address, your age, gender, your location, audio and visual information like those Alexa-requests or photos you take, the names and numbers of people listed in your contacts. The list goes on and on and on.

And what do they do with all that personal information they collect on you? Well, they use it to target you advertising, of course. Lots and lots of advertising. They do say they don’t use information that personally identifies you to display interest-based ads (of course, we have to trust them on this). They also use your personal information to identify your preferences and personalize products and services to keep you using those products and services as much as possible. And they say they can share that personal information with a number of third parties.

And when we say a number, we don’t exactly know how many third parties because Amazon doesn’t share that information. We must assume it’s a lot of third parties because they say they can share your data with everyone from all the companies they use to provide third party services. That means the companies that do things like help them with marketing, manage credit risk, analyze data, send mail and email, and more. Then there’s the third parties that offer services, products, apps, and Alexa skills through Amazon Services. And then there’s the business affiliates and other companies Amazon buys that could get access to your data too. Given that Amazon is a vast empire -- think Ring, Blink, Eero, Whole Foods, and beyond -- that’s potentially a lot of places your data could end up.

Let’s talk for a minute about Alexa itself. Amazon’s helpful artificial intelligence that’s built into everything from your Echo Dot smart speaker to your headphones to your thermostat comes with its own set of questions and concerns. Amazon does make it possible to automatically delete voice recordings immediately after they are processed. That's a nice feature after the controversy around human reviewers listening in to Alexa voice recordings. However, Amazon says when you delete your voice recordings, they still can keep data of the interactions those recordings triggered. So, if you buy a pregnancy test through Amazon Alexa, Amazon won't forget you bought that pregnancy test just because you ask them to delete the voice recording of that purchase. That record of the purchase is data they have on you going forward and may use to target you with ads for more stuff.

And then there are Alexa Skills, those little apps you use to interact with Alexa. These Skills can be developed by just about anyone with the, uhm, skill. And with too many of the Skills, third-party privacy policies are misleading, incomplete, or simply nonexistent, according to one recent study. When your data is processed by an Alexa Skill, deleting your voice recordings doesn’t delete the data the developer of that Skill collects on you. With over 100,000 Alexa Skills out there, many of them developed by third parties, now your data is floating around in places you might never have imagined.

Oh, let’s not forget Amazon’s track record at protecting and respecting their customers' data. That raises some red flags too. Here are a few of the problems we’ve seen over the last few years. There’s the Amazon employee who was caught stealing the personal information of over 100 million CapitolOne customers. And that’s not the only time Amazon employees with access to lots of customer data were caught leaking customers personal information. It’s happened quite a few times, actually. And then there’s the Alexa security bug that opened the door for hackers to potentially access users personal information and even their conversation history. These are some of the known privacy and security issues Amazon has had (there could be more unknown ones as well). And we get it, Amazon is a huge company with many products and employees and it’s impossible to secure everything's 100% of the time. But that’s the point. When you collect such a vast amount of personal information on people, you’ve got to be super, duper, extra careful to secure it everywhere, all the time. Amazon has shown they can’t always do that.

So, what’s the worst that could happen? Well, you could turn on Amazon Halo’s tone policing features and they could listen to you all day long and determine that if you’re a man, your tone was “opinionated” and if you’re a woman your tone was “dismissive” or “condescending” and you could believe that and as a woman, think you should speak up less and as a man think you should speak up more, and hey, that is not at all what the world needs right now.

One more note on Amazon from a privacy researcher’s point of view. Trying to read through Amazon’s crazy network of privacy policies, privacy FAQs, privacy statements, privacy notices, and privacy documentation for their vast empire is a nightmare. There are so many documents that link to other documents that link back even more documents that understanding and making sense of Amazon’s actual privacy practices feels almost impossible. We wonder if this is by design, to confuse us all so we just give up? Or, if maybe even Amazon’s own employees possibly don’t know and understand the vast network of privacy policies and documentation they have living all over the place? Regardless, this privacy researcher would love to see Amazon do better when it comes to making their privacy policies accessible to the consumers they impact.

Tips to protect yourself

  • Remember that Amazon privacy preferences are device specific, so you need to set your privacy preferences on all your Amazon devices individually. What, you had nothing better to do this weekend, right?
  • Set up Anonymous Mode when using the app to protect your data
  • When starting a sign-up, do not agree to tracking of your data.
  • Do not sign up with third-party accounts. Better just log in with email and strong password.
  • Chose a strong password! You may use a password control tool like 1Password, KeePass etc
  • Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless neccessary)
  • Keep your app regularly updated
  • Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
  • Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
  • mobile

Can it snoop on me? information

Camera

Device: No

App: No

Microphone

Device: Yes

App: Yes

Tracks location

Device: No

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product for using personal data for targeted advertising purposes, and combining data about you with data it receives from third parties for targeted advertising purposes.

Amazon combines data on its users with data from third parties, for advertisement purposes: "Some third-parties may provide Amazon pseudonymized information about you (such as demographic information or sites where you have been shown ads) from offline and online sources that we may use to provide you more relevant and useful advertising."

"In the twelve months prior to the effective date of this Disclosure, Amazon has not sold any personal information of consumers, as those terms are defined under the California Consumer Privacy Act. "

"Information about our customers is an important part of our business, and we are not in the business of selling our customers' personal information to others."

"The personal information that Amazon disclosed to the third parties identified in the “Does Amazon Share Your Personal Information?” section of the Amazon Privacy Notice about consumers for a business purpose in the twelve months prior to the effective date of this Disclosure fall into the following categories established by the California Consumer Privacy Act, depending on which Amazon Service is used:
- identifiers such as your name, address, phone numbers, or IP address, for example if we use a third party carrier to deliver your order;
- personal information, such as a credit card number, for example if we use a third party payment processor;
- your age, gender, or other protected classifications, for example if you choose to participate in a survey distributed by a survey provider;
- commercial information, such as the details of a product or service you purchased if a third party service provider is assisting to provide that product or service to you;
- internet or other electronic network activity information, such as if we use a service provider to help us gather crash reports for analyzing the health of our devices and services;
- geolocation data, such as providing a delivery partner the location of your vehicle in order to deliver a package if you use Amazon Key;
- audio or visual information, for example if a service provider reviews recordings of customer service phone calls for quality assurance purposes, or if we use a service provider to fulfill your order to print images from your Amazon Photos account;
- education information, for example coursework you may direct us to share with the operator of an educational Alexa skill; and
- professional information, for example if we provide your account details to a service provider for verification as part of enrollment for an Amazon Business account."

Amazon says they do not sell your personal information. They combine your voice data with third-party data to answer your requests as well as to train Alexa's speech recognition. You can choose to not save any voice recordings, but it will cost you some features.

While voice recordings won't be used for ad personalization, the transcripts of recordings, and the list of actions that Alexa did in response to your voice commands, may be.

How can you control your data?

We ding this product for not guaranteeing all users have the same right to access and delete their data, regardless of where they live.

The CCPA Disclosures mentions right to request access to or deletion of personal information for California residents, though with certain limitations: "You may have the right under the California Consumer Privacy Act to request information about the collection of your personal information by Amazon, or access to or deletion of your personal information. If you wish to do any of these things, please visit here or contact Customer Service. Depending on your data choices, certain services may be limited or unavailable."

For users outside of California and Europe, Amazon is not clear if they can excercise their deletion rights: "In addition, to the extent required by applicable law, you may have the right to request access to or delete your personal information. If you wish to do any of these things, please contact Customer Service. Depending on your data choices, certain services may be limited or unavailable."

"Halo customers can review, download, and delete their Halo health data at any time directly from the Amazon Halo app."

A user can chose to not send voice recording to the Cloud. You can review and delete your voice recordings, one by one, by date range, or all at once. You can also set up an auto-deletion to automatically delete recordings older than 3 or 18 months. You can choose to not save any voice recordings, at the cost of some features. If you choose not to have any voice recordings saved, the text transcripts of your requests will be still retained for 30 days, after which they will be automatically deleted.

Retention details:
"When you delete voice recordings associated with your account from Voice History, we will delete the voice recordings that you selected and the text transcripts of those recordings from Amazon’s cloud. If you choose not to have any voice recordings saved, the text transcripts of your requests will be retained for 30 days, after which they will be automatically deleted. We retain those text transcripts to allow you to review the requests you make to Alexa in your Voice History, and to improve your Alexa experience and our services. You can delete the text transcripts at any time in the Alexa app by going to Settings > Alexa Privacy > Review Voice History.

We may still retain other records of your Alexa interactions, including records of actions Alexa took in response to your request. This allows us, for instance, to continue to provide your reminders, timers, and alarms, process your orders, remember the things you've taught Alexa, and show your shopping and to-do lists and messages sent through Alexa Communications. If your request was processed by an Alexa skill, deleting your voice recordings does not delete any information retained by the developer of that skill (skill developers do not receive voice recordings)." This is problematic, because a big share of more than 100,0000 skills are developed by third parties that are not necessarily bound by Amazon’s privacy policies. The research by North Carolina State University found that "23.3% of 1,146 skills that requested access to privacy-sensitive data either didn't have privacy policies or their privacy policies were misleading or incomplete. For example, some requested private information even though their privacy policies stated they were not requesting private information." In addition to misleading privacy policies, issues included things like developers being able to claim fake identity ('Samsung', 'Apple'), multiple skills sharing the same Alexa trigger words, etc. "

What is the company’s known track record of protecting users’ data?

Needs Improvement

In 2022, Paige Thompson, a former Amazon employee accused of stealing the personal information of 100 million customers by breaching banking giant CapitalOne in 2019, was found guilty by a Seattle jury on charges of wire fraud and computer hacking.

In July 2021, the Luxembourg National Commission for Data Protection issued a 746 million euro fine to Amazon for allegedly violating the European Union’s General Data Protection Regulation (GDPR).

In August 2020, security researchers from Check Point pointed out a flaw in Amazon's Alexa smart home devices that could have allowed hackers access to personal information and conversation history. Amazon promptly fixed the bug.

In October 2020, Amazon fired an employee for leaking customer email addresses to an unnamed third party.

In October 2019, Forbes reported that Amazon employees were listening to Amazon Cloud Cam recording, to train its AI algorythm.

In April 2019, it was revealed that thousands of employees, many of whom are contract workers and some not even directly employed by Amazon, had access to both voice and text transcripts of Alexa interactions.

Child Privacy Information

Amazon does not sell products for purchase by children. We sell children's products for purchase by adults. If you are under 18, you may use Amazon Services only with the involvement of a parent or guardian. We do not knowingly collect personal information from children under the age of 13 without the consent of the child's parent or guardian. For more information, please see our Children's Privacy Disclosure.

Can this product be used offline?

No

User-friendly privacy information?

No

Amazon has a complicated and difficult to navigate mess of privacy policies, privacy notices, privacy FAQs, and other privacy information.

Links to privacy information

Does this product meet our Minimum Security Standards? information

Yes

Encryption

Yes

All Amazon Halo health data is encrypted in transit, including going to and from the cloud or between the customers’ Halo Band and the Halo app on their phone. Amazon Halo health data is also encrypted while being stored securely in the Amazon cloud. In addition, Amazon Halo health data is stored securely on the customer’s smartphone, including using available full disc encryption and any other protections provided by their phone’s manufacturer. You can learn more about Amazon Halo privacy features here. Additionally, the published privacy white paper on Amazon Halo (link available on the Amazon Halo privacy page) provides additional technical details about privacy and security for Amazon Halo.

Strong password

N/A

Halo customers have the option to set up a PIN on-device as an added layer of privacy and security. The PIN is required to be 6 numbers, selected from 0-4 numerical characters. If device PIN protection is enabled, customers will be prompted to enter a PIN when they remove their Halo View from their wrist. By locking their device when customers aren’t wearing Halo View, the PIN helps prevent others from seeing information on their screen, such as their Halo health data and text message notifications.

Security updates

Yes

Manages vulnerabilities

Yes

Amazon has a bug bounty program, which means that anyone who finds a security issue and discloses it responsibly may get paid. Security researchers can report a vulnerability here.

Privacy policy

Yes

Does the product use AI? information

Yes

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

The feature of the Amazon Halo is AI-powered health to track your wellness (body fat, activity levels, sleep, and tone of voice/emotions.) The AI will also rate your tone for “positivity” and “energy.” The model associates those emotional ratings with vocal qualities like pitch, intensity, tempo, and rhythm.

Questions have been raised about bias in Amazon Halo algorithms.

Is the company transparent about how the AI works?

Yes

Does the user have control over the AI features?

Yes

*Privacy Not Included

Dive Deeper

  • Amazon’s new health band is the most invasive tech we’ve ever tested
    Washington Post Link opens in a new tab
  • Amazon’s Halo tests the limits of personal privacy, and offers a glimpse of the future of health
    Geek Wire Link opens in a new tab
  • Senator Klobuchar, spooked by Amazon Halo, asks for new health-tracker privacy protections
    Washington Post Link opens in a new tab
  • Amazon Halo Band review: Creepy yet unobtrusive and useful for quantified self health data junkies
    Larry Dignan Link opens in a new tab
  • Amazon Halo review: Affordable but questionable fitness band
    Digital Trends Link opens in a new tab
  • Following Privacy Concerns Surrounding Amazon Halo, Klobuchar Urges Administration to Take Action to Protect Personal Health Data
    Sen. Amy Klobuchar Link opens in a new tab

Comments

Got a comment? Let us hear it.