Warning: *privacy not included with this product
Amazon Halo Band
Amazon's Halo fitness band--there's no display, it's just a fitness tracking band packed full of sensors and microphones--tracks the usual: steps, heart rate, sleep, calories, and more. The Halo's microphones listen to you and use machine learning to measure the tone, energy, and positivity of your voice to "help strengthen communication." Not gonna lie, Amazon tone policing you (sorry, "tone of voice analysis" is how they frame it) sounds a little creepy. But that's not even the creepiest part! Amazon also asks you to take pictures of yourself in your underwear so it can measure and track your body fat. Yeah, no thanks. Giving Amazon a picture of yourself in your underwear sounds like a truly terrible idea, even if they claim it will automatically be deleted from the cloud after it is processed. It's nice they put a little note on the product page talking about how seriously they take your privacy. With everything this device collects, we sure hope that's true. This fitness tracker also requires a $4 a month subscription to access all features. But yeah, from a privacy perspective, this device seems to land on the creepy scale.
What could happen if something goes wrong?
In 2020, when Amazon came out with the Halo Band, we were like, Amazon, you've done it. You've taken creepy to a whole new level. The problem isn't that all the data this device collects will be kept insecurely, Amazon generally does a good job securing your data. The problem is what Amazon could potentially use all this data for. Amazon says they don’t share any personally identifalbe Halo health data to third parties with your agreement (not sure exactly what that agreement looks like though). But they can share anonymized, aggregated data with third parties. Now is a good time to remind you that it's been found to be pretty easy to de-anonymize these data sets and track down an individual’s patterns, especially with location data.
And the Halo Band collects a lot of personal body-related information about you--including potentially listening to what you say and measuring your tone. What can give you insights into your health, could also potentially give others information about things like your emotional state while you are looking at something, how attracted you are to someone, or even if you've been drinking. That level of personal information is not something we want Amazon--or any other tech company--potentially knowing.
We aren’t alone in our concerns about the Halo Band. Others raised them as well. One journalist even asked Amazon if they would consider an independent privacy audit of the Halo Band. They did not take him up on the offer. Shoot, this fitness tracker even scared some members of the US Congress enough to address it.
Here’s what to know about Amazon’s privacy practices. Amazon proudly states they are not in the business of selling your personal information to others. True. But, Amazon doesn’t need to sell your data to others when they have their own advertising and retail juggernaut to use your data to sell you more stuff. Because Amazon is in the business of selling you more stuff. And it’s not just Amazon hoping to sell you stuff. Amazon has a whole program for others to sell you stuff on on their sites too. And those sellers get to use that data Amazon collects on you to target you with the stuff they want to sell. So, while Amazon might not be in the business of selling your personal information, they are in the business of selling access to your information to others to target ads to sell you more stuff.
And to do this, Amazon likes to collect an enormous amount of data on you. Things like: records of your shopping habits, Alexa search requests, the TV shows you watch and when you watch them, the music you stream, the podcasts you listen to, when you turn your lights on and off, when you lock your doors, identifiers such as your name, address, phone numbers, or IP address, your age, gender, your location, audio and visual information like those Alexa-requests or photos you take, the names and numbers of people listed in your contacts. The list goes on and on and on.
And what do they do with all that personal information they collect on you? Well, they use it to target you advertising, of course. Lots and lots of advertising. They do say they don’t use information that personally identifies you to display interest-based ads (of course, we have to trust them on this). They also use your personal information to identify your preferences and personalize products and services to keep you using those products and services as much as possible. And they say they can share that personal information with a number of third parties.
And when we say a number, we don’t exactly know how many third parties because Amazon doesn’t share that information. We must assume it’s a lot of third parties because they say they can share your data with everyone from all the companies they use to provide third party services. That means the companies that do things like help them with marketing, manage credit risk, analyze data, send mail and email, and more. Then there’s the third parties that offer services, products, apps, and Alexa skills through Amazon Services. And then there’s the business affiliates and other companies Amazon buys that could get access to your data too. Given that Amazon is a vast empire -- think Ring, Blink, Eero, Whole Foods, and beyond -- that’s potentially a lot of places your data could end up.
Let’s talk for a minute about Alexa itself. Amazon’s helpful artificial intelligence that’s built into everything from your Echo Dot smart speaker to your headphones to your thermostat comes with its own set of questions and concerns. Amazon does make it possible to automatically delete voice recordings immediately after they are processed. That's a nice feature after the controversy around human reviewers listening in to Alexa voice recordings. However, Amazon says when you delete your voice recordings, they still can keep data of the interactions those recordings triggered. So, if you buy a pregnancy test through Amazon Alexa, Amazon won't forget you bought that pregnancy test just because you ask them to delete the voice recording of that purchase. That record of the purchase is data they have on you going forward and may use to target you with ads for more stuff.
And then there are Alexa Skills, those little apps you use to interact with Alexa. These Skills can be developed by just about anyone with the, uhm, skill. And with too many of the Skills, third-party privacy policies are misleading, incomplete, or simply nonexistent, according to one recent study. When your data is processed by an Alexa Skill, deleting your voice recordings doesn’t delete the data the developer of that Skill collects on you. With over 100,000 Alexa Skills out there, many of them developed by third parties, now your data is floating around in places you might never have imagined.
Oh, let’s not forget Amazon’s track record at protecting and respecting their customers' data. That raises some red flags too. Here are a few of the problems we’ve seen over the last few years. There’s the Amazon employee who was caught stealing the personal information of over 100 million CapitolOne customers. And that’s not the only time Amazon employees with access to lots of customer data were caught leaking customers personal information. It’s happened quite a few times, actually. And then there’s the Alexa security bug that opened the door for hackers to potentially access users personal information and even their conversation history. These are some of the known privacy and security issues Amazon has had (there could be more unknown ones as well). And we get it, Amazon is a huge company with many products and employees and it’s impossible to secure everything's 100% of the time. But that’s the point. When you collect such a vast amount of personal information on people, you’ve got to be super, duper, extra careful to secure it everywhere, all the time. Amazon has shown they can’t always do that.
So, what’s the worst that could happen? Well, you could turn on Amazon Halo’s tone policing features and they could listen to you all day long and determine that if you’re a man, your tone was “opinionated” and if you’re a woman your tone was “dismissive” or “condescending” and you could believe that and as a woman, think you should speak up less and as a man think you should speak up more, and hey, that is not at all what the world needs right now.
One more note on Amazon from a privacy researcher’s point of view. Trying to read through Amazon’s crazy network of privacy policies, privacy FAQs, privacy statements, privacy notices, and privacy documentation for their vast empire is a nightmare. There are so many documents that link to other documents that link back even more documents that understanding and making sense of Amazon’s actual privacy practices feels almost impossible. We wonder if this is by design, to confuse us all so we just give up? Or, if maybe even Amazon’s own employees possibly don’t know and understand the vast network of privacy policies and documentation they have living all over the place? Regardless, this privacy researcher would love to see Amazon do better when it comes to making their privacy policies accessible to the consumers they impact.
Tips to protect yourself
- Remember that Amazon privacy preferences are device specific, so you need to set your privacy preferences on all your Amazon devices individually. What, you had nothing better to do this weekend, right?
- Set up Anonymous Mode when using the app to protect your data
- When starting a sign-up, do not agree to tracking of your data.
- Do not sign up with third-party accounts. Better just log in with email and strong password.
- Chose a strong password! You may use a password control tool like 1Password, KeePass etc
- Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless neccessary)
- Keep your app regularly updated
- Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
- Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
What can be used to sign up?
What data does the company collect?
Name, email, phone number
Fitness metrics, body fat composition, sleep, and tone of voice, skin temperature, motion, and heart rate
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In 2022, Paige Thompson, a former Amazon employee accused of stealing the personal information of 100 million customers by breaching banking giant CapitalOne in 2019, was found guilty by a Seattle jury on charges of wire fraud and computer hacking.
In July 2021, the Luxembourg National Commission for Data Protection issued a 746 million euro fine to Amazon for allegedly violating the European Union’s General Data Protection Regulation (GDPR).
In August 2020, security researchers from Check Point pointed out a flaw in Amazon's Alexa smart home devices that could have allowed hackers access to personal information and conversation history. Amazon promptly fixed the bug.
In October 2020, Amazon fired an employee for leaking customer email addresses to an unnamed third party.
In October 2019, Forbes reported that Amazon employees were listening to Amazon Cloud Cam recording, to train its AI algorythm.
In April 2019, it was revealed that thousands of employees, many of whom are contract workers and some not even directly employed by Amazon, had access to both voice and text transcripts of Alexa interactions.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Amazon has a complicated and difficult to navigate mess of privacy policies, privacy notices, privacy FAQs, and other privacy information.
Links to privacy information
Does this product meet our Minimum Security Standards?
All Amazon Halo health data is encrypted in transit, including going to and from the cloud or between the customers’ Halo Band and the Halo app on their phone. Amazon Halo health data is also encrypted while being stored securely in the Amazon cloud. In addition, Amazon Halo health data is stored securely on the customer’s smartphone, including using available full disc encryption and any other protections provided by their phone’s manufacturer. You can learn more about Amazon Halo privacy features here. Additionally, the published privacy white paper on Amazon Halo (link available on the Amazon Halo privacy page) provides additional technical details about privacy and security for Amazon Halo.
Halo customers have the option to set up a PIN on-device as an added layer of privacy and security. The PIN is required to be 6 numbers, selected from 0-4 numerical characters. If device PIN protection is enabled, customers will be prompted to enter a PIN when they remove their Halo View from their wrist. By locking their device when customers aren’t wearing Halo View, the PIN helps prevent others from seeing information on their screen, such as their Halo health data and text message notifications.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
The feature of the Amazon Halo is AI-powered health to track your wellness (body fat, activity levels, sleep, and tone of voice/emotions.) The AI will also rate your tone for “positivity” and “energy.” The model associates those emotional ratings with vocal qualities like pitch, intensity, tempo, and rhythm.
Questions have been raised about bias in Amazon Halo algorithms.
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Amazon’s new health band is the most invasive tech we’ve ever testedWashington Post
Amazon’s Halo tests the limits of personal privacy, and offers a glimpse of the future of healthGeek Wire
Senator Klobuchar, spooked by Amazon Halo, asks for new health-tracker privacy protectionsWashington Post
Amazon Halo Band review: Creepy yet unobtrusive and useful for quantified self health data junkiesLarry Dignan
Amazon Halo review: Affordable but questionable fitness bandDigital Trends
Following Privacy Concerns Surrounding Amazon Halo, Klobuchar Urges Administration to Take Action to Protect Personal Health DataSen. Amy Klobuchar
Got a comment? Let us hear it.