Amazon Kindle

Warning: *privacy not included with this product

Entertainment eReaders

Amazon Kindle

Amazon
Wi-Fi Bluetooth

Review date: Nov. 9, 2022

|
Mozilla researched 10 hours
|

Mozilla says

|
People voted: Somewhat creepy

Remember when you actually read books? Back before the days of Twitter and Netflix and your 17-second attention span. The Kindle -- Amazon now offers the Kindle, Kindle Paperwhite, Kindle Oasis, and Kindle Kids -- could be just the thing to get your brain back into book-reading shape. Because that's really all the Kindle does--books. No videos or apps or web surfing. Just books. What a novel idea!

What could happen if something goes wrong?

Amazon proudly states they are not in the business of selling your personal information to others. True. But, Amazon doesn’t need to sell your data to others when they have their own advertising and retail juggernaut to use your data to sell you more stuff. Because Amazon is in the business of selling you more stuff. And it’s not just Amazon hoping to sell you stuff. Amazon has a whole program for others to sell you stuff on on their sites too. And those sellers get to use that data Amazon collects on you to target you with the stuff they want to sell. So, while Amazon might not be in the business of selling your personal information, they are in the business of selling access to your information to others to target ads to sell you more stuff.

And to do this, Amazon likes to collect an enormous amount of data on you. Things like: records of your shopping habits, the books you read, the TV shows you watch and when you watch them, the music you stream, the podcasts you listen to, you Alexa search requests, when you turn your lights on and off, when you lock your doors, identifiers such as your name, address, phone numbers, or IP address, your age, gender, your location, audio and visual information like those Alexa-requests or photos you take, the names and numbers of people listed in your contacts. The list goes on and on and on.

And what do they do with all that personal information they collect on you? Well, they use it to target you advertising, of course. Lots and lots of advertising. They do say they don’t use information that personally identifies you to display interest-based ads (of course, we have to trust them on this). They also use your personal information to identify your preferences and personalize products and services to keep you using those products and services as much as possible. And they say they can share that personal information with a number of third parties.

And when we say a number, we don’t exactly know how many third parties because Amazon doesn’t share that information. We must assume it’s a lot of third parties because they say they can share your data with everyone from all the companies they use to provide third party services. That means the companies that do things like help them with marketing, manage credit risk, analyze data, send mail and email, and more. Then there’s the third parties that offer services, products, apps, and Alexa skills through Amazon Services. And then there’s the business affiliates and other companies Amazon buys that could get access to your data too. Given that Amazon is a vast empire -- think Ring, Blink, Eero, Whole Foods, and beyond -- that’s potentially a lot of places your data could end up.

Let’s talk for a minute about Alexa itself. While your Kindle doesn't come with Alexa built-in (yay!), nearly everything else Amazon sells comes with their helpful artificial intelligence as part of the package -- including everything from your Echo Dot smart speaker to your headphones to your thermostat. And Alexa comes with its own set of questions and concerns. Amazon does make it possible to automatically delete voice recordings immediately after they are processed. That's a nice feature after the controversy around human reviewers listening in to Alexa voice recordings. However, Amazon says when you delete your voice recordings, they still can keep data of the interactions those recordings triggered. So, if you buy a pregnancy test through Amazon Alexa, Amazon won't forget you bought that pregnancy test just because you ask them to delete the voice recording of that purchase. That record of the purchase is data they have on you going forward and may use to target you with ads for more stuff.

And then there are Alexa Skills, those little apps you use to interact with Alexa. These Skills can be developed by just about anyone with the, uhm, skill. And with too many of the Skills, third-party privacy policies are misleading, incomplete, or simply nonexistent, according to one recent study. When your data is processed by an Alexa Skill, deleting your voice recordings doesn’t delete the data the developer of that Skill collects on you. With over 100,000 Alexa Skills out there, many of them developed by third parties, now your data is floating around in places you might never have imagined.

Oh, let’s not forget Amazon’s track record at protecting and respecting their customers' data. That raises some red flags too. Here are a few of the problems we’ve seen over the last few years. There’s the Amazon employee who was caught stealing the personal information of over 100 million CapitolOne customers. And that’s not the only time Amazon employees with access to lots of customer data were caught leaking customers personal information. It’s happened quite a few times, actually. And then there’s the Alexa security bug that opened the door for hackers to potentially access users personal information and even their conversation history. These are some of the known privacy and security issues Amazon has had (there could be more unknown ones as well). And we get it, Amazon is a huge company with many products and employees and it’s impossible to secure everything's 100% of the time. But that’s the point. When you collect such a vast amount of personal information on people, you’ve got to be super, duper, extra careful to secure it everywhere, all the time. Amazon has shown they can’t always do that.

So, what’s the worst that could happen? The Kindle eReader actually feels like a fairly safe product. There's no Alexa built in, so you don't need to worry about voice requests being tracked or Alexa skills snooping on you. You can read with both WiFi and Bluetooth turned off. Just be sure you set up a passcode if you travel with this device to protect it from getting stolen and someone buying lots of books on your Amazon account. We do suppose it's possible Amazon could learn all about what books you like to read, only show you romance novels in your shopping recommendations, you read way too many romance novels, develop an unrealistic world view on romantic relationships, nothing ever lives up to those unrealistic expectations, so you live your whole life alone. OK, that's not likely to happen (we hope!). And if you want Amazon to stop trying to sell you more stuff like more romance novels, you can (and should!) opt-out of data collection and processing. Because while Amazon doesn't sell your personal information, they sure do use the heck out of it to target you with more stuff to buy.

One more note on Amazon from a privacy researcher’s point of view. Trying to read through Amazon’s crazy network of privacy policies, privacy FAQs, privacy statements, privacy notices, and privacy documentation for their vast empire is a nightmare. There are so many documents that link to other documents that link back even more documents that understanding and making sense of Amazon’s actual privacy practices feels almost impossible. We wonder if this is by design, to confuse us all so we just give up? Or, if maybe even Amazon’s own employees possibly don’t know and understand the vast network of privacy policies and documentation they have living all over the place? Regardless, this privacy researcher would love to see Amazon do better when it comes to making their privacy policies accessible to the consumers they impact.

Tips to protect yourself

  • Review your privacy setting and opt out of as much data collection and processing as you feel comfortable with.
  • Remember that Amazon privacy preferences are device specific, so you need to set your privacy preferences on all your Amazon devices individually. What, you had nothing better to do this weekend, right?
  • When starting a sign-up, do not agree to tracking of your data.
  • Do not sign up with third-party accounts. Better just log in with email and strong password.
  • Chose a strong password! You may use a password control tool like 1Password, KeePass etc
  • Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless neccessary)
  • mobile

Can it snoop on me? information

Camera

Device: No

App: N/A

Microphone

Device: No

App: N/A

Tracks location

Device: Yes

App: N/A

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product for using personal data for targeted advertising purposes, and combining data about you with data it receives from third parties for targeted advertising purposes.

Amazon combines data on its users with data from third parties, for advertisement purposes: "Some third-parties may provide Amazon pseudonymized information about you (such as demographic information or sites where you have been shown ads) from offline and online sources that we may use to provide you more relevant and useful advertising."

"In the twelve months prior to the effective date of this Disclosure, Amazon has not sold any personal information of consumers, as those terms are defined under the California Consumer Privacy Act. "

"Information about our customers is an important part of our business, and we are not in the business of selling our customers' personal information to others."

"The personal information that Amazon disclosed to the third parties identified in the “Does Amazon Share Your Personal Information?” section of the Amazon Privacy Notice about consumers for a business purpose in the twelve months prior to the effective date of this Disclosure fall into the following categories established by the California Consumer Privacy Act, depending on which Amazon Service is used:
- identifiers such as your name, address, phone numbers, or IP address, for example if we use a third party carrier to deliver your order;
- personal information, such as a credit card number, for example if we use a third party payment processor;
- your age, gender, or other protected classifications, for example if you choose to participate in a survey distributed by a survey provider;
- commercial information, such as the details of a product or service you purchased if a third party service provider is assisting to provide that product or service to you;
- internet or other electronic network activity information, such as if we use a service provider to help us gather crash reports for analyzing the health of our devices and services;
- geolocation data, such as providing a delivery partner the location of your vehicle in order to deliver a package if you use Amazon Key;
- audio or visual information, for example if a service provider reviews recordings of customer service phone calls for quality assurance purposes, or if we use a service provider to fulfill your order to print images from your Amazon Photos account;
- education information, for example coursework you may direct us to share with the operator of an educational Alexa skill; and
- professional information, for example if we provide your account details to a service provider for verification as part of enrollment for an Amazon Business account."

How can you control your data?

We ding this product for not guaranteeing all users have the same right to access and delete their data, regardless of where they live.

For users outside of California and Europe, Amazon is not clear if they can excercise their deletion rights: "In addition, to the extent required by applicable law, you may have the right to request access to or delete your personal information. If you wish to do any of these things, please contact Customer Service. Depending on your data choices, certain services may be limited or unavailable."

A user can chose to not send voice recording to the Cloud: "On supported devices, you can turn on Do Not Send Voice Recordings, so the audio of your requests to Alexa (for example, “Alexa, what’s the weather?”) will be processed on device and not sent to the cloud. A text transcript of your request will be sent to the cloud so Alexa can respond to your request. You will be able to review and delete those transcripts in your Voice History. Alexa will still send audio to the cloud for features that require the transmission of audio, such as when you make a call or send a message or announcement via Alexa. And, if you create a voice ID, the audio recordings used to teach Alexa your voice will be sent to the cloud. Alexa will also send audio to the cloud if you enable Alexa Guard, including for Smart Alerts and emergency calling with Guard Plus."

You can review and delete your voice recordings, one by one, by date range, or all at once. You can also set up an auto-deletion to automatically delete recordings older than 3 or 18 months. You can choose to not save any voice recordings, at the cost of some features. If you choose not to have any voice recordings saved, the text transcripts of your requests will be still retained for 30 days, after which they will be automatically deleted.

Retention details:
"When you delete voice recordings associated with your account from Voice History, we will delete the voice recordings that you selected and the text transcripts of those recordings from Amazon’s cloud. If you choose not to have any voice recordings saved, the text transcripts of your requests will be retained for 30 days, after which they will be automatically deleted. We retain those text transcripts to allow you to review the requests you make to Alexa in your Voice History, and to improve your Alexa experience and our services. You can delete the text transcripts at any time in the Alexa app by going to Settings > Alexa Privacy > Review Voice History.

We may still retain other records of your Alexa interactions, including records of actions Alexa took in response to your request. This allows us, for instance, to continue to provide your reminders, timers, and alarms, process your orders, remember the things you've taught Alexa, and show your shopping and to-do lists and messages sent through Alexa Communications. If your request was processed by an Alexa skill, deleting your voice recordings does not delete any information retained by the developer of that skill (skill developers do not receive voice recordings)." This is problematic, because a big share of more than 100,0000 skills are developed by third parties that are not necessarily bound by Amazon’s privacy policies. The research by North Carolina State University found that "23.3% of 1,146 skills that requested access to privacy-sensitive data either didn't have privacy policies or their privacy policies were misleading or incomplete. For example, some requested private information even though their privacy policies stated they were not requesting private information." In addition to misleading privacy policies, issues included things like developers being able to claim fake identity ('Samsung', 'Apple'), multiple skills sharing the same Alexa trigger words, etc. "

What is the company’s known track record of protecting users’ data?

Needs Improvement

In 2022, Paige Thompson, a former Amazon employee accused of stealing the personal information of 100 million customers by breaching banking giant CapitalOne in 2019, was found guilty by a Seattle jury on charges of wire fraud and computer hacking.

In July 2021, the Luxembourg National Commission for Data Protection issued a 746 million euro fine to Amazon for allegedly violating the European Union’s General Data Protection Regulation (GDPR).

In August 2020, security researchers from Check Point pointed out a flaw in Amazon's Alexa smart home devices that could have allowed hackers access to personal information and conversation history. Amazon promptly fixed the bug.

In October 2020, Amazon fired an employee for leaking customer email addresses to an unnamed third party.

In October 2019, Forbes reported that Amazon employees were listening to Amazon Cloud Cam recording, to train its AI algorythm.

In April 2019, it was revealed that thousands of employees, many of whom are contract workers and some not even directly employed by Amazon, had access to both voice and text transcripts of Alexa interactions.

Child Privacy Information

Amazon does not sell products for purchase by children. We sell children's products for purchase by adults. If you are under 18, you may use Amazon Services only with the involvement of a parent or guardian. We do not knowingly collect personal information from children under the age of 13 without the consent of the child's parent or guardian. For more information, please see our Children's Privacy Disclosure.

Can this product be used offline?

Yes

User-friendly privacy information?

No

Amazon has a complicated and difficult to navigate mess of privacy policies, privacy notices, privacy FAQs, and other privacy information.

Links to privacy information

Does this product meet our Minimum Security Standards? information

Yes

Encryption

Yes

Uses encryption in transit and at rest.

Strong password

Yes

Password-protected Amazon account is needed to set up a Kindle

Security updates

Yes

Manages vulnerabilities

Yes

Amazon has a bug bounty program.

Privacy policy

Yes

Does the product use AI? information

No

*privacy not included

Dive Deeper

  • Tour Amazon’s dream home, where every appliance is also a spy
    The Washington Post
  • I Want You Back: Getting My Personal Data From Amazon Was Weeks of Confusion and Tedium
    The Intercept
  • Here’s How Amazon Tracks You in 2022 (and how to stop them)
    All Things Secured
  • Amazon Alexa Voice Data Tracking Might Lead To Privacy Issues; How To Prevent It?
    Tech Times
  • Amazon demonstrates Alexa mimicking the voice of a deceased relative
    CNBC
  • Does Amazon Sell Your Personal Information?
    DeleteMe
  • Column: Do you really want Amazon’s new drugstore knowing your medical condition?
    Los Angeles Times
  • Amazon Data Breaches: Full Timeline Through 2022
    Firewall Times
  • Alexa records you more often than you think
    Vox
  • Why Amazon is tracking every time you tap your Kindle
    The Verge
  • What type of data does Amazon collect from Kindles?
    Good E-Reader
  • Privacy Settings FAQs for Fire TV streaming media players, Fire TV Edition devices, Fire tablets and Kindle e-readers
    Amazon

Comments

Got a comment? Let us hear it.