You could sniff the network connection and see whether it is sending anything home. Of course you'd have to do that again after every update and you wouldn't know if it doesn't activate silent recording for specific key words.
If you want a voice assistant you can trust, you have to build your own out of open hardware and software and run your own hosted service for it, but the thing being hacked would still be a possibility. In the end, the only way to be sure is not to have one in the first place.
> Not really practical with a pinned internal CA and batched uploading.
It's not so much about looking at the payload as it is about whether it's sending anything at all and, if it is, what amount. Correct me if I'm wrong, but from everything I've read and heard these devices don't really have much in the way of internal storage capacity (yet). It either has to be uploaded or discarded.
Are you checking the cellular bands, or just your local 802.{3,11}? SoCs exist with built-in LTE/CDMA/etc.
edit:
Also, voice compresses really well if you don't care about the quality. With a codec that uses <10 kbit/s (e.g. GSM-HR, AMR), the storage requirements are at most 2.4 MB/hour. A simple gate filter that cuts out quiet periods should cut the storage requirements down to only a few MB/week. A typical flash chip used to store the firmware could easily store years' worth of typical household speech in the non-firmware space.
But inside the Echo? It's not my area of expertise, but I'm almost certain that there are people with the expertise that are looking for exactly that and if Google or Amazon had those built in, we'd know about it. I think we can at least rule that one out.
As for the compression, that is very interesting indeed. I had no idea you could compress voice that much. If / When they're going for 24/7 recording, this would be most likely the way to go and it would be extremely hard, if not impossible, to detect.