Not legal advice. This site is an editorial reference. Laws change — always confirm with a qualified attorney in the relevant jurisdiction before recording, and check each page’s last reviewed date.

Storage and Security

A recording is a physical thing. It lives somewhere. The disciplines that apply to other sensitive files apply to recordings too — encryption, access control, deletion — and a few apply more sharply.

The recording you make is a file. The file has a location. The location has access. The location persists until you change it. None of this is exotic; it is true of any other sensitive document. But recordings are easier to forget than documents. A document looks like a thing you store on purpose; a recording looks like a thing you made and is now somewhere.

Encrypted at rest

On a phone, full-disk encryption is the default and is sufficient for ordinary personal recordings. On a laptop, FileVault or BitLocker should be on; on a server, the storage volume should be encrypted. Cloud services have their own at-rest encryption; you trust the cloud provider to implement it competently. For sensitive recordings — clinical sessions, journalistic sources, legal client communications — consider whether the cloud’s default encryption is enough and whether you want an additional layer (client-side encryption, a password-protected container).

Who has access

Default cloud-sync behavior is the dangerous part. A recording made on a phone often syncs automatically to a personal cloud account, where it is accessible from any other device on that account, where it appears in backups, and where it persists after the user thinks they have deleted it from the device. For sensitive recordings, turn off automatic cloud-sync for the folder that contains them. For organizational recordings, the access list should be deliberate, named, and reviewed.

Metadata

Audio files carry metadata: timestamps, device names, sometimes geolocation if the recording app captures it. Metadata travels with the file unless deliberately stripped. For most recordings this is fine; for sensitive ones — a source recording where the location reveals the source, a medical recording with a patient identifier in the filename — the metadata can leak more than the audio.

Transcripts

Transcripts are searchable; audio is not. A transcript on a cloud service that supports full-text search is a different kind of object than the audio file. For sensitive recordings, treat the transcript as a separate disclosure decision: where the audio lives, the transcript should live with at least the same protections.

Sharing

Sharing a recording is republishing it. The recipient’s storage is now your concern — not because you control it, but because a copy of your file is now in someone else’s possession. Send through channels you trust; consider expiring share links rather than email attachments; consider whether the recipient actually needs the audio or whether a transcript with the relevant portion suffices.

The cloud-backup trap

Many people who think they have deleted a recording have not deleted the cloud copy, the backup, or the messaging-app cache. iCloud Photos retains screen recordings of FaceTime calls; Google Drive retains files marked “deleted” in the Trash for thirty days; Slack, Teams, and email retain attachments according to organization-wide policies the recorder may not control. For sensitive recordings, the deletion exercise has multiple steps, and the cloud copy is the one most often forgotten.

A few concrete questions

  • Where, exactly, is this recording stored? Name the locations.
  • Who has access to those locations — in addition to me?
  • What metadata travels with the file?
  • If I deleted the file today, would all copies be gone?
  • Do I have a deletion plan for when I no longer need this?

Related