Amazon will pay $30.8 million and implement new privacy and security programs to settle dual privacy breach claims made against its Alexa and Ring services.
The Federal Trade Commission accused home security camera company Ring, which Amazon acquired in 2018, of “egregious violations of users’ privacy” for a range of failings including not restricting staff access to customers’ private videos.
Under the first of two settlements announced by the FTC on May 31, Ring will pay $5.8 million and delete data and algorithms derived from videos it unlawfully reviewed.
Amazon, the world’s largest online retailer and a major cloud service provider, will pay a further $25 million and implement “stringent privacy safeguards” to settle a complaint relating to its Alexa voice assistant filed by the Justice Department on behalf of the FTC.
The DOJ and FTC allege Amazon violated a law aimed at protecting the online privacy of children and deceived parents and users of the Alexa service about its data deletion practices.
The two settlements are the latest in a series of actions taken by the FTC to crack down on privacy violations by large tech companies, especially where breaches impact young people.
Ring staff and contractors spied on customers
In its complaint against Ring (PDF), the FTC alleged the company deceived its customers by failing to restrict employees’ and contractors’ access to videos taken by its cameras, used customer videos without consent to train its algorithms, and failed to implement security safeguards.
According to the complaint, one Ring employee viewed thousands of video recordings belonging to female users of Ring cameras over a period of several months. The cameras were in intimate spaces in the customers’ homes including their bathrooms or bedrooms.
“The employee wasn’t stopped until another employee discovered the misconduct,” the FTC said.
“Even after Ring imposed restrictions on who could access customers’ videos, the company wasn’t able to determine how many other employees inappropriately accessed private videos because Ring failed to implement basic measures to monitor and detect employees’ video access.”
The FTC alleged Ring also failed to implement standard security measures to protect consumers’ information from credential stuffing and brute force attacks, despite warnings from employees, outside security researchers and media reports.
Despite experiencing multiple credential-stuffing attacks in 2017 and 2018, Ring failed to implement common tactics, such as multifactor authentication, until 2019, the FTC said.
“Even then, Ring’s sloppy implementation of the additional security measures hampered their effectiveness. As a result, hackers continued to exploit account vulnerabilities to access stored videos, live video streams, and account profiles of approximately 55,000 U.S. customers.
“Bad actors not only viewed some customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten, and insult consumers—including elderly individuals and children—whose rooms were monitored by Ring cameras, and to change important device settings.
“For example, hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom,” the FTC said.
As well as being required to delete data and algorithms derived from videos it unlawfully reviewed, Ring must implement a privacy and security program “stringent security controls, such as multi-factor authentication for both employee and customer accounts”, under a proposed order (PDF), that requires federal court approval before it takes effect.
“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
“The FTC’s order makes clear that putting profit over privacy doesn’t pay.”
In a statement, Amazon said Ring had “promptly addressed these issues on its own years ago, well before the FTC began its inquiry. While we disagree with the FTC’s allegations and deny violating the law, this settlement resolves this matter so we can focus on innovating.”
Amazon kept and used kids’ Alexa voice recordings
In its complaint about Alexa (PDF), the DOJ alleged Amazon prevented parents from exercising their deletion rights under the Children's Online Privacy Protection Act (COPPA) Rule, kept sensitive voice and geolocation data for years, and used it for its own purposes without properly securing it.
“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” Levine said.
“COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”
Under a proposed court order (PDF), Amazon will be required to delete inactive child accounts and certain voice recordings and geolocation information, and will be prohibited from using such data to train its algorithms.
The FTC said Amazon “prominently and repeatedly” assured its users, including parents, that they could delete voice recordings collected by Alexa devices and geolocation information collected by the Alexa app.
“The company, however, failed to follow through on these promises when it kept some of this information for years and used the data it unlawfully retained to help improve its Alexa algorithm.”
The FTC said Amazon failed to put in place an effective system to ensure it honored users’ data deletion requests and to give parents meaningful notice about deletion.
Under the terms of the settlement, Amazon will be prohibited from using geolocation and voice information subject to consumers’ deletion requests to create or improve any of its data products. It will also be required to create and implement a geolocation information privacy program.
In a statement, Amazon said while it disagreed with the FTC’s claims and denied violating the law, the settlement puts an end to the matter.
“We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa,” the company said.
“As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.”
In December 2022, the FTC announced a settlement with Epic Games, maker of the Fortnight video game, involving the payment of a record $275 million for violating COPPA, as well as $245 million in refunds for tricking users into making unwanted charges.
In 2019, Google agreed to pay a $170 million penalty to settle charges from the FTC and the attorney general of New York that it had violated children’s privacy on YouTube.