FTC Slams Amazon with $30.8M Fine for Privacy Violations Involving Alexa and Ring

Jun 03, 2023 | Ravie Lakshmanan | Privacy / Technology

The U.S. Federal Trade Commission (FTC) has fined Amazon a cumulative $30.8 million over a series of privacy lapses regarding its Alexa assistant and Ring security cameras.


This comprises a $25 million penalty for breaching children’s privacy laws by retaining their Alexa voice recordings for indefinite time periods and preventing parents from exercising their deletion rights.

“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” FTC’s Samuel Levine said.

As part of the court order, the retail giant has been mandated to delete the collected information, including inactive child accounts, geolocation data, and voice recordings, and prohibited from gathering such data to train its algorithms. It’s also required to disclose to customers its data retention practices.

Amazon has also agreed to fork out an additional $5.8 million in consumer refunds for breaching users’ privacy by permitting any employee or contractor to gain broad and unfettered access to private videos recorded using Ring cameras.

“For example, one employee over several months viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms,” the FTC noted. “The employee wasn’t stopped until another employee discovered the misconduct.”

The consumer protection authority, besides faulting Amazon for failing to adequately notify customers or obtain their consent before using the captured recordings for product improvement, called out the company for not implementing adequate security controls to protect Ring user accounts.

The “egregious” violations exposed users to credential stuffing and brute-force attacks, enabling miscreants to take control of the accounts and gain unauthorized access to video streams.

“Bad actors not only viewed some customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten, and insult consumers—including elderly individuals and children—whose rooms were monitored by Ring cameras, and to change important device settings,” it explained.

“Hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom.”

More than 55,000 U.S. customers are estimated to have had their accounts compromised between January 2019 and March 2020 as a result of these lax policies.



The proposed settlement further requires Amazon to purge all customer videos and facial data that it unlawfully obtained prior to 2018, and also take down any work products it derived from those videos.

While both settlements must be approved by a court to take effect, Amazon said “we [take] our responsibilities to our customers and their families very seriously” and that it’s “consistently taken steps to protect customer privacy by providing clear privacy disclosures and customer controls, […] and maintaining strict internal controls to protect customer data.”

The development comes weeks after the FTC accused Meta of “repeatedly” violating its privacy promises and misleading parents about their ability to control with whom their children communicated through its Messenger Kids app between late 2017 and mid-2019.

The regulator is also seeking a blanket ban that would prohibit the company from profiting off of children’s data. Meta has labeled the allegations as a “political stunt” and said it operates an “industry-leading privacy program.”
