Amazon has agreed to pay the Federal Trade Commission (FTC) $30.8 million to settle claims that it allowed employees and third-party contractors of its Ring video camera doorbell unit to surveil customers in their homes and illegally retained children’s voice recordings through its Alexa app.
According to an FTC press release, Amazon’s Ring doorbell company was charged with compromising its customers’ privacy by allowing employees and third-party contractors, including some based in Ukraine, to access consumers’ private videos, and use the videos to train algorithms without their consent. It buried information claiming it had a right to use such recordings for “product improvement and development” in its Terms of Service and Privacy Policy.
In one example of such violations, a company employee allegedly watched thousands of video recordings belonging to one female customer who had purchased Ring cameras and placed them in “intimate” places across her home, including in her bedroom and bathroom.
“The employee wasn’t stopped until another employee discovered the misconduct,” the FTC said. “Even after Ring imposed restrictions on who could access customers’ videos, the company wasn’t able to determine how many other employees inappropriately accessed private videos because Ring failed to implement basic measures to monitor and detect employees’ video access.”
Ring also failed to implement basic privacy and security protections to prevent customers from falling victim to threats such as “credential stuffing” and “brute force” attacks, despite warnings from employees and outside security researchers.
Credential stuffing involves hackers using credentials such as usernames and passwords, obtained from a consumer’s breached account, to gain access to other customer accounts, while brute force attacks allow hackers to guess passwords, typically by cycling through breached credentials, to gain access to an account.
The lack of basic privacy and security protections also allowed hackers to take control of consumers’ accounts, cameras, and videos, the FTC said, including the accounts of approximately 55,000 U.S. customers, some of whom were subsequently threatened, harassed, and insulted by the hackers.
Ring Hackers Taunt Customers
“For example, hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom,” the FTC said.
The agency said California-based Ring LLC, which was purchased by Amazon in February 2018, has agreed to pay $5.8 million to settle the claims of violations of the FTC Act that prohibits unfair or deceptive business practices.
Under a proposed order—which still needs to be approved by a federal court—the home security camera company will have to delete all data, models, and algorithms derived from videos it “unlawfully reviewed.”
It must also implement a privacy and security program with “novel safeguards on human review of videos” and various other stringent security controls, including multi-factor authentication for both employee and customer accounts.
“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”
In a separate press release Wednesday, the FTC said Amazon had agreed to pay $25 million to settle charges that it violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) and “deceived” parents and users of the Alexa voice assistant service with regard to its data deletion practices.
The Department of Justice filed the Alexa complaint and proposed settlement in Washington state federal court on behalf of the FTC, noting that more than 800,000 children under the age of 13 have their own Alexa profiles.
The DOJ alleged that Amazon prevented parents from exercising their rights to delete voice recordings of its young users collected by its Alexa voice assistant and geolocation information collected by the Alexa app, instead storing the sensitive information for years and using it to improve its Alexa algorithm.
Amazon Denies Violating Law
On its official website, Amazon claims its Alexa service and Echo devices are “designed to protect your privacy” and states that parents and other users can delete voice recordings. According to the FTC, Amazon also said it allows users to do the same for geolocation data.
However, the company instead held onto children’s recordings indefinitely unless a parent specifically requested that the information be deleted, according to the complaint.
Even when a parent requested that the information be deleted, Amazon did not delete transcripts of what children said from all its databases, instead opting to use the information to train the Alexa algorithm and ultimately benefit its bottom line “at the expense of children’s privacy.”
Despite the FTC notifying Amazon of its failures with regard to deleting geolocation data, the FTC said the e-commerce giant repeatedly failed to fix the issues.
“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” said Levine in a statement. “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”
Together, the two settlements amount to $30.8 million.
In a statement to The Epoch Times, an Amazon spokesperson said the company disagrees with the FTC’s claims regarding both the Alexa virtual assistant technology and its app as well as its Ring doorbell unit, and denied violating the law.
“These settlements put these matters behind us,” the spokesperson said, adding that the company takes responsibilities to its customers and their families “very seriously.”
“Our devices and services are built to protect customers’ privacy, and to provide customers with control over their experience,” the spokesperson continued. “We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa. As part of the settlement, we agreed to make a small modification to our already strong practices and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.
“Ring promptly addressed the issues at hand on its own years ago, well before the FTC began its inquiry. Our focus has been and remains on delivering products and features our customers love while upholding our commitment to protect their privacy and security,” the spokesperson added.