Amazon's Ring and Alexa fined $30m for spying and child privacy abuse

Amazon will fork over $30m in fines for multiple privacy violations, including allowing Ring employees to spy on customers, creating a security atmosphere ripe for hackers, and illegally keeping Alexa recordings of children’s voices.

In the first set of charges, the US Federal Trade Commission (FTC) says Amazon’s home security camera company, Ring, violated customer privacy by allowing any Ring employee or contractor to access consumers’ private videos.

The FTC also charged the online retail giant with failing to implement basic privacy and security protections, thereby enabling hackers to take control of consumers’ accounts, cameras, and videos.

An Amazon spokesperson reached out to Cybernews since publication in an effort to provide context, pointing out that "Ring promptly addressed the issues at hand on its own years ago, well before the FTC began its inquiry."

"Our focus has been and remains on delivering products and features our customers love, while upholding our commitment to protect their privacy and security,” the Amazon spokesperson said.

Ring security turned spy cam

In one 2017 scenario, a now-former Ring employee was found spying on at least 81 separate female Ring customers whose cameras happened to be set up to contain views of private areas such as their bedrooms and bathrooms.

That employee was said to have viewed thousands of video recordings over the course of several months and did not stop until they were reported by another employee.

The FTC said even after discovering the violation, Amazon was unable to determine who else had access or was viewing the sensitive videos due to the lack of any employee policy regarding video access.

Not only did Ring employees have unfettered access to customer videos, the FTC said, “third-party contractors were able to view, download, and transfer customers' sensitive video data for their own purposes."

The FTC also said Amazon did not properly notify customers that their private videos were being viewed for employee training purposes, nor did it give them a way to consent to or decline that use by the company.

Amazon, which bought Ring in 2018, changed its company policy by February 2019, allowing employee and third-party access to videos only with customer consent.

Ring was hackers' delight

Ring is also charged with failing to implement basic security controls on both its products and workplace environment, giving bad actors an endless playground to hack and harass consumers.

Because of the lax security measures, the FTC said hackers were able to continuously exploit Ring account vulnerabilities.

Bad actors were able to access both stored videos and live streams, change product device settings, and hack into the individual profile accounts of roughly 55,000 US customers.

Some of the hackers were reported to have even used Ring's two-way camera functionality to harass, threaten, and insult customers in their own homes, including children and the elderly.

The FTC complaint stated that “hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom.”

Ring has also been charged with failing to protect consumers’ information from two well-known online threats – “credential stuffing” and “brute force” password attacks.

This is after warnings from employees and outside security researchers, and after experiencing multiple attacks in 2017 and 2018.

Alexa turned parent’s nightmare

In the second set of charges, this time brought by both the FTC and the US Department of Justice, Amazon is accused of violating parent and child rights according to the federal Children's Online Privacy Protection Act (COPPA).

The COPPA Rule, enacted in 1998, is designed to protect the personal information of children under age 13 that is collected by online services and websites.

It also affords parents the right to be able to delete or restrict use of any of the data collected.

The complaint, filed in Seattle federal court, says the Amazon Alexa smart speaker and voice assistant service retained children’s recordings indefinitely, sometimes even after parents requested the voice recordings be deleted.

The recordings also included transcripts and sensitive geolocation data collected by the Alexa devices and kept in Amazon databases.

According to the FTC, Amazon was using the children’s voice recordings without parental knowledge to train its Alexa voice assistant to respond to voice commands and to improve its speech recognition.

The FTC said Amazon’s data retention practices put the children’s data at risk of harm from unnecessary access and deceived consumers unaware of the privacy violations.

The complaint states the Alexa service and Echo devices falsely claim they are “designed to protect your privacy” and that parents and other users can delete geolocation data and voice recordings.

The FTC also pointed out that Amazon offers these Alexa-enabled devices and services specifically targeted to children, and then collects the child’s personal data and voice recordings while repeatedly reassuring users it can delete the data.

“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” said FTC director Samuel Levine.

“COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms,” he said.

In response to the accusations, the Amazon spokesperson told Cybernews, “We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa.

"As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them," the spokesperson added.

The settlements

In total for both cases, Amazon will be forced to pay $30.8 million to the US government.

As part of the Ring settlement, Amazon will be fined $5.8 million over the privacy violations, to be used for consumer refunds.

The settlement, which spans 20 years, will also require Ring to delete any and all customer and face-identifiable videos collected prior to 2018 and notify all customers about the FTC actions and any future privacy incidents.

For the Alexa case, Amazon will pay $25 million in fines and be required to delete any inactive child accounts, certain voice recordings and geolocation information.

Amazon will also be prohibited from using such data to train its algorithms.

The entire $30.8 million fine is considered a drop in the bucket for the online retail behemoth.

Amazon, which made $3.2 billion profit in just the first quarter of 2023, has not admitted fault in either case and says it takes its "responsibilities to our customers and their families very seriously."

"While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us,” the Amazon spokesperson said.
