Amazon will pay $30 million in fines to settle allegations of privacy violations related to the operation of its Ring video doorbell and Alexa virtual assistant services.

According to a Federal Trade Commission (FTC) complaint, the company's Ring home security camera subsidiary allegedly engaged in unlawful surveillance of customers and failed to prevent hackers from gaining control of users' cameras.

Ring will now have to pay $5.8 million in refunds to consumers and will be barred from profiting from unlawfully obtained consumer videos.

The FTC also alleges that Ring compromised its customers' privacy by granting access to private videos to its employees and contractors. It also allegedly neglected to implement basic privacy and security measures, allowing hackers to gain control of consumers' cameras and videos by breaching their accounts.

"In pursuit of rapid product development, before September 2017, Ring did not limit access to customers' video data to employees who needed the access to perform their job function (e.g., customer support, improvement of that product, etc.)," the FTC's complaint reads.

"To the contrary, Ring gave every employee—as well as hundreds of Ukraine-based third-party contractors—full access to every customer video, regardless of whether the employee or contractor actually needed that access to perform his or her job function."

It also highlights a specific instance where an Amazon employee viewed thousands of video recordings of female users in private spaces like bathrooms and bedrooms over several months. This incident went unnoticed by the company's security team until another employee discovered and reported it.

The FTC also points out that Ring failed to implement essential safeguards like multifactor authentication (MFA) until 2019, although it was aware of multiple credential-stuffing attacks that targeted its customers in 2017 and 2018.

Furthermore, even after Ring added support for MFA, the inadequate implementation compromised its effectiveness.

Fined $25 million for ignoring requests to delete children's data

In a separate case, the FTC and the U.S. Department of Justice (DOJ) charged Amazon with violating children's privacy laws after it failed to delete children's voice recordings and geolocation information at their parents' request.

Under a proposed order, Amazon must pay $25 million and delete the children's data per their parents' requests.

The order will also prohibit Amazon from using children's data to train its algorithms and require it to delete inactive child accounts and the linked voice recordings and geolocation data.

"Amazon also failed for a significant period of time to honor parents' requests that it delete their children's voice recordings by continuing to retain the transcripts of those recordings and failing to disclose that it was doing so, also in violation of COPPA," the complaint reads.

"Finally, Amazon failed to delete users' voice information and geolocation information upon request and instead retained that data for its own potential use."

In December 2022, the FTC slapped Fortnite maker Epic Games with a $245 million fine for violating children's privacy laws and using dark patterns to trick millions into making unintentional in-game purchases.


Update: An Amazon spokesperson shared the following statement after the article was published:

At Amazon, we take our responsibilities to our customers and their families very seriously. Our devices and services are built to protect customers’ privacy, and to provide customers with control over their experience. While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us.

We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa. As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.

Ring promptly addressed the issues at hand on its own years ago, well before the FTC began its inquiry. Our focus has been and remains on delivering products and features our customers love, while upholding our commitment to protect their privacy and security.
