Amazon to pay over $30 million for Ring and Alexa privacy violations
The latest: A lawsuit filed by the Department of Justice on behalf of the FTC said Wednesday Amazon violated the Children's Online Privacy Protection Act by retaining voice and geolocation information from young users for years despite parents' requests that they delete the data.
- The lawsuit said the company sought to retain the data for "its own potential use," despite repeatedly assured its users that they could delete voice recordings collected from its Alexa voice assistant and geolocation information collected by the Alexa app.
- Under the FTC's proposed settlement with Amazon, which must be approved by a federal court, the company would have to pay a $25 million civil penalty and delete inactive child accounts and certain voice recordings and geolocation information.
Separately, the FTC's complaint against Ring says that the company, despite emphasizing security in promotional materials, had no safeguards in place to prevent employees and hundreds of contractors from having full access to videos from every customer.
Zoom in: Civil rights groups and others have in recent years criticized the company — which has sold millions of doorbell and indoor cameras — for both its security practices and its close ties with law enforcement
- All of the videos were stored unencrypted on Ring’s network and could be downloaded, viewed, shared or disclosed by any employee or any contractor, "regardless of whether the employee or contractor actually needed that access to perform his or her job function," according to the complaint.
- The complaint highlights one Ring employee who viewed "thousands" of recordings from 81 women, some of whom were other Ring employees, between June and August 2017.
- "The employee focused his prurient searches on cameras with names indicating that they surveilled an intimate space, such as 'Master Bedroom,' 'Master Bathroom,' or 'Spy Cam.'"
Of note: Because of its failure to implement security measures, more than 55,000 U.S. customers faced attacks from hackers that compromised Ring devices between January 2019 and March 2020, the FTC said.
- The attacks gave hackers access "to hundreds of thousands of videos of the personal spaces of consumers’ homes, including their bedrooms and their children’s bedrooms," the complaint reads.
- Hackers disproportionately targeted cameras that the company advertises for indoor use.
What they're saying: "Ring's disregard for privacy and security exposed consumers to spying and harassment," said Samuel Levine, director of the FTC’s Bureau of Consumer Protection.
- "The FTC’s order makes clear that putting profit over privacy doesn’t pay," he added.
- Ring and Amazon said in a statement to Axios that it disagreed with the FTC’s allegations and denied violating the law.
- By going after the popular Ring video doorbell service and Alexa, the agency can finally say it tackled parts of Amazon's grip on consumer data and tried to reel in a Big Tech player's means of surveillance.
The big picture: The commission's proposed settlement with Ring, which must be approved by a federal court, would require the company to pay $5.8 million in consumer refunds as well as delete data from videos it unlawfully reviewed
- The company would also have to create a privacy and security program to safeguard users' videos and data.
- It would also have to alert the FTC about incidents of unauthorized access or exposure of customers’ videos.
Editor's note: This article has been updated to include details of the FTC's action against Amazon Alexa and a statement from Amazon.