Amazon will fork over nearly $31 million in penalties to settle federal lawsuits filed this week over privacy violations, perhaps signaling a further warning to the security industry about the consequences of mishandling access to customer information.
The Federal Trade Commission charged Amazon Wednesday with a host of privacy violations related to its Ring and Alexa products that included tens of millions of dollars in penalties. The settlements must still be approved by a federal court.
The FTC alleged that Ring compromised its customers’ privacy by allowing any employee or contractor to access consumers’ private videos. In one case, an employee watched thousands of video recordings of females in the bedrooms or bathrooms of their homes before they were caught.
Hackers also used Ring cameras’ two-way functionality, the government said, to harass, threaten and insult consumers, including taunting children with racist slurs, sexually propositioning individuals, and threatened a family with physical harm if they didn’t pay a ransom.
Under a proposed order, Ring must pay $5.8 million, which will be used for consumer refunds. The company will also be required to delete any customer videos and face embeddings, data collected from an individual’s face, that it obtained prior to 2018, and delete any work products it derived from these videos.
It must also implement a privacy and security program “with novel safeguards on human review of videos as well as other stringent security controls, such as multi-factor authentication for both employee and customer accounts.”
The proposed order also will require Ring to alert the FTC about incidents of unauthorized access or exposure of its customers’ videos and to notify consumers about the FTC’s action.
“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”
Data Never Deleted
Another lawsuit filed Wednesday by the U.S. Department of Justice on behalf of the FTC is requiring Amazon to overhaul its deletion practices and implement stringent privacy safeguards to settle charges the company violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) and deceived parents and users of the Alexa voice assistant service about its data deletion practices.
According to the complaint, Amazon prevented parents from exercising their deletion rights under the COPPA Rule, kept sensitive voice and geolocation data for years, and used it for its own purposes, while putting data at risk of harm from unnecessary access.
The COPPA Rule requires, among other things, that an operator of a commercial website or online service directed to children under 13 years of age notify parents about the information they collect from children, obtain parents’ consent for the collection of that data, and allow them to delete that information at any time. In addition, such a service is prohibited from retaining the information collected from children under 13 for longer than is reasonably necessary to provide the service.
The FTC said the company failed to put in place an effective system to ensure that it honored users’ data deletion requests and to give parents meaningful notice about deletion. Even when Amazon discovered its failures to delete geolocation data, the FTC said that Amazon repeatedly failed to fix the problems.
Levine alleged Amazon has a history of misleading parents and keeping children’s recordings indefinitely. “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms,” he said.
Under the proposed federal court order Amazon will – in addition to paying the $25 million in penalties -- be required to delete inactive child accounts and certain voice recordings and geolocation information and will be prohibited from using such data to train its algorithms. This order must also be approved by a federal judge.
Oher provisions of the proposed order will:
- Prohibit Amazon from using geolocation, voice information and children’s voice information subject to consumers’ deletion requests for the creation or improvement of any data product;
- Require the company to delete inactive Alexa accounts of children;
- Require Amazon to notify users about the FTC-DOJ action against the company;
- Require Amazon to notify users of its retention and deletion practices and controls;
- Prohibit Amazon from misrepresenting its privacy policies related to geolocation, voice and children’s voice information; and,
- Mandate the creation and implementation of a privacy program related to the company’s use of geolocation information.
Ring Security Failures
The FTC notes that in the Ring case, the employee who was viewing women in their homes through internal cameras wasn’t stopped until another employee discovered the misconduct.
Even after Ring imposed restrictions on who could access customers’ videos, the company wasn’t able to determine how many other employees inappropriately accessed private videos, the FTC said, because Ring failed to implement basic measures to monitor and detect employees’ video access.
The FTC also alleged Ring failed to take any steps until January 2018 to adequately notify customers or obtain their consent for extensive human review of customers’ private video recordings for various purposes, including training algorithms.
“Ring buried information in its Terms of Service and Privacy Policy, claiming it had a right to use recordings obtained in connection with its services for ‘product improvement and development,’” according to the complaint.
The FTC said Ring failed to protect consumers’ information from two well-known online threats — “credential stuffing” and “brute force” attacks — despite warnings from employees, outside security researchers and media reports.
Despite experiencing multiple credential-stuffing attacks in 2017 and 2018, Ring failed, according to the complaint, to implement common security tactics — such as multifactor authentication — until 2019.
But due to Ring’s “sloppy implementation” of the additional security measures hackers continued to exploit account vulnerabilities to access stored videos, live video streams and account profiles of approximately 55,000 U.S. customers, the FTC’s complaint said.
In a statement, Amazon said the company takes its responsibilities to customers and their families very seriously.
"Our devices and services are built to protect customers’ privacy, and to provide customers with control over their experience. While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us.
"We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa. As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them."
The company added, "Ring promptly addressed the issues at hand on its own years ago, well before the FTC began its inquiry. Our focus has been and remains on delivering products and features our customers love, while upholding our commitment to protect their privacy and security.”
