The U.S. Federal Trade Commission (FTC) has fined Amazon a cumulative $30.8 million over a series of privacy lapses regarding its Alexa assistant and Ring security cameras.
This comprises a $25 million penalty for breaching children’s privacy laws by retaining their Alexa voice recordings for indefinite time periods and preventing parents from exercising their deletion rights.
“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” FTC’s Samuel Levine said.
As part of the court order, the retail giant has been mandated to delete the collected information, including inactive child accounts, geolocation data, and voice recordings, and prohibited from gathering such data to train its algorithms. It’s also required to disclose to customers its data retention practices.
Amazon has also agreed to fork out an additional $5.8 million in consumer refunds for breaching users’ privacy by permitting any employee or contractor to gain broad and unfettered access to private videos recorded using Ring cameras.
“For example, one employee over several months viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms,” the FTC noted. “The employee wasn’t stopped until another employee discovered the misconduct.”
The consumer protection authority, besides faulting Amazon for failing to adequately notify customers or obtain their consent before using the captured recordings for product improvement, called out the company for not implementing adequate security controls to protect Ring user accounts.
The “egregious” violations exposed users to credential stuffing and brute-force attacks, enabling miscreants to take control of the accounts and gain unauthorized access to video streams.
“Bad actors not only viewed some customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten, and insult consumers—including elderly individuals and children—whose rooms were monitored by Ring cameras, and to change important device settings,” it explained.
“Hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom.”
More than 55,000 U.S. customers are estimated to have had their accounts compromised between January 2019 and March 2020 as a result of these lax policies.
The proposed settlement further requires Amazon to purge all customer videos and facial data that it unlawfully obtained prior to 2018, and also take down any work products it derived from those videos.
While both settlements must be approved by a court to take effect, Amazon said “we take our responsibilities to our customers and their families very seriously” and that it’s “consistently taken steps to protect customer privacy by providing clear privacy disclosures and customer controls, […] and maintaining strict internal controls to protect customer data.”
The development comes weeks after the FTC accused Meta of “repeatedly” violating its privacy promises and misleading parents about their ability to control with whom their children communicated through its Messenger Kids app between late 2017 and mid-2019.
The regulator is also seeking a blanket ban that would prohibit the company from profiting off of children’s data. Meta has labeled the allegations as a “political stunt” and said it operates an “industry-leading privacy program.”