The FTC’s investigation found that the recordings, also including sensitive geolocation data, were used to train the Alexa voice assistant to improve its response to voice commands and speech recognition.
In a landmark settlement with the Federal Trade Commission (FTC), Amazon has been fined a total of $31 million due to security and privacy violations committed by its subsidiaries Ring and Alexa.
The penalties stem from separate investigations carried out by the FTC, uncovering alarming breaches that have raised concerns over consumer privacy and data protection.
The first case (PDF) revolves around Ring, the home security company acquired by Amazon in 2018. The FTC’s complaint highlighted how Ring had allegedly failed to protect its customers’ data adequately and misrepresented the security features of its products. The FTC’s stipulated order, available on their website, shed light on the allegations and provided details on the settlement terms, which Amazon will be forced to comply with.
The FTC alleges that Amazon allowed its employees and contractors to view the video footage collected through Ring, resulting in a serious customer privacy violation. One former Ring employee was reported by another employee for having viewed thousands of video recordings captured by Ring, showing female users in the intimate areas of their house such as bedrooms and bathrooms.
The charges levied against Ring also included instances from 2017 and 2018 when various users suffered from credential stuffing due to brute-force attacks. FTC claimed that Ring was slow in improving customers’ account security to thwart such attacks.
Due to the lack of proper security protocols and multiple Ring vulnerabilities, threat actors were able to access the stored videos, live streams and account profiles of 55,000 US users. They even attempted to extort some, threatening them with violence if demands were not met.
The biggest concern lies in the fact that Amazon implemented no procedure for asking customers to consent or decline the collection and use of their video footage.
The second case (PDF) pertains to Amazon’s voice-activated assistant, Alexa, and its alleged violation of the Children’s Online Privacy Protection Act (COPPA). The COPPA is designed to protect the personal information of children under the age of 13. As such, the FTC and the US DoJ found that Alexa retained recordings of children’s voices indefinitely, sometimes even after parents wanted them to be deleted.
Amazon was accused of misleading parents and misrepresenting its product’s data deletion practices. The FTC’s investigation found that the recordings, also including sensitive geolocation data, were used to train the Alexa voice assistant to improve its response to voice commands and speech recognition.
Director of the FTC’s Bureau of Consumer Protection, Samuel Levine, said, “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”
For Ring’s consumer privacy violation, Amazon has been charged to pay a settlement of $5.8 million which will be used for consumer refunds. Ring will also be required to delete data, models and algorithms derived from videos it unlawfully collected.
Amazon will also be forced to pay $25 million for the Alexa case and must delete any inactive child accounts, voice recordings and geolocation information. It has been prohibited from training its algorithm using such data.
Amazon, meanwhile, has maintained its position of not breaking any law and stated, “We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa.”
“As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.”
RELATED ARTICLES
- The Pros and Cons of Smart Homes
- ALPHV ransomware claims it hacked Amazon’s Ring
- Amazon Ring Flaw Could Expose Camera Recordings
- Hacked Ring Cames Used in Livestreaming Swatting Attacks