Amazon has agreed to pay more than $30 million to settle two federal lawsuits alleging that the tech giant violated users’ privacy — including that of children — through its Alexa voice assistant and its Ring doorbell cameras.
The twin settlements Wednesday with the Federal Trade Commission highlight claims that Amazon retained Ring videos and Alexa voice recordings, along with related geolocation information, for years – in some cases without consent and despite requests by consumers for the data to be deleted.
In addition, the FTC alleged that lax data policies at Amazon meant that the information could often be accessed by unauthorized parties — and often was, in the case of Ring doorbell footage.
“While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us,” Amazon said in a statement Wednesday.
Amazon acquired Ring in 2018, paving the way for the e-commerce giant to get into the home security business. In addition to video doorbells, Ring makes indoor and outdoor security cameras as well as alarm systems.
In a complaint accompanying the settlement, the FTC claimed Ring gave employees unrestricted access to videos from customers’ home security systems. In one instance, the complaint states, a Ring employee viewed thousands of video recordings from at least 81 female users between June and August 2017, viewing cameras that users had assigned to bathrooms and bedrooms. An initial misconduct report by a fellow employee was not taken seriously, the complaint said.
“Only after the supervisor noticed that the male employee was only viewing videos of ‘pretty girls’ did the supervisor escalate the report of misconduct,” the FTC alleged in the complaint. “Only at that point did Ring review a portion of the employee’s activity and, ultimately, terminate his employment.”
The complaint against Ring also recounts numerous alleged instances of hacked cameras allowing malicious actors to speak to victims, causing distress. Many of these attacks allegedly occurred through successful guessing of user passwords, reflecting failures by Amazon to require strong password protections, according to the complaint.
“Between January 2019 and March 2020, more than 55,000 U.S. customers suffered from credential stuffing and brute force attacks that compromised Ring devices,” the FTC alleged. “Through these attacks, bad actors gained access to hundreds of thousands of videos of the personal spaces of consumers’ homes, including their bedrooms and their children’s bedrooms—recorded by devices that Ring sold by claiming that they would increase consumers’ security.”
Ring has agreed to pay $5.8 million and implement a new data security program, according to the proposed settlement.
In its statement, Amazon said: “Ring promptly addressed the issues at hand on its own years ago, well before the FTC began its inquiry.”
“Ring promptly addressed these issues on its own years ago, well before the FTC began its inquiry,” Ring said in a statement provided to CNN. “While we disagree with the FTC’s allegations and deny violating the law, this settlement resolves this matter so we can focus on innovating on behalf of our customers.”
Separately, Amazon will pay $25 million to settle the allegations surrounding its Alexa voice assistant.
In a complaint, the FTC alleged that Amazon violated a children’s privacy law known as COPPA, which restricts the collection of personal information from children under 13 without a parent’s consent.
According to the FTC, Amazon kept Alexa voice recordings of children “indefinitely” unless a user specifically instructed the company to delete the recordings. It also allegedly sometimes failed to honor the deletion requests “and instead retained that data for its own potential use.”
The proposed Alexa settlement requires Amazon to delete voice recordings and geolocation data in accordance with past consumer requests, including that of children. The company will also be barred from using that data to train its algorithms, the FTC said. Amazon also agreed to send consumers notices about the FTC settlement, and to implement a privacy program for geolocation data.
“We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa,” the company said in the statement. “As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.”