To resolve complaints about Alexa and its Ring home security service, Amazon has agreed to pay the Federal Trade Commission (FTC) close to $31 million in a settlement.
The claim that Amazon violated the US Children’s Online Privacy Protection Act Rule (COPPA Rule) and misled Alexa consumers about the smart voice assistant’s data deletion policies will be settled with the bigger of the two civil fines ($25 million). The Federal Trade Commission in the United States has made Amazon a case study for every cautionary story about how carelessly constructed internet-of-things devices and related services constitute a danger to privacy. In addition, the FTC has set the cost of Amazon’s claimed activities at a modest $30.8 million.
The online retailer’s home security camera subsidiary, Ring, was accused of “compromising the privacy of its customers by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.”
According to the complaint filed by the FTC, “Not only could every Ring employee and Ukraine-based third-party contractor access every customer’s videos (all of which were stored unencrypted on Ring’s network), but they could also readily download any customer’s videos and then view, share, or disclose those videos at will.” Another nightmarish scenario: “although an engineer working on Ring’s floodlight camera might need access to some video data from outdoor devices, that engineer had unrestricted access to footage of the inside of customers’ bedrooms.”
Ring’s workers were not properly trained in how to handle confidential information. According to the consumer watchdog, some people used it in a very harmful manner. The complaint acknowledges that customers were warned in Ring’s Terms of Service and Privacy Policy that Ring gave itself extensive rights to access their videos, but criticizes those documents as a “buried half-explanation” that gave people “no reasonable way of knowing that hundreds of Ring employees and third-party contractors in Ukraine had unfettered access to live streams and stored videos.”
According to the FTC’s complaint, Ring’s primary marketing pitch was that its products promote safety; yet, the company’s actions meant that its goods accomplished the reverse of what Ring had said they would do.
Amazon “prominently and repeatedly” guaranteed its customers, including parents, that they could remove Alexa voice recordings and geolocation information, according to a complaint that was filed by the Department of Justice (DoJ) on behalf of the FTC. According to the allegations included in the lawsuit, Amazon did, in fact, keep some of this information for years and illegally exploited it to develop the Alexa algorithm.
“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” stated Samuel Levine, head of the Bureau of Consumer Protection of the Federal Trade Commission (FTC). “Companies are not permitted under COPPA to store the personal information of children indefinitely or for any other purpose, and certainly not for the purpose of training their algorithms.”
Separately, Amazon’s Ring firm, which it acquired in 2018, has agreed to pay $5.8 million to resolve claims that it breached the privacy of customers and did not follow the best standards for information security. The money will be used to provide reimbursements to customers.
The FTC received a complaint alleging that the company misled its consumers by failing to limit employees’ and contractors’ access to customers’ videos and by using customer videos to train algorithms without first obtaining approval from those customers. One employee is reported to have viewed hundreds of video recordings made by female Ring users in “intimate spaces” in their houses, such as toilets, bedrooms and closets.
The lawsuit also said that Ring was slow to strengthen customer account security against brute-force attacks, despite customers experiencing repeated credential stuffing attacks in 2017 and 2018.
It said that the “sloppy implementation” of security measures beginning in 2019 reduced the efficacy of such safeguards. It seems that malicious actors were able to access the stored videos, live video streams, and account profiles of around 55,000 consumers in the United States. These actors even attempted to extort some of the customers and threatened others.
In addition to the penalties, Amazon will be compelled to delete dormant child accounts, as well as certain Alexa voice recordings and geolocation information, and the company will be prohibited from using this data to train its algorithms.
Ring will be compelled to erase data, models, and algorithms that were created from videos that it illegally examined. Additionally, Ring will be required to adopt a privacy and security program that includes safeguards on the human review of videos, multi-factor authentication for employee and customer accounts, and other measures.
According to a statement released by Amazon, the company takes issue with the FTC’s allegations about Ring and Alexa and asserts that it did not violate any laws.