Amazon will pay more than $30 million to resolve FTC privacy complaints over Alexa and Ring

CNN
—

Amazon has agreed to pay more than $30 million to settle two federal lawsuits alleging the tech giant violated users’ privacy — including children’s — through its Alexa voice assistant and Ring doorbell cameras.

The twin settlements Wednesday with the Federal Trade Commission highlight allegations that Amazon kept Ring videos and Alexa voice recordings, along with related geolocation information, for years — in some cases without consent and despite requests from consumers that the data be deleted.

In addition, the FTC argued that lax data policies at Amazon meant that the information could often be accessed by unauthorized parties — and often was in the case of Ring doorbell recordings.

“While we disagree with the FTC’s allegations regarding both Alexa and Ring, and deny any violations of the law, these settlements put these matters behind us,” Amazon said in a statement Wednesday.

Amazon bought Ring in 2018, paving the way for the e-commerce giant to enter the home security business. In addition to video doorbells, Ring makes indoor and outdoor security cameras as well as alarm systems.

In a complaint accompanying the settlement, the FTC alleged that Ring gave employees unlimited access to videos from customers’ home security systems. In one case, the complaint says, a Ring employee viewed thousands of video recordings from at least 81 female users between June and August 2017, looking at cameras that users had assigned to bathrooms and bedrooms. An initial report of misconduct by an employee was not taken seriously, the complaint states.

“Only after the supervisor noticed that the male employee was only watching videos of ‘pretty girls,’ did the supervisor escalate the report of misconduct,” the FTC alleged in the complaint. “Only at that point did Ring review some of the employee’s activity and ultimately terminate the employment relationship.”

The complaint against Ring also recounts a number of alleged cases of hacked cameras that allow malicious actors to talk to victims, causing distress. Many of these attacks allegedly occurred through successful guessing of user passwords, reflecting Amazon’s failure to require strong password protection, according to the complaint.

“Between January 2019 and March 2020, more than 55,000 US customers suffered from credential stuffing and brute force attacks that compromised Ring devices,” the FTC claimed. “Through these attacks, bad actors gained access to hundreds of thousands of videos of the personal spaces of consumers’ homes, including their bedrooms and their children’s bedrooms — recorded by devices that Ring sold by claiming they would increase consumer security.”

Ring has agreed to pay $5.8 million and implement a new data security program, according to the proposed settlement.

In its statement, Amazon said, “Ring immediately addressed the issues at hand on its own years ago, long before the FTC began its investigation.”

“Ring immediately addressed these issues on its own years ago, long before the FTC began its investigation,” Ring said in a statement to CNN. “While we disagree with the FTC’s allegations and deny any violation of the law, this settlement resolves this matter so that we can focus on innovation on behalf of our customers.”

Separately, Amazon will pay $25 million to settle allegations surrounding its Alexa voice assistant.

In a complaint, the FTC alleged that Amazon violated a children’s privacy law known as COPPA, which restricts the collection of personal information from children under 13 without parental consent.

According to the FTC, Amazon Alexa kept child voice recordings “indefinitely” unless a user specifically instructed the company to delete the recordings. It also allegedly sometimes failed to comply with erasure requests “and instead retained that data for its own potential use.”

The proposed Alexa settlement requires Amazon to delete voice recordings and geolocation data in accordance with previous consumer requests, including children’s. The company will also be barred from using that data to train its algorithms, the FTC said. Amazon also agreed to send consumers notices about the FTC settlement, and to implement a geolocation data privacy program.

“We built Alexa with strong privacy and customer controls, designed Amazon Kids to comply with COPPA, and worked with the FTC before expanding Amazon Kids to include Alexa,” the company said in the statement. “As part of the settlement, we agreed to make a small change to our already strong practice, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.”