The US Federal Trade Commission (FTC) has fined Amazon a cumulative $30.8 million over a series of privacy breaches regarding its Alexa assistant and Ring security cameras.
This consisted of a $25 million fine for violating children’s privacy laws by keeping their Alexa voice recordings indefinitely and preventing parents from exercising their deletion rights.
“Amazon’s history that misleads parents, keeps children’s records indefinitely, and flouts parental takedown requests violates COPPA and sacrifices privacy for profit,” said Samuel Levine of the FTC.
As part of the court order, the retail giant has been mandated to delete the information it collects, including inactive child accounts, geolocation data and voice recordings, and is prohibited from using that data to train its algorithms. It is also required to disclose its data retention practices to customers.
Amazon has also agreed to pay an additional $5.8 million in consumer refunds for violating user privacy by allowing any employee or contractor broad and unrestricted access to private videos recorded using Ring cameras.
“For example, one employee over the course of several months viewed thousands of video recordings of women using Ring cameras to surveil intimate spaces in their homes, such as their bathrooms or bedrooms,” the FTC noted. “The employee was not terminated until another employee discovered the error.”
Consumer protection authorities, in addition to faulting Amazon for failing to adequately notify customers or obtain their consent before using captured footage for product enhancements, accused the company of failing to implement adequate security controls to protect Ring user accounts.
The “horrific” breach exposed users to credential stuffing and brute-force attacks, allowing criminals to take control of accounts and gain unauthorized access to video streams.
“Bad actors not only viewed some customer videos but also used the two-way functionality of Ring cameras to harass, threaten, and insult consumers—including the elderly and children—whose rooms are monitored by Ring cameras, and to change important device settings,” the agency explained.
“Hackers taunted children with racist slurs, individuals engaging in sexual relations, and threatened a family with physical violence if they did not pay a ransom.”
Over 55,000 US customers are estimated to have had their accounts compromised between January 2019 and March 2020 as a result of this lax policy.
The proposed settlement further requires Amazon to remove all customer videos and facial data that were illegally obtained prior to 2018, and also remove all work products derived from those videos.
While both settlements must be approved by a court to take effect, Amazon said “we take our responsibilities to our customers and their families very seriously” and that it “consistently takes steps to protect customer privacy by providing clear privacy disclosure and customer controls, (…) and maintaining strict internal controls to protect customer data.”
The development comes weeks after the FTC accused Meta of having “repeatedly” violated its privacy promises and misled parents about their ability to control who their children communicated with through the Messenger Kids app between late 2017 and mid-2019.
Regulators are also seeking a blanket ban that would bar companies from profiting from children’s data. Meta has called the accusations a “political stunt” and said it operates an “industry-leading privacy program.”