Amazon will pay the Federal Trade Commission more than $30 million as part of settlement agreements related to its Alexa and Ring divisions, according to filings on Wednesday.
The agency filed a lawsuit alleging Amazon’s Ring doorbell unit violated a portion of the FTC Act that prohibits unfair or deceptive business practices, which Amazon settled by paying $5.8 million.
As part of the proposed settlement, Ring is required to delete any customer videos and data collected from an individual’s face, referred to as “face embeddings,” that it obtained prior to 2018. It must also delete any work products it derived from those videos.
A separate suit alleges Amazon violated the FTC Act and Children’s Online Privacy Protection Act by illegally retaining thousands of children’s information through their profiles with the Alexa voice assistant. Amazon paid $25 million to settle that suit.
The Department of Justice filed the Alexa complaint and proposed settlement on behalf of the FTC. The government alleged that Amazon kept voice and geolocation information associated with young users for years while preventing parents from using their rights to delete their kids’ data under the COPPA Rule.
Under the proposed settlement, Amazon will have to delete inactive child accounts as well as some voice recordings and geolocation information. It also would be prohibited from using that information to train its algorithms.
Both settlements must be approved by a court to take effect.
While Ring has claimed its products help keep customers safer with its doorbell security cameras, the FTC alleged that Ring instead comprised customer information by giving third-party contractors access to customer videos, even when it was unnecessary to perform their jobs.
Ring employees and those who worked for a third-party contractor in Ukraine could access and download every customer’s videos, with no technical or procedural restrictions on the practice before July 2017, the FTC alleged.
The agency claims Ring did not have any privacy or data security training before 2018, even as the company’s employee handbook prohibited misuse of customer data. It also alleges Ring failed to implement basic security measures to protect users’ information from online threats like “credential stuffing” and “brute force” attacks, despite warnings from employees, external security researches and media reports.
In one instance, a Ring employee allegedly viewed thousands of videos from at least 81 different female users from cameras labeled for use in intimate spaces, like “Master Bedroom,” “Master Bathroom” and “Spy Cam.” Between June and August 2017, the FTC alleged, the employee looked through the videos for often at least an hour a day on hundreds of occasions.
Another employee who reported the alleged inappropriate access was told by a supervisor that it was “‘normal’ for an engineer to view so many accounts,” according to the complaint.” Only after the supervisor noticed that the male employee was only viewing videos of ‘pretty girls’ did the supervisor escalate the report of misconduct,” the complaint alleges, and the employee was ultimately fired.
Ring narrowed employee access to customer videos in September 2017, the complaint says, so that customers had to consent to customer service agents accessing their videos. But even then, the FTC alleged, Ring allowed hundreds of employees and Ukraine-based contractors to continue accessing all video data.
“Importantly, because Ring failed to implement basic measures to monitor and detect inappropriate access before February 2019, Ring has no idea how many instances of inappropriate access to customers’ sensitive video data actually occurred,” the complaint alleges.
Amazon acquired Ring for a reported $1 billion in 2018 and the company now operates as a subsidiary of Amazon. The deal has helped Amazon grow its presence in the smart home and home security categories. But Ring has also been a source of major scrutiny for Amazon as advocacy groups alleged the devices threaten users’ privacy and civil liberties. Ring also established controversial partnerships with police departments.
Ring’s security protocols have been criticized previously. In 2020, Ring said it fired four employees for peeping into customer video feeds after reports from The Intercept and The Information found that Ring staffers in Ukraine were given unfettered access to videos from Ring cameras around the world.
The company strengthened its security measures after a series of incidents wherein hackers gained access to a number of users’ cameras. In one case, hackers were able to watch and communicate with an 8-year old girl. Ring blamed the issue on users reusing their passwords.
This is breaking news. Please check back for updates.