Amazon to Pay $31m After FTC's Security and Privacy Allegations

Amazon will pay close to $31m to the Federal Trade Commission (FTC) to settle allegations relating to Alexa and its Ring home security business.

The larger of the two civil penalties ($25m) will settle charges that Amazon violated the US Children’s Online Privacy Protection Act Rule (COPPA Rule) and deceived Alexa customers about the smart voice assistant’s data deletion practices.

According to a complaint filed by the Department of Justice (DoJ) on behalf of the FTC, Amazon “prominently and repeatedly” assured its users, including parents, that they could delete Alexa voice recordings and geolocation information. However, Amazon actually kept some of this information for years and used it unlawfully to improve the Alexa algorithm, the complaint alleged.

“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”

Separately, Amazon’s Ring business, which it bought in 2018, will pay $5.8m to settle charges that it compromised consumer privacy and failed to implement security best practices. The money will be used for consumer refunds.

An FTC complaint alleged the firm deceived customers by failing to restrict employee and contractor access to customers’ videos, and that it used customer videos to train algorithms without consent. One employee is said to have viewed thousands of video recordings from female users of Ring cameras inside “intimate spaces” in their homes, such as bathrooms.

The complaint also alleged that Ring was slow to improve customer account security to mitigate the threat from brute-force attacks, despite users suffering multiple credential stuffing attacks in 2017 and 2018.

It claimed that “sloppy implementation” of security measures from 2019 onwards hampered their effectiveness. Malicious actors were apparently able to access the stored videos, live video streams and account profiles of around 55,000 US customers, even threatening and attempting to extort some.

As well as the fines, Amazon will be required to delete inactive child accounts and some Alexa voice recordings and geolocation information, and will be banned from using this data to train its algorithms.

Ring will be required to delete data, models and algorithms derived from videos it unlawfully reviewed, and to implement a privacy and security program featuring safeguards on human review of videos, multi-factor authentication for employee and customer accounts, and other measures.

An Amazon statement noted that the firm disagrees with the FTC’s claims on Ring and Alexa and denies breaking the law.

“We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa. As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them,” it added.

“Ring promptly addressed the issues at hand on its own years ago, well before the FTC began its inquiry.”

Editorial image credit: Gary L Hider / Shutterstock.com
