Amazon has agreed to pay more than $30 million to settle two federal lawsuits alleging that the tech giant violated users’ privacy — including that of children — through its Alexa voice assistant and its Ring doorbell cameras.
The twin settlements with the Federal Trade Commission highlight claims that Amazon retained Ring videos and Alexa voice recordings, along with related geolocation information, for years – in some cases without consent and despite requests by consumers for the data to be deleted.
In addition, the FTC alleged that lax data policies at Amazon meant that the information could often be accessed by unauthorised parties — and often was, in the case of Ring doorbell footage.
“While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us,” Amazon said in a statement Wednesday.
Amazon acquired Ring in 2018, paving the way for the e-commerce giant to get into the home security business. In addition to video doorbells, Ring makes indoor and outdoor security cameras as well as alarm systems.
In a complaint accompanying the settlement, the FTC claimed Ring gave employees unrestricted access to videos from customers’ home security systems. In one instance, the complaint states, a Ring employee viewed thousands of video recordings from at least 81 female users between June and August 2017, viewing cameras that users had assigned to bathrooms and bedrooms. An initial misconduct report by a fellow employee was not taken seriously, the complaint said.
“Only after the supervisor noticed that the male employee was only viewing videos of ‘pretty girls’ did the supervisor escalate the report of misconduct,” the FTC alleged in the complaint. “Only at that point did Ring review a portion of the employee’s activity and, ultimately, terminate his employment.”
The complaint against Ring also recounts numerous alleged instances of hacked cameras allowing malicious actors to speak to victims, causing distress. Many of these attacks allegedly occurred through successful guessing of user passwords, reflecting failures by Amazon to require strong password protections, according to the complaint.
“Between January 2019 and March 2020, more than 55,000 U.S. customers suffered from credential stuffing and brute force attacks that compromised Ring devices,” the FTC alleged. “Through these attacks, bad actors gained access to hundreds of thousands of videos of the personal spaces of consumers’ homes, including their bedrooms and their children’s bedrooms—recorded by devices that Ring sold by claiming that they would increase consumers’ security.”
Ring has agreed to pay $5.8 million and implement a new data security program, according to the proposed settlement. In its statement, Amazon said: “Ring promptly addressed the issues at hand on its own years ago, well before the FTC began its inquiry.”
