Amazon to pay $30 million for Alexa and Ring breaches

Ring employee accessed 'thousands' of recordings belonging to female users

Amazon has agreed to pay the US Federal Trade Commission (FTC) an amount exceeding $30 million to settle allegations of privacy violations within its Alexa and Ring divisions.

That is according to two lawsuits filed by the Department of Justice (DOJ) on the FTC's behalf.

In one filing, the FTC alleges that Amazon unlawfully held onto voice and geolocation data of children using the Alexa voice assistant.

That would violate the USA's FTC Act and the Children's Online Privacy Protection Act (COPPA).

The complaint says Amazon made "prominent and repeated" assurances to its users, including parents, that they could delete voice recordings collected by the system.

However, the company failed to fulfil this promise and instead retained the data for an extended period of time. The company also unlawfully used this data to enhance its Alexa algorithm.

"Amazon's history of misleading parents, keeping children's recordings indefinitely, and flouting parents' deletion requests violated COPPA and sacrificed privacy for profits," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection.

"COPPA does not allow companies to keep children's data forever for any reason, and certainly not to train their algorithms."

According to the proposed settlement between Amazon and the FTC, the company will be required to pay a civil penalty of $25 million, which it has agreed to. Additionally, Amazon will need to delete inactive child accounts, as well as specific voice recordings and geolocation information.

Employees could view and download Ring recordings

In the second complaint, the FTC alleges that despite emphasising security measures in promotional materials, Ring failed to implement adequate safeguards that would stop employees and contractors from gaining unrestricted access to customers' videos.

The complaint says Amazon's employees could both view and download customers' sensitive video data. One employee accessed thousands of video recordings belonging to female Ring camera users - videos from private spaces within their homes, such as bathrooms and bedrooms.

The employee's actions were allegedly stopped only after a colleague noticed their inappropriate behaviour.

The proposed order requires Ring to delete data products derived from unlawfully reviewed videos, including data, models and algorithms.

Additionally, the company says it will establish a privacy and security programme incorporating new measures to safeguard against human review of videos.

Ring will also implement "stringent" security controls, such as multi-factor authentication for both employee and customer accounts.

It is worth noting that many of the violations mentioned by the FTC occurred before Amazon acquired Ring in 2018. Ring modified its access practices in February 2019, preventing most employees or contractors from accessing a customer's private video unless they obtained explicit consent from the individual in question.

The FTC's order would require Ring to pay $5.8 million, which would be allocated for consumer refunds.

Both settlements need court approval in order to become effective.

"While we disagree with the FTC's claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us," Amazon told the BBC in a statement.