Amazon to pay over $30 million in Ring, Alexa FTC privacy settlements


Amazon will pay the Federal Trade Commission more than $30 million to settle allegations of privacy lapses in its Alexa and Ring divisions, according to filings on Wednesday.

The agency filed a lawsuit alleging Amazon’s Ring doorbell unit violated a portion of the FTC Act that prohibits unfair or deceptive business practices, which Amazon settled by agreeing to pay $5.8 million.

As part of the proposed settlement, Ring is required to delete any customer videos and data collected from an individual’s face, referred to as “face embeddings,” that it obtained prior to 2018. It must also delete any work products it derived from those videos.

A separate suit alleges Amazon violated the FTC Act and Children’s Online Privacy Protection Act by illegally retaining thousands of children’s information through their profiles with the Alexa voice assistant. Amazon paid $25 million to settle that suit.

The Department of Justice filed the Alexa complaint and proposed settlement on behalf of the FTC. The government alleged that Amazon kept voice and geolocation information associated with young users for years while preventing parents from using their rights to delete their kids’ data under the COPPA Rule.

Under the proposed settlement, Amazon will have to delete inactive child accounts as well as some voice recordings and geolocation information. It also would be prohibited from using that information to train its algorithms.

Amazon has faced scrutiny over the data that’s collected by its kids-oriented Echo smart speakers, which use Alexa to respond to commands.

The FTC said in a press release that kids’ speech patterns could have been especially valuable to Amazon since they differ from those of adults. That means the recordings of kids’ voices could have provided an important training dataset for the Alexa algorithm to better respond to kids’ voices. The government alleged Amazon failed to create an effective system to honor data deletion requests.

Alongside the $25 million civil penalty, if approved by the court, Amazon will be prohibited from using children’s voice information and geolocation data subject to deletion requests for creating or improving any data product. Amazon will also be required to delete inactive child accounts on Alexa and to notify users about the government action against the company and about its retention and deletion practices. Amazon will also have to implement a privacy program to govern its use of geolocation information.

Both settlements must be approved by a court to take effect. The FTC’s ability to pursue monetary relief for consumers is limited by a 2021 Supreme Court ruling that narrowed the scope of the types of financial remedies it can impose.

Amazon published blog posts responding to the settlements on its site and Ring’s website. The company said it built Alexa with strong privacy protections and customer controls; designed Amazon Kids, a content service catering to children, to comply with COPPA; and worked with the FTC before expanding Amazon Kids to include Alexa. It added that Ring addressed the privacy and security issues before the FTC began its inquiry.

“Our devices and services are built to protect customers’ privacy, and to provide customers with control over their experience,” Amazon spokesperson Emma Daniels said in a statement. “While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us.”

What allegedly happened with Ring

While Ring has claimed its products help keep customers safer with its doorbell security cameras, the FTC alleged that Ring instead compromised customer information by giving third-party contractors access to customer videos, even when it was unnecessary to perform their jobs.

Ring employees and those who worked for a third-party contractor in Ukraine could access and download every customer’s videos, with no technical or procedural restrictions on the practice before July 2017, the FTC alleged.

The agency claims Ring did not have any privacy or data security training before 2018, even as the company’s employee handbook prohibited misuse of customer data. It also alleges Ring failed to implement basic security measures to protect users’ information from online threats like “credential stuffing” and “brute force” attacks, despite warnings from employees, external security researchers and media reports.

In one instance, a Ring employee allegedly viewed thousands of videos from at least 81 different female users from cameras labeled for use in intimate spaces, like “Master Bedroom,” “Master Bathroom” and “Spy Cam.” Between June and August 2017, the FTC alleged, the employee looked through the videos on hundreds of occasions, often for at least an hour a day.

Another employee who reported the alleged inappropriate access was told by a supervisor that it was “‘normal’ for an engineer to view so many accounts,” according to the complaint. “Only after the supervisor noticed that the male employee was only viewing videos of ‘pretty girls’ did the supervisor escalate the report of misconduct,” the complaint alleges, and the employee was ultimately fired.

Ring narrowed employee access to customer videos in September 2017, the complaint says, so that customers had to consent to customer service agents accessing their videos. But even then, the FTC alleged, Ring allowed hundreds of employees and Ukraine-based contractors to continue accessing all video data.

“Importantly, because Ring failed to implement basic measures to monitor and detect inappropriate access before February 2019, Ring has no idea how many instances of inappropriate access to customers’ sensitive video data actually occurred,” the complaint alleges.

Amazon acquired Ring for a reported $1 billion in 2018 and the company now operates as a subsidiary of Amazon. The deal has helped Amazon grow its presence in the smart home and home security categories. But Ring has also drawn criticism from privacy and civil liberties advocates over a controversial partnership with thousands of police departments across the country.

Ring’s security protocols have been criticized previously. In 2020, Ring said it fired four employees for peeping into customer video feeds after reports from The Intercept and The Information found that Ring staffers in Ukraine were given unfettered access to videos from Ring cameras around the world.

The company strengthened its security measures after a series of incidents wherein hackers gained access to a number of users’ cameras. In one case, hackers were able to watch and communicate with an 8-year-old girl. Ring blamed the issue on users reusing their passwords.