Amazon faces $30 million fine over Ring, Alexa privacy violations

Amazon will pay $30 million in fines to settle allegations of privacy violations related to the operation of its Ring video doorbell and Alexa virtual assistant services.

The company's Ring home security camera subsidiary has been accused by the Federal Trade Commission (FTC) of engaging in unlawful surveillance of customers and failing to prevent hackers from gaining control of users' cameras.

According to a proposed order, Ring will have to pay $5.8 million in refunds to consumers and will be barred from profiting from unlawfully obtained consumer videos.

The complaint alleges that Ring compromised its customers' privacy by granting access to private videos to its employees and contractors. It also allegedly neglected to implement basic privacy and security measures, allowing hackers to gain control of consumers' cameras and videos by breaching their accounts.

"In pursuit of rapid product development, before September 2017, Ring did not limit access to customers' video data to employees who needed the access to perform their job function (e.g., customer support, improvement of that product, etc.)," the FTC's complaint reads.

"To the contrary, Ring gave every employee—as well as hundreds of Ukraine-based third-party contractors—full access to every customer video, regardless of whether the employee or contractor actually needed that access to perform his or her job function."

It also highlights a specific instance where an Amazon employee viewed thousands of video recordings of female users in private spaces like bathrooms and bedrooms over several months. This incident went unnoticed by the company's security team until another employee discovered and reported it.

FTC also points out that Ring failed to implement essential safeguards like multifactor authentication (MFA) until 2019, although aware of multiple credential-stuffing attacks that targeted its customers in 2017 and 2018.

Furthermore, even after Ring added support for MDA, the inadequate implementation compromised their effectiveness.

Fined $25 million for ignoring requests to delete children's data

In a separate case, the FTC and the U.S. Department of Justice (DOJ) charged Amazon with violating children's privacy laws after failing to delete their voice recordings and geolocation information on their parents' requests.

Under a proposed order, Amazon must pay $25 million and delete the children's data per their parents' requests.

It will also prohibit Amazon from using children's data to train its algorithms and require deleting inactive child accounts and linked voice recordings and geolocation data.

"Amazon also failed for a significant period of time to honor parents' requests that it delete their children's voice recordings by continuing to retain the transcripts of those recordings and failing to disclose that it was doing so, also in violation of COPPA," the complaint reads.

"Finally, Amazon failed to delete users' voice information and geolocation information upon request and instead retained that data for its own potential use."

In December 2022, the FTC slapped Fortnite maker Epic Games with a $245 million fine for violating children's privacy laws and using dark patterns to trick millions into making unintentional in-game purchases.