Amazon is facing $30 million in fines levied by the Federal Trade Commission and the U.S. Department of Justice over allegations that Alexa and Ring video doorbells violated users' privacy.
The company faces two separate allegations — one for Ring, and one for Alexa — over how it handled user data. In the case of Ring, it was video recordings, and in the case of Alexa, it was the failure to delete children's recordings and location data, even after their parents requested it be done.
Updated with responses from Amazon
Ring — $5.8 million fine
The FTC complaint against Ring alleges that the company did not restrict its employees, as well as third-party vendors, from accessing videos from Ring users. Additionally, it notes that Ring failed to add two-factor authentication (2FA) to its cameras and app until 2019, even though it was aware that its users were targeted in credential-stuffing attacks in the two years prior.
"In pursuit of rapid product development, before September 2017, Ring did not limit access to customers’ video data to employees who needed the access to perform their job function (e.g., customer support, improvement of that product, etc.). To the contrary, Ring gave every employee—as well as hundreds of Ukraine-based third-party contractors—full access to every customer video, regardless of whether the employee or contractor actually needed that access to perform his or her job function," the complaint reads.
"Not only could every Ring employee and Ukraine-based third-party contractor access every customer’s videos (all of which were stored unencrypted on Ring’s network), but they could also readily download any customer’s videos and then view, share, or disclose those videos at will. Before July 2017, Ring did not impose any technical or procedural restrictions on employees’ ability to download, save, or transfer customers’ videos."
The complaint also alleges that Ring did not provide any instruction to its employees on how to handle private data. The complaint also cites a particular Ring employee, who, in 2017, "viewed thousands of video recordings belonging to at least 81 unique female users (including customers and Ring employees) of Ring Stick Up Cams."
The complaint cites other instances where both Ring employees and third-party vendors in Ukraine also viewed private recordings, and the company failed to detect their actions until it was brought to their attention by whistleblowers.
Amazon is reportedly settling this claim by refunding $5.8 million to its customers, according to BleepingComputer. Considering that millions of Ring cameras have been sold, that means most camera owners will receive a few dollars, at most.
While Ring has increased its internal safeguards in the years since these incidents, it's recommended that you enable end-to-end encryption on your Ring videos to prevent anyone but you from seeing them.
$25 million fine for Alexa and child privacy
The second complaint, which was filed by the FTC and the Department of Justice, alleges that Amazon violated children's privacy laws by not deleting recordings of children and geolocation data, even after the kids' parents requested them to do so.
"Until September 2019, Amazon retained children’s voice recordings and transcripts indefinitely unless a parent actively deleted them," the complaint reads. "Alexa’s default settings still save children’s (and adults’) voice recordings and transcripts forever, even when a child no longer uses his Alexa profile and it has been inactive for years."
"Amazon also failed for a significant period of time to honor parents’ requests that it delete their children’s voice recordings by continuing to retain the transcripts of those recordings and failing to disclose that it was doing so, also in violation of COPPA [Children's Online Privacy Protection Rule]."
Not only does Amazon sell a number of smart speakers aimed at children, such as the Echo Dot Kids, but it also has a service, called Amazon Kids+ (formerly known as FreeTime Unlimited) that offers games, videos, interactive books and more that requires that children interact with its smart speakers or tablets.
In order to use Kids+, a parent must create a profile for their child, which includes their age and gender. According to the complaint, there are more than 800,000 such profiles.
The complaint states that in September 2019, Amazon introduced a new feature that let users "auto-delete voice recordings at regular intervals of three- or eighteen-months, while still retaining the indefinite retention default setting."
However, "until mid-2019, Amazon’s practice was to delete the requested voice recordings but keep written transcripts of those recordings" — but did not let parents know that it was keeping those transcripts.
For this alleged privacy violation, Amazon agreed to pay a fine of $25 million, delete children's data at their parents' request, and prohibit the company from training its algorithms using children's voices from the deleted data. The company must also delete inactive accounts, along with any relevant data.
If you're concerned about your or your child's privacy data, be sure to check out our guide on how to see and delete Alexa's recordings of you.
The company also released this statement:
“At Amazon, we take our responsibilities to our customers and their families very seriously. Our devices and services are built to protect customers’ privacy, and to provide customers with control over their experience. While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us.
“We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa. As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.
“Ring promptly addressed the issues at hand on its own years ago, well before the FTC began its inquiry. Our focus has been and remains on delivering products and features our customers love, while upholding our commitment to protect their privacy and security.”
Analysis: That's it?
Given the number of Alexa-enabled smart speakers, Ring cameras — and Amazon's profitability — a cumulative $30 million fine is pretty paltry for a company that made an average of $14 billion per day in sales in 2022. Yes, both Ring and Amazon have beefed up their security measures since 2019, but these fines amount to little more than a finger-tap on the wrist.
It also highlights how vigilant you have to be when installing a smart speaker, security camera, or any other device that can record audio and video in your home.