The US Federal Trade Commission (FTC) has fined Amazon a total of $30.8 million over a series of privacy violations involving the Alexa Assistant and Ring security cameras.
This includes a $25 million fine for violating child privacy laws by storing Alexa voice recordings indefinitely and preventing parents from exercising their deletion rights.
“Amazon’s history of misleading parents, storing children’s recordings indefinitely, and ignoring parental requests to take them down violates COPPA and sacrifices privacy for profit,” said Samuel Levin of the FTC. said.
As part of the court order, the retail giant was ordered to delete collected information such as inactive children’s accounts, location data and voice recordings, collecting such data to train its algorithms. was prohibited. You are also required to disclose your data retention practices to your customers.
Amazon also issued an additional $5.8 million in refunds to consumers for violating users’ privacy by allowing employees and contractors to give broad and unfettered access to private videos recorded using ring cameras. also agreed to do so.
“For example, over the course of several months, one employee viewed thousands of video recordings of female Ring Camera users monitoring intimate spaces in their homes, such as bathrooms and bedrooms,” the FTC said. “The employee could not be stopped until another employee discovered the wrongdoing.”
The consumer protection agency accused Amazon of failing to adequately notify or obtain consent from customers before using captured recordings to improve its products, and also accused the company of failing to adequately protect Ring user accounts. accused of not implementing appropriate security controls.
This “egregious” breach exposed users to credential stuffing and brute force attacks, giving criminals control of their accounts and unauthorized access to their video streams.
“Malicious individuals not only viewed the videos of some customers, but also took advantage of the ring camera’s interactive feature to target consumers (including the elderly and children) whose rooms were being monitored by the ring camera. harassed, threatened, insulted, or changed settings on critical devices.”
“Hackers slandered several children with racist slurs, sexually taunted individuals, and threatened physical harm to their families unless ransoms were paid.”
It is estimated that over 55,000 US customers had their accounts compromised between January 2019 and March 2020 as a result of these lax policies.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join us for an insightful webinar!
join the session
The settlement also seeks Amazon to remove all illegally obtained customer videos and facial data prior to 2018, as well as works derived from those videos.
Both settlements require court approval to take effect, but Amazon said it “takes its responsibilities to customers and their families very seriously” and “provides clear privacy disclosure and customer We consistently take steps to protect your privacy.” […] We maintain strict internal controls to protect customer data. “
The development comes after the FTC accused Meta of “repeatedly” violating its privacy promises from late 2017 to mid-2019 and misleading parents about who their children could communicate with through the Messenger Kids app. It came a few weeks after condemning the
Regulators are also seeking a blanket ban barring the company from profiting from children’s data. Meta dismissed the allegations as a “political stunt” and said it operates an “industry-leading privacy program.”
