Amazon subsidiary Ring has agreed to a $5.8 million settlement over allegations it failed to prevent employees from violating customer privacy.
The Federal Trade Commission (FTC) laid out the claims in a complaint, which stated that every Ring employee and hundreds of third-party contractors had full access to customer videos prior to February 2018.
One employee was found to have viewed “thousands of video recordings belonging to at least 81 unique female users” including video feeds from bathrooms and bedrooms.
A co-worker of the employee is said to have discovered the activity by chance and reported it to a supervisor.
Protect and preserve your data from endpoint to infrastructure
Achieve cyber resilience with help from a powerhouse partnership
DOWNLOAD FOR FREE
Details of the misconduct were laid out in the FTC’s complaint [PDF], which alleged that no action was initially taken against the perpetrator and it was only after all the victims were proven to have been women that they were terminated.
“We want our customers to know that the FTC complaint draws on matters that Ring promptly addressed on its own, well before the FTC began its inquiry; mischaracterizes our security practices; and ignores the many protections we have in place for our customers,” Ring wrote.
“While we disagree with the FTC’s allegations and deny violating the law, this settlement resolves this matter so we can focus on innovating on behalf of our customers.”
Although employees used this access for legitimate purposes such as for training Amazon algorithms, the FTC found that adequate notice or consent of this practice was not given to customers.
Policies that required Ring employees or contractors to receive customer consent to access their videos were not put in place until February 2019.
The FTC stated that Ring has been unable to identify the number of employees that accessed videos prior to this date.
Although employees were required to sign an agreement prohibiting misuse of data, the complaint alleged, they were not provided with training on data privacy or data security prior to May 2018.
The complaint also alleged that Ring did not secure its devices against hacking techniques like brute force attacks and credential stuffing, which led to the compromise of 55,000 customers’ accounts.
Hackers gained access to video feeds from around 1,250 devices, with 40% of these being internal cameras. In some cases, threat actors used the intercom functions of the devices to verbally harass victims inside their homes.
This is not the first time that Ring has been put in the spotlight over privacy concerns.
In 2022, the firm admitted it had given police departments device footage without user consent on 11 occasions that calendar year.
At the time, the firm stated that it had determined the disclosure of videos “without delay” had helped to prevent the danger of serious injury or death.
In 2019, a Ring vulnerability let hackers intercept Wi-Fi passwords in clear text which exposed victims to follow-up attacks.
Further fines for Alexa child privacy allegations
Amazon has also agreed to a $25 million settlement over allegations it violated privacy laws pertaining to children and misled parents over its data practices.
The firm was accused of retaining voice recordings of children indefinitely, and in violation of a children’s privacy law that allows parents to request deletion.
An official FTC complaint [PDF], filed by the Department of Justice, stated that Amazon acted in violation of the Children’s Online Privacy Protection Act (COPPA) by retaining voice recordings and transcripts of children for “longer than is reasonably necessary”.
The business value of Zscaler Data Protection
Understand how this tool minimizes the risks related to data loss and other security events
Amazon policy states that Alexa data will be deleted upon request and that parents can choose whether it is retained, but the FTC found that until September 2019 parents were required to delete data themselves.
It also alleged that Amazon failed to honor deletion requests in violation of COPPA. The FTC noted that child voice recordings are valuable to Amazon as training data for its algorithms.
The firm denied the allegations, and in a blog post drew attention to the privacy measures already in place to protect Alexa data.
“We take our responsibilities to our customers and their families very seriously,” Amazon stated.
“We have consistently taken steps to protect customer privacy by providing clear privacy disclosures and customer controls, conducting ongoing audits and process improvements, and maintaining strict internal controls to protect customer data. While we disagree with the FTC’s claims and deny violating the law, this settlement puts the matter behind us, and we believe it’s important to put the settlement in the right context.”
Alvaro M Bedoya, the commissioner of the FTC, noted that Amazon’s justification for retaining data was inadequate.
“Today’s settlement sends a message to all those companies: Machine learning is no excuse to break the law,” he stated.
“Claims from businesses that data must be indefinitely retained to improve algorithms do not override legal bans on indefinite retention of data. The data you use to improve your algorithms must be lawfully collected and lawfully retained. Companies would do well to heed this lesson.”
In addition to the settlement, Amazon will be required to delete child data including geolocation, and will be barred from using said data to train algorithms.
