Amazon will pay $30 million in fines to settle alleged privacy breaches related to the operation of its Ring video doorbell and Alexa virtual assistant services.

The company’s Ring home security camera subsidiary has been accused by the Federal Trade Commission (FTC) of engaging in unlawful surveillance of customers and failing to prevent hackers from taking control of users’ cameras.

Under a proposed order, Ring will have to repay consumers $5.8 million and be prohibited from enjoying illegally obtained consumer videos.

The complaint alleges that Ring compromised the privacy of its customers by granting access to private videos to its employees and contractors. It also allegedly neglected to implement basic privacy and security measures, allowing hackers to take control of consumers’ cameras and videos by breaching their accounts.

“In pursuit of rapid product development, prior to September 2017, Ring did not limit access to customer video data to those employees who needed it to perform their jobs (e.g., customer support, product improvement, etc.),” ​​the FTC’s complaint reads.

“Rather, Ring has given every employee, as well as hundreds of Ukraine-based third-party contractors, full access to every customer video, whether the employee or contractor actually needs that access to do his job.”

It also highlights a specific case where an Amazon employee viewed thousands of video recordings of female users in private spaces such as bathrooms and bedrooms over several months. This incident went unnoticed by the company’s security team until another employee discovered it and reported it.

The FTC also points out that Ring failed to implement key safeguards such as multi-factor authentication (MFA) until 2019, despite being aware of several credential stuffing attacks. which targeted its customers in 2017 and 2018.

Moreover, even after Ring added support for MDA, the inadequate implementation compromised their effectiveness.

$25 million fine for ignoring requests to delete children’s data

In a separate case, the FTC and the US Department of Justice (DOJ) accused Amazon of violating children’s privacy laws after failing to delete their voice recordings and geolocation information at the request of their parents. .

As part of a proposed order, Amazon is to pay $25 million and delete children’s data at the request of their parents.

It will also prohibit Amazon from using children’s data to train its algorithms and require the removal of inactive child accounts and related voice recordings and geolocation data.

“Amazon also failed for a long time to honor parents’ requests to delete their children’s voice recordings by continuing to retain transcripts of those recordings and failing to disclose that it was doing so, also in violation of COPPA” , said the complaint reads.

“Finally, Amazon failed to remove users’ voice information and geolocation information upon request and instead retained this data for its own potential use.”

In December 2022, the FTC slapped Fortnite maker Epic Games with a $245 million fine For violate children’s privacy laws and use dark patterns to entice millions into unwitting in-game purchases.