Amazon pays over $30 million to settle Alexa and Ring privacy lawsuits

Amazon has paid a cumulative $30.8 million (£24.8 m) to the Federal Trade Commission (FTC) to settle two separate privacy cases over its Alexa voice assistant and its Ring cameras.

While it was the smaller of the two fines, it’s the Ring case that will likely trouble the average consumer more. Amazon paid $5.8 m (£4.7 m) to settle the claim that employees and contractors were able to spy on customers’ videos, and video was used to train algorithms without user consent.

One particularly troubling instance in the complaint makes for especially grim reading. In a three-month period in 2017, one male employee viewed “thousands of video recordings belonging to at least 81 unique female users” with a focus on cameras labelled as being located in theoretically private spaces, such as “Master Bedroom”, “Master Bathroom”, and “Spy Cam”.

When reported by a female employee, the complaint was initially discounted by a supervisor who contended it was “‘normal for an engineer to view so many accounts”. But it was only when the supervisor noticed that the employee was “only viewing videos of pretty girls” that Ring took action and fired the rogue employee.

Elsewhere, the complaint highlights numerous instances of camera hacking, which allowed not just spying, but for hackers to speak directly to victims via the bundled speaker. The report outlines racial slurs, sexual propositioning, threats, and even attempted Bitcoin extortion.

While hacking is, to an extent, beyond Ring’s control, the report states that as many of these were the result of guessed logins, and Amazon needed to do more to enforce strong passwords.

As well as the payment, Ring will implement a new data security programme, the settlement says.

“Ring promptly addressed these issues on its own years ago, well before the FTC began its inquiry,” Ring said in a widely shared statement. “While we disagree with the FTC’s allegations and deny violating the law, this settlement resolves this matter so we can focus on innovating on behalf of our customers.”

The second settlement concerns the Alexa voice assistant, where Amazon has paid out $25 m (£20 m). This complaint alleged a violation of a children’s privacy law called COPPA, which limits data collection on under-13s without parental consent.

Amazon, however, would allegedly keep smart-speaker-collected recordings of children “indefinitely” unless users specifically asked the company to delete them. Even in these instances, the instruction would apparently sometimes be ignored and the company “retained that data for its own potential use”.

Alongside the $25 m payment, the settlement requires that Amazon deletes voice recordings and geolocation data in line with past requests. It will also be banned from using such data to train its algorithms, the company will send consumer notices about the settlement, and it will introduce a privacy programme for geolocation data.

“We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa,” an Amazon statement reads.

“As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.”