Bringing The World Home To You

© 2024 WUNC North Carolina Public Radio
120 Friday Center Dr
Chapel Hill, NC 27517
919.445.9150 | 800.962.9862
Play Live Radio
Next Up:
0:00
0:00
0:00 0:00
Available On Air Stations

Amazon must pay over $30 million over claims it invaded privacy with Ring and Alexa

The Federal Trade Commission has accused Amazon of harboring children's data even when parents request it to be deleted, as well giving its Ring employees access to users' videos.
Michael Sohn
/
AP
The Federal Trade Commission has accused Amazon of harboring children's data even when parents request it to be deleted, as well giving its Ring employees access to users' videos.

Amazon will pay more than $30 million in fines to settle alleged privacy violations involving its voice assistant Alexa and doorbell camera Ring, according to federal filings.

In one lawsuit, the Federal Trade Commission claims the tech company violated privacy laws by keeping recordings of children's conversations with its voice assistant Alexa, and in another that its employees have monitored customers' Ring camera recordings without their consent.

The FTC alleges Amazon held onto children's voice and geolocation data indefinitely, illegally used it to improve its algorithm and kept transcripts of their interactions with Alexa despite parents' requests to delete them.

The alleged practices would violate the Children's Online Privacy Protection Act, or COPPA, which requires online companies to alert and obtain consent from parents when they gather data for children under age 13 and allow parents to delete the data at will.

In addition to the $25 million civil penalty, Amazon would not be able to use data that has been requested to be deleted. The company also would have to remove children's inactive Alexa accounts and be required to notify its customers about the FTC's actions against the company.

"Amazon's history of misleading parents, keeping children's recordings indefinitely, and flouting parents' deletion requests violated COPPA and sacrificed privacy for profits," said Samuel Levine, director of the FTC's Bureau of Consumer Protection, in a statement. "COPPA does not allow companies to keep children's data forever for any reason, and certainly not to train their algorithms."

Until September 2019, Alexa's default settings were to store recordings and transcripts indefinitely. Amazon said it uses the recordings to better understand speech patterns and respond to voice commands, the complaint says.

After the FTC intervened at the time, Amazon added a setting to automatically delete data after three or 18 months, but still kept the indefinite setting as the default.

Amazon said in a statement it disagrees with the FTC's findings and does not believe it violated any laws.

"We take our responsibilities to our customers and their families very seriously," it said. "We have consistently taken steps to protect customer privacy by providing clear privacy disclosures and customer controls, conducting ongoing audits and process improvements, and maintaining strict internal controls to protect customer data."

The company said it requires parental consent for all children's profiles, provides a Children's Privacy Disclosure elaborating on how it uses children's data, allows child recordings and transcripts to be deleted in the Alexa app and erases child profiles that have been inactive for at least 18 months.

More than 800,000 children under age 13 have their own Alexa accounts, according to the complaint.

The FTC claims that when these issues were brought to Amazon's attention, it did not take action to remedy them.

In a separate lawsuit, the FTC seeks a $5.8 million fine for Amazon over claims employees and contractors at Ring — a home surveillance company Amazon bought in 2018 — had full access to customers' videos.

Amazon is also accused of not taking its security protections seriously, as hackers were able to break into two-way video streams to sexually proposition people, call children racial slurs and physically threaten families for ransom.

Despite this, the FTC says, Ring did not implement multi-factor authentication until 2019.

In addition to paying the $5.8 million, which will be issued as customer refunds, Ring would have to delete customers' videos and faces from before 2018, notify customers about the FTC's actions and report any unauthorized access to videos to the FTC.

"Ring's disregard for privacy and security exposed consumers to spying and harassment," Levine said. "The FTC's order makes clear that putting profit over privacy doesn't pay."

The proposed orders require approval from federal judges.

Copyright 2023 NPR. To see more, visit https://www.npr.org.

Tags
Ayana Archie
[Copyright 2024 NPR]
More Stories