The Federal Trade Commission (FTC) and the U.S. Department of Justice (DOJ) accuse Amazon of violating the Children’s Online Privacy Protection Act (COPPA) by not deleting sensitive voice and geolocation data collected by Ring devices, even after parents sent the tech giant data deletion requests.
Ring is a home security and smart home device maker, subsidiary of Amazon, that sells a wide range of products, including doorbells, indoor and outdoor cameras, dashboard cams, smart lighting systems, and alarms.
The company has previously faced fervent criticism for its loose or murky data privacy policies and security issues after it was reported that it shared video footage from its smart doorbells with the police without acquiring the user’s permission or even notifying them of the fact.
The two agencies propose that Amazon pay a civil penalty of $25,000,000 for the said violations. Additionally, FTC submitted an order demanding that the company implement stricter safeguards and requested that any user data illegally retained on Amazon’s servers be deleted immediately.
The proposed order includes various provisions, such as prohibiting Amazon from using data subject to deletion requests for algorithm improvement, mandating the company to notify users about the FTC-DOJ action and its retention practices, and implementing a privacy program.
For those who want to dive deeper into the details of the motion, the relevant complaint submitted to the U.S. District Court of the Western District of Washington is available here.
A second, simultaneous charge from FTC, which is also targeted at Ring, accuses the company of allowing unethical employees or even contractors to access private user videos and failing to implement strong enough security measures to prevent hackers from taking control of user cameras.
The consumer protection agency criticized Ring for failing to notify customers that their video recordings were being used for training algorithms or viewed by employees to improve the provided services. Furthermore, FTC notes that Amazon couldn’t even monitor and detect cases of inappropriate internal access to video feeds due to a lack of basic protection measures, so the extent of abuse cannot even be appreciated.
The details of Amazon’s lackluster security and privacy protection practices are laid out in the complaint FTC submitted to the U.S. District Court for the District of Columbia. The complaint requests a permanent injunction to prevent future violations and also a monetary compensation of $5,800,000 to customers who suffered the consequences of Amazon’s poor practices.
Users of smart home products should take precautions to mitigate security and privacy risks, such as setting strong passwords and protecting user accounts with two-factor authentication, restricting shared access, using privacy zones that prevent camera recording in sensitive areas, and avoiding integrations with third-party platforms that could bypass or change security settings.
Finally, users should regularly check and apply available security updates for their smart devices, especially firmware patches that address critical flaws.