Reversing a trend leading up to 2018, internet users have begun to really care about their privacy online. As such, the FTC has been investigating potential privacy violations at a higher rate. We've seen them go after Tiktok and YouTube for child privacy violations, the latter changing the way YouTube does business. This week, the Federal Trade Commission (FTC) and Department of Justice (DOJ) have taken aim at Amazon, costing the company over $30 million.
Ring's privacy violations
Ring is a well-known home automation and security brand. In 2018, Amazon purchased the company looking for an easy way to get into the smart and connected home industry. Unfortunately for the company, it turns out that purchase came with some legal troubles, though it has taken years for it to come to light.
The issue comes mostly from the days before Amazon. Ring was a fledgling startup looking to make a name for itself. With the term startup usually comes the issue of funding. Unfortunately, Ring decided to cut some corners while looking for its funding. In [particular, they decided to eschew the concept of privacy and security, leaving their customers' data amazingly available. In fact, leading up to the purchase by Amazon, all employees of the company, plus all employees of a Ukrainian contractor had access to all customer videos, whether or not their job required access to that data.
While the data access issues were solved in 2017, not all other privacy issues were resolved. This is what has been alleged in an FTC lawsuit filed in the US District Court for the District of Columbia. Amazon quickly agreed to a settlement offer which is pending a judge's approval. The settlement would require Amazon to pay $5.8 million for customer refunds (which will be inevitable once customers know what happened), as well as delete certain types of internal data and even a required implementation of new security and privacy controls. All of this will help protect users going forward.
Alexa's privacy violations
While Ring may have created a headache for Amazon, Alexa is causing all sorts of trouble. The FTC and DOJ filed a join lawsuit against the company, this time alleging that they have specifically violated the privacy of children and the COPPA rules.
So, how has Alexa violated COPPA? It has to do with Alexa's data retention policies and the variable ability to delete recordings from your account. In particular, the government takes offense to the fact that parents are not able to fully exercise their data deletion rights under the COPPA. According to the announcement, the organizations described the problem, saying,
Amazon prevented parents from exercising their deletion rights under the COPPA Rule, kept sensitive voice and geolocation data for years, and used it for its own purposes, while putting data at risk of harm from unnecessary access.
As part of the proposed court order, Amazon would have a number of penalties. First, they would be required to pay a fine of $25 million. But, there are actions involved, as well. For example, they will need to delete all inactive child accounts, as well as recordings and geolocation data. Plus, they will be prohibited from using and child data to train any AI systems.
It's important to note that it is already illegal to use any recording of children to train AI, unless the recording was made specifically for that purpose. Companies are not allowed to use any child data for their own purposes. Acording to the Director of the FTC's Bureau of Consumer Protection Samuel Levine,
Amazon's history of misleading parents, keeping children's recordings indefinitely, and flouting parents' deletion requests violated COPPA and sacrificed privacy for profits. COPPA does not allow companies to keep children's data forever for any reason, and certainly not to train their algorithms.
Any time you are called out to specifically prevent you from doing a thing that is already not allowed, you know you've done something especially nefarious.