Edited by: TJVNews.com
Amazon will pay more than $30 million in fines to settle alleged privacy violations involving its voice assistant Alexa and doorbell camera Ring, according to federal filings, as was reported on Thursday on the NPR.org web site.
In one lawsuit, the Federal Trade Commission claims the tech company violated privacy laws by keeping recordings of children’s conversations with its voice assistant Alexa, and in another that its employees have monitored customers’ Ring camera recordings without their consent.
The Federal Trade Commission on Wednesday in a press statement charged home security camera company Ring with compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.
Under a proposed order, which must be approved by a federal court before it can go into effect, Ring will be required to delete data products such as data, models, and algorithms derived from videos it unlawfully reviewed. It also will be required to implement a privacy and security program with novel safeguards on human review of videos as well as other stringent security controls, such as multi-factor authentication for both employee and customer accounts.
NPR reported that in addition to the $25 million civil penalty, Amazon would not be able to use data that has been requested to be deleted. The company also would have to remove children’s inactive Alexa accounts and be required to notify its customers about the FTC’s actions against the company.
“Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests violated COPPA and sacrificed privacy for profits,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. “COPPA does not allow companies to keep children’s data forever for any reason, and certainly not to train their algorithms.”
He added that, “Ring’s disregard for privacy and security exposed consumers to spying and harassment. The FTC’s order makes clear that putting profit over privacy doesn’t pay.”
California-based Ring LLC, which was purchased by Amazon in February 2018, sells internet-connected, video-enabled home security cameras, doorbells, and related accessories and services. The company has marketed its products as offering greater home security and providing its users with peace of mind. For example, in promoting its indoor security cameras, which can be placed in individual rooms, Ring touts the ability of purchasers to “See your home. Away from home” alongside a picture of a Ring camera monitoring a child’s bedroom.
Until September 2019, Alexa’s default settings were to store recordings and transcripts indefinitely, NPR reported. Amazon said it uses the recordings to better understand speech patterns and respond to voice commands, the complaint says.
After the FTC intervened at the time, Amazon added a setting to automatically delete data after three or 18 months, but still kept the indefinite setting as the default.
Amazon said in a statement it disagrees with the FTC’s findings and does not believe it violated any laws, as was reported by NPR.
“We take our responsibilities to our customers and their families very seriously,” it said. “We have consistently taken steps to protect customer privacy by providing clear privacy disclosures and customer controls, conducting ongoing audits and process improvements, and maintaining strict internal controls to protect customer data.”
The NPR report also indicated that more than 800,000 children under age 13 have their own Alexa accounts, according to the complaint. The FTC claims that when these issues were brought to Amazon’s attention, it did not take action to remedy them.
In a separate lawsuit, the FTC seeks a $5.8 million fine for Amazon over claims employees and contractors at Ring had full access to customers’ videos, the NPR report said.
In a complaint, the FTC says Ring deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using customer videos to train algorithms, among other purposes, without consent, and failing to implement security safeguards.
According to the complaint, these failures amounted to egregious violations of users’ privacy. For example, one employee over several months viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms. The employee wasn’t stopped until another employee discovered the misconduct. Even after Ring imposed restrictions on who could access customers’ videos, the company wasn’t able to determine how many other employees inappropriately accessed private videos because Ring failed to implement basic measures to monitor and detect employees’ video access.
The FTC also said Ring failed to take any steps until January 2018 to adequately notify customers or obtain their consent for extensive human review of customers’ private video recordings for various purposes, including training algorithms. Ring buried information in its Terms of Service and Privacy Policy, claiming it had a right to use recordings obtained in connection with its services for “product improvement and development,” according to the complaint.
According to the complaint, Ring also failed to implement standard security measures to protect consumers’ information from two well-known online threats—“credential stuffing” and “brute force” attacks—despite warnings from employees, outside security researchers and media reports. Credential stuffing involves the use of credentials, such as usernames and passwords, obtained from a consumer’s breached account to gain access to a consumer’s other accounts. In a brute force attack, a bad actor uses an automated process of password guessing—for example, by cycling through breached credentials or entering well-known passwords—hundreds or thousands of times to gain access to an account.
Despite experiencing multiple credential-stuffing attacks in 2017 and 2018, Ring failed, according to the complaint, to implement common tactics—such as multifactor authentication—until 2019. Even then, Ring’s sloppy implementation of the additional security measures hampered their effectiveness, the FTC said.
As a result, hackers continued to exploit account vulnerabilities to access stored videos, live video streams, and account profiles of approximately 55,000 U.S. customers, according to the complaint. Bad actors not only viewed some customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten, and insult consumers—including elderly individuals and children—whose rooms were monitored by Ring cameras, and to change important device settings, the FTC said. For example, hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom.
In addition to the mandated privacy and security program, the proposed order requires Ring to pay $5.8 million, which will be used for consumer refunds. The company also will be required to delete any customer videos and face embeddings, data collected from an individual’s face, that it obtained prior to 2018, and delete any work products it derived from these videos. The proposed order also will require Ring to alert the FTC about incidents of unauthorized access or exposure of its customers’ videos and to notify consumers about the FTC’s action.
The Commission voted 3-0 to authorize the staff to file the complaint and stipulated final order. The FTC filed the complaint and final order in the U.S. District Court for the District of Columbia.

