Amazon Ring And Alexa Caught Being Very Naughty
And The FTC Have Gone With The Wrist Slap Again
***Updated***
You may have some concerns about the security of two of the more popular Amazon IoT products, Ring and Alexa, but as it turns out you were nowhere near worried enough. Recent investigations by the US FTC have revealed rather terrifying facts about what Amazon does with the recordings these devices make, as well as the utter lack of any of the security protocols you likely assumed they followed.
Instead it seems that your Ring recordings, which are not encrypted on Amazon’s servers, were treated like YouTube videos and shared among employees. Anyone working with Ring can access any stored video to watch and to share with other employees, and yes, that most certainly includes recordings from inside users’ homes and not just the doorbell. Even when some employees reported the rather lurid videos being swapped around, management informed them it was perfectly acceptable behaviour and required to offer proper support.
As for Alexa, well, anything you said around it is kept, up to and including recordings of children. There was no retention policy in place to delete the recordings after a certain amount of time, and they were even used to train Alexa to improve its language recognition skills with no thought as to the content. While parents could contact Amazon to specifically request that recordings of their children be deleted, the FTC found numerous instances where the recordings were only deleted from certain databases after a request was made; they were still kept in others.
The total fines levied were US$30.8 million, which The Register points out is less than a single day’s profit for Amazon. Amazon also does not admit any wrongdoing, but was happy to toss some spare change at the FTC to make the complaints go away.
Amazon reached out to us on this topic: “At Amazon, we take our responsibilities to our customers and their families very seriously. Our devices and services are built to protect customers’ privacy, and to provide customers with control over their experience. While we disagree with the FTC’s claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us.”
They have also made a change and “will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them”, and feel that they addressed the Ring issues internally before the beginning of the FTC investigation.
America's Federal Trade Commission has made Amazon a case study for every cautionary tale about how sloppily designed internet-of-things devices and associated services represent a risk to privacy – and made the cost of those actions, as alleged, a mere $30.8 million.