When Atlas Shrugs – FTC Faults Amazon for Alexa and Ring

Privacy Plus+

Privacy, Technology and Perspective

This week, the Federal Trade Commission (FTC) announced two separate complaints against Amazon, one of the world’s largest retailers, both related to its privacy practices.

Alexa - Charges of COPPA Rule Violation: According to a newly-filed FTC complaint backed by the DOJ, Amazon has been hindering parents from using their deletion rights under the Children’s Online Privacy Protection Act Rule (COPPA Rule), and has used unlawfully-retained data to improve its Alexa algorithm.  Specifically, the FTC alleges that Amazon has retained sensitive voice and geolocation data for its own benefit. A link to the Complaint follows:

https://www.ftc.gov/system/files/ftc_gov/pdf/Amazon-Complaint-%28Dkt.1%29.pdf

Under the Proposed Order, Amazon will be required to pay a $25 million civil penalty. In addition, the order seeks to bind “Defendants and Defendants’ officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them,” and to:

  • Prohibit Amazon from using geolocation, voice information, and children’s voice information subject to consumers’ deletion requests for the creation or improvement of any data product;

  • Require Amazon to delete inactive Alexa accounts if they belong to children;

  • Require Amazon to notify users about the FTC-DOJ action against the company and its retention and deletion practices and controls;

  • Prohibit Amazon from misrepresenting its privacy policies related to geolocation, voice and children’s voice information; and

  • Mandate the creation and implementation of a privacy program specifically related to the company’s use of geolocation information.

A link to the Proposed Order follows:

https://www.ftc.gov/system/files/ftc_gov/pdf/Amazon-Proposed-Stipulated-Order-%28Dkt.-2-1%29.pdf

Ring – Charges of Unfair and Deceptive Practices: In a separate suit filed on the same day, the FTC has charged California-based Ring LLC, an Amazon subsidiary, with compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, thereby enabling hackers to take control of consumers’ accounts, cameras, and videos.

According to the Complaint, Ring has consistently claimed that its products increase customers’ security, thereby implying that Ring devices are a secure means to monitor the private spaces of consumers’ homes. At the same time, however, Ring allegedly has failed to implement standard security measures, such as limiting access to its customers’ videos. The FTC also faults Ring for failing to provide any training on privacy or data security before its acquisition by Amazon in May 2018, despite the fact that Ring is alleged to have been collecting mass quantities of highly sensitive data.

The FTC alleges, among other things, that because of Ring’s lax data security, a Ring employee viewed thousands of videos in “prurient searches on cameras with names indicating that they surveilled an intimate space, such as ‘Master Bedroom,’ ‘Master Bathroom,’ or ‘Spy Cam.’” Also, other hackers exploited vulnerabilities to access stored videos, live video streams, and account profiles of approximately 55,000 U.S. customers.  According to the Complaint, bad actors also used Ring cameras’ two-way functionality to harass, threaten, and insult elderly individuals and children, taunting them with racist slurs, sexually propositioning individuals, and even threatening a family with physical harm if they didn’t pay a ransom. A link to the Complaint follows:

https://www.ftc.gov/system/files/ftc_gov/pdf/complaint_ring.pdf

Under the Proposed Order, Ring must pay $5.8 million in consumer refunds, and its Principal Executive Officer must certify that Ring has established, implemented, and maintained a new system for data security, and is not aware of any material noncompliance with the order.

A link to the Proposed Order follows:

https://www.ftc.gov/system/files/ftc_gov/pdf/proposed_stipulated_order_ring.pdf

Our thoughts: In our view, many of the FTC’s complaints – if well-grounded in fact – are routine enforcement of understood standards of fairness, along with specific points of concern that are being updated with the times:

  • By now, it’s common sense that misrepresenting one’s data policies is as unfair and deceptive as misrepresenting anything else that’s material to consumers’ decisions and the competitive process;

  • It’s also common sense that the bigger an organization, the more bad actors it’s bound to attract, and the more diligence the organization should apply in defending against them; and

  • Geolocation information has been a known problem since at least the early 90’s, when a stalker found an actress’s home address from the state DMV (which led to the passage of the Drivers Privacy Protection Act). It’s greatly exacerbated and more acute now, of course, because of Dobbs, Carpenter, and other developments, and (sadly) seems to be no closer to a solution, but the basic problem has been familiar for a generation or more.

It seems to us that what’s different now is the increasingly-common strategy of putting senior executives directly and personally on the spot for dealing with these ills, and including within this the senior executives of the largest tech companies. Anecdotally, it seems that before the Sarbanes-Oxley Act, executives were usually attacked only for acts in which they had personally participated. They were commonly not held personally liable for frauds or abuses which their companies had committed under their watch, but without the senior or “apex” executives’ personal knowledge or involvement.

Requiring “apex” executives personally to certify their companies’ performance – including executives whose companies are so large that they can’t be personally familiar with every misstep or foolishness, much less personally prevent every bad behavior – is dramatically different. Much like Sarbanes-Oxley caused a dramatic tightening of bookkeeping and accounting controls up and down companies subject to it, we expect that this trend will cause dramatic tightening up, down, and across companies. This tightening may well accomplish its intended purpose as to privacy issues, which would be wonderful.

What may not be wonderful are the other possible, unintended consequences. While everyone’s responsible for keeping their own entries complete and accurate, bookkeeping and accounting issues are largely the domain of specific people who are supposed to be trained in that area and are tasked with those issues. In contrast, privacy issues stretch across literally every department of every company. Unchecked, this C-Suite-led tightening trend may ratchet up to the point of creating distrust, paranoia, and morale problems among companies’ best and most honest employees who are simply trying to do a good job – while, meanwhile, the pressure bearing down on certain acts or actors may simply squeeze bad actors, like goo, to ooze up through fissures and openings someplace else.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
