Following several accusations of privacy breaches concerning its Ring video doorbell and Alexa virtual assistant services, Amazon has agreed to pay a $30 million fine. The Federal Trade Commission (FTC) has accused Amazon's subsidiary, Ring, of unlawfully conducting surveillance on customers and neglecting to protect users' cameras from unauthorised access by hackers.
As per a proposed order, Ring is required to provide $5.8 million in refunds to consumers and will be prohibited from benefiting from consumer videos acquired unlawfully.
The allegation outlined in the complaint alleges that Ring compromised the privacy of its customers by allowing its employees and contractors access to private videos. Additionally, it is claimed that Ring failed to implement fundamental privacy and security measures, enabling hackers to gain control of consumers' cameras and videos through unauthorised access to their accounts.
According to the complaint filed by the FTC, prior to September 2017, Ring did not restrict access to customers' video data to only those employees who required it for their job functions, such as customer support or product improvement. Instead, the complaint reveals that Ring granted unrestricted access to every employee, along with numerous third-party contractors based in Ukraine, providing them with full access to every customer video, regardless of the necessity for performing their specific job duties.
The report also brings attention to a particular incident in which an Amazon employee accessed and viewed thousands of video recordings of female users in private areas such as bathrooms and bedrooms over the course of several months. The company's security team remained unaware of this incident until another employee stumbled upon it and promptly reported it.
A further fine
In an independent matter, both the FTC and the U.S. Department of Justice have accused Amazon of breaching children's privacy laws by neglecting to delete their voice recordings and geolocation data upon their parents’ requests.
According to a proposed order, Amazon will be obligated to pay $25 million in penalties and comply with the parents' demands to delete the children's data.
The proposed order will impose restrictions on Amazon, preventing the company from utilising children's data for algorithm training purposes. Additionally, it will mandate the deletion of inactive child accounts, as well as any associated voice recordings and geolocation data.
In conclusion
The cases involving Amazon's privacy violations underscore the crucial significance of data sovereignty and classification within the world of cybersecurity. The incidents revealed the potential dangers that arise when sensitive data, especially that of vulnerable individuals such as children, falls into the wrong hands or is misused.
Safeguarding data sovereignty requires strict adherence to privacy regulations and the implementation of robust security measures to help prevent unauthorised access and data breaches. The classification of data based on its sensitivity is vital for establishing appropriate safeguards and access controls.
As technology continues to advance, organisations must prioritise data sovereignty and classification as fundamental pillars of their cybersecurity strategies, ensuring the protection of individuals' privacy and the maintenance of trust in the digital landscape.
