FEDERAL COMMUNICATIONS COMMISSION WASHINGTON, DC 20554 Office of Commissioner Geoffrey Starks March 8, 2024 Andy Jassy President and Chief Executive Officer Amazon 410 Terry Avenue North Seattle, WA 98109 Dear Mr. Jassy: On February 29, 2024, Consumer Reports and the Washington Post published articles describing the availability of insecure connected video doorbells on Amazon.com, including models that lack a visible Federal Communications Commission (FCC) ID.1 The FCC has recognized that IoT devices can enhance consumer safety, convenience, comfort, and efficiency.2 Connected doorbells in particular can help consumers secure their home, screen visitors, answer their front door remotely, and track package deliveries. Unfortunately, without adequate cybersecurity, these same devices also provide bad actors with an entry point into our networks, daily routines, and even our homes.3 As a case in point, the Consumer Reports and Washington Post articles report that with alarming ease, unauthorized persons—be they an amateur hacker, sophisticated cybercriminal, or an abusive partner—can commandeer video doorbells sold on Amazon to control the camera and access camera footage without permission due to the failure of these devices to take even basic security precautions. According to the reporting, thousands of these video doorbells are sold each month on Amazon and other online marketplaces, and some of them “often carried badges saying ‘Amazon’s Choice: Overall Pick.’”4 Equally concerning, the article describes how a number of these devices, sold by the Chinese manufacturer the Eken Group under brand names Eken, Tuck, Fishbot, Rakeblue, Andoe, Gemee, and Luckwolf, remain for sale on your platform as of the date of publication. 1 Stacey Higginbotham, Daniel Wroclawski, These Video Doorbells Have Terrible Security. Amazon Sells Them Anyway, Consumer Reports (Feb. 29, 2024), https://www.consumerreports.org/home-garden/home-security- cameras/video-doorbells-sold-by-major-retailers-have-security-flaws-a2579288796/; Tatum Hunter, These camera doorbells from Amazon, Walmart aren’t safe, The Washington Post (Feb. 29, 2024), https://www.washingtonpost.com/technology/2024/02/29/doorbell-cameras-aiwit-privacy-amazon-walmart-temu/. 2 See Cybersecurity Labeling for Internet of Things, PS Docket No. 23-239, Notice of Proposed Rulemaking, ¶ 1 (rel. Aug. 10, 2023), https://docs.fcc.gov/public/attachments/FCC-23-65A1.pdf. 3 Id. ¶ 3. 4 See Higginbotham & Wroclawski, supra note 1. Though not mentioned in the article, wireless devices that lack or do not conform with an FCC equipment authorization pose a separate threat to the security of our networks by potentially causing harmful interference into nearby wireless operations.5 To mitigate these risks, Section 302(b) of the Communications Act provides that “[n]o person shall manufacture, import, sell, offer for sale, or ship devices or home electronic equipment and systems, or use devices, which fail to comply with regulations promulgated pursuant to this section.”6 In turn, Section 2.803(b)(1) of the Commission’s rules provides that no person may market a radio frequency device that is subject to certification unless the device has been authorized and is properly identified and labeled in accordance with our regulations.7 The equipment authorization process is also instrumental to preventing the entry of devices determined to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons into the communications supply chain.8 Earlier this year, President Biden announced a new cybersecurity labeling program to help consumers identify the cybersecurity level of protection of IoT devices. With the Commission poised to vote on establishing the Biden Administration’s Cyber Trust Mark program next week, this is an especially important time to learn more about the processes Amazon employs to ensure the products it offers for sale comply with all applicable FCC regulations. To that end, please respond to the following questions by Friday, March 22, 2024. 1. Please describe in detail the steps that Amazon takes to ensure that the products it sells or makes available for sale on Amazon.com comply with the FCC’s equipment authorization rules, including identification and labeling requirements. 2. Amazon’s “Safety Information, Recalls, Warranties, and Legal Notices” webpage states that “Radio Frequency (RF) devices must comply with the Federal Communications Commission (FCC) Requirements,” and includes links to the FCC’s consumer guides as well as the FCC’s Certified Equipment Database. a. Does Amazon verify that the products that it sells or makes available for sale on Amazon.com have a valid FCC authorization? How so? b. Are you aware of the FCC’s equipment authorization search function, which allows the public to search via product code, applicant name, grantee code, and more, to determine if an RF emitting device has received equipment authorization? 3. According to your website, Amazon’s Seller Central requires sellers to comply with your “FCC Radio Frequency Compliance Attribute.” Your website states that, as of March 7, 2022, Amazon will remove listings that do not comply. 5 See, e.g., Enforcement Advisory No. 2012-07, TDWR and U-NII Devices, https://docs.fcc.gov/public/attachments/DA-12-459A1.pdf; Enforcement Advisory No. 2016-05, WARNING: FCC Authorized Equipment Must be Used in Compliance with All Laws and Rules, https://docs.fcc.gov/public/attachments/DA-16-588A1.pdf. 6 47 U.S.C. § 302(b). 7 47 C.F.R. § 2.803(b). 8 Prohibition on Authorization of “Covered” Equipment, Federal Communications Commission, https://www.fcc.gov/laboratory-division/equipment-authorization-approval-guide/equipment-authorization-system. 2 a. Please explain how Amazon identifies listings that do not comply with the FCC Radio Frequency Compliance Attribute. b. Since March 7, 2022, how many listings has Amazon removed for failure to comply with the Radio Frequency Compliance Attribute? c. Please explain how video doorbells lacking an FCC ID were available for sale on Amazon.com, and how that was in compliance with Amazon policy. d. Has Amazon removed listings for products sold under any of the following brand names: Eken, Tuck, Fishbot, Rakeblue, Andoe, Gemee, and Luckwolf? If so, please list the products whose listings Amazon removed, and the date of removal. 4. The Washington Post and Consumer Reports indicate that insecure video doorbells were listed on Amazon as “Amazon’s Choice: Overall Pick.” a. Please describe how the “Amazon’s Choice: Overall Pick” selection process works. b. Does the “Amazon’s Choice: Overall Pick” label tend to increase sales of products bearing that label? c. Does the “Amazon’s Choice: Overall Pick” label tend to draw the attention of shoppers to products bearing that label? d. Does the “Amazon’s Choice: Overall Pick” increase the visibility of products bearing that label? e. Does Amazon vet the products selected as an “Amazon’s Choice: Overall Pick”? If so, please describe any verifications that relate to FCC equipment authorization requirements. f. Does Amazon ever remove the “Amazon’s Choice: Overall Pick” designation in response to concerns about products bearing that designation? If so, what concerns have prompted removal and what is the process for a consumer to request removal? g. Does Amazon maintain records indicating when and for how long products listed on Amazon.com bore the “Amazon’s Choice: Overall Pick” designation? h. Have any video doorbells sold under the brand names Eken, Tuck, Fishbot, Rakeblue, Andoe, Gemee, or Luckwolf appeared on Amazon bearing the “Amazon’s Choice: Overall Pick” designation? Did it increase the visibility and sales of these products after bearing that label? Did Amazon remove the designation for any of these video doorbell products, and when? 5. Amazon provides sellers on Amazon.com with fulfillment, warehousing, shipping, distribution, and payment services. a. Does Amazon vet the products sold by merchants to whom it provides these services? If so, please describe any verifications that relate to FCC equipment authorization requirements. b. Does Amazon ever terminate the provision of these services in response to concerns about products sold using these services? If so, what concerns have prompted termination and what is the process for a consumer to request termination? 3 c. Has Amazon provided these services to merchants who at the time Amazon provided such services listed video doorbells under the brand names Eken, Tuck, Fishbot, Rakeblue, Andoe, Gemee, or Luckwolf on Amazon.com? 6. Amazon allows sellers to pay for sponsored listings on Amazon.com. a. Does Amazon vet the products sold under sponsored listings? If so, please describe any verifications that relate to FCC equipment authorization or requirements. b. Does Amazon ever terminate sponsored listings in response to concerns about products marketed using a sponsored listing? If so, what concerns have prompted termination and what is the process for a consumer to request termination? c. Have any video doorbells sold under the brand names Eken, Tuck, Fishbot, Rakeblue, Andoe, Gemee, or Luckwolf appeared on Amazon under a sponsored listing? If so, how much revenue did Amazon receive in exchange for the sponsorship? 7. Please describe how Amazon plans to incorporate the Cyber Trust Mark, once it is active, into its marketplace to help consumers identify IoT devices that meet the Mark’s level of security. If Amazon does not currently have plans to incorporate the Cyber Trust Mark, please describe why. Please send your responses via email to Geoffrey.Starks@fcc.gov. Sincerely, Geoffrey Starks 4