A Federal Trade Commission lawsuit filed yesterday accused Ring, the home security camera company owned by Amazon, of invading users’ privacy by “allowing thousands of employees and contractors to watch video recordings of customers’ private spaces.”
Until September 2017, every employee of Ring and a Ukraine-based contractor had access to customer videos, which were stored without encryption, the FTC said. “Ring gave every employee—as well as hundreds of Ukraine-based third-party contractors—full access to every customer video, regardless of whether the employee or contractor actually needed that access to perform his or her job function,” the FTC said.
Violations did not stop in 2017 despite new access controls, according to the lawsuit, which alleges privacy invasions both before and after Amazon bought Ring in 2018. The FTC’s lawsuit in US District Court for the District of Columbia also alleged that Ring failed to promptly implement basic privacy and security protections, making it easier for hackers to take over customers’ accounts and cameras. A settlement that is pending a judge’s approval would require Ring to pay $5.8 million for customer refunds, delete certain types of data, and implement privacy and security controls. Amazon did not admit any wrongdoing.
In a press release, the FTC said that “Ring deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using customer videos to train algorithms, among other purposes, without consent, and failing to implement security safeguards.” In one case, an employee “viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms,” the FTC said.
That allegedly occurred between June and August 2017 and invaded the privacy of at least 81 female users of Ring products. “The employee wasn’t stopped until another employee discovered the misconduct. Even after Ring imposed restrictions on who could access customers’ videos, the company wasn’t able to determine how many other employees inappropriately accessed private videos because Ring failed to implement basic measures to monitor and detect employees’ video access,” the FTC said.
In a separate action announced yesterday, the FTC and US Department of Justice charged Amazon with violating the Children’s Online Privacy Protection Act (COPPA) “by keeping kids’ Alexa voice recordings forever and undermining parents’ deletion requests.” A pending settlement would force Amazon to pay a $25 million fine; delete children’s data, geolocation data, and other voice recordings; and take other steps to improve privacy.
Amazon reported net sales of $127.4 billion and net income of $3.2 billion in the first quarter.
FTC calls Ring security too sloppy
The FTC complaint against Ring alleged that it failed to implement multi-factor authentication and other protections against credential-stuffing and brute-force attacks until 2019 and that the implementation of security measures was too sloppy. Ring made two-factor authentication available in May 2019 “but did not take reasonable steps to encourage its adoption, such as through user-friendly opt-ins for existing customers and default opt-outs for new users,” the complaint said. Fewer than 2 percent of Ring customers adopted the optional security feature in 2019.
The FTC press release said:
As a result, hackers continued to exploit account vulnerabilities to access stored videos, live video streams, and account profiles of approximately 55,000 US customers, according to the complaint. Bad actors not only viewed some customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten, and insult consumers—including elderly individuals and children—whose rooms were monitored by Ring cameras, and to change important device settings, the FTC said. For example, hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom.
Ring also “implemented some forms of rate limiting before July 2019,” but the rate limiting didn’t cover all authentication portals and “failed to block multiple attempts in rapid succession to log into different accounts from the same IP address,” the FTC said. The 55,000 credential-stuffing and brute-force attacks cited by the FTC allegedly occurred between January 2019 and March 2020.
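The two rate-limiting gaps the FTC describes (not every login portal covered, and no limit on rapid attempts against different accounts from one IP) can be shown with a small replay harness. The following is an added illustration, not Ring's code or anything from the complaint: it replays a constructed stream of login attempts through a sliding-window failure counter under two policies. The "weak" policy keys failures per account and only on the web portal; the "hardened" policy keys them per source IP across all accounts, on every portal, while still allowing a real user a few mistyped passwords. Thresholds, endpoint names and the sample IPs are assumptions for the example.

```python
"""Added example: per-account vs per-IP sliding-window login limiting.
Everything here (policies, thresholds, traces) is constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    ts: float          # seconds on a constructed timeline
    source_ip: str
    username: str
    endpoint: str      # "web" or "mobile_api" in this example
    password_ok: bool  # outcome of the (simulated) credential check


class SlidingWindowCounter:
    """Counts failures per key inside a trailing time window."""

    def __init__(self, max_failures: int, window_seconds: float):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures = defaultdict(deque)

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return q

    def is_blocked(self, key, now) -> bool:
        return len(self._prune(key, now)) >= self.max_failures

    def record_failure(self, key, now):
        self._prune(key, now).append(now)


def weak_keys(a: LoginAttempt):
    """Weak policy (assumed for illustration): only the web portal is limited,
    and only per account, so one IP may try each of many accounts once."""
    return [("acct", a.username)] if a.endpoint == "web" else []


def hardened_keys(a: LoginAttempt):
    """Hardened policy: every portal is covered, and failures are counted per
    source IP across all accounts as well as per account."""
    return [("ip", a.source_ip), ("acct", a.username)]


def run_guard(attempts, key_fn, max_failures=5, window_seconds=300.0):
    """Replay attempts through a guard; return (blocked, failed, succeeded)."""
    counter = SlidingWindowCounter(max_failures, window_seconds)
    blocked = failed = succeeded = 0
    for a in attempts:
        keys = key_fn(a)
        if any(counter.is_blocked(k, a.ts) for k in keys):
            blocked += 1          # rejected before the password is even checked
            continue
        if a.password_ok:
            succeeded += 1
        else:
            failed += 1
            for k in keys:
                counter.record_failure(k, a.ts)
    return blocked, failed, succeeded


def stuffing_trace(n=50):
    """Constructed trace: one IP, one wrong guess each against n distinct
    accounts, alternating portals, 0.1 s apart (the pattern the FTC describes)."""
    return [LoginAttempt(ts=i * 0.1, source_ip="203.0.113.10",
                         username=f"user{i:03d}",
                         endpoint="web" if i % 2 == 0 else "mobile_api",
                         password_ok=False) for i in range(n)]


def typo_trace():
    """Constructed trace: a real user mistypes twice, then logs in."""
    return [LoginAttempt(0.0, "198.51.100.7", "alice", "web", False),
            LoginAttempt(4.0, "198.51.100.7", "alice", "web", False),
            LoginAttempt(9.0, "198.51.100.7", "alice", "web", True)]


if __name__ == "__main__":
    print("stuffing, weak policy    :", run_guard(stuffing_trace(), weak_keys))
    print("stuffing, hardened policy:", run_guard(stuffing_trace(), hardened_keys))
    print("typo, hardened policy    :", run_guard(typo_trace(), hardened_keys))
```

Under the weak policy every one of the 50 attempts reaches the password check, because no single account ever accumulates more than one failure and half the attempts bypass the limited portal entirely. Under the hardened policy the per-IP key trips after the fifth failure and the remaining 45 attempts are refused without a credential check, while the legitimate user's two typos stay well under the threshold. A per-IP counter alone is not sufficient in production (distributed sources share no IP), but it closes exactly the gap quoted above.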
Amazon denies FTC allegations
In a statement provided to Ars, an Amazon spokesperson said that “Ring promptly addressed the issues at hand on its own years ago, well before the FTC began its inquiry. Our focus has been and remains on delivering products and features our customers love, while upholding our commitment to protect their privacy and security.”
Ring published a blog post that claimed the FTC complaint “mischaracterizes our security practices” and “ignores the many protections we have in place for our customers. While we disagree with the FTC’s allegations and deny violating the law, this settlement resolves this matter so we can focus on innovating on behalf of our customers.”
Amazon also denied violating the children’s privacy law. “We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa,” a company statement said. “As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.”
FTC: Ring spying could occur “entirely undetected”
Amazon completed its purchase of Ring in April 2018. The FTC complaint says that in August 2020, “a whistleblower notified Ring that between March 2018 and September 2019, a former employee had provided Ring devices to numerous individuals and then accessed their videos without their knowledge or consent.”
The complaint continued:
When the employee left Ring in September 2019, the whistleblower alleged that he took copies of these videos with him—without the knowledge or consent of his unsuspecting victims and without Ring noticing that anything was amiss. In February 2019, Ring changed its access practices so that most Ring employees or contractors could only access a customer’s private video with that customer’s consent.
“Importantly, because Ring failed to implement basic measures to monitor and detect inappropriate access before February 2019, Ring has no idea how many instances of inappropriate access to customers’ sensitive video data actually occurred,” the FTC said. “Indeed, Ring only discovered the incidents described above through the good fortune of employee reporting, despite having given employees zero security training and no responsibility to engage in such reporting. It is highly likely that numerous other incidents of spying, prurient behavior, and other inappropriate access occurred entirely undetected.”
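The two "basic measures" the FTC says were missing before February 2019, consent-gated access and monitoring of who viewed which customers' video, fit together in one small design: route every employee read through a broker that checks a customer consent grant and writes an audit record either way, then run a detector over that log. The code below is an added illustration and is not Ring's implementation; the broker API, the consent time-to-live, the detection window and threshold, and the employee and customer identifiers are all assumptions made up for the example.

```python
"""Added example: consent-gated video access with an audit log and a
bulk-viewer detector over that log. All names and numbers are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: float
    employee: str
    customer: str
    consent_id: Optional[str]   # the customer's consent grant, if one was cited
    allowed: bool


class VideoAccessBroker:
    """Every employee read of customer video goes through here. A read is
    permitted only against an unexpired consent grant from that same customer,
    and every attempt, allowed or denied, is appended to the audit log."""

    def __init__(self, consent_ttl_seconds: float = 3600.0):
        self.consent_ttl = consent_ttl_seconds
        self._consents: Dict[str, Tuple[str, float]] = {}  # id -> (customer, granted_at)
        self.audit_log: List[AccessEvent] = []

    def grant_consent(self, consent_id: str, customer: str, now: float) -> None:
        self._consents[consent_id] = (customer, now)

    def read_video(self, employee: str, customer: str,
                   consent_id: Optional[str], now: float) -> bool:
        grant = self._consents.get(consent_id) if consent_id else None
        ok = (grant is not None and grant[0] == customer
              and now - grant[1] <= self.consent_ttl)
        self.audit_log.append(AccessEvent(now, employee, customer, consent_id, ok))
        return ok


def detect_bulk_viewers(audit_log, window_seconds: float, max_customers: int):
    """Flag employees who touched more than max_customers distinct customers
    inside any window_seconds span. Denied attempts count too: a run of
    denials is itself a signal worth a human look."""
    per_employee = defaultdict(list)
    for e in audit_log:
        per_employee[e.employee].append((e.ts, e.customer))
    flagged = {}
    for emp, events in per_employee.items():
        events.sort()
        lo, worst = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window_seconds:
                lo += 1
            worst = max(worst, len({c for _, c in events[lo:hi + 1]}))
        if worst > max_customers:
            flagged[emp] = worst
    return flagged


def demo():
    broker = VideoAccessBroker()
    # constructed: a support agent helps two customers who each granted consent
    broker.grant_consent("c-1001", "cust-A", now=0.0)
    broker.grant_consent("c-1002", "cust-B", now=50.0)
    broker.read_video("agent1", "cust-A", "c-1001", now=10.0)     # allowed
    broker.read_video("agent1", "cust-B", "c-1002", now=60.0)     # allowed
    broker.read_video("agent1", "cust-B", "c-1001", now=61.0)     # denied: wrong customer
    broker.read_video("agent1", "cust-A", "c-1001", now=5000.0)   # denied: grant expired
    # constructed: one employee sweeps 30 customers in a few minutes citing no
    # consent; the broker denies each read, and the log still shows the sweep
    for i in range(30):
        broker.read_video("emp-9", f"cust-{i:03d}", None, now=100.0 + i * 5)
    flagged = detect_bulk_viewers(broker.audit_log, window_seconds=600, max_customers=10)
    return broker, flagged


if __name__ == "__main__":
    broker, flagged = demo()
    print("audit records:", len(broker.audit_log),
          "allowed:", sum(e.allowed for e in broker.audit_log))
    print("flagged:", flagged)
```

The point of the detector is not the threshold but the existence of the log: without a record of every access attempt, the question the FTC raises ("how many other employees inappropriately accessed private videos") cannot be answered after the fact. In a real deployment the broker would also bind the consent grant to a support case and the audit log would be written to storage the same employees cannot modify.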