Amazon has settled a Federal Trade Commission (FTC) privacy lawsuit involving repeated breaches of Ring video cameras by both employees and hackers. The order has yet to be approved by a federal court, but would require Amazon to pay $5.8 million in restitution and delete a great deal of the video it has collected (and the products derived from it) over the past several years.
Privacy lawsuit spans Ring’s full history
Amazon purchased Ring in 2018, but the privacy lawsuit encompasses a number of policies and internal practices that date back to the camera company’s startup period in the years prior.
The privacy lawsuit argues that Ring has been advertising its product since 2014 as a secure and private way for owners to monitor even sensitive areas of their home, those that they would not want arbitrary outside access to. The FTC found that the company has had a consistent corporate culture of putting growth ahead of security considerations that might slow down development or add extra costs, and this has manifested in both illicit hackers and hired employees ending up with inappropriate access to these private aspects of user’s lives.
The first major failure noted by the privacy lawsuit is that prior to September 2017, there was inappropriately widespread access to customer videos within the company. Not only did nearly every employee working for the company have the ability to access customer videos, this same access was provided to hundreds of third-party contractors working in Ukraine. Customer videos were saved unencrypted on Ring systems, and any of these employees or contractors could freely download or transfer them without violating any company policy or facing internal reprisal.
Prior to May 2018, the company also had no system of privacy or data security training in place. It also reportedly did nothing to advise either employees or the remote contractors that they were working with sensitive customer data and should treat it as such.
The privacy lawsuit investigation did turn up specific cases of abuse of this freewheeling company policy. From June to August 2017, one particular Ring employee viewed the private videos of 81 female customers for “prurient” reasons not connected to work. Ring had no system in place to detect this sort of abusive access at the time; the incident only came to light when a female co-worker noticed what the employee was doing and reported it to a supervisor. And in January 2018, a male employee was caught stalking a female co-worker by looking up her stored video recordings.
Just ahead of the eventual acquisition by Amazon, Ring began tightening the screws on employee access to videos. Engineers were required to provide a “business need” to access customer files. But this prompted hacking by determined privacy invaders inside the company. In February 2018, a Ukraine contractor was caught constructing a “tunnel” into the network to restore the former unfettered access to customer videos that they previously enjoyed. And between March 2018 and September 2019, an employee distributed Ring equipment to people with the intent of using it to spy on them. This latter incident was only uncovered after the guilty party left the company (taking private videos with him) and a whistleblower stepped forward.
Ring did not implement a restriction to require customer consent for employee access to videos until February 2019, nor did it have an internal system for detecting unauthorized employee access. Prior to that point, these incidents of abuse were only discovered if an employee stepped forward to report them. The privacy lawsuit notes that it is “highly likely” that there were many more incidents that were never noticed or reported.
In addition to failing to control employees, Ring’s cybersecurity was inadequate
Cybersecurity was also a major issue for Ring until at least 2020. Until January of that year, Ring had no adequate defense against password guessing attacks such as “brute force” and credential stuffing techniques. Multi-factor authentication was not available inside the company until May 2019, complete rate limiting was not implemented until July 2019, and it also did not require customers to set sufficiently complex passwords during this period.
Prior to March 2020, some 55,000 customers in the US had their accounts compromised by some sort of password guessing approach. This led to an infamous wave of incidents in which some hackers harnessed the two-way communication abilities of the devices to harass customers, shouting abuse or threats and attempting to scare them.
The $5.8 million Ring will pay to settle the privacy lawsuit is primarily earmarked for customer refunds. Any customer videos or biometric face identification information collected prior to 2018 will have to be deleted, as will algorithms or other products that were built with that information. Ring will also be under new requirements to report unauthorized access of customer videos to the FTC.
Ring provided a response regarding the FTC settlement: “Our focus has been and remains on delivering products and features our customers love, while upholding our commitment to protect their privacy and security. Ring promptly addressed these issues on its own years ago, well before the FTC began its inquiry. While we disagree with the FTC’s allegations and deny violating the law, this settlement resolves this matter so we can focus on innovating on behalf of our customers.”