Posts: 9,135 +117
What just happened? Amazon has agreed to a $5.8 million settlement with the Federal Trade Commission (FTC) after the agency discovered that Ring allowed employees and contractors to access customers' video content. One former Ring employee was able to spy on female users for months in 2017 through cameras in their bedrooms and bathrooms.
In addition to allowing access to customers' videos, the FTC's investigation found that Ring, acquired by Amazon in 2018, failed to implement basic privacy and security protections, enabling hackers to take control of customers' accounts, cameras, and videos. The security issues were present between 2016 and 2020.
In January 2019, there were reports that Ring employees around the world were given access to unencrypted video feeds from customers' homes. A year later, Ring told US Senators, who had questioned the company's security practices, that it had fired four employees for improperly accessing customers' video footage.
The FTC discovered that in 2017, Ring workers viewed videos from at least 81 female customers and other employees recorded on the company's products.
One employee viewed thousands of videos of female customers in their bedrooms and bathrooms and was only stopped (and fired) when another employee noticed what they were doing.
As Rockwell once said, "I always feel like somebody's watching me"
"As a result of this dangerously overbroad access and lax attitude toward privacy and security, employees and third-party contractors were able to view, download and transfer customers' sensitive video data for their own purposes," said the FTC.
Ring was also blasted by the FTC for privacy violations stemming from a lack of security in its devices. The agency found that hackers were able to use credential stuffing and brute-force attacks to access customer accounts. Despite these incidents occurring in 2017 and 2018, Ring did not introduce multi-factor authentication until 2019. "Even then, Ring's sloppy implementation of the additional security measures hampered their effectiveness," said the FTC.
Hackers were not only able to access stored videos, live video streams, and account profiles of approximately 55,000 US customers, but they also used the Ring cameras' two-way intercom to harass, threaten, and insult consumers, including elderly individuals and children, writes the FTC.
The 20-year agreement the FTC now has with Ring includes the latter disclosing to customers the amount of access the company and its contractors have to their data. In addition to the $5.8 million fine, which will go toward customer refunds, Ring is required to implement a privacy and security program with novel safeguards on human review of videos and delete all customer data, models, and algorithms derived from any video footage it unlawfully reviewed.
Ring has faced complaints over privacy matters for years. Its partnership with the police, in which it gave authorities footage from Ring products without customers' consent, drew plenty of criticism; the Electronic Frontier Foundation (EFF) said in 2020 that it had identified several embedded third-party trackers in the Ring Android app that were grabbing "a plethora" of personal information and sharing it with firms that include Facebook; and an Amazon engineer once said the company should be shut down permanently.
In a separate settlement, Amazon agreed to pay $25 million over allegations it violated children's privacy rights by failing to delete Alexa recordings at the request of parents. It's also alleged to have kept the recordings longer than necessary.
Update: Amazon has given the following statement regarding the FTC settlement.
At Amazon, we take our responsibilities to our customers and their families very seriously. Our devices and services are built to protect customers' privacy, and to provide customers with control over their experience. While we disagree with the FTC's claims regarding both Alexa and Ring, and deny violating the law, these settlements put these matters behind us.
We built Alexa with strong privacy protections and customer controls, designed Amazon Kids to comply with COPPA, and collaborated with the FTC before expanding Amazon Kids to include Alexa. As part of the settlement, we agreed to make a small modification to our already strong practices, and will remove child profiles that have been inactive for more than 18 months unless a parent or guardian chooses to keep them.
Ring promptly addressed the issues at hand on its own years ago, well before the FTC began its inquiry. Our focus has been and remains on delivering products and features our customers love, while upholding our commitment to protect their privacy and security.