FTC Says Ring Employees Illegally Spied on Customers

The Federal Trade Commission (FTC) has charged home security camera company Ring with customer privacy violations, including allowing any employee or contractor to access consumers’ private videos.

A proposed order, which requires approval by a federal court to go into effect, outlines demands and punitive measures against Ring, an Amazon-owned company, including requiring Ring to delete data, models, and algorithms that it created using videos it unlawfully viewed and analyzed.

Part of the FTC’s issue with Ring is that the company didn’t do enough to prevent hackers from gaining access and control over users’ cameras. Part of the proposed order outlines steps that Ring must take to implement a privacy and security program with new and improved safeguards against hacking, as well as more robust security controls over who within Ring has access to view customer videos. The FTC also wants Ring to implement multi-factor authentication for employee and customer accounts.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment. The FTC’s order makes clear that putting profit over privacy doesn’t pay,” says Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.

FTC Outlines Pattern of Invasive Behavior Within Ring

A complaint filed in the United States District Court for the District of Columbia by the FTC against Ring LLC outlines ways in which Ring deceived its customers by not restricting access to customers’ videos. The complaint also says Ring used customer videos without consent to train internal software algorithms.

However, the entire litany of violations is even more nefarious and invasive than that.

“According to the complaint, these failures amounted to egregious violations of users’ privacy. For example, one employee over several months viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms,” the FTC explains.

The FTC continues, “The employee wasn’t stopped until another employee discovered the misconduct. Even after Ring imposed restrictions on who could access customers’ videos, the company wasn’t able to determine how many other employees inappropriately accessed private videos because Ring failed to implement basic measures to monitor and detect employees’ video access.”

A Failure to Protect Customers From Outside Threats

The FTC also claims Ring failed to take meaningful steps to notify customers or obtain consent for human review of private video recordings. Ring buried implied consent within its Terms of Service and Privacy Policy, claiming it had the right to use recordings to improve and develop its products.

Ring also failed to protect user data from outside threats. The FTC claims that Ring didn’t take meaningful action to prevent consumers’ data from being stolen and used to access other accounts, a technique known as “credential stuffing.” Ring experienced multiple “credential stuffing” attacks in 2017 and 2018, and the FTC’s complaint says that Ring didn’t do anything about it until 2019. The FTC considers Ring’s approach to security to be haphazard at best.

Hackers continued to have access to vulnerabilities, including stored customer videos, for a considerable period. The FTC’s complaint alleges that approximately 55,000 customer accounts in the United States were compromised.

Some Ring Customers Lived in Fear in Their Own Homes

Bad actors stole people’s private videos and content and took control of Ring cameras inside people’s homes and the device’s two-way functionality to “harass, threaten, and insult customers,” according to the FTC, including elderly people and children.

“For example, hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened a family with physical harm if they didn’t pay a ransom,” the FTC says.

FTC’s Proposed Punishment

In addition to forcing Ring to implement improved privacy and security safeguards, the FTC’s order requires Ring to pay $5.8 million, which will be used for consumer refunds.

“The company also will be required to delete any customer videos and face embeddings, data collected from an individual’s face, that it obtained prior to 2018, and delete any work products it derived from these videos. The proposed order also will require Ring to alert the FTC about incidents of unauthorized access or exposure of its customers’ videos and to notify consumers about the FTC’s action,” the FTC continues.

Signs of a Broader Issue with Cameras

The new FTC ruling against Ring comes less than two months after a bombshell report claimed that Tesla’s staff shared sensitive images captured by customers’ cars. As more cameras are in and around people’s homes, companies seemingly fail to protect their customers.