The Federal Trade Commission charged home security camera company Ring with compromising its customers’ privacy by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras and videos.
Under a proposed order, California-based Ring LLC —which was purchased by Amazon in 2018 — will be required to delete data products such as data, models and algorithms derived from videos it unlawfully reviewed. It will also be required to implement a privacy and security program with novel safeguards on human review of videos as well as other stringent security controls, such as multi-factor authentication for both employee and customer accounts.
Before going into effect, the proposed order must be approved by a federal court.
In addition to the mandated privacy and security program, the proposed order requires Ring to pay $5.8 million, which will be used for consumer refunds. The company also will be required to delete any customer videos and face embeddings, data collected from an individual’s face, that it obtained prior to 2018 and delete any work products it derived from these videos. The proposed order also will require Ring to alert the FTC about incidents of unauthorized access or exposure of its customers’ videos and to notify consumers about the FTC’s action.
The Commission voted 3-0 to authorize the staff to file the complaint and stipulated final order. The FTC filed the complaint and final order in the U.S. District Court for the District of the District of Columbia.
In a complaint, the FTC says Ring deceived its customers by failing to restrict employees’ and contractors’ access to its customers’ videos, using customer videos to train algorithms, among other purposes, without consent and failing to implement security safeguards.
According to the complaint, these failures amounted to egregious violations of users’ privacy. Such as one employee, over several months, viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms.
The FTC also said Ring failed to take any steps until January 2018 to adequately notify customers or obtain their consent for extensive human review of customers’ private video recordings for various purposes, including training algorithms. Ring buried information in its Terms of Service and Privacy Policy, claiming it had a right to use recordings obtained in connection with its services for “product improvement and development,” according to the complaint.
According to the complaint, Ring also failed to implement standard security measures to protect consumers’ information from two well-known online threats — “credential stuffing” and “brute force” attacks — despite warnings from employees, outside security researchers and media reports. Credential stuffing involves the use of credentials, such as usernames and passwords, obtained from a consumer’s breached account to gain access to a consumer’s other accounts. In a brute force attack, a bad actor uses an automated process of password guessing hundreds or thousands of times to gain access to an account.
Despite experiencing multiple credential-stuffing attacks in 2017 and 2018, Ring failed, according to the complaint, to implement common tactics — such as multi-factor authentication — until 2019.
As a result, hackers continued to exploit account vulnerabilities to access stored videos, live video streams and account profiles of approximately 55,000 U.S. customers, according to the complaint. Bad actors not only viewed some customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten and insult consumers.