FTC Says Ring Employees Illegally Surveilled Customers, Failed to Stop Hackers from Taking Control of Users' Cameras
Under proposed FTC order, Ring will be prohibited from profiting from unlawfully accessing consumers' videos, pay $5.8 million in consumer refunds
May 31st, '23
Media Contact: Juliana Gruenwald Henderson, Office of Public Affairs, 202-326-2924, Jhenderson2@ftc.gov
The Federal Trade
Commission charged home security camera company Ring with compromising its
customers’ privacy by allowing any employee or contractor to access consumers’
private videos and by failing to implement basic privacy and security
protections, enabling hackers to take control of consumers’ accounts, cameras,
and videos.
Under a proposed order,
which must be approved by a federal court before it can go into effect, Ring
will be required to delete data products such as data, models, and algorithms
derived from videos it unlawfully reviewed. It also will be required to
implement a privacy and security program with novel safeguards on human review
of videos as well as other stringent security controls, such as multi-factor
authentication for both employee and customer accounts.
“Ring’s
disregard for privacy and security exposed consumers to spying and harassment,”
said Samuel Levine, Director of the FTC’s Bureau of Consumer
Protection. “The FTC’s order makes clear that putting profit over privacy
doesn’t pay.”
California-based
Ring LLC, which was purchased by Amazon in February 2018, sells
internet-connected, video-enabled home security cameras, doorbells, and related
accessories and services. The company has marketed its products as offering
greater home security and providing its users with peace of mind. For example,
in promoting its indoor security cameras, which can be placed in individual
rooms, Ring touts the ability of purchasers to “See your home. Away from
home” alongside a picture of a Ring camera monitoring a child’s bedroom.
In
a complaint, the FTC says Ring deceived its
customers by failing to restrict employees’ and contractors’ access to its
customers’ videos, using customer videos to train algorithms, among other
purposes, without consent, and failing to implement security safeguards. According
to the complaint, these failures amounted to egregious violations of users’
privacy. For example, one employee over several months viewed thousands of
video recordings belonging to female users of Ring cameras that surveilled
intimate spaces in their homes such as their bathrooms or bedrooms. The
employee wasn’t stopped until another employee discovered the misconduct. Even
after Ring imposed restrictions on who could access customers’ videos, the
company wasn’t able to determine how many other employees inappropriately
accessed private videos because Ring failed to implement basic measures to
monitor and detect employees’ video access.
The FTC
also said Ring failed to take any steps until January 2018 to adequately notify
customers or obtain their consent for extensive human review of customers’
private video recordings for various purposes, including training algorithms.
Ring buried information in its Terms of Service and Privacy Policy, claiming it
had a right to use recordings obtained in connection with its services for
“product improvement and development,” according to the complaint.
Security failures
According to the complaint, Ring also failed to implement standard security measures to
protect consumers’ information from two well-known online threats—“credential
stuffing” and “brute force” attacks—despite warnings from employees, outside
security researchers and media reports. Credential stuffing involves the use of
credentials, such as usernames and passwords, obtained from a consumer’s
breached account to gain access to a consumer’s other accounts. In a brute
force attack, a bad actor uses an automated process of password guessing—for
example, by cycling through breached credentials or entering well-known
passwords—hundreds or thousands of times to gain access to an account.
Despite
experiencing multiple credential-stuffing attacks in 2017 and 2018, Ring
failed, according to the complaint, to implement common tactics—such as
multifactor authentication—until 2019. Even then, Ring’s sloppy implementation
of the additional security measures hampered their effectiveness, the FTC said.
As a
result, hackers continued to exploit account vulnerabilities to access stored
videos, live video streams, and account profiles of approximately 55,000 U.S.
customers, according to the complaint. Bad actors not only viewed some
customers’ videos but also used Ring cameras’ two-way functionality to harass,
threaten, and insult consumers—including elderly individuals and children—whose
rooms were monitored by Ring cameras, and to change important device settings,
the FTC said. For example, hackers taunted several children with racist slurs,
sexually propositioned individuals, and threatened a family with physical harm
if they didn’t pay a ransom.
In
addition to the mandated privacy and security program, the proposed order
requires Ring to pay $5.8 million, which will be used for consumer refunds. The
company also will be required to delete any customer videos and face
embeddings, data collected from an individual’s face, that it obtained prior to
2018, and delete any work products it derived from these videos. The proposed
order also will require Ring to alert the FTC about incidents of unauthorized
access or exposure of its customers’ videos and to notify consumers about the
FTC’s action.
The
Commission voted 3-0 to authorize the staff to file the complaint and
stipulated final order. The FTC filed the complaint and final order in
the U.S. District Court for the District of Columbia.
NOTE: The
Commission files a complaint when it has “reason to believe” that the named
defendants are violating or are about to violate the law and it appears to the
Commission that a proceeding is in the public interest. Stipulated final orders
have the force of law when approved and signed by the District Court judge.
The lead
staff attorneys on this matter are Elisa Jillson, Andy Hasty, and Julia
Horwitz from the FTC’s Bureau of Consumer Protection.