Full access to unencrypted videos —

FTC: Amazon/Ring workers illegally spied on users of home security cameras

Amazon agrees to Ring and Alexa settlements but didn't admit violating any laws.

Two Amazon Ring cameras sitting on a table.
Enlarge / Amazon Ring indoor cameras displayed during an event at company headquarters in Seattle on September 25, 2019.
Getty Images | Bloomberg

A Federal Trade Commission lawsuit filed yesterday accused Ring, the home security camera company owned by Amazon, of invading users' privacy by "allowing thousands of employees and contractors to watch video recordings of customers' private spaces."

Until September 2017, every employee of Ring and a Ukraine-based contractor had access to customer videos, which were stored without encryption, the FTC said. "Ring gave every employee—as well as hundreds of Ukraine-based third-party contractors—full access to every customer video, regardless of whether the employee or contractor actually needed that access to perform his or her job function," the FTC said.

Violations did not stop in 2017 despite new access controls, according to the lawsuit, which alleges privacy invasions both before and after Amazon bought Ring in 2018. The FTC's lawsuit in US District Court for the District of Columbia also alleged that Ring failed to promptly implement basic privacy and security protections, making it easier for hackers to take over customers' accounts and cameras. A settlement that is pending a judge's approval would require Ring to pay $5.8 million for customer refunds, delete certain types of data, and implement privacy and security controls. Amazon did not admit any wrongdoing.

In a press release, the FTC said that "Ring deceived its customers by failing to restrict employees' and contractors' access to its customers' videos, using customer videos to train algorithms, among other purposes, without consent, and failing to implement security safeguards." In one case, an employee "viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms," the FTC said.

That allegedly occurred between June and August 2017 and invaded the privacy of at least 81 female users of Ring products. "The employee wasn't stopped until another employee discovered the misconduct. Even after Ring imposed restrictions on who could access customers' videos, the company wasn't able to determine how many other employees inappropriately accessed private videos because Ring failed to implement basic measures to monitor and detect employees' video access," the FTC said.

In a separate action announced yesterday, the FTC and US Department of Justice charged Amazon with violating the Children's Online Privacy Protection Act (COPPA) "by keeping kids' Alexa voice recordings forever and undermining parents' deletion requests." A pending settlement would force Amazon to pay a $25 million fine; delete children's data, geolocation data, and other voice recordings; and take other steps to improve privacy.

Amazon reported net sales of $127.4 billion and net income of $3.2 billion in the first quarter.

FTC calls Ring security too sloppy

The FTC complaint against Ring alleged that it failed to implement multifactor authentication and other protections against credential-stuffing and brute-force attacks until 2019 and that the implementation of security measures was too sloppy. Ring made two-factor authentication available in May 2019 "but did not take reasonable steps to encourage its adoption, such as through user-friendly opt-ins for existing customers and default opt-outs for new users," the complaint said. Fewer than 2 percent of Ring customers adopted the optional security feature in 2019.

The FTC complaint said:

During the course of these attacks, approximately 55,000 US customers suffered serious account compromises. For at least 910 US accounts (affecting approximately 1,250 devices), the bad actor not only accessed the accounts, but took additional invasive actions, such as accessing a stored video, accessing a live stream video, or viewing a customer's profile. The bad actors disproportionately targeted indoor cameras... in many instances, the bad actors were not just passively viewing customers' sensitive video data. Rather, the bad actors took advantage of the camera's two-way communication functionality to harass, threaten, and insult individuals—including elderly individuals and children—whose rooms were monitored by Ring cameras, and to set off alarms and change important device settings.

Ring also "implemented some forms of rate limiting before July 2019," but the rate limiting didn't cover all authentication portals and "failed to block multiple attempts in rapid succession to log into different accounts from the same IP address," the FTC said. The 55,000 credential-stuffing and brute-force attacks cited by the FTC allegedly occurred between January 2019 and March 2020.

Reader Comments (98)

View comments on forum

Loading comments...

Channel Ars Technica