Tuesday 6 June 2023

Amazon-owned Ring agrees to multimillion settlement with FTC over privacy violations – including SPYING ON CHILDREN

 Security camera company Ring, which Amazon acquired in 2018, has agreed to a $5.8 million settlement after the Federal Trade Commission (FTC) accused it of privacy violations linked to its doorbell cameras.

In a May 31 statement, the FTC said Amazon agreed to settle out of court to avoid being charged by the federal government. The amount involved in the settlement will be used for consumer refunds, it also noted.

A separate report pointed out that the e-commerce giant would be shelling out a total of $30.8 million to settle with the FTC. The additional $25 million was in relation to its Alexa voice assistant storing children’s voices and location data, violating child privacy laws.

The agency alleged that Ring compromised the privacy of consumers by “allowing any employee or contractor to access consumers’ private videos. It also alleged that the California-based company failed “to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras and videos.”

A May 31 court filing elaborated on the FTC’s allegations. It accused Ring of granting hundreds of employees and third-party contractors based in Ukraine “full access to every customer video, regardless of whether the employee or contractor actually needed that access to perform [their] job function.” The agency also accused the company of providing no training on privacy or data security prior to May 2018 – which permitted “dangerous and unnecessary access to highly sensitive data” for some time.

Ring will also be required to comply with a proposed order subject to approval by a federal court. Under the order, it must delete data, models and algorithms derived from videos it unlawfully reviewed. It must also implement a privacy and security program with novel safeguards on human review of videos as well as other stringent security controls, such as multi-factor authentication for both employee and customer accounts.

Moreover, Ring must delete any customer videos, face embedding – data collected from an individual’s face – that it obtained prior to 2018 and any work products it derived from these videos. It must also alert the FTC about incidents of unauthorized access or exposure of its customers’ videos and notify consumers about the agency’s action.

FTC: Ring employee viewed footage of more than 80 women

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said FTC Bureau of Consumer Protection Director Samuel Levine. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

The agency’s May 31 court filing outlined one particularly egregious instance that happened in 2017. Between June and August of that year, a male Ring employee “viewed thousands of video recordings belonging to at least 81 unique female users” on hundreds of separate occasions. He typically accessed cameras located in “intimate” spaces such as bedrooms, the filing stated.

Ring failed to detect the employee’s unauthorized access through any technical means, only managing to do so after a female co-worker discovered the breach and reported the misconduct to her supervisor. Initially dismissing the report, the supervisor only escalated the report upon noticing that the male employee was only viewing videos of “pretty girls.” The erring employee was later terminated.

Following the 2017 incident, the company tightened its security policies. Despite this, employees were still granted sweeping access to customers’ cameras. The filing remarked: “It is highly likely that numerous other incidents of spying, prurient behavior, and other inappropriate access occurred entirely undetected.”  

Aside from this, Ring’s lax security policies enabled hackers to take control of security cameras. The filing said bad actors utilized the devices they hijacked for nefarious ends.

“In many cases, these instances of unauthorized access were not short-lived invasions. For example, the bad actors maintained unauthorized access to the accounts’ devices for more than one month. [Moreover], the bad actors were not just passively viewing customers’ sensitive video data – [they also] took advantage of the camera’s two-way communication functionality to harass, threaten and insult individuals … whose rooms were monitored by Ring cameras.”

Post a Comment

Start typing and press Enter to search