
FTC Charges Ring with Privacy Violations, Orders Sweeping Security Overhauls and Consumer Refunds

Charles M. Walls | May 2, 2024


The Federal Trade Commission (FTC) has accused Ring, the home security camera enterprise, of severely compromising user privacy. This breach involved allowing widespread internal access to customer videos without stringent controls, and not equipping the system with essential security measures. This negligence enabled hackers to hijack customer accounts and access both live and recorded footage.

According to the terms of a proposed settlement awaiting federal court approval, Ring is mandated to erase all data, including models and algorithms, that were improperly derived from the accessed videos. Moreover, the company must establish a comprehensive privacy and security framework. This new initiative will feature advanced protocols for video review and robust security measures, such as multi-factor authentication for both staff and user accounts.

Samuel Levine, the Director of the FTC's Bureau of Consumer Protection, criticized Ring’s lax security, stating, “Ring’s disregard for privacy and security exposed consumers to spying and harassment,” and emphasized that the FTC's directive serves as a stern reminder that compromising privacy for profit is unacceptable. Ring, a subsidiary of Amazon since its acquisition in 2018, markets a variety of internet-connected security devices aimed at enhancing home safety and providing peace of mind to its users.

The FTC’s complaint highlighted that Ring’s practices deceived consumers by not limiting internal access to their video feeds, using these feeds to train their systems without user consent, and neglecting to implement essential security protocols. This led to severe privacy breaches, including instances where employees accessed thousands of private video feeds covering sensitive areas like bedrooms and bathrooms without detection.

The complaint further reveals that until January 2018, Ring neither sufficiently informed customers nor obtained their consent for the extensive internal use of their video recordings. Despite prior warnings from employees and security experts about the vulnerabilities in its system, it took multiple hacking incidents through 2017 and 2018 before Ring implemented basic security measures like multi-factor authentication in 2019.

These security lapses allowed hackers to exploit weaknesses, resulting in unauthorized access to about 55,000 U.S. customer accounts. Intruders not only viewed private videos but also harassed customers through the camera's two-way talk feature, with some instances involving threats of violence and other abuses.

As part of the resolution, Ring is required to compensate affected consumers with a sum of $5.8 million and implement measures to prevent future unauthorized video access. This includes deleting all videos and associated data collected before 2018 and establishing a robust notification system about data breaches.

This enforcement action by the FTC, which culminated in a unanimous vote to proceed with the legal complaint and order, underscores the agency's commitment to safeguarding consumer privacy and ensuring corporate accountability in digital security practices. The FTC continues to warn the public against scams and encourages reporting suspicious activities through its various consumer education platforms.
