June 01, 2023
Since 2013, Ring has promised customers "indoor protection" and "personalized privacy" through its popular home security cameras. But according to a new complaint from the Federal Trade Commission, the company gave employees inappropriate access to thousands of customer videos and failed to safeguard devices from hackers, who harassed children through their families' Ring cameras.
The FTC alleges that, for several years, Ring gave all its employees "full access" to customer videos, regardless of whether this was necessary for each employee's job. Unfettered access also was granted to third-party contractors in Ukraine, and both groups could easily download and share videos without restriction.
These practices resulted in numerous invasions of privacy, which could make the company liable for $5.8 million in consumer refunds under the FTC's proposed order, filed in court on Wednesday.
Up until 2018, Ring maintained broad access to customer recordings under its terms and conditions, which granted the company "the right to review all video recordings for product improvement and development," the FTC complaint says. Since this stipulation was "buried" in fine print, the FTC alleges, most customers were unaware that Ring was accessing their videos without explicit permission.
In one instance described in the complaint, a former male employee viewed thousands of videos of at least 81 women in their bathrooms and bedrooms through their Ring cameras. He allegedly targeted cameras with names like "Master Bedroom" or "Spy Cam," viewing the feeds for up to an hour each day over the course of three months in 2017. He was only stopped and fired when a female colleague reported him to a supervisor, who initially dismissed his behavior as "normal."
This incident, along with another in which a male employee spied on his female coworker through her Ring videos, led the company to narrow access rights in February 2018, shortly before Amazon purchased the company. But the "culture of overly broad access to sensitive information" continued, the FTC says. Later that year, an employee shared information about a customer's videos with that customer's ex-husband. A whistleblower also alleged that a former employee gave Ring cameras to multiple people and then accessed their videos without consent, even taking copies with him when he left the company in 2019.
The FTC complaint further details numerous disturbing incidents of hackers gaining access to customer devices. In addition to viewing videos, the hackers spoke through Ring's two-way communication feature, allegedly cursing at women in their bedrooms and hurling racist slurs at children. In two separate incidents, a teenager and an 87-year-old woman in an assisted living facility were sexually propositioned through their Ring devices, the FTC says.
At least 55,000 U.S. customers experienced "serious account compromises" as a result, according to the complaint. Ring allegedly ignored external advice and warnings from its own security team about the company's vulnerability to third-party attacks; one researcher reported that he was able to guess his own Ring password after 1,000 failed attempts.
The FTC characterized Ring's eventual security upgrades — including two-factor authentication, which it offered to customers in 2019 — as "too little and too late." Under its proposed order, which requires federal court approval before it can go into effect, Ring must delete all customer recordings collected prior to March 2018 for research and development purposes and destroy any algorithms or models developed with that data.
Ring also would be required to develop a "comprehensive data and security program" and maintain it for at least 20 years under the order. That program would have to include safeguards banning human review of customer recordings, unless it is required by law, connected to a criminal investigation, necessary to prevent physical or financial harm or authorized by the customer.
If the order is approved, Ring would have to pay $5.8 million to the FTC, which says it will use the money for consumer refunds. An FTC spokesperson said via email that it could not provide specific details on who would be eligible for the refund, but that the commission "will work to get money back to the consumers injured by these practices, specifically the hackers' victims and consumers who used cameras inside the home where they were exposed to spying."
Ring said in a statement that it was committed to protecting customer privacy, and had begun to address security issues before the commission's inquiry.
"While we disagree with the FTC’s allegations and deny violating the law, this settlement resolves this matter so we can focus on innovating on behalf of our customers," the company said.
This story has been updated with a statement from Ring.