Amazon has agreed to pay $5.8 million in a settlement after the Federal Trade Commission found that it illegally spied on its customers and failed to stop hackers from taking control of users' Ring cameras.
The FTC's investigation concluded that Ring, which was acquired by Amazon in 2018, "violated customer privacy by allowing any employee or contractor to access consumers' private videos and failing to enforce basic privacy protections and security".
Ring's violation of user privacy occurred on multiple fronts. Ring buried this information in its terms of service and privacy policy, so Ring users were likely unaware that the company was using their videos for product enhancement and development. In other words, customer videos were not only used to train algorithms, but were also viewed by Ring employees and contractors.
The FTC found that a Ring employee had viewed thousands of videos of female customers in their bedrooms and bathrooms over several months. The employee was only stopped when other employees discovered what he was doing. Ring did not monitor employees' access to the videos, and therefore could not determine whether other employees were violating users' privacy in the same way.
Further privacy breaches occurred due to a lack of security: the FTC found that hackers used a combination of credential stuffing and brute force attacks to gain access to customer accounts. Essentially, the hackers took credentials leaked in other security breaches and used automated password guessing to discover the passwords of Ring accounts. Ring didn't implement multi-factor authentication until 2019, and even then, "the sloppy implementation of additional security measures hampered its effectiveness".
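The two attack patterns described above leave different traces in authentication logs, and that difference is what a defender would alert on. The following is an added illustration, not code from the article or from Ring: a small classifier run over constructed sample login events, with the log layout, thresholds and field names all assumed.

```python
"""Added illustration (not from the article): flag login patterns resembling
credential stuffing and brute force, over constructed sample auth events.
The event layout and thresholds are assumptions."""
from collections import defaultdict

# Constructed sample events: (source_ip, username, login_succeeded)
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", False),
    ("203.0.113.7", "bob", False),
    ("203.0.113.7", "carol", True),
    ("203.0.113.7", "dave", False),
    ("203.0.113.7", "erin", False),
    ("198.51.100.2", "frank", False),
    ("198.51.100.2", "frank", False),
    ("198.51.100.2", "frank", False),
    ("198.51.100.2", "frank", False),
    ("198.51.100.2", "frank", False),
    ("198.51.100.2", "frank", True),
    ("192.0.2.9", "grace", True),
]


def classify_sources(events, stuffing_min_users=5, brute_min_attempts=5):
    """Return {source_ip: label}, label in {'credential_stuffing', 'brute_force', 'normal'}.

    Credential stuffing: one source replays leaked username/password pairs,
    so it touches many distinct accounts with one or two tries each.
    Brute force: one source hammers the same account with many guesses.
    """
    users_per_ip = defaultdict(set)
    attempts = defaultdict(int)  # (ip, user) -> number of login attempts
    for ip, user, _ok in events:
        users_per_ip[ip].add(user)
        attempts[(ip, user)] += 1

    labels = {}
    for ip, users in users_per_ip.items():
        max_per_user = max(attempts[(ip, u)] for u in users)
        if len(users) >= stuffing_min_users and max_per_user <= 2:
            labels[ip] = "credential_stuffing"
        elif max_per_user >= brute_min_attempts:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "normal"
    return labels


def compromised_accounts(events, labels):
    """Accounts a flagged source logged into successfully: candidates for a
    forced password reset, session revocation and MFA enrolment."""
    return sorted({u for ip, u, ok in events if ok and labels.get(ip) != "normal"})
```

Sources flagged as stuffing are the ones to watch even when most attempts fail, since a handful of successes against reused passwords is exactly how the accounts in the FTC's findings were taken over.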
In total, about 55,000 Ring customers in the US had their accounts and video feeds compromised by hackers. In some cases, the "bad actors" harassed, threatened, and insulted customers, including children and the elderly; the FTC stated that "the hackers racially taunted many children, made sexual advances to individuals, and threatened physical harm to families" if no ransom was paid.
Amazon has now imposed a privacy and security program on Ring, which requires the company to delete all customer data acquired before 2018, along with any models and algorithms derived from videos it collected in an infringing way. The FTC is also calling for "new safeguards for human review of videos" going forward, as well as multi-factor authentication on both customer and employee accounts. The $5.8 million paid by Amazon will be used to refund customers.