Amazon has agreed to pay $5.8 million in a settlement after the Federal Trade Commission found it illegally spied on its customers and failed to stop hackers from taking control of users' Ring cameras.
The FTC's investigation concluded that Ring, which was acquired by Amazon in 2018, "violated customer privacy by allowing any employee or contractor to access consumers' private videos and failing to enforce basic privacy protections and security".
Ring's infringement of users' privacy occurred on multiple fronts, as Ring concealed this information in its terms of service and privacy policy, so Ring users most likely did not know that the company was using their videos for "product improvement and development". In other words, customers' videos were not only used to train algorithms, but were also viewed by Ring employees and contractors.
The FTC found that Ring employees had viewed thousands of videos of female customers in their bedrooms and bathrooms over a span of several months. The employee stopped only when other employees discovered what the employee was doing; Ring did not monitor employee access to videos and therefore could not determine whether other employees were violating users' privacy in the same way.
Further privacy breaches occurred due to a lack of security: the FTC found that hackers used a combination of credential stuffing and brute force attacks to gain access to customer accounts. Essentially, the hackers used credentials leaked in other security breaches to discover passwords for Ring accounts using an automated password estimation system. Ring didn't implement multi-factor authentication until 2019, and even then, "the sloppy implementation of additional security measures hampered its effectiveness".
In total, about 55,000 Ring customers in the US had their accounts and video views compromised by hackers. In some cases, the "bad actors" harassed, threatened, and insulted customers, including children and the elderly. The FTC stated that "the hackers racially taunted many children, made sexual advances to individuals, and threatened physical harm to families if no ransom was paid".
Amazon has now imposed a privacy and security program on Ring, requiring the company to delete all customer data (acquired before 2018), models and algorithms derived from videos it unlawfully reviewed. The FTC is also calling for "new safeguards for human review of videos" going forward, as well as multi-factor authentication on both customer and employee accounts. The $5.8 million paid by Amazon will be used to refund customers.
