Does security Ring a bell?

Amazon’s surveillance doorbell company Ring has reached a settlement with the U.S. Federal Trade Commission which will require the company to pay $5.8 million over its inability to keep private the footage and audio collected from users’ homes. This action stems from a collection of privacy violations that occurred between 2017 and 2020.

Ring customers brought a class action lawsuit in December 2019 after dozens of people had their Ring devices accessed by malicious actors using brute force and credential stuffing attacks, “despite warnings from employees, outside security researchers and media reports” to implement standard security measures to protect customer information. The FTC alleged that in 2017, one Ring employee had, “over several months viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms.” The FTC also claimed that “Ring failed to take any steps until January 2018 to adequately notify customers or obtain their consent for extensive human review of customers’ private video recordings for various purposes, including training algorithms.”

EFF has long maintained that Ring–with its centralized control and storage of millions of cameras across the United States–is one massive privacy headache, especially since millions of private cameras store footage remotely and can be used as a tool of mass surveillance.

Now, the FTC has put some much-needed restrictions and oversight on the surveillance company. Under the settlement, “Ring will be required to delete data products such as data, models, and algorithms derived from videos it unlawfully reviewed. It also will be required to implement a privacy and security program with novel safeguards on human review of videos as well as other stringent security controls, such as multi-factor authentication for both employee and customer accounts.”

Despite this settlement, there are still many other things the company needs to do to show it is taking user privacy seriously, like ending police ability to get access to footage without a warrant or user consent, turning on end-to-end encryption by default, and ending audio collection by default.