A court filing submitted Wednesday by the Federal Trade Commission reveals that a former Amazon employee abused their Ring footage access to spy on users. The employee sought footage from cameras placed in bedrooms and bathrooms, impacting at least 81 female users and even fellow Ring unit employees.
The filing is part of a $5.8 million civil lawsuit alleging that Amazon (Ring’s parent company) committed privacy violations by “failing to restrict employees’ and contractors’ access to its customers’ videos.” According to the original complaint, a single employee spent several months in 2017 watching thousands of video recordings without the users’ consent. Most of these recordings occurred in “intimate spaces” in the home.
A colleague eventually took notice of the employee’s inappropriate behavior and reported it to her supervisor. The supervisor reportedly “discounted the report, telling the female employee that it is ‘normal’ for an engineer to view so many accounts.” It took the supervisor realizing that the offending employee was “only viewing videos of ‘pretty girls’” to escalate the report, which eventually resulted in the offending employee’s termination. Shortly after, Amazon realized it had no way to determine how many employees had abused private Ring footage.
The complaint also states Amazon failed to implement security measures that would have mitigated known user safety risks. Employees and third-party security researchers continuously warned of brute force and “credential stuffing” attacks that allowed bad actors to access users’ accounts, but Ring refused to act. In 2017 and 2018, Ring experienced several waves of credential-stuffing attacks. There were even multiple incidents in which hackers used Ring devices’ two-way audio capabilities to harass and threaten users, reportedly going so far as to sexually proposition users and their children. Still, it took until 2019 for Ring to introduce multi-factor authentication and other security checks.
The FTC has demanded that Ring pay a $5.8 million fine. If the US District Court for the District of Columbia approves Wednesday’s order, the money will be used to issue refunds to impacted users.
Ring has previously found itself in hot water for experimenting with facial recognition technology, handing footage to police without warrants or user consent, and sharing a hefty amount of user data with third parties—and then making a feel-good TV show out of user-submitted footage to boost its image. This pattern of concerning conduct has users and home surveillance critics worried that any sense of personal safety presented by a Ring device is outweighed by its privacy implications. Some even worry about the not-so-secret formation of a corporate-controlled surveillance state.
