Every single Amazon Ring employee was able to access every single customer video, even when it wasn't necessary for their jobs.
Not only that, but the employees—along with workers from a third-party contractor in Ukraine—could also download any of those videos and then save and share them as they liked, before July 2017.
That's what the FTC has alleged in a recent complaint, for which Amazon is facing a settlement of $5.8 million.
And, unsurprisingly, some employees abused that access right.
In one example, the FTC says a Ring employee viewed thousands of videos from at least 81 different female users. The employee allegedly went looking for camera feeds that suggested they may have been used in the most private of areas, such as "Master Bedroom," "Master Bathroom," and "Spy cam".
Between June and August 2017, the employee looked through the videos for at least an hour a day on hundreds of occasions. Another employee noticed and reported it to their supervisor who allegedly told them that it was "normal" for an engineer to view so many accounts.
From the FTC complaint:
"Only after the supervisor noticed that the male employee was only viewing videos of “pretty girls” did the supervisor escalate the report of misconduct. Only at that point did Ring review a portion of the employee’s activity and, ultimately, terminate his employment."
As a result of that incident, Ring narrowed its employees' access rights in September 2017, so that customers had to consent to customer service agents accessing their videos. However, Ring continued to allow hundreds of other employees and third-party contractors access to all video data, regardless of whether they actually needed it in order to perform their jobs.
So, then, more abuse of that access occurred. In January 2018, a male employee used his access rights to spy on a female colleague's videos, looking her up using her email address.
In February 2018, employee access rights were narrowed further, with engineers (both employees and third-party contractors) only given access to customer videos if there was a business need. Videos used for research and development were limited to those posted by customers to Ring’s Neighbors app, and those for which employees, contractors, and their friends and family had given their written consent for such use.
In Februrary 2019, Ring changed its access practices again so that most Ring employees or contractors could only access a customer’s private video with that customer’s consent.
The FTC lists several further examples of access abuse and spying. According to the complaint, Ring actually has no idea how much inappropriate access went on, because there were no detection measures in place:
"Importantly, because Ring failed to implement basic measures to monitor and detect inappropriate access before February 2019, Ring has no idea how many instances of inappropriate access to customers’ sensitive video data actually occurred.”
Bad apples aside, before May 2018 Ring also wasn't conducting any employee training on privacy or data security, despite the fact that the company was collecting huge amounts of highly sensitive data. Nor did it advise employees or third-party contractors that customer video data was sensitive and should be treated as such.
Customers had no idea their video was able to be accessed by so many employees. The FTC says that before December 2017, Ring’s Terms of Service and Privacy Policy didn't say Ring employees and contractors would have the right to review all video recordings for product improvement and development:
In the middle of lengthy terms dense with legalese, Ring merely described the company’s right to use recordings obtained in connection with Ring’s (then called Doorbot’s) cloud service for product improvement and development.
The FTC says Ring also failed to implement basic security measures to protect users from threats such as credential stuffing and brute force attacks, despite warnings from employees and external security researchers, nor did it implement multi-factor authentication (MFA) until May 2019, long after many competitors had done so.
As a result of these bad practices, Ring suffered several security incidents. Between January 2019 and March 2020, the FTC alleges that more than 55,000 customers had their Ring devices compromised. In some instances cybercriminals used the two-way communication to terrorise Ring customers, like something from a horror movie:
- Several women lying in bed heard hackers curse at them
- Several children had racist slurs thrown at them
- An elderly woman in an assisted living facility was sexually propositioned and physically threatened
- A digital intruder told a woman through her camera that they had killed her mother, and then said: "Tonight you die"
- A woman was told her location was being tracked and that her device would self-destruct at the end of a countdown. She disconnected the device before the countdown ended.
Aside from the fine, Ring has been ordered to delete any customer videos and data collected from an individual’s face—known as “face embeddings”—that Ring obtained before 2018. Ring must also delete any work products it derived from the videos.
Children's privacy
In a separate settlement announced the same day, Amazon agreed to pay $25 million for failing to protect children's privacy.
The Department of Justice filed the complaint and proposed settlement on behalf of the FTC. The complaint alleged that Amazon kept Alexa voice and geolocation information associated with young users for years while preventing parents from using their rights to delete their kids’ data under the Children's Online Privacy Protection Act (COPPA) rule.
The FTC said in a post that kids’ speech patterns could have been especially valuable to Amazon since they differ from those of adults:
"Children’s speech patterns are markedly different from adults, so Alexa’s voice recordings gave Amazon a valuable data set for training the Alexa algorithm and further Amazon’s commercial interest in developing new products."
Alongside the $25 million settlement, Amazon will be banned from using children's voice information and geolocation data for creating or improving a data product. It must also delete inactive child accounts on Alexa, and notify users about the government action against the company and of its retention and deletion practices.
Additionally, Amazon will have to implement a privacy program to govern its use of geolocation information.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.