FTC Rings Up Privacy Charges Against Ring, Alexa

A doorbell that lets hackers look into your house? FTC proposes $5 million penalty.

Amazon's Ring doorbells are quite popular with consumers who think that having a photo of the doorbell pirates that infest some neighborhoods will somehow be helpful to them.

The device, based on Amazon's gossipy Alexa cybertroll, basically works like an old-fashioned peephole – it lets you see who's at the door without opening it. You can also use it like an intercom, telling solicitors to get lost without confronting them personally.

This supposedly miraculous device works, as you might suspect, via your home's wi-fi, i.e., the internet. And therein lies the rub – what Alexa sees and hears through your Ring may be seen and heard by others.

What happens on the Ring doesn't stay on the Ring, you might say.

This is not really surprising, given the amazing amount of leakage that goes on in the cyberworld, but it has nevertheless drawn the attention of the Federal Trade Commission (FTC).

Violated privacy rights

The federal agency is alleging that Ring violated its customers' privacy rights by allowing any employee or contractor to access consumers’ private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers’ accounts, cameras, and videos.

The FTC is proposing that Ring pay $5.8 million, which will be used for consumer refunds, and improve its overall security.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

In one instance cited by the FTC, an employee over several months viewed thousands of video recordings belonging to female users of Ring cameras that surveilled intimate spaces in their homes such as their bathrooms or bedrooms.

According to the complaint, Ring also failed to implement standard security measures to protect consumers’ information from two well-known online threats — “credential stuffing” and “brute force” attacks — despite warnings from employees, outside security researchers and media reports.

Credential stuffing involves the use of credentials, such as usernames and passwords, obtained from a consumer’s breached account to gain access to a consumer’s other accounts. In a brute force attack, a bad actor uses an automated process of password guessing.

Improvements demanded

Under a proposed order, which must be approved by a federal court before it can go into effect, Ring will be required to delete data products such as data, models, and algorithms derived from videos it unlawfully reviewed, according to a news release.

It also will be required to implement a privacy and security program with novel safeguards on human review of videos as well as other stringent security controls, such as multi-factor authentication for both employee and customer accounts.

Amazon promotes Ring as offering improved home security through its doorbell and cameras, which can be placed throughout the home.

Ring touts the ability of purchasers to “See your home. Away from home” alongside a picture of a Ring camera monitoring a child’s bedroom.

Of course, Ring also allows hackers and Amazon employees to see your home, which is the crux of the complaint.

Unmentioned is the somewhat illusory nature of the security the Ring system provides. It doesn't really do anything if it "sees" someone rifling through your ammunition locker, as a true full-featured home security system might.

Likewise, a blurred video of someone stealing an Amazon package from your porch is not really of much interest to the police, who probably wish people would stop bothering them with their little three-second videos.