In the second of two Amazon settlements with the Federal Trade Commission over alleged privacy violations announced this week, Amazon’s surveillance device division, Ring, has agreed to pay $5.8 million for allowing its employees and contractors to have nearly unrestricted access to customers’ Ring-recorded video for years — allowing recordings in users’ bathrooms and bedrooms, among other surreptitious activities.
Separately, Amazon agreed to pay $25 million to settle FTC charges that it violated children's privacy laws by indefinitely retaining their voice recordings and geolocation data.
The FTC accused Ring of “dangerously overbroad access and lax attitude toward privacy and security” that resulted in allowing employees and contractors to view, download and transfer sensitive customer video data at will. Ring gave every employee, and hundreds of Ukraine-based third-party contractors, “full access to every customer video, regardless of whether the employee or contractor actually needed that access to perform his or her job function,” according to the complaint.
For several months in 2017, one then-employee of Ring’s doorbell camera unit viewed videos made by at least 81 female users with cameras in bedrooms and bathrooms, the FTC reported. Other violations included an employee providing a customer’s video information to her ex-husband without permission, and an employee giving Ring devices to people and then surreptitiously watching their videos.
Ring plans to send affected customers a notification, which includes a statement that the people involved in such privacy violations are no longer employed by Ring, according to TechCrunch.
The FTC complaint also accuses Ring of failing to take adequate measures to prevent accounts from being hacked. That included failing to respond to complaints that hackers were using credentials stolen in data breaches at other sites to break into Ring accounts that reused the same passwords, and allowing Ring users to set easily guessable passwords.
The accounts of more than 55,000 U.S. customers were compromised between January 2019 and March 2020, and in more than a dozen cases, hackers maintained access to hacked accounts for more than a month. Ring later established two-factor authentication and gave users the ability to encrypt the video from their doorbells, making it unviewable by Ring, as well as all third parties.
Along with the fine, Ring agreed to establish a data security program that will be assessed regularly for the next 20 years, and disclose to customers how much access its employees and contractors have to customer data.