Ring Should Refund Customers $5.8M After Illegal Surveillance, Hacking: FTC Complaint

Ring employees illegally surveilled customers and hackers used cameras to harass people, according to the Federal Trade Commission.

The FTC says Ring should refund customers $5.8 million. (Getty Images/iStockphoto)

SANTA MONICA, CA — Federal authorities are proposing home security company Ring issue $5.8 million in refunds after employees illegally surveilled customers and hackers used cameras to harass people, the Federal Trade Commission alleged in a complaint.

“Ring’s disregard for privacy and security exposed consumers to spying and harassment,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a news release Wednesday. “The FTC’s order makes clear that putting profit over privacy doesn’t pay.”

The commission charged the Santa Monica-based company with compromising customers’ privacy by allowing any employee or contractor to access private videos and by failing to implement basic privacy and security protections, thereby enabling hackers.

One employee over several months viewed thousands of videos belonging to female Ring users that surveilled intimate spaces in their homes such as bathrooms or bedrooms, according to the FTC complaint. The company wasn’t able to determine how many other workers inappropriately accessed private videos because Ring failed to put in place basic measures to monitor and detect employees’ video access, according to the FTC.

The FTC also said Ring failed to take any steps until January 2018 to adequately notify customers or get consent for extensive human review of private video recordings for various purposes, including training algorithms.

Despite repeatedly experiencing the online threat of credential-stuffing attacks in 2017 and 2018, Ring failed, according to the complaint, to implement common tactics — such as multifactor authentication — until 2019. Even then, Ring’s implementation of additional security measures hampered their effectiveness, according to the FTC.

As a result, hackers continued to access stored videos, live streams, and account profiles of about 55,000 U.S. customers, according to the complaint.

Bad actors not only viewed customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten and insult people — including elderly individuals and children — whose rooms were monitored by the cameras, and to change device settings, the FTC said.

Hackers taunted several children with racist slurs, sexually propositioned individuals, and threatened to harm a family if they didn’t pay a ransom, according to the FTC.

In a statement Wednesday, Ring defended its security measures, noting it became the first business of its kind to require two-step verification for customers in 2020. Ring has taken further steps such as locking accounts and requiring password resets when unauthorized access is detected, and adding CAPTCHA to its apps and websites.

The company has also put policies in place to restrict employee access to stored videos and livestreams, Ring said.

“We want our customers to know that the FTC complaint draws on matters that Ring promptly addressed on its own, well before the FTC began its inquiry; mischaracterizes our security practices; and ignores the many protections we have in place for our customers,” the statement said.

“While we disagree with the FTC’s allegations and deny violating the law, this settlement resolves this matter so we can focus on innovating on behalf of our customers.”

Under the FTC’s proposed order, which must be approved by a federal court before it can go into effect, Ring will be required to delete products such as data, models, and algorithms derived from videos it unlawfully reviewed. The company also must implement a privacy and security program with safeguards for human review of videos as well as other controls for both employee and customer accounts.

The proposed order requires Ring to pay $5.8 million, which will be used for customer refunds, according to the FTC. The company also will be required to delete customer videos and data collected from an individual’s face that it obtained before 2018 as well as any work products derived from the videos.
