Every single Amazon Ring employee could access every single customer video, even when it was not necessary for their job.
Not only that, but employees—along with workers from a third-party contractor in Ukraine—could also download any of those videos and then save and share them as they wished, prior to July 2017.
One Ring employee viewed thousands of videos from at least 81 different female users.
The employee allegedly went looking for camera footage that suggested they might have been used in the most private areas, such as “Master Bedroom,” “Master Bathroom,” and “Spy Cam.”
Between June and August 2017, the employee watched videos for at least an hour a day on hundreds of occasions. Another employee noticed and reported it to their supervisor, who allegedly said it was “normal” for an engineer to view so many accounts.
Ring restricted its employees’ access rights in September 2017, so that customers had to consent for customer service agents to access their videos.
However, it continued to allow hundreds of other employees and third-party contractors to access all video data, regardless of whether they actually needed it to perform their jobs.
Customers had no idea that their videos could be accessed by so many employees.
The FTC states that prior to December 2017, Ring’s terms of service and privacy policy did not state that Ring employees and contractors would have the right to review all video recordings to improve and develop the product:
Amid lengthy terms dense with legal jargon, Ring merely described the company’s right to use recordings obtained in connection with Ring’s cloud service (then called Doorbot) for product improvement and development.
The company also failed to implement basic security measures to protect users from threats such as credential stuffing and brute-force attacks, despite warnings from employees and external security researchers, nor did it implement multi-factor authentication (MFA) until May 2019, long after many competitors had done so.
In addition, they had several security incidents. Between January 2019 and March 2020, the FTC alleges that more than 55,000 customers had their Ring devices compromised.
In some cases, third parties used two-way communication to harass Ring customers:
- Several women lying in bed heard hackers curse at them.
- Several children were subjected to racial slurs.
- An elderly woman in an assisted living facility was propositioned sexually and physically threatened.
- A digital intruder told a woman through her camera that her mother had been killed, and then said, “Tonight you will die.”
- A woman was told that her location was being tracked and that her device would self-destruct at the end of a countdown. She disconnected the device before the countdown ended.
In another settlement announced the same day, Amazon agreed to pay $25 million for failing to protect children’s privacy.
Amazon retained Alexa voice and geolocation information associated with children for years while preventing parents from exercising their rights to delete their children’s data under the Children’s Online Privacy Protection Act (COPPA).
Children’s speech patterns could have been especially valuable to Amazon, as they differ from those of adults:
“Children’s speech patterns are notably different from adults’, so Alexa voice recordings provided Amazon with a valuable dataset to train Alexa’s algorithm and further Amazon’s commercial interest in developing new products.”
Amazon is the market leader 
@trust_level_1 did you know you can be anonymous on Criptonautas?
