Owners of Ring doorbells are set to receive a $5.6 million refund from the Federal Trade Commission after Amazon employees hacked user accounts and devices to access private video feeds.
The settlement, which is the result of a complaint lodged in May 2023 claiming that Ring's security measures were (in a word) inadequate, seeks to repair the damage done to around 117,000 customers—who'll receive the funds via PayPal.
Amazon's range of smart home products, which includes cameras, motion sensors, and assistants, rely on an internet connection to provide their owners with remote access. Unfortunately, this is exactly what was taken advantage of by Ring employees, external contractors, and bad actors leveraging brute force attacks.
Ring the alarm
I can admit that Ring cameras are useful, in theory, and give folks an easy way to check up on pets, accept deliveries, and answer the door without actually having to be at home.
Maybe that's why 1.7 billion Ring cameras were purchased worldwide in 2021—and why so many people were impacted by the hack later in 2023.
Weak (or totally non-existent) security measures gave Ring employees carte blanche to take a peek through customer's cameras, where they saw more than just doorsteps and porches. Some Ring cameras were in bathrooms, bedrooms, and living spaces, and there were even live streams of these home interiors.
To make matters worse, the snooping employees were able to save and share these camera feeds at will.
The incident was a massive invasion of privacy in the one place where people should've been able to shut their front doors and keep the world at bay…for the most part. The fact that it was Ring employees taking advantage of the remote nature of the cameras is pretty gross, too.
Bad actors found their way into the mix eventually, taking the intrusions one step further by harassing customers with sexual propositions, racial slurs, and threats of physical harm.
Bad actors not only viewed some customers’ videos but also used Ring cameras’ two-way functionality to harass, threaten, and insult consumers—including elderly individuals and children
FTC
The big question following the case is…why? Why did it happen? Why did Ring employees need unfettered access to consumer camera feeds? The company claims that the feeds are used to develop image recognition algorithms and that customers opted into the practice when they agreed to the terms and service of the product which, yikes.
There's a recurring theme that crops up time and again with AI algorithms where they're fed people's data—and all to generate profit off the back of our privacy. Image recognition data also contributes to the ever-present issue of discrimination within algorithms themselves, according to the US Federal government. The recognition algorithms can pick out white men, no problem, but have more trouble with people of color, women, the elderly, and children, and have subsequently led to wrongful convictions.
If the idea of footage taken from your home contributing to such a dodgy, unreliable practice makes you feel uneasy—you're not alone. However, if you're at a loss about what to actually do about the invasion of privacy, you're also not alone.
Why do we have such a lax attitude to Internet of Things risks?
You'd be surprised how often the topic of Internet of Things gadgets (like smart speakers and digital assistants) comes up in my day-to-day life—and how often I hear: "Well, I don't do anything illegal so I don't have anything to be worried about" when I warn folks about the inherent risks they post to our homes.
It's a fair argument, but the issue isn't that these devices will catch us getting up to no good, it's that they’re whittling away our privacy while, supposedly, introducing more convenience into our lives. The devices we put in our homes have the potential to handle our data in unlawful or otherwise unethical ways, without us knowing, even if we consent to using the product.
Or even if we haven't. There's another side to the Ring doorbell story, told by neighbors and passers-by who didn't agree to have their movements captured and commodified by the gadgets. Each new Ring doorbell added to a street tips a subtle balance, turning residential areas into mini surveillance states, and the fact that Ring made it incredibly easy for users to file police reports only sped up the process.
Ring was adamant that this was what customers wanted, of course, despite the fact that there's no research to back up the company's claim that recorded camera footage does anything to keep neighborhoods safer.
In fact, recorded camera footage could do more to harm the places we live in than help them. Let's rewind a bit—Ring automatically enrolls users into the Neighbors apps, which is kind of like a neighborhood social media platform. You can check out activity feeds from the people nearby, post alerts, updates, and appeals, and see how many police calls were made in the past week.
The Neighbors app is also how folks send footage from their Ring cameras to the police—totally negating the need for them to obtain a warrant to view civilian content.
The feature drew concern and criticism from a number of media outlets, as it was feared that it'd lead to a rise in racial profiling, with users able to send police alerts based on a person’s ethnicity, religion, or gender with a tap.
Luckily, Ring did take action to address the issue, adjusting the app so that customers can now only report facts, not suppositions. The police can't contact ring users directly via the app, either, but can post requests for assistance.
These issues aren’t isolated to Ring cameras, or smart doorbells in general, either, but affect a variety of IoT gadgets. Plenty have been caught in the act, siphoning user data in order to turn a profit, including:
- Amazon Alexa: In May 2023, Amazon agreed to cough up $25 million to settle FTC claims that it had violated the Children's Online Privacy Protection Act Rule (COPPA Rule) and misled parents about how their Alexa voice assistants handled their data. Amazon held onto voice and geolocation information for years, putting it at risk of unlawful access, despite reassuring parents that the data could be erased at any time, all to improve the Alexa algorithm.
- Hello Barbie and Planet VTech: IoT children's toys come with their own connected apps, these days, and the Hello Barbie and Planet VTech iterations were riddled with vulnerabilities that leaked the information of millions of underage users. The apps' login process lacked encryption, which unveiled user login details, and were "protected" by flimsy privacy policies that didn’t comply with the US COPPA.
- Tapo L530 smart bulb: That's right, your lightbulbs can act as an entryway into your IoT network for savvy cybercriminals. A study revealed that the products lacked strong authentication, allowing bad actors to impersonate the bulb, extract network information, and modify passwords in order to connect to other IoT gadgets. Luckily, Tapo has since released a patch to resolve the issue.
Is there a way to secure my IoT devices?
Okay, so, honestly, it shouldn't be down to you and me to go the extra mile to secure the IoT gadgets we bring into our homes—they should already be secure, and the companies manufacturing them should adhere to watertight privacy policies. The FTC does what it can to enforce this credo, with provisions requiring companies to be more transparent about how they handle user data.
The Ring doorbell settlement contains a few common FTC provisions, too. Ring can no longer mislead its consumers about the extent to which "the company or its contractors" can check out user videos, payment details, and login credentials. Amazon must also delete all of the video content it used for training algorithms and models.
The cherry on top, however, is that Ring has to limit the "human review" of customer video feeds to the most specific of circumstances—which basically boils down to complying with the law—and implement multi-factor authentication and encryption.
That's great, but you might still wonder if there's anything you can do yourself to shore up your home's digital security and your family's privacy.
First and foremost, be wary. I'm not advocating for paranoia, but when it comes to IoT gadgets, it's important to remember that any device that can connect to the internet is vulnerable to unauthorized intrusion. With that in mind, here are a few simple things you can do to firm up your peace of mind:
- Keep your login details fresh: Okay, who's guilty of using the same password for a bunch of accounts? It's convenient, sure, but if a cybercriminal hacks one website, you've basically given them the keys to every website you've used the same password for. Use strong passwords that contain symbols, numbers, and non-dictionary terms, as well as 2FA wherever it's available.
- Update your software on the regular: It's easy to keep putting off updates, especially if it's estimated that they're going to take a while, but they can contain important firmware updates designed to fix vulnerabilities. Without them, you're putting your device (and data) at risk.
- Invest in a VPN: VPNs aren't a security silver bullet, but installing one of the best VPNs on your router will help protect all of the devices on your Wi-Fi network. Your gadgets will benefit from the VPN's solid encryption, making it much harder for hackers to get a foothold in your IoT network.
