FTC fines Ring $5.8 million for employees' illegal surveillance of customers' private videos

Importance: 8/10 | Status: confirmed

The Federal Trade Commission announced a $5.8 million settlement with Ring after finding the company compromised customers’ privacy by allowing employees and contractors to access private videos and by failing to implement basic security protections, a failure that enabled hackers to take control of users’ accounts and cameras. The FTC charged that Ring’s privacy violations occurred between 2017 and 2020, during a period when the company was rapidly expanding its police partnerships and surveillance network.

Unrestricted Employee Access

The FTC investigation found that Ring gave every employee and hundreds of Ukraine-based third-party contractors full access to every customer video, regardless of whether such access was necessary for their job functions. Staff could “readily download any customer’s videos and then view, share, or disclose those videos at will.” In at least two documented cases, Ring employees improperly accessed private videos of women, including recordings from intimate spaces like bathrooms and bedrooms. In one particularly egregious case, an employee conducted unauthorized surveillance over several months, viewing thousands of video recordings of female users, and was only stopped when another employee discovered the misconduct.

Inadequate Monitoring and Security Failures

Even after Ring imposed restrictions on video access, the company failed to implement basic measures to monitor and detect employee video viewing, making it impossible to determine how many other employees inappropriately accessed customer videos. The FTC also found Ring failed to adequately protect against credential stuffing attacks, allowing weak passwords like “password” and “12345678” that contributed to over 55,000 account compromises between January 2019 and March 2020.

Settlement Requirements and Data Deletion

Under the FTC order, Ring must delete data products including models and algorithms derived from videos it unlawfully reviewed, implement a comprehensive privacy and security program with novel safeguards on human review of videos, and mandate multi-factor authentication for both employee and customer accounts. Ring must also delete customer videos and face embeddings obtained prior to 2018, along with any derivative work products. The FTC sent refunds totaling more than $5.6 million to 117,044 consumers who owned certain types of Ring devices, particularly indoor cameras most vulnerable to the privacy violations.
