FTC Issues Proposed Order Against Home Security Camera Company Ring

On May 31, 2023, the Federal Trade Commission announced a proposed order against home security camera company Ring LLC (“Ring”) for unfair and deceptive acts or practices in violation of Section 5 of the FTC Act.

According to the FTC’s complaint, Ring allegedly made false or misleading representations that it took reasonable steps to ensure that Ring home security cameras are a secure means to monitor private areas of consumers’ homes. In addition, the FTC alleged that Ring gave thousands of employees and contractors unrestricted access to video recordings of customers’ intimate spaces (e.g., bathrooms, bedrooms and children’s nurseries) without customers’ knowledge or consent. Ring’s privacy disclosures allegedly included descriptions of Ring’s use of recordings for product improvement and development, but these were “buried” in terms that were “dense with legalese” and failed to adequately obtain consumers’ consent for the “invasive review of highly sensitive” video data. Only in January 2018 did Ring allegedly take steps to obtain consumers’ consent, “limiting research and development to videos publicly posted on the Internet or for which employees, contractors, and their friends and family had given their written consent for such use on a document that clearly informed the consumer of Ring’s review of their video data.”

Ring also allegedly failed to provide reasonable security to prevent unauthorized access to the live feeds and stored videos of its cameras, which Ring offered to consumers for the purpose of monitoring and securing private areas of their homes. In particular, Ring allegedly failed to appreciate and control for credential stuffing and brute force attacks, using measures such as requiring a unique, strong complex password; notifying users of suspicious logins; monitoring and notifying users of concurrent sessions; rate limiting; comparisons to ensure that passwords device owners try to set do not reuse breached passwords; and multi-factor authentication.

The FTC’s proposed order would require Ring to (1) pay $5.8 million; (2) delete recordings that were reviewed and annotated by employees or contractors for research and development purposes, and any models or algorithms developed from such review and annotation; (3) establish and implement for 20 years a “comprehensive privacy and data security program” that includes, among other items, documented safeguards and controls, periodic monitoring and testing and contractual requirements for service providers; (4) obtain initial and biennial third party assessments of the mandated privacy and data security program; and (5) provide a certification of compliance with the order from Ring’s CEO or other principal executive officer.
