All those hacks got Amazon’s Ring sued

Knock, knock! Who’s there? A lawsuit.

Amazon can add a new lawsuit to its ever-growing list of Ring woes.

An owner of a Ring smart video doorbell filed a class action lawsuit against the company on Thursday over allegations that the devices’ security vulnerabilities are a result of negligence and that they led to an invasion of privacy. The plaintiff, John Baker Orange, claims he installed a Ring on his garage last July — and then someone hacked it and talked to his children using its speaker.

Much of the suit seems to rest on whether or not Amazon knew its Ring devices were susceptible to hackers and that it didn’t implement security measures to protect users. The suit specifically calls out how, as Recode reported on last week, Ring should have required its users to set up two-factor authentication for their devices’ accounts. Two-factor authentication requires a user to submit a second piece of information — like a code that has been texted to their phone — in addition to their password in order to log into a device or website.

Two-factor authentication would have prevented most, if not all, of the recent Ring hacks. Once a hacker gains access to a vulnerable Ring camera (and, according to Vice, this isn’t difficult to do), they can watch victims through the camera and communicate with them over its two-way speaker. There has been a spate of these hacks recently. In Florida, a hacker shouted racial slurs at a couple in their kitchen. In Mississippi, a man spoke to an 8-year-old girl through the Ring camera in her bedroom. And in Texas, a sleeping couple awoke to a hacker threatening to “terminate” them unless they paid a 50 bitcoin ransom. All of these incidents happened in the last month.

While Amazon does suggest that Ring customers should enable two-factor authentication, a 2017 study found that the majority of people don’t even know what two-factor authentication is, let alone how to use it. (If you are one of those people, Ring has a handy guide you should read.) Orange claims he didn’t know his Ring had two-factor authentication until after he was hacked.

Orange’s suit also details the assurances Ring makes to customers, noting that the privacy policy says it takes “the privacy, security and control of [users’] devices and personal information” seriously, especially given the importance and sensitive nature of the data the device collects — that is, footage of someone’s home. This is a basic obligation, the suit says, and it alleges that Ring failed to fulfill it because it “did not offer or did not compel two-factor authentication.”

Earlier this month and in light of recent Ring hacks, several consumer and privacy advocates issued a group warning against purchasing Rings due to its security issues. The popular product review site Wirecutter suspended its recommendations of Ring’s doorbell and home security system for the same reason. Ring has also been accused of working too closely with the police, forming partnerships with hundreds of departments that gave law enforcement access to video footage (with the homeowners’ consent), as well as maps that showed the general location of Ring customers’ homes. The company’s Halloween round-up, which featured videos of children trick-or-treating, drew questions over whether or not the company had parental consent to share those videos.

No one knows where this particular lawsuit will lead. In fact, Ring’s terms of service include a class action waiver and require arbitration in its place, so the case may be dismissed before it gets very far. Still, the lawsuit is a sign that as Amazon’s Ring devices grow in popularity, scrutiny over their privacy practices (or alleged lack thereof) is likely to increase.

Open Sourced is made possible by Omidyar Network. All Open Sourced content is editorially independent and produced by our journalists.