Another Class Action Takes Aim at ‘Egregious’ Ring Privacy Failures, Unauthorized Data Sharing

A proposed class action aims to hold Ring, LLC responsible for what one consumer alleges to be the company’s “egregious” failure to safeguard the privacy of its motion-activated cameras and the personally identifiable information of its customers.

The 22-page complaint alleges that despite Ring’s promise to provide “peace of mind” and put “security first,” its devices are plagued by cyber-security vulnerabilities that make easy work for unauthorized parties looking to access the most private and intimate aspects of customers’ lives, allegedly as a result of the defendant’s negligent failure to address security issues brought to light in prior breaches.

“Instead of helping families protect their homes, Ring’s devices—which were plagued with cyber-security vulnerabilities—have provided hackers with a wide-open back door to enter the very homes the devices were supposed to protect,” the case, filed in California federal court, summarizes. “These simple vulnerabilities permit vicious criminals to hack into Ring devices and potentially their home networks.”

Moreover, Ring has actively shared users’ sensitive personal identifying information with third parties without first obtaining authorization or consent to do so, the lawsuit claims. With customers’ data, the complaint says, third parties are able to build “comprehensive and unique digital fingerprints” as a means of both tracking consumer behavior and engaging in surveillance of a customer’s own home.

As a result of the Ring cameras’ security vulnerabilities, the plaintiff and other proposed class members face a “high risk of injury,” according to the suit, which further admonishes Ring for continuing to sell devices that are not secure and “prone to hacking.”

The lawsuit looks for the court to order Ring to “take all necessary measures to secure the privacy of user accounts and devices,” stop sharing users’ personal data without first obtaining clear and informed consent, and compensate proposed class members for “the damage Ring’s acts, and omissions have caused.”

“Ring, a sophisticated tech company, knows what the industry-standard security practices are, but chose not to implement them,” the case reads.

On notice

The crux of the complaint is that Ring is alleged to have been on notice of the security vulnerabilities plaguing its devices since reports surfaced that several of its user accounts and devices were hacked, the suit begins.

Despite Ring’s awareness of its devices’ blatant shortcomings, the company attempted to beef up user privacy and security using updates that were both “tardy” and “insufficient,” according to the complaint. In fact, the suit alleges still no proof exists that Ring has addressed “gaping security holes” that are ripe for “brute force attacks and credential stuffing” and that allow for repeated failed login attempts. In the same vein, Ring has also failed to conduct basic IP detection to warn a customer in the event someone is attempting to log into their account from more than one geographic location at the same time or require customers to use stronger passwords and to stay away from those known to have been exposed in prior data breaches, the lawsuit says.

The case contends that the security risks associated with Ring devices ultimately “take away any benefits” of owning one or signing up for the company’s services.

Alleged data sharing

Beyond the Ring devices’ alleged security vulnerabilities, the defendant has also violated users’ privacy by sharing their personally identifiable information with third parties without authorization or consent to do so, the suit claims. The lawsuit cites an investigation conducted by the non-profit Electronic Frontier Foundation that found the Ring app utilizes multiple third-party trackers, which both share users’ data—names, IP addresses, mobile network carriers, persistent identifiers and devices’ sensor data—and increase the devices’ risk of being hacked.

The suit says that although Ring is capable of removing the personal identifiers in the data it collects before sending it to third parties, the company does not. As a result, Ring permits third parties to track users on a “granular level” from the moment the Ring app is installed and before a consumer even has the chance to view and accept the defendant’s terms and conditions.

As the lawsuit tells it, Ring’s practice of sharing such specific, identifiable user data enables companies to come incredibly close to putting a face to a consumer’s digital fingerprints:

The danger in sending even small bits of information, such as device specifications, and an advertising ID, anonymous ID, or fingerprint ID, is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user’s device (mobile phone or computer), and thus create a fingerprint that follows the user as they interact with other apps and use their device, in essence providing the ability to spy on what a user is doing in their daily lives, in their home, and precisely when they are doing it. This data detailing user behavior is linked into a profile resulting in broad yet near perfect surveillance of practically all of someone’s interests, identities, and daily routines. The information Ring’s app and website sends to third-party servers at a minimum would allow third parties to know when Ring users are at home or away.”

But for Ring’s “acts and omissions” with regard to device security, as well as its unauthorized disclosure and/or sale of users’ personally identifiable information, proposed class members would not face a significant risk of being hacked, spied on, harassed or subject to third-party intrusions for the purpose of collecting a broad swathe of trackable consumer data, the lawsuit alleges.

Who’s covered by this lawsuit?

The lawsuit looks to cover all persons nationwide who bought a Ring security device of any kind from Ring LLC and/or created a Ring account during the applicable limitations period.

How do I join this class action?

There’s generally nothing you need to do to join or be considered part of a class action lawsuit. Class actions usually take a good deal of time to work their way through the court system, usually toward a settlement, dismissal or, in certain cases, binding arbitration. With that said, it might be a while before the time comes for people who may be considered part of a lawsuit’s “class” to file claims for whatever compensation the court finds appropriate.

Put simply, it’s only if and when a case settles that consumers need to take action. If you believe you’ve been affected by a company’s alleged conduct, you can always reach out to a class action attorney in your area, as many offer free consultations.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.