ADT Tech Spied On Women For Four Years Before Getting Caught By Accident
from the what's-the-opposite-of-security dept
Another day, another example of why we might want to actually pass at least a basic privacy law for the internet era. The latest problem bubbled up over at home security vendor ADT, after a technician was caught using home security cameras to spy on people for years. More specifically, the tech accessed customer video cameras in 200 homes some 9,600+ times over a period of four years. His preferred targets were attractive women he spied on while they were having sex, bathing, or getting dressed. This was, as US Attorney Prerak Shah was quick to note, a grotesque abuse of trust:
"This defendant, entrusted with safeguarding customers’ homes, instead intruded on their most intimate moments,” said Acting U.S. Attorney Prerak Shah. “We are glad to hold him accountable for this disgusting betrayal of trust."
The tech simply added his email address to the authorization list for the company's ADT Pulse accounts, which lets home security customers access cameras when not at home. ADT's now facing three different lawsuits for failing to "implement adequate procedures that would prevent non-household members from adding non-household email addresses." Aka, they didn't engage in some basic due diligence to ensure that employees couldn't abuse the system. The federal charges were brought some five months after the first lawsuit was filed.
One of the interesting bits is that he appeared to have only been caught by accident, and could easily still be engaging in the same behavior today if not for one attentive subscriber:
"The lawsuit also claims the flagrant security breach was discovered not by the company, but 'by luck and happenstance.' A customer, reporting a technical issue, inadvertently revealed the unwanted third-party access," the lawsuit claims. "But for that event, ADT would be unaware of this invasive conduct."
So no basic security measures to prevent employees from abusing their authority. No system to notify users when somebody new was added to the email access list for video cameras they provide. ADT didn't even know this was going on -- and if not for a customer being attentive it probably still would be. And this is a security company! It's notably worse for the parade of "internet of thing" companies that decided we needed to hook every home device up to the internet with zero willingness to embrace or fund basic privacy and security standards.
In ADT's case, the company is busy trying to dodge responsibility by throwing complaining customers into binding arbitration, a lopsided process that pretends to be better than traditional class actions, but usually winds up with the companies in question getting little more than a wrist slap. When you know that repeated privacy and security violations can be brushed aside with a modicum of billable legal hours, you're not inclined to try very hard. It's far easier, and less expensive, to half-ass it, then have your lawyers water down already flimsy after-the-fact penalties.
It's why properly staffing and funding our privacy regulators, and having a basic privacy law where the expectations are clear and the penalties are notable (and consistently enforced) seems like a no brainer. Though it's still amazingly not clear how many national privacy scandals are necessary before we finally figure out that our existing "solution" of apathy, wrist slaps, binding arbitration, and intentional policy gridlock aren't working very well.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: doj, iot, privacy, security, surveillance
Companies: adt
Reader Comments
Subscribe: RSS
View by: Time | Thread
and?
Who here trusts ANY human not to be human?(just another idiot)
[ link to this | view in thread ]
ADT attempted to sell me their services when I moved in to my current home. After their scare sell presentation, I asked them, "What do you offer that I can't do myself with some WiFi cameras, door and window sensors and a cell phone?"
The answer boiled down to "charge you money to watch your home". I asked them: no matter whether you're bonded or not: why would I want to pay your employees to spy on my home, when I can watch it perfectly well myself without any of the privacy risks?
The guy didn't have an answer and walked away. That was it until the next week, when the NEXT guy from ADT showed up at the door (which now had a "no soliciting" note on it)... After the same conversation, his supervisor got a phone call.
[ link to this | view in thread ]
Note: This comment is a bit of a derail, the whole train should not follow.
Yeah, first place i want a security cam is in my bathroom.
[ link to this | view in thread ]
I don't think "a basic privacy law" is going to help here...
I'm pretty sure the tech has been fired, and is likely being sued.
And what he did is probably already illegal.
Simply passing a law doesn't make the prohibited behavior disappear.
See how well the War on Drugs is working? The streets of America have been drug-free since the Nixon administration!
I remember Al Gore trying to settle concerns about abuse of the Clipper chip by promising to make such abuse...illegal.
Come on, Karl. You're old enough to know better.
[ link to this | view in thread ]
Re: I don't think "a basic privacy law" is going to he
He's talking about regulations on companies, such as those requiring basic due diligence which could have prevented this in the first place.
Beyond that, your extremely shallow "why even have laws!?" argument is nonsense.
[ link to this | view in thread ]
Better to roll your own, if you can
I would be willing to bet there are a large number of "peeping Tom's" working for companies like ADT that have access to video cameras in people's homes.
[ link to this | view in thread ]
Re: I don't think "a basic privacy law" is going to help here...
The issue here is establishing clear regulatory standards, and holding companies responsible when they violate them.
This reasoning is absurd. Carried to its logical conclusion, it would mean there's no point in having laws against anything. Why have laws against murder? People still commit murder.
I was going to list out a few of the many ways in which your comparison is bad, but you know what? Nah. It's your comparison; it's not my job to tell you why it's bad, it's your job to explain why it's not.
So, to that end: in what way are privacy laws analogous to the War on Drugs? Besides that both things are laws?
This analogy is less stupid; the Clipper chip has a lot more overlap with the ADT scandal we're talking about in that it was a supposed security device that could be backdoored by malicious actors.
That said, there are important differences here. For one, Clipper was rooted in US law enforcement and the surrounding surveillance state, which is fundamentally a different target than a private security firm with employees watching people's cameras for voyeuristic reasons.
Second, the vulnerabilities in the Clipper chip were inherent to the concept of key escrow, whereas the vulnerabilities in the ADT system are inherent to SaaS. If you're running software on somebody else's computer, there's no way to prevent its owner from gaining access to whatever it is you're doing with it. There's no technical solution to this problem, except "don't use SaaS", which is not a tenable solution for most people.
If we allow that some people are, inevitably, going to use SaaS, the only solution is to set and enforce security policies for companies that offer it. (In this instance, the breach could have been trivially found by simply doing DB audits and looking for instances where the same e-mail address was tied to multiple accounts.)
You are correct that passing a law is no guarantee that people will follow it. (Again, this is true of literally every law.) But laws don't exist to completely eliminate bad behavior; they exist to disincentivize it and make it less likely to occur.
Leaving security and privacy up to the free market is clearly not working.
[ link to this | view in thread ]
Re: Re: I don't think "a basic privacy law" is going to help her
THIS is the key. If the US had a GDPR equivalent, ADT would have just earned themselves a 15% of annual revenue fine. This would ensure they updated their policies so that this never happened again, because it would cost them more for this to happen once than for them to put proper privacy policies in place and enforce them.
With the current US privacy laws (including California), if you break them, you get to apologize and make a nominal political contribution and go back to doing (profitable) business as usual.
[ link to this | view in thread ]
Re: Re: Re: I don't think "a basic privacy law" is going to help
To quote the Spartans: "If"
If such a law and the associated regulations were on the books.
If such a regulatory agency was properly funded, staffed, and free from political influence to monitor and enforce said regulations.
As longtime readers of TechDirt can tell you, this here's 'Murica, we don't do things like that around here.
[ link to this | view in thread ]
Re: Better to roll your own, if you can
"If you can" is a pretty significant "if".
I've got the knowhow to set up my own security system, and I'm guessing a lot of Techdirt readers can say the same. But what percentage of the population do you suppose we represent?
[ link to this | view in thread ]
Re: Better to roll your own, if you can
In the case of setting up internet-accessible cameras that can see you bathing and having sex, I'd say it's better to not roll your own. Either don't do it, or outsource it to a company that will pay you when people watch those videos.
[ link to this | view in thread ]
I already new this was going on...They all do it...They should be fired and never to be hired again for any security job...and they should be labeled as a sexual predator...
[ link to this | view in thread ]