ADT Tech Spied On Women For Four Years Before Getting Caught By Accident
from the what's-the-opposite-of-security dept
Another day, another example of why we might want to actually pass at least a basic privacy law for the internet era. The latest problem bubbled up over at home security vendor ADT, after a technician was caught using home security cameras to spy on people for years. More specifically, the tech accessed customer video cameras in 200 homes some 9,600+ times over a period of four years. His preferred targets were attractive women he spied on while they were having sex, bathing, or getting dressed. This was, as US Attorney Prerak Shah was quick to note, a grotesque abuse of trust:
"This defendant, entrusted with safeguarding customers' homes, instead intruded on their most intimate moments," said Acting U.S. Attorney Prerak Shah. "We are glad to hold him accountable for this disgusting betrayal of trust."
The tech simply added his email address to the authorization list for the company's ADT Pulse accounts, which lets home security customers access cameras when not at home. ADT's now facing three different lawsuits for failing to "implement adequate procedures that would prevent non-household members from adding non-household email addresses." Aka, they didn't engage in some basic due diligence to ensure that employees couldn't abuse the system. The federal charges were brought some five months after the first lawsuit was filed.
One of the interesting bits is that he appeared to have only been caught by accident, and could easily still be engaging in the same behavior today if not for one attentive subscriber:
"The lawsuit also claims the flagrant security breach was discovered not by the company, but 'by luck and happenstance.' A customer, reporting a technical issue, inadvertently revealed the unwanted third-party access," the lawsuit claims. "But for that event, ADT would be unaware of this invasive conduct."
So no basic security measures to prevent employees from abusing their authority. No system to notify users when somebody new was added to the email access list for video cameras they provide. ADT didn't even know this was going on -- and if not for a customer being attentive it probably still would be. And this is a security company! It's notably worse for the parade of "internet of things" companies that decided we needed to hook every home device up to the internet with zero willingness to embrace or fund basic privacy and security standards.
In ADT's case, the company is busy trying to dodge responsibility by throwing complaining customers into binding arbitration, a lopsided process that pretends to be better than traditional class actions, but usually winds up with the companies in question getting little more than a wrist slap. When you know that repeated privacy and security violations can be brushed aside with a modicum of billable legal hours, you're not inclined to try very hard. It's far easier, and less expensive, to half-ass it, then have your lawyers water down already flimsy after-the-fact penalties.
It's why properly staffing and funding our privacy regulators, and having a basic privacy law where the expectations are clear and the penalties are notable (and consistently enforced), seems like a no-brainer. Though it's still amazingly not clear how many national privacy scandals are necessary before we finally figure out that our existing "solution" of apathy, wrist slaps, binding arbitration, and intentional policy gridlock isn't working very well.