The people who were never supposed to be there: Organizational and design failures in data privacy and security

by Maryam “Shabnam” FakhrHosseini

Most smart home technologies are designed to fade into the background of the home. They quietly monitor, assist, and perform their intended functions. Yet what they do in the background can, at times, extend well beyond what was promised. My team in the MIT AgeLab is working on identifying failures in those promises by examining court cases and significant legal and regulatory disputes involving smart home companies and their customers. Our analysis focuses on how shortcomings in technology design and system integration give rise to failures in data privacy and data security.

For this study, we employ a post-incident analysis approach, examining legal cases that have gone to trial or resulted in formal decisions. This approach allows us to investigate real-world failures, understand how privacy and security issues manifest in practice, and assess the extent to which existing laws and enforcement mechanisms have addressed (or failed to address) these issues.

The analytic objective was to identify incidents in which user harms emerged primarily from governance and organizational breakdowns: privacy violations, surveillance misuse, data breaches, insecure defaults, opaque data-sharing, and manipulative or unfair data practices. In upcoming blog posts, we will present additional cases, examine distinct categories of failure, and outline corresponding design recommendations.

In this blog, we present two of the real-world cases that we have analyzed as examples in which the promises collapsed.

Case 1

Ring LLC, an Amazon-owned company, manufactures and sells smart-home products like video doorbells and security cameras. On May 31, 2023, the Federal Trade Commission filed a complaint alleging that Ring allowed thousands of employees and contractors to improperly access customer video footage, and that many preventable hacking incidents occurred.

The Ring products at the center of the FTC investigation were the internet-connected, video-enabled cameras and doorbells that the company sold generally. The initial complaint also named two specific models, the Stick Up Cam (2016 model) and the Indoor Cam (2019 model).

The FTC did not disclose what specifically prompted its investigation into Ring. Before the FTC became involved, however, a confluence of news reports, widely reported hacking incidents, and advocacy from digital rights groups had drawn attention to Ring's lack of data protection. For example:

·       In 2019, the Electronic Frontier Foundation (EFF), a non-profit digital rights group, issued a [warning](https://www.eff.org/deeplinks/2019/08/amazons-ring-perfect-storm-privacy-threats) about Ring products, citing many instances of hacking and the company's failure to protect personal information.

·       On December 12, 2019, the [Washington Post](https://www.washingtonpost.com/nation/2019/12/12/she-installed-ring-camera-her-childrens-room-peace-mind-hacker-accessed-it-harassed-her-year-old-daughter/) reported on an incident in which a hacker gained access to a family's Ring camera and harassed their 8-year-old daughter by speaking to her through the camera's speaker, calling her racial slurs and directing her to misbehave. This incident is referenced in the complaint filed by the FTC against Ring.

Ring LLC and the FTC reached a settlement immediately. The stipulated final order, which was filed on the same day the complaint was issued and approved by the U.S. District Court for the District of Columbia in June, resolved the FTC's allegations without a full trial. The terms of the settlement were as follows:

·       **Customer refunds**: Ring was ordered to pay $5.8 million, which was then used to refund customers. The FTC began distributing payments via PayPal to over 117,000 customers in April 2024.

·       **Data deletion**: The company was required to delete customers' videos, and data derived from those recordings, that employees had improperly reviewed for algorithm training.

·       **Privacy and security program**: Ring was mandated to implement a comprehensive privacy and data security program, which must be independently assessed every two years for twenty years.

·       **Restrictions on employee access**: The company must establish new guidelines that limit employee and contractor access to customer video data.

·       **Reporting requirements**: Ring is required to notify the FTC of any future incidents of unauthorized access to customer videos.

·       **Customer notification**: Ring was ordered to notify all of its customers about the FTC's action against the company.

Case 2

The lawsuit, titled Randy Doty v. ADT, LLC d/b/a ADT Security Services, and Telesforo Aviles, is a class action brought against ADT LLC and its former employee, Telesforo Aviles. The plaintiff, Randy Doty, brought the action individually and on behalf of others similarly situated.

ADT markets itself as “America's #1 smart home security provider.” The litigation centers on the ADT Pulse System, a high-tier package that allows customers remote access via a mobile application or web browser to control their security system, lock doors, and view live camera footage of their home. In its product disclosures, ADT promised that it would not access a customer's audio or video without the customer's knowledge.

The class action complaint alleges that vulnerabilities within the Pulse System allowed an ADT technician, Telesforo Aviles, to add his personal email address to customer accounts using unauthorized credentials, giving himself remote access to those homes. ADT's investigation into Aviles, conducted before he was fired, revealed that he had accessed more than 200 different customers' ADT Pulse accounts.

The breach was not discovered through ADT's internal monitoring systems. It came to light when a customer, while reporting a technical issue, inadvertently discovered the unwanted third-party access on their account. Following this discovery, ADT conducted an internal investigation, identified Aviles as the employee responsible for the unauthorized access, and alerted the affected customers.

The specific trigger for the plaintiff, Randy Doty, was a phone call his wife received from ADT in April 2020. ADT informed them that Aviles, the technician who had installed their indoor security camera, had granted himself remote access and used it to spy on Mr. Doty, his wife, and their minor son.

A related enforcement action was announced on the same day as the Ring complaint. On May 31, 2023, the U.S. Federal Trade Commission (FTC) and the Department of Justice (DOJ) jointly charged Amazon with violating the Children's Online Privacy Protection Act (COPPA) by unlawfully retaining children's voice recordings and undermining parental deletion requests. The settlement required Amazon to pay a $25 million civil penalty and implement significant changes to its data practices.

These failures are largely structural rather than personal. The products reflect an absence of meaningful constraints, auditing, or accountability at the organizational level. The risk was not only that internal access could be misused, but that the system would not detect it if it were. Equally critical was the scale of internal access that was treated as an operational necessity: in both cases, a single employee could reach hundreds of customers' accounts or recordings without a business reason being recorded or checked.

Smart home technology often fails quietly: not only through breaches announced in headlines, but through permissions never questioned, access never logged, and data that never quite disappears. The systems continue to function, while somewhere inside the organization, the doors remain unlocked.
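To make "access never logged" and "the system would not detect it" concrete, here is an added example that is not code from the original post and not from Ring or ADT. It assumes a hypothetical internal audit log in JSON-lines form, with made-up field names (`actor`, `role`, `action`, `customer`, `ticket`, `email`), and runs three checks a provider could have had: a staff member viewing video on unusually many distinct customer accounts, video views with no support ticket recorded as the business reason, and one email address being added as a secondary login on several unrelated customer accounts (the pattern in the ADT case). The log lines below are constructed for the example.

```python
"""Added example: insider-access audit over a constructed audit log.

Not code from the original post, Ring, or ADT. The log format, field names,
role names and thresholds are assumptions made for illustration.
"""
import json
from collections import defaultdict

# Constructed sample audit log (JSON lines); every record here is made up.
# tech-1042 views video on many accounts, mostly with no ticket, and adds the
# same personal email to three customers' accounts. tech-2201 is a normal tech.
SAMPLE_LOG = """
{"ts":"2020-03-01T09:00:00Z","actor":"tech-1042","role":"technician","action":"view_video","customer":"cust-001","ticket":"T-7781"}
{"ts":"2020-03-01T21:10:00Z","actor":"tech-1042","role":"technician","action":"view_video","customer":"cust-002","ticket":null}
{"ts":"2020-03-02T22:05:00Z","actor":"tech-1042","role":"technician","action":"view_video","customer":"cust-003","ticket":null}
{"ts":"2020-03-03T23:40:00Z","actor":"tech-1042","role":"technician","action":"view_video","customer":"cust-005","ticket":null}
{"ts":"2020-03-04T01:15:00Z","actor":"tech-1042","role":"technician","action":"view_video","customer":"cust-006","ticket":null}
{"ts":"2020-03-02T10:00:00Z","actor":"tech-2201","role":"technician","action":"view_video","customer":"cust-007","ticket":"T-7790"}
{"ts":"2020-03-02T14:30:00Z","actor":"tech-2201","role":"technician","action":"view_video","customer":"cust-008","ticket":"T-7791"}
{"ts":"2020-02-10T11:00:00Z","actor":"tech-1042","role":"technician","action":"add_account_email","customer":"cust-001","email":"installer.personal@example.com"}
{"ts":"2020-02-12T15:00:00Z","actor":"tech-1042","role":"technician","action":"add_account_email","customer":"cust-002","email":"installer.personal@example.com"}
{"ts":"2020-02-14T16:20:00Z","actor":"tech-1042","role":"technician","action":"add_account_email","customer":"cust-003","email":"installer.personal@example.com"}
{"ts":"2020-02-20T18:00:00Z","actor":"cust-004","role":"customer","action":"add_account_email","customer":"cust-004","email":"owner4@example.com"}
{"ts":"2020-03-02T10:05:00Z","actor":"tech-2201","role":"technician","action":"add_account_email","customer":"cust-007","email":"owner7@example.com","ticket":"T-7790"}
"""

# Roles treated as internal staff (assumption for the example).
STAFF_ROLES = {"technician", "support", "contractor"}


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_broad_access(events: list[dict], max_customers: int = 3) -> dict[str, list[str]]:
    """Staff actors who viewed video on more than max_customers distinct accounts.

    A technician's legitimate work touches a handful of accounts; hundreds
    (as in the ADT case) is the signal that should have tripped an alarm.
    """
    seen: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["role"] in STAFF_ROLES and e["action"] == "view_video":
            seen[e["actor"]].add(e["customer"])
    return {actor: sorted(custs) for actor, custs in seen.items() if len(custs) > max_customers}


def find_unticketed_access(events: list[dict]) -> list[dict]:
    """Staff video views with no support ticket: access with no recorded business reason."""
    return [
        e for e in events
        if e["role"] in STAFF_ROLES and e["action"] == "view_video" and not e.get("ticket")
    ]


def find_shared_secondary_emails(events: list[dict]) -> dict[str, list[str]]:
    """Email addresses added to more than one distinct customer account.

    An installer adding the owner's own email is normal; the same address
    appearing on several unrelated accounts is the insider pattern.
    """
    accounts: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["action"] == "add_account_email":
            accounts[e["email"]].add(e["customer"])
    return {email: sorted(custs) for email, custs in accounts.items() if len(custs) > 1}


def audit(events: list[dict], max_customers: int = 3) -> dict:
    """Run all three checks and return the findings as one report."""
    return {
        "broad_access": find_broad_access(events, max_customers),
        "unticketed_views": [(e["actor"], e["customer"], e["ts"]) for e in find_unticketed_access(events)],
        "shared_emails": find_shared_secondary_emails(events),
    }


if __name__ == "__main__":
    print(json.dumps(audit(parse_log(SAMPLE_LOG)), indent=2))
```

On the constructed log, only `tech-1042` is reported by all three checks; `tech-2201` and the customer who added their own address are not. The point is not the thresholds, which a real provider would tune to its own baseline, but that each check requires the access event to have been written to a log with the actor, the target account and the stated reason, which is exactly what the two cases above lacked.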


About the Author

Photo of Maryam “Shabnam” FakhrHosseini
Maryam “Shabnam” FakhrHosseini

Shabnam FakhrHosseini is a Research Scientist at the MIT AgeLab. She received her Ph.D. in Applied Cognitive Science and Human Factors from Michigan Technological University. Shabnam has worked on a variety of topics around distracted driving and technology adoption. Before joining the MIT AgeLab, she was a User Researcher at Bose and led projects evaluating usability and user experience for new products. Currently, her research focuses on technology adoption models, social robots for aging in place, and uncovering unmet needs and identifying technological solutions in the area of the smart home.
