ADT Tech Spied On Women For Four Years Before Getting Caught By Accident

from the what's-the-opposite-of-security dept

Another day, another example of why we might want to actually pass at least a basic privacy law for the internet era. The latest problem bubbled up over at home security vendor ADT, after a technician was caught using home security cameras to spy on people for years. More specifically, the tech accessed customer video cameras in 200 homes some 9,600+ times over a period of four years. His preferred targets were attractive women he spied on while they were having sex, bathing, or getting dressed. This was, as US Attorney Prerak Shah was quick to note, a grotesque abuse of trust:

"This defendant, entrusted with safeguarding customers’ homes, instead intruded on their most intimate moments,” said Acting U.S. Attorney Prerak Shah. “We are glad to hold him accountable for this disgusting betrayal of trust."

The tech simply added his email address to the authorization list for the company's ADT Pulse accounts, which lets home security customers access cameras when not at home. ADT's now facing three different lawsuits for failing to "implement adequate procedures that would prevent non-household members from adding non-household email addresses." Aka, they didn't engage in some basic due diligence to ensure that employees couldn't abuse the system. The federal charges were brought some five months after the first lawsuit was filed.

One of the interesting bits is that he appeared to have only been caught by accident, and could easily still be engaging in the same behavior today if not for one attentive subscriber:

"The lawsuit also claims the flagrant security breach was discovered not by the company, but 'by luck and happenstance.' A customer, reporting a technical issue, inadvertently revealed the unwanted third-party access," the lawsuit claims. "But for that event, ADT would be unaware of this invasive conduct."

So no basic security measures to prevent employees from abusing their authority. No system to notify users when somebody new was added to the email access list for video cameras they provide. ADT didn't even know this was going on -- and if not for a customer being attentive it probably still would be. And this is a security company! It's notably worse for the parade of "internet of thing" companies that decided we needed to hook every home device up to the internet with zero willingness to embrace or fund basic privacy and security standards.

In ADT's case, the company is busy trying to dodge responsibility by throwing complaining customers into binding arbitration, a lopsided process that pretends to be better than traditional class actions, but usually winds up with the companies in question getting little more than a wrist slap. When you know that repeated privacy and security violations can be brushed aside with a modicum of billable legal hours, you're not inclined to try very hard. It's far easier, and less expensive, to half-ass it, then have your lawyers water down already flimsy after-the-fact penalties.

It's why properly staffing and funding our privacy regulators, and having a basic privacy law where the expectations are clear and the penalties are notable (and consistently enforced) seems like a no brainer. Though it's still amazingly not clear how many national privacy scandals are necessary before we finally figure out that our existing "solution" of apathy, wrist slaps, binding arbitration, and intentional policy gridlock aren't working very well.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: doj, iot, privacy, security, surveillance
Companies: adt


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    ECA (profile), 27 Jan 2021 @ 3:29pm

    and?

    Who here trusts ANY human not to be human?(just another idiot)

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Jan 2021 @ 4:06pm

    ADT attempted to sell me their services when I moved in to my current home. After their scare sell presentation, I asked them, "What do you offer that I can't do myself with some WiFi cameras, door and window sensors and a cell phone?"

    The answer boiled down to "charge you money to watch your home". I asked them: no matter whether you're bonded or not: why would I want to pay your employees to spy on my home, when I can watch it perfectly well myself without any of the privacy risks?

    The guy didn't have an answer and walked away. That was it until the next week, when the NEXT guy from ADT showed up at the door (which now had a "no soliciting" note on it)... After the same conversation, his supervisor got a phone call.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 27 Jan 2021 @ 4:15pm

    Note: This comment is a bit of a derail, the whole train should not follow.

    Yeah, first place i want a security cam is in my bathroom.

    reply to this | link to this | view in chronology ]

  • icon
    OldMugwump (profile), 27 Jan 2021 @ 5:47pm

    I don't think "a basic privacy law" is going to help here...

    I'm pretty sure the tech has been fired, and is likely being sued.

    And what he did is probably already illegal.

    Simply passing a law doesn't make the prohibited behavior disappear.

    See how well the War on Drugs is working? The streets of America have been drug-free since the Nixon administration!

    I remember Al Gore trying to settle concerns about abuse of the Clipper chip by promising to make such abuse...illegal.

    Come on, Karl. You're old enough to know better.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 27 Jan 2021 @ 7:59pm

      Re: I don't think "a basic privacy law" is going to he

      He's talking about regulations on companies, such as those requiring basic due diligence which could have prevented this in the first place.

      Beyond that, your extremely shallow "why even have laws!?" argument is nonsense.

      reply to this | link to this | view in chronology ]

    • icon
      Thad (profile), 28 Jan 2021 @ 7:05am

      Re: I don't think "a basic privacy law" is going to help here...

      I'm pretty sure the tech has been fired, and is likely being sued.

      And what he did is probably already illegal.

      The issue here is establishing clear regulatory standards, and holding companies responsible when they violate them.

      Simply passing a law doesn't make the prohibited behavior disappear.

      This reasoning is absurd. Carried to its logical conclusion, it would mean there's no point in having laws against anything. Why have laws against murder? People still commit murder.

      See how well the War on Drugs is working? The streets of America have been drug-free since the Nixon administration!

      I was going to list out a few of the many ways in which your comparison is bad, but you know what? Nah. It's your comparison; it's not my job to tell you why it's bad, it's your job to explain why it's not.

      So, to that end: in what way are privacy laws analogous to the War on Drugs? Besides that both things are laws?

      I remember Al Gore trying to settle concerns about abuse of the Clipper chip by promising to make such abuse...illegal.

      This analogy is less stupid; the Clipper chip has a lot more overlap with the ADT scandal we're talking about in that it was a supposed security device that could be backdoored by malicious actors.

      That said, there are important differences here. For one, Clipper was rooted in US law enforcement and the surrounding surveillance state, which is fundamentally a different target than a private security firm with employees watching people's cameras for voyeuristic reasons.

      Second, the vulnerabilities in the Clipper chip were inherent to the concept of key escrow, whereas the vulnerabilities in the ADT system are inherent to SaaS. If you're running software on somebody else's computer, there's no way to prevent its owner from gaining access to whatever it is you're doing with it. There's no technical solution to this problem, except "don't use SaaS", which is not a tenable solution for most people.

      If we allow that some people are, inevitably, going to use SaaS, the only solution is to set and enforce security policies for companies that offer it. (In this instance, the breach could have been trivially found by simply doing DB audits and looking for instances where the same e-mail address was tied to multiple accounts.)

      You are correct that passing a law is no guarantee that people will follow it. (Again, this is true of literally every law.) But laws don't exist to completely eliminate bad behavior; they exist to disincentivize it and make it less likely to occur.

      Leaving security and privacy up to the free market is clearly not working.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 28 Jan 2021 @ 8:17am

        Re: Re: I don't think "a basic privacy law" is going to help her

        But laws don't exist to completely eliminate bad behavior; they exist to disincentivize it and make it less likely to occur.

        THIS is the key. If the US had a GDPR equivalent, ADT would have just earned themselves a 15% of annual revenue fine. This would ensure they updated their policies so that this never happened again, because it would cost them more for this to happen once than for them to put proper privacy policies in place and enforce them.

        With the current US privacy laws (including California), if you break them, you get to apologize and make a nominal political contribution and go back to doing (profitable) business as usual.

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 28 Jan 2021 @ 11:40am

          Re: Re: Re: I don't think "a basic privacy law" is going to help

          To quote the Spartans: "If"

          If such a law and the associated regulations were on the books.

          If such a regulatory agency was properly funded, staffed, and free from political influence to monitor and enforce said regulations.

          As longtime readers of TechDirt can tell you, this here's 'Murica, we don't do things like that around here.

          reply to this | link to this | view in chronology ]

  • identicon
    Pixelation, 28 Jan 2021 @ 6:00am

    Better to roll your own, if you can

    I would be willing to bet there are a large number of "peeping Tom's" working for companies like ADT that have access to video cameras in people's homes.

    reply to this | link to this | view in chronology ]

    • icon
      Thad (profile), 28 Jan 2021 @ 1:06pm

      Re: Better to roll your own, if you can

      "If you can" is a pretty significant "if".

      I've got the knowhow to set up my own security system, and I'm guessing a lot of Techdirt readers can say the same. But what percentage of the population do you suppose we represent?

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 28 Jan 2021 @ 3:39pm

      Re: Better to roll your own, if you can

      In the case of setting up internet-accessible cameras that can see you bathing and having sex, I'd say it's better to not roll your own. Either don't do it, or outsource it to a company that will pay you when people watch those videos.

      reply to this | link to this | view in chronology ]

  • identicon
    Jim Wallis, 11 Feb 2021 @ 12:24am

    I already new this was going on...They all do it...They should be fired and never to be hired again for any security job...and they should be labeled as a sexual predator...

    reply to this | link to this | view in chronology ]

  • icon
    Or Hukuk ve Danışmanlık (profile), 13 Apr 2021 @ 1:02am

    vehicle depreciation

    The difference between the second-hand market value of the vehicle, undamaged before the accident, and the second-hand market value after the accident occurred and repaired after an accident is called vehicle value loss. For more, please visit https://or.av.tr/faluluk-alanlari/trafik-kazasi-avukati-sigorta/arac-deger-kaybi-avukati/

    reply to this | link to this | view in chronology ]

  • icon
    Or Hukuk ve Danışmanlık (profile), 13 Apr 2021 @ 1:05am

    vehicle depreciation

    The difference between the second-hand market value of the vehicle, undamaged before the accident, and the second-hand market value after the accident occurred and repaired after an accident is called vehicle value loss. For more, please visit https://or.av.tr/faaliyet-alanlari/trafik-kazasi-avukati-sigorta/arac-deger-kaybi-avukati/

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Make this the First Word or Last Word. No thanks. (get credits or sign in to see balance)    
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.