Ring, the small doorbell-maker that Amazon acquired last year, gave several employees unrestricted access to videos recorded by customers, and those videos were not encrypted because encryption would entail a loss of revenue, The Intercept has revealed.
Ring, previously known as Bot Home Automation, was founded in 2012 and is a well-known seller of smart doorbells and cameras that offer consumers the ability to record videos of their homes and surroundings and detect burglars. The company was acquired by Amazon in early 2018 and continues to develop new home security products.
“Our mission to reduce crime in neighborhoods has been at the core of everything we do at Ring. Together with Amazon, we will accelerate our mission dramatically by connecting more neighbors globally and making our security devices and systems more affordable and accessible. The entire Ring team is excited to continue working hard to create products and services that bring real benefits to people’s lives and build safer communities for all our neighbours,” said Jamie Siminoff, CEO and Chief Inventor of Ring, following its acquisition.
Products now offered by Amazon Ring include Ring video doorbells, spotlight cams, floodlight cams, the Blink XT indoor/outdoor camera, the Blink indoor security camera, and Amazon Cloud Cam.
Ring employees enjoyed unrestricted access to customer videos
Even though the company’s mission is to help people secure their homes from external threats by recording videos of their homes and surroundings, the company may not be doing enough to protect the privacy of those same customers, a new report from The Intercept has revealed.
According to the report, the research and development team at Ring’s Ukrainian office had unfiltered and unrestricted access to an Amazon S3 cloud folder that stored every single video recorded by users of Ring’s products.
Not only were private videos of people available to Ring’s employees, but Ring also chose not to encrypt such videos as enabling encryption would make the company less valuable “owing to the expense of implementing encryption and lost revenue opportunities due to restricted access”, sources told The Intercept.
Certain engineers and executives at Ring’s U.S. office also had privileged access to the company’s technical support video portal, which stored unfiltered, round-the-clock live feeds from some customer cameras. To access such videos, an employee only had to fill in a customer’s email address.
Sources contacted by The Intercept added that the failure of facial and object recognition software to detect burglars or hostile entities forced the company to provide employees access to customer videos so that the company could send accurate alerts to consumers about activities outside their homes.
Indoor policing by other humans a major privacy nightmare
“There are some major privacy concerns here. While users may consent to their images and data being processed in order for the service to identify real intruders from cats for example, the issue is where the processing is done,” said Adam Brown, manager of security solutions at Synopsys.
“Perhaps users believe processing is done on the camera and are therefore happy to have these devices inside their home; some may even be happy for that image data to be processed in a data centre somewhere, but for that data to be watched by human eyes is a totally different question.
“Privacy policies that the Ring spokesperson refers to offer some protection, however if they are not enforced with logical controls then any insider breach is a major privacy risk. Imagine you have this camera inside your house, and you find yourself in a compromising position and the camera sees that.
“The employee watching on the other side finds it hilarious and is upset by their ‘long monotonous work’ (as the job description states) and decides to share the camera’s video in some way on their exit from their job. Someone’s day or even life is ruined,” he added.
Employees never had access to livestreams, Ring clarifies
In an e-mail to TEISS, Ring stated that employees are never given access to live streams but only to recordings that are sourced exclusively from publicly shared Ring videos from the Neighbors app. Employees can also access recordings of customers who have provided their explicit written consent to allow the company to access and utilise their videos.
“We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring video recordings. These recordings are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes. Ring employees do not have access to livestreams from Ring products.
“We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them,” said a Ring spokesperson.