Amazon’s Ring Security Camera Let Employees Spy on Customers

The Internet of Things’ central promise is that by allowing internet-connected and compute-enabled products into your home, you can enjoy luxuries and conveniences like voice assistants, different colored light bulbs that change on command, and a really smart toaster. There are always going to be tensions between certain IoT devices and privacy. If you have a camera in your home and can view the output remotely, there’s always going to be a chance that someone else could intercept that data stream.

What we keep discovering, however, is that the companies supposedly devoted to bringing us these breakthroughs are almost always violating the privacy of their customers in significant ways. The latest company under fire is Amazon, for its Ring security cameras.

An investigation by The Intercept claims that beginning in 2016, Ring gave its Ukrainian R&D team “virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world.” The video files were left unencrypted because Ring leadership felt that encryption would make the company less valuable. The Ukrainian team doing the R&D was also provided with “a corresponding database that linked each specific video file to corresponding specific Ring customers.”

This data wasn’t limited to just the engineers working on the cameras. The Intercept writes:

Ring unnecessarily provided executives and engineers in the U.S. with highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras, regardless of whether they needed access to this extremely sensitive data to do their jobs. For someone who’d been given this top-level access — comparable to Uber’s infamous “God mode” map that revealed the movements of all passengers — only a Ring customer’s email address was required to watch cameras from that person’s home.

Why did Ring grant its engineers access to this data? In part, apparently, because its facial recognition software and AI capabilities were terrible. One of Ring’s leading features is called Neighbors. It claims to provide real-time crime and safety alerts to your entire neighborhood (assuming, of course, your neighbors all use Ring) with features that “proactively keep you in the know.” But making this work correctly requires sophisticated facial recognition and processing techniques. The company’s customers were complaining that the Neighbors feature didn’t actually work very well at all, misidentifying cars driving by or leaves falling from trees. So Ring started hiring folks to manually identify and flag everything they saw in video streams, trying to build out a satisfactory machine learning data set with on-the-fly training.

Image by the Intercept

There was, according to the Intercept, precious little data security. Interior and exterior cameras were used for training. Employees shared choice data clips amongst themselves. When contacted for comment, Ring claimed to have established robust safeguards for data privacy and security, but would not comment on how its policies might have changed or what kinds of activity had previously been permitted. Ring’s public advertising doesn’t even mention facial recognition — to discover that the company is even using the data it gathers from you for this purpose, you have to check the privacy policy, which states, “You may choose to use additional functionality in your Ring product that, through video data from your device, can recognize facial characteristics of familiar visitors.”

Nothing in that paragraph implies that your home is being watched by a Ukrainian lab for the purpose of developing better facial recognition technology. Nothing in any policy acknowledges that other people have access to your data stream at all, much less that they have it on an ongoing real-time basis with nothing more than an email address required to access it.

After the Intercept story went live, Ring contacted the Intercept to claim “Ring employees never have and never did provide employees with access to livestreams of their Ring devices.” The Intercept states this claim is contradicted by multiple sources. It’s definitely contradicted by a report from The Information, which opens by describing how, back in 2016, Ring executives flew to the Ukraine to ask its engineering staff what they needed to help them develop the product more effectively.

While the story is paywalled, the paragraph you can see certainly implies what happened next.

One of the engineers in the room said that to improve Ring’s software, the Kiev office needed access to customer video feeds. The information trove contained images from security cameras pointed at home entrances across the globe that could be traced back to individual customers.
