Ring videos completely open to employees: insider
Smart video security systems have been growing in popularity, and have acted as a sort of vanguard for the smart home industry. Popular products like NetGear’s Arlo and Amazon’s Ring security cameras are prominently on display in many retail outlets, and more products are hitting the market regularly for old and new players. These products all tout security features and high levels of encryption to allay the natural concerns of any prudent buyer, but anyone with a modicum of awareness of the tech industry would keep a grain of salt well on hand.
Ring has been a pioneer in this product category and continues to launch new products every year to expand it’s range. Amazon’s acquisition in 2018 only served to boost the reach of these products and add a level of street cred for the everyman consumer. Existing Ring customers were not so sure, as the growth and evolution of small companies, especially when being abasorbed by bigger ones, has often led to less than satisfactory experiences for those who had come to love something about those products. In this case, though, Ring’s failures are all their own.
News has now come to light from an ex-Ring employee of some disturbing internal practices that, unfortunately, only add to a string of privacy issues coming out of Ring in recent years. According to this source as reported through The Information Ring Labs, Ring’s Ukraine-based R&D office, has been given unfettered access to Ring customer videos. Apparently this was granted sometime in 2016 in response to discussion Ring CEO Jamie Siminoff had with the Ukraine team as to how to make their products better.
Ring has long struggled with intelligent object identification in their software. After claiming to use infrared to differentiate between people, animals, and vehicles (for example), customers have complained of false positives, and motion notifications where nothing of significance is happeneing. I’ve experienced this while testing a Ring Spotlight Cam and having regular motion notifications from moving plants, even in only a slight breeze. Ring’s support advice? Turn down the detection range.
So, what did the Ukraine team want acces for? The theory was to help train the software by manually tagging objects in customer videos. This doesn’t seem to have payed dividends given that task is ongoing years later, and Ring is still hiring people for the mundane task of flagging and tagging objects. The very real result however, is that the R&D team was given unfettered access to an Amazon S3 bucket containing every ring camera video in unencrypted form.
This is rather shocking, as Ring has previously been held in high regard in terms of their security design by researchers. This design remains uncompromised, but doesn’t discuss the server-side security implementation. Evidently this is significantly lacking, and a major disappointment from a company that has made bold claims about their dedication to security in the past.
In addition to video access, the team was provided a database which linked the videos to specific customers, which seems entirely unnecessary for the stated goal. Executives and engineers in the US where also given unrestricted access to the customer support portal which allows access to specific cameras on demand, where those employees had no need for such access to do their jobs.
Amazon’s acquisition has apparently led to some improvements around data controls, but the insiders say employees have ways around them still. Ring has only responded to inquiries about this issue with the following statement:
We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring videos. These videos are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes.
We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.
The Ring position is that only videos provided to their Neighbors service are manually viewed, which doesn’t gel with the reports from the source, although we don’t know which is correct. If all ring camera output is stored unencrypted in a single location, that would be bad in any case. We also don’t know what their access policies officially are, or how they are enforced (as they claim).
The source did note that they were not aware of any abuse of the access being provided, but again, that’s not to say it hasn’t happened, or won’t if the access policies remain as they are. If you have Ring cameras only monitoring the public facing exterior of your home, there is probably nothing really to be concerned about, but if you are using their newer indoor models you might want to refrain from dancing naked where they can see you.