29 Jan Amazon’s Ring Security Camera Let Employees Spy on Customers
The Internet of Things’ central promise is that by allowing internet and compute-enabled products into your home, you can enjoy luxuries and conveniences like voice assistants, different colored light bulbs that change on command, and a really smart toaster. There are always going to be tensions between certain IoT devices and privacy. If you have a camera in your home and can view the output remotely, there’s always going to be a chance that someone else could intercept that data stream.
An investigation by The Intercept claims that beginning in 2016, Ring gave its Ukrainian R&D team “virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world.” The video files were left unencrypted because Ring leadership felt that encryption would make the company less valuable. The Ukrainian team doing the R&D was also provided with “a corresponding database that linked each specific video file to corresponding specific Ring customers.”
This data wasn’t limited to just the engineers working on the cameras. The Intercept writes:
Ring unnecessarily provided executives and engineers in the U.S. with highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras, regardless of whether they needed access to this extremely sensitive data to do their jobs. For someone who’d been given this top-level access — comparable to Uber’s infamous “God mode” map that revealed the movements of all passengers — only a Ring customer’s email address was required to watch cameras from that person’s home.
Why did Ring grant its engineers access to this data? In part, apparently, because its facial recognition software and AI capabilities were terrible. One of Ring’s leading features is called Neighbors. It claims to provide real-time crime and safety alerts to your entire neighborhood (assuming, of course, your neighbors all use Ring) with features that “proactively keep you in the know.” But making this work correctly requires sophisticated facial recognition and processing techniques. The company’s customers were complaining that the Neighbors feature didn’t actually work very well at all, misidentifying cars driving by or leaves falling from trees. So Ring started hiring folks to manually identify and flag everything they saw in video streams, trying to build out a satisfactory machine learning data set with on-the-fly training.
Nothing in that paragraph implies that your home is being watched by a Ukrainian lab for the purpose of developing better facial recognition technology. Nothing in any policy acknowledges that other people have access to your data stream at all, much less that they have it on an ongoing real-time basis with nothing more than an email address required to access it.
After the Intercept story went live, Ring contacted the Intercept to claim “Ring employees never have and never did provide employees with access to livestreams of their Ring devices.” The Intercept states this claim is contradicted by multiple sources. It’s definitely contradicted by a report from The Information, which opens by describing how, back in 2016, Ring executives flew to the Ukraine to ask its engineering staff what they needed to help them develop the product more effectively.
While the story is paywalled, the paragraph you can see certainly implies what happened next.
One of the engineers in the room said that to improve Ring’s software, the Kiev office needed access to customer video feeds. The information trove contained images from security cameras pointed at home entrances across the globe that could be traced back to individual customers.