Amazon’s Ring Security Camera Let Employees Spy on Customers

66
This site may earn affiliate commissions from the links on this page. Terms of use.

The Internet of Things central promise is that by allowing internet and compute-enable products into your home, you can enjoy luxuries and conveniences like voice assistants, different colored light bulbs that change on command, and a really smart toaster. There are always going to be tensions between certain IoT devices and privacy. If you have a camera in your home and can view the output remotely, there’s always going to be a chance that someone else could intercept that data stream.

What we keep discovering, however, is that the companies supposedly devoted to bringing us these breakthroughs are almost always violating the privacy of their customers in significant ways. The latest company under fire is Amazon, for its Ring security cameras.

An investigation by The Intercept claims that beginning in 2016, Ring gave its Ukrainian R&D team “virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world.” The video files were left unencrypted because Ring leadership felt that encryption would make the company less valuable. The Ukranian team doing the R&D was also provided with “a corresponding database that linked each specific video file to corresponding specific Ring customers.”

This data wasn’t limited to just the engineers working on the cameras. The Intercept writes:

Ring unnecessarily provided executives and engineers in the U.S. with highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras, regardless of whether they needed access to this extremely sensitive data to do their jobs. For someone who’d been given this top-level access — comparable to Uber’s infamous “God mode” map that revealed the movements of all passengers — only a Ring customer’s email address was required to watch cameras from that person’s home.

Why did Ring grant its engineers access to this data? In part, apparently, because its facial recognition software and AI capabilities were terrible. One of Ring’s leading features is called Neighbors. It claims to provide real-time crime and safety alerts to your entire neighborhood (assuming, of course, your neighbors all use Ring) with features that “proactively keep you in the know.” But making this work correctly requires sophisticated facial recognition and processing techniques. The company’s customers were complaining that the Neighbors feature didn’t actually work very well at all, misidentifying cars driving by or leaves falling from trees. So Ring started hiring folks to manually identify and flag everything they saw in video streams, trying to build out a satisfactory machine learning data set with on-the-fly training.

ring-redacted-1547070465

Image by the Intercept

There was, according to the Intercept, precious little data security. Interior and exterior cameras were used for training. Employees shared choice data clips amongst themselves. When contacted for comment, Ring claimed to have established robust safeguards for data privacy and security, but would not comment on how its policies might have changed or what kinds of activity had previously been permitted. Ring’s public advertising doesn’t even mention facial recognition — to discover that the company is even using the data it gathers from you for this purpose, you have to check the privacy policy, which states, “You may choose to use additional functionality in your Ring product that, through video data from your device, can recognize facial characteristics of familiar visitors.”

Nothing in that paragraph implies that your home is being watched by a Ukrainian lab for the purpose of developing better facial recognition technology. Nothing in any policy acknowledges that other people have access to your data stream at all, much less that they have it on an ongoing real-time basis with nothing more than email address required to access it.

After the Intercept story went live, Ring contacted the Intercept to claim “Ring employees never have and never did provide employees with access to livestreams of their Ring devices.” The Intercept states this claim is contradicted by multiple sources. It’s definitely contradicted by a report from The Information, which opens by describing how, back in 2016, Ring executives flew to the Ukraine to ask its engineering staff what they needed to help them develop the product more effectively.

While the story is paywalled, the paragraph you can see certainly implies what happened next.

One of the engineers in the room said that to improve Ring’s software, the Kiev office needed access to customer video feeds. The information trove contained images from security cameras pointed at home entrances across the globe that could be traced back to individual customers.

Now Read:

Let’s block ads! (Why?)

ExtremeTechInternet – ExtremeTech

Get real time updates directly on you device, subscribe now.

Subscribe to our newsletter
Sign up here to get the latest news, updates and special offers delivered directly to your inbox.
You can unsubscribe at any time

Leave A Reply

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More