Amazon-owned Ring has found itself under fire today for its internal handling of users’ video streams and recordings generated by its smart home products, according to a report published today at The Intercept.
It’s not the first time privacy concerns have been raised about smart home systems, and Ring especially, but this is something we’re going to have to deal with more in the coming years. Privacy breaches and violations have become commonplace, and as home security systems become more affordable, more connected and more cloud-based, we need to pay attention to who might be able to access live camera feeds and recordings of our most personal and private spaces.
The Intercept is today alleging that every video captured by every Ring camera in the world is – or was at some point – accessible to the company’s Ukranian-based development team with little to no access restrictions. It appears that this team is responsible for developing Ring’s AI object recognition technology, so it actually makes sense that this team has access to some real-world data, and they employ people specifically for the purpose of viewing and annotating these videos.
The team also had access to a database that could link a given video to a specific customer. Additionally, a source connected with the annotation efforts claimed that employees would show each other specific things they had seen in these videos, “including people kissing, firing guns and stealing”.
Elevated Customer Service Privileges
Of more concern is the Ring’s alleged practice of giving its US executives and engineers “highly privileged” access to the company’s support system, allowing them to look up customers by email address and access all of their cameras.
While this function needs to exist for the purposes of customer service, providing access to the feature to company executives seems a stretch. Additionally, The Intercept describes a culture within this office whereby engineers would tease each other about “who they brought home”, and alleges that someone could look up reporters or competitors by their email address, if known.
Ring, in response to The Intercept‘s enquiry, stated that the videos viewed and annotated by their staff are in fact publicly-shared videos from their Neighbors service, and selected users who’ve explicitly consented to the sharing of their videos – while not explicitly denying the allegations it does seem to imply that the Ukranian-based development team does not have access to any and all videos.
Further, the spokesperson said that the company has systems in place to restrict and audit employee access to information, and holds their team members to a high ethical standard.
Some of this access does appear to be covered in Ring’s Terms of Service:
20.1 Cloud Recordings. We do not claim ownership of your intellectual property rights in Cloud Recordings … you give us the right, without any compensation or obligation to you, to access and use your Cloud Recordings for the limited purposes of providing services to you, protecting you, improving our Products, the Software, and the Cloud Service, and developing new products and services.
One could reasonably assume that efforts would be made to anonymise and encrypt the videos and audit and restrict employee access, even if it’s not explicitly stated within the company’s policies. You wouldn’t expect executive-level employees to have access to this data though, and the fact that the company’s development team can link videos to customers seemingly without oversight is cause for concern.
For more detail about this story, including the full response from Ring, click through to The Intercept.
Update, January 12: Ring has provided an updated statement and some clarifications:
We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring video recordings. These recordings are sourced exclusively from publicly shared Ring videos from the Neighbours app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilise their videos for such purposes. Ring employees do not have access to livestreams from Ring products.
We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behaviour, we will take swift action against them.
Ring also very specifically states that it “does not provide employees with access to livestreams of Ring devices”, clarifying that employees only have access to publicly shared recordings and users who’ve opted in to sharing videos with the company – this clarifies the videos used for annotation.
The allegations regarding the elevated access to the customer service portal are harder to address. Given that the concerns were raised anonymously and not shared with the company, this makes it harder to investigate, and as noted it’s a tool that needs to exist for Ring staff to do their jobs. You would expect that employees found misusing/abusing systems will face consequences.