Consumer Privacy in Question Over Ring Video Files

Recently we learned that Ring, the video surveillance and security equipment/service provider (owned by Amazon), had allowed its research and development staff wide access to its users’ video files. Just how wide? According to The Information, in 2016 Ring’s CEO provided the 30-member R&D team in Ukraine with access to users’ video files so the team could dig in and produce artificial intelligence solutions to “help homeowners know when someone approaches their door.”

This seemingly incongruous event had security professionals scratching their heads, given that in 2016 Ukraine was known (and still is today) for the presence of cybercriminals and for being the victim of said cybercriminals. In 2018, following Ring’s acquisition by Amazon, access to these video files was somewhat restricted, according to The Information article.

The question of privacy percolates to the surface as user videos of every “event” detected by a service subscriber’s Ring device are available for perusal by the R&D staff. While allowing internal R&D access to customer experience data is not out of the norm, the fact is the videos being generated by Ring’s devices may be used in a nefarious manner by an enterprising and malevolent individual with access.

Indeed, The Intercept noted that Ring’s video files are hosted on Amazon’s S3 cloud storage service, as one might expect given the Amazon ownership. Engineers within Ring could, allegedly, access any user’s video history simply with a user’s email address. The example provided by The Intercept highlights how “if [someone] knew a reporter or competitor’s email address, [they] could view all their cameras.”

Now, Ring does have a “neighborhood” sharing function that enables users to share a video capture with their neighbors, which effectively places the video in the public domain. Ring noted that it is now confining its R&D work to these videos. “We have strict policies in place for all our team members,” a Ring spokesperson said. “We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.”

Ring was praised over the Christmas holidays for being instrumental in thwarting a number of “package thieves,” which highlighted the efficacy of the service. What we don’t know is how many—if any—thefts on customer premises were actually enabled by the information contained in their Ring video depository.

If the videos can be accessed simply by knowing an email address, the bar is quite low for an insider to monitor a given customer’s activities to determine patterns, presence and occupants. Additionally, the many Ring video devices that are located within private residences are generating video files with each motion that falls in a device’s “field.” How many of those photos would fall into the “private” rubric? All? Some? None?

While we can demand service providers protect what they collect, consumers also have responsibilities to protect themselves. For example, there was a recent kerfuffle concerning Ring’s competitor Nest. Allegations were made that Nest’s security protocol on its video device was weak after a customer’s video file was hacked. Nest’s investigation showed that the unauthorized user had logged into the user’s account using the correct user ID and password combination. The account accessed did not have two-factor authentication (2FA) enabled. The Nest investigators concluded that the user had either shared their password or reused their password with a compromised entity.

Nest assessed that poor user hygiene was the culprit and the basic tenet of cybersecurity and password management—one account, one password, enable 2FA when offered—had been violated.

Users should review EULAs and privacy statements for the words “share” and “use” to better grasp how one’s information may be used, sold, shared or manipulated and then decide if the privacy/utility trade-off makes using the product/service worthwhile.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA, which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century.” He also founded the non-profit Senior Online Safety.