Citing the potential for sensitive footage “detailing the lives of millions of Americans” to fall into the hands of hackers and foreign spies, a group of U.S. lawmakers are demanding to know more about how Ring, Amazon’s home security company, is protecting its customers’ data.
In a letter to Amazon CEO Jeff Bezos on Wednesday, five Democratic U.S. senators made public their concerns about now-patched security vulnerabilities in Ring’s systems and the sharing of Americans’ home security footage with research and development teams on foreign soil, saying that consumers have a “right to know” who, precisely, is in possession of the video captured by Ring’s devices.
“Millions of consumers use Ring’s products and services, which include internet-connected video doorbells, spotlight cameras and alarm systems,” the letter begins. “Ring devices routinely upload data, including video records, to Amazon’s servers. Amazon therefore holds a vast amount of deeply sensitive data and video footage detailing the lives of Americans in and near their homes.”
It continues: “If hackers or foreign actors were to gain access to this data, it would not only threaten the privacy and safety of the impacted Americans; it could also threaten U.S. national security.” Personal data can be exploited, the letter says, “by foreign intelligence services to amplify the impact of espionage and influence operations.”
The letter is signed by U.S. Senators Ron Wyden of Oregon, Edward Markey of Massachusetts, Chris Van Hollen of Maryland, Chris Coons of Delaware, and Gary Peters of Michigan.
It goes on to cite a January 2019 article by the Intercept’s Sam Biddle, who, citing unnamed sources, reported that Ring’s Ukraine-based research and development team—known as Ring Labs—had been given “virtually unfettered access” to a shared Amazon server “containing every video created by every Ring camera around the world.”
According to the Intercept report, Ring also employs Ukrainians to further development of its computer vision—wherein a program is capable of analyzing and correctly identifying physical objects, such as cars, trees, and people—which included footage from the interior of Ring customers’ homes. Ring declined to answer questions from Biddle about its data policies, but a spokesperson said that a “small fraction” of Ring users had given Ring their consent to “access and utilize their videos for such purposes.”
The letter also references a TechCrunch story about Ring from earlier this month, in which security researchers discovered a vulnerability in Ring exposing device owners’ wifi passwords by transmitting them in cleartext.
“These reports raise serious questions about Ring’s internal cybersecurity and privacy safeguards, particularly if employees and contractors in foreign countries have access to American consumers’ data,” the lawmakers wrote.
Accompanying the letter are several questions related to Ring’s data security practices, such as: “Does Ring encrypt video footage, both in storage and transmission?” and “How regularly does Ring perform in-depth security tests, audits, vulnerability scans, source code reviews and penetration testing?” The lawmakers requested answers by January 6, 2020.
Ring told Gizmodo it was currently reviewing the letter but had no comment at this time.
Wednesday’s letter follows the release of Ring’s responses to questions asked by Sen. Markey this fall regarding the company’s partnerships with more than 600 law enforcement agencies across the U.S., as first reported by the Washington Post. Ring informed the senator that it places no restrictions on police departments with regard to how they use footage obtained from Ring customers.
You can read a full copy of the letter here.