Image: Ring

It shouldn’t be the case that inviting smart technology into our homes to safeguard against potential threats might instead lead to serious breaches of individual privacy, and yet reports of such violations of user trust are increasingly common. Now, Amazon’s Ring security cameras have come under fire for just that.

An investigation from the Intercept’s Sam Biddle published Thursday alleged that owners of Ring security cameras may have been spied on by employees of the company, an allegation Ring denies. However, citing sources familiar with Ring’s privacy practices, the Intercept reported that employees who were reportedly granted “highly privileged access” were able to gain access to video recordings as well as to Ring cameras in- or outside an individual’s home, depending on where the devices were positioned, using only that person’s email address. Per the Intercept:

Despite its mission to keep people and their property secure, the company’s treatment of customer video feeds has been anything but, people familiar with the company’s practices told The Intercept. Beginning in 2016, according to one source, Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world. This would amount to an enormous list of highly sensitive files that could be easily browsed and viewed. Downloading and sharing these customer video files would have required little more than a click.

Advertisement

According to the Intercept, this high-level access was provided to the company’s team in Ukraine in part because of failures in Ring’s object and facial recognition technology and in an attempt to better its product. Having previously reported on such alleged employee access in December, the Information said in its own report that users early on frequently complained of triggered alerts for such innocuous activity as a passing car.

The Information also reported that it was Ring founder Jamie Siminoff who in 2016 granted the company’s engineers in Ukraine “administrative access to Ring’s web-based interface, where customer videos could be streamed, according to multiple people either present or briefed about the meeting.” However, Siminoff reportedly told the site that he did not recall such a meeting and “that he delegated to senior managers the decision to make customer video feeds available there.”

Advertisement

While both reports cited employees who said they weren’t aware of the apparent access being used for anything nefarious, the reports are still unsettling. A Ring spokesperson issued the following statement to Gizmodo by email:

We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring video recordings. These recordings are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes. Ring employees do not have access to livestreams from Ring products.

We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.

Advertisement

Notably absent from a nearly identical statement from the company issued to the Intercept is the claim by the company that “Ring employees do not have access to livestreams from Ring products.” Asked by Gizmodo whether this apparently became the case before or after reporters began researching the alleged employee access to livestreams, a spokesperson said: “Ring employees do not and have never had access to customer live streams.” A spokesperson did not answer further questions about employee or contractor access to livestreams or sensitive user data.

This is not the first time Ring has been accused of serious violations of privacy. The Information previously reported last May that the company—which was acquired by Amazon last year in a deal reportedly valued at around $1 billion—through a security flaw allowed users who were logged into Ring’s app to maintain access to the account even if the password was changed. While the company said it had changed the feature last January, the problem reportedly persisted.

Advertisement

It shouldn’t be too much to ask that having a security device in your home doesn’t, you know, jeopardize it.

[The Intercept]

Advertisement