Last year, Amazon made waves in the smart home space by acquiring Ring for over $1 billion. Known for home security doorbells, a new report today claims that the company has a lax stance towards privacy that allowed more employees than seemingly necessary to access customers’ live camera feeds.
According to The Intercept, Ring’s engineers and executives have “highly privileged access” to live camera feeds from customers’ devices. This includes both doorbells facing the outside world, as well as cameras inside a person’s home. A team tasked with annotating video to aid in object recognition captured “people kissing, firing guns, and stealing.” [Update: According to Ring, annotation is only conducted on “publicly shared Ring videos.”]
U.S. employees specifically had access to a video portal intended for technical support that reportedly allowed “unfiltered, round-the-clock live feeds from some customer cameras.” What’s surprising is how this support tool was apparently not restricted to only employees that dealt with customers.
Update: In a statement, Ring explicitly argues that “employees do not have access to livestreams from Ring products.”
The Intercept notes that only a Ring customer’s email address was required to access any live feed.
Although the source said they never personally witnessed any egregious abuses, they told The Intercept “I can say for an absolute fact if I knew a reporter or competitor’s email address, I could view all their cameras.” The source also recounted instances of Ring engineers “teasing each other about who they brought home” after romantic dates.
According to the report’s sources, employees had a blasé attitude to this potential privacy violation, but noted that they “never personally witnessed any egregious abuses.”
Meanwhile, a second group of Ring employees working on R&D in Ukraine had access to a folder housing “every video created by every Ring camera around the world.” What’s more, these employees had a “corresponding database that linked each specific video file to corresponding specific Ring customers.”
Also bothersome is Ring’s reported stance towards encryption. Videos in that bucket were unencrypted due to the costs associated with implementation and “lost revenue opportunities due to restricted access.”
Since the Amazon acquisition, more restrictions were reportedly put in place, though employees can still bypass them. When asked for comment, a Ring spokesperson did not specifically address the nature of the access allegations, but only noted current “strict policies” to “restrict and audit access to information.”
“We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring video recordings. These recordings are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes. Ring employees do not have access to livestreams from Ring products.We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.”