Smart doorbell company Ring allowed employees to share unencrypted customer videos with each other, according to reports by both The Intercept and The Information. The reports say that Ring, which was purchased by Amazon last year, gave various teams access to unencrypted customer video files on company servers and live feeds from some customer cameras, regardless of whether that access was necessary.
The reports say that this behavior began in 2016, when Ring founder Jamie Siminoff moved the company’s efforts from San Francisco to Ukraine to save money. Sources tell The Information that for months after the Ukraine office was opened, videos were frequently transmitted without encryption. In addition, the company provided its R&D team in Ukraine with virtually unrestricted access to a folder on the company’s Amazon S3 cloud storage instance containing every Ring customer video. These videos were unencrypted, and could be easily downloaded and shared. The team was also given a database that linked each video to the Ring customer it belonged to.
At the same time, US-based Ring executives and engineers were granted overreaching access to “unfiltered, round-the-clock live feeds from some customer cameras.” There aren’t any documented instances of this access being abused, but a source told The Intercept:
“If [someone] knew a reporter or competitor’s email address, [they] could view all their cameras.” The source also recounted instances of Ring engineers “teasing each other about who they brought home” after romantic dates.
Ring’s Ukraine team was granted access to customer videos as a manual prop-up for underperforming AI. “Data operators” manually tagged and labeled objects in videos — like vehicles and people — in efforts to train the software’s object recognition. This team, another source tells The Intercept, watched footage from both outdoor and indoor cameras, showed other employees footage, and annotated actions like “kissing, firing guns, and stealing.”
Since the Amazon acquisition, some security measures have been put in place to prevent access to sensitive customer information, but the reports say staffers have ways around them. A former employee in Ukraine told The Information that “Workers could then access the system from any computer, at home or anywhere.”
A Ring representative told The Intercept that the only videos employees view and annotate are those made public through Ring’s community watch app, Neighbors:
We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring videos. These videos are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes.
We have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.
Reached by The Verge, a Ring spokesperson pushed back against The Intercept’s livestream claim in particular, saying, “Ring does not provide and never has provided employees with access to livestreams of Ring devices.”
Although it doesn’t appear anything nefarious has occurred, Ring’s lax views toward its customers’ privacy are a bad look for both Ring and Amazon. Though Ring says policies have changed, the question of if and how those policies are enforced is still open.
Update January 11th, 12:44PM ET: Added statement provided to The Verge from Ring regarding access to livestreams.