Sources Say Amazon Ring Home Security Videos Were Stored Unencrypted and Were Widely Accessible Internally

Matt Drange and Reed Albergotti, reporting last month for the Information:

But former employees said that wasn’t always the case, and that when the Kiev office was launched, customer videos were widely shared there. It couldn’t be learned when Ring began to restrict this access. Ring’s terms of service don’t inform customers who opt in to the community watch feature that their videos are used for image-recognition research. Mr. Siminoff said he believed Ring’s disclosures to customers were sufficient.

Ring has had other issues with security. As The Information reported earlier this year, a software flaw allowed former users of shared accounts to continue to view doorbell video.

Ring has added additional security measures since being acquired by Amazon in April. Employees in Ukraine are no longer allowed to download and store videos on their computers, for example. An Amazon spokeswoman didn’t respond to questions about security measures, or what due diligence the company conducted prior to acquiring Ring.

Sam Biddle, reporting today for the Intercept:

At the time the Ukrainian access was provided, the video files were left unencrypted, the source said, because of Ring leadership’s “sense that encryption would make the company less valuable,” owing to the expense of implementing encryption and lost revenue opportunities due to restricted access. The Ukraine team was also provided with a corresponding database that linked each specific video file to corresponding specific Ring customers.

At the same time, the source said, Ring unnecessarily provided executives and engineers in the U.S. with highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras, regardless of whether they needed access to this extremely sensitive data to do their jobs. For someone who’d been given this top-level access — comparable to Uber’s infamous “God mode” map that revealed the movements of all passengers — only a Ring customer’s email address was required to watch cameras from that person’s home. Although the source said they never personally witnessed any egregious abuses, they told The Intercept “if [someone] knew a reporter or competitor’s email address, [they] could view all their cameras.” The source also recounted instances of Ring engineers “teasing each other about who they brought home” after romantic dates. Although the engineers in question were aware that they were being surveilled by their co-workers in real time, the source questioned whether their companions were similarly informed.

Davey Alba, of BuzzFeed, on Twitter:

We reported on Orlando PD’s use of Amazon Rekognition in October & discovered Orlando had made a deal with Ring to crowdsource footage from the app. When we asked, Amazon would not commit to keep the data generated by Ring and by Rekognition separate.

Let’s be charitable here: Amazon, at the very least, acquired a company with poor security practices that sells cameras for use inside customers’ homes.

I don’t have any “internet of things” devices — partly because I’m not really able to replace the thermostat or electrical outlets in my rented apartment, and partly because I don’t want to deal with more software updates. But the security and privacy concerns with these kinds of devices are very real, and should not be underestimated. Consumers should have the confidence that buying one of these products will not make their homes less secure or private in exchange for a marginal gain in efficiency.