Amazon-owned smart doorbell maker Ring is facing claims that might give some smart home enthusiasts pause. Recent reports from The Intercept and The Information have accused the company of mishandling videos collected by its line of smart home devices, failing to inform users that their videos would be reviewed by humans and failing to protect the sensitive video footage itself with encryption.
In 2016, Ring moved some of its R&D operations to Ukraine as a cost-saving move. According to The Intercept’s sources, that team had “unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world.” That group was also privy to a database that would allow anyone with access the ability to conduct a simple search to find videos linked to any Ring owner. At this time, the video files were unencrypted due to the “sense that encryption would make the company less valuable” expressed by leadership at the company.
At the same time the Ukraine team was allowed this access, Ring “executives and engineers” in the U.S. were allowed “unfiltered, round-the-clock live feeds from some customer cameras” even if that access was completely unnecessary for their work.
Ring reportedly leaned on its team in Ukraine, known as Ring Labs, to fill in the gaps for its troubled AI efforts. Those employees would comb through videos and manually tag objects in order to train software to one day be able to perform the recognition tasks. The videos included video from outside houses as well as video inside of them.
The company objected to The Intercept’s characterization of the situation, claiming that the training material was culled from public videos via a Ring app called Neighbors, a neighborhood watch app. It’s not clear that participants in the Neighbors app are aware that their videos are being reviewed manually by Ring’s “data operators” in Ukraine.
Ring provided the following statement to TechCrunch:
We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring video recordings. These recordings are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes. Ring employees do not have access to livestreams from Ring products.
We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.
While it sounds like Ring may not have taken user privacy very seriously in the past, that attitude appears to have shifted upon the company’s acquisition by Amazon last year. The Information describes that scenario in reporting from December:
After a visit by Amazon representatives to the Ukraine office in May, Amazon moved to restrict access to sensitive customer information, former employees said, requiring a digital key that could only be used from within the Kiev office.
But employees quickly found ways around the restriction. “We had to apply and get access. The Ukraine office wasn’t comfortable with this, so we found a workaround,” a former Kiev employee said. “Workers could then access the system from any computer, at home or anywhere.
It’s impossible to know if Amazon is running a tight ship with Ring’s sensitive user data now, but it’s yet another reason to consider the privacy risks posed by smart home devices, particularly surveillance ones. Setting up an at-home panopticon might feel more secure, but know you might not be the only one keeping a watchful eye on your home.