Amazon’s Ring devices reportedly granted the company's Ukraine-based research and development team as well as U.S. executives and engineers virtually unfettered round the clock access to live feeds from some customer’s cameras, claims which Ring denies.
The workers, regardless of whether they needed the information or not, allegedly had access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world, all of which was searchable by a user’s email address, anonymous sources told the Intercept.
The team was also given a database that linked each video to the Ring customer it belonged to. At the time they were granted access, the videos were allegedly stored unencrypted as the company’s leadership at the time felt encryption would make the company less valuable as the result of lost revenue opportunities due to restricted access.
The source said the decision to grant access to the Ukraine team was partially based on the weaknesses of the firm’s in-house facial and object recognition software that had trouble determining differences between people and animals, often leading to false alerts to customers.
The researchers would step in to help train the technology to recognize and differentiate between objects in hopes that it would be able to do it on its own in the future.
Although the source said they never personally witness any abuse of the data, a separate source said at times employees showed each other videos they were annotating and described some of the things they had witnessed, including people kissing, firing guns, and stealing.
However, a source did say “If [someone] knew a reporter or competitor’s email address, [they] could view all their cameras” and recounted instances of Ring engineers “teasing each other about who they brought home” after romantic dates.
Since Amazon acquired the firm, some security measures have been put in place to prevent access to sensitive customer information but some sources told the publication staffers know of ways to circumvent these protections with a former Ukrainian employee saying they could access the system from any computer, at home or anywhere.”
“Ring does not provide and never has provided employees with access to livestreams of Ring devices,” a Ring representative denied the claims.
"We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring video recordings," A Ring spokesperson told SC Media.
"These recordings are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes. Ring employees do not have access to livestreams from Ring products. We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them."
Obsidian Securi Director of Research Laura Norén told SC Media that labeling images by teams of humans is incredibly common but many consumers are led to believe that artificial intelligence like facial recognition is strictly a computational practice.
"That is rarely true,” Norén said. “The algorithms in most artificial intelligence applications are 'trained' using data labeled by humans. Ring's leadership should have requested explicit consumer consent, in plain language, to share access to feeds coming from inside their customers' homes with the Ukrainian research team.”
Norén added that bigger ethical concern stems from cameras pointing towards public streets and neighbors' yards which are the bread and butter of the Ring product and in those situations the customer is not legally able to give consent to Ring to capture, store, or share video feed data.
In addition,Norén said while customers could decide to let Ring researchers access videos of them, they cannot give second party consent for Ring to access images of their neighbors or the general public.
“Another concern stems from Ring's reported practice of storing unencrypted videos and images in a single Amazon Web Services bucket,”Norén said. “This trove of geo-tagged video data presents a juicy target for cybercriminals. A tenet of capable data guardianship requires that privacy sensitive data should be encrypted in transit and at rest."
