Nest Competitor Ring Reportedly Gave Employees Full Access To Customers' Live Camera Feeds (9to5google.com)
Amazon-owned Ring allowed employees to access customers' live camera feeds, according to a report from The Intercept. "Ring's engineers and executives have 'highly privileged access' to live camera feeds from customers' devices," reports 9to5Google. "This includes both doorbells facing the outside world, as well as cameras inside a person's home. A team tasked with annotating video to aid in object recognition captured 'people kissing, firing guns, and stealing.'" From the report: U.S. employees specifically had access to a video portal intended for technical support that reportedly allowed "unfiltered, round-the-clock live feeds from some customer cameras." What's surprising is how this support tool was apparently not restricted to only employees that dealt with customers. The Intercept notes that only a Ring customer's email address was required to access any live feed.
According to the report's sources, employees had a blase attitude to this potential privacy violation, but noted that they "never personally witnessed any egregious abuses." Meanwhile, a second group of Ring employees working on R&D in Ukraine had access to a folder housing "every video created by every Ring camera around the world." What's more, these employees had a "corresponding database that linked each specific video file to corresponding specific Ring customers." Also bothersome is Ring's reported stance towards encryption. Videos in that bucket were unencrypted due to the costs associated with implementation and "lost revenue opportunities due to restricted access." In response to the report, Ring said: "We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them."
What did you think would happen?
phonehome device owners shocked to learn device is phoning home
welcome to the future
welcome to Cloudthing, Smartproduct, and Alwaysonline
this is for your safety
this is for your convenience
this is for your user experience to be reliable and carefully controlled
this is not for our sake
"In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them."
I think you mean "if we get caught with bad actors."
The worst acting here is pretending this wasn't all done intentionally.
But anyone that trusts their privacy to Ring gets what they deserve.
"Eve of Destruction", it's not just for old hippies anymore...
...but any network-connected camera with proprietary firmware might phone home without your knowledge. The only sure way to prevent this with untrusted firmware is by isolating those cameras on their own network with no Internet access.
Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
I recommend that instead of Ring, people should get the DEBARK Smart Video Doorbell.
It's less expensive (~$78 on Amazon) and it can record to SD card, SDVR, or a cloud service of your choosing (optional). Comes with a free remote indoor chime, and from what I understand, it's easy for it to connect to your old doorbell chime. Can be used wired or wireless. Two-way audio, and very good night vision capability.
Ring is waaaaaay overpriced and they force you to use their paid cloud service. Yes, it's only $3 a month, but why be forced to pay anything? The cheaper models won't let you do anything besides receive alerts and watch live video.
And, for the record, I have no connection to DEBARK, I just think their wireless doorbell is FAR better than the crap that Ring puts out.
Just cruising through this digital world at 33 1/3 rpm...
It is a new Netflix Reality Show.
Make sure it's a USB webcam that only gets used when needed.
Build your own CCTV network.
Network your own CCTV to a wider network you designed, understand and trust.
Don't let cameras and microphones connect to a network you did not set up.
Domestic spying is now "Benign Information Gathering"
Once considered a Nest thermostat, then Google bought them out, and decided “NOPE!”
Same thing when Amazon bought Ring: “NOPE!”
Today I feel validated in my decisions.
AC comments get piped to
If you are a technologist, then lead the way. Gently educate your family and friends that *everything* is tracked by these companies, especially by the large tech firms that offer "free" services. These companies do not respect privacy or personally identifying information (PII) because it's a big reason how they make money. The US has no laws to protect individuals' personal data. The US has no restrictions on what data can be collected and stored beyond the weak and easily bypassed age checks.
Non-technical people have no real understanding about how easy and effortless it is to log, store, and analyze every keystroke, mouse movement, mouse click, touch gesture, search query, location, picture, video, audio, document, email, phone call, website visit, instant message, etc. And they have no concept that the largest tech companies also buy personal data from smaller companies to supplement their own.
The US needs protections for privacy now.
Well, I'm sure they have people watching employees all the time and none of the files ever escape. Right?
"In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them."
Newsflash: if you allow your employees unfettered access of this sort, you have already lost the game. It's too late once you "find bad actors". You need to set things up so that as much as possible, bad actors can't do these things.
Or in other words: preventative measures, not reactive measures, are what you want. Sure, there will be some employees who need that sort of access. So you lock it down to the maximum you can manage.
This is privacy 101. That they got this stuff wrong does not speak well for the rest of their systems.
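Added example (not part of the thread and not Ring's code): a sketch of the preventative control the comment above argues for, in contrast to the email-only lookup described in the summary. A live feed opens only for a support-role employee holding a customer-approved, time-limited grant for that one camera, and every decision is logged. All class, role and ticket names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    """Customer-approved, time-boxed permission: one employee, one camera."""
    employee: str
    camera_id: str
    ticket: str
    expires: datetime

class FeedGate:
    """Deny-by-default gate in front of live feeds (all names hypothetical)."""
    ALLOWED_ROLES = {"support"}

    def __init__(self, roles):
        self.roles = roles      # employee -> role
        self.grants = []
        self.audit = []         # every decision is recorded, allowed or not

    def approve(self, employee, camera_id, ticket, now, minutes=30):
        """Record the customer's approval for a single support ticket."""
        expires = now + timedelta(minutes=minutes)
        self.grants.append(Grant(employee, camera_id, ticket, expires))

    def request_feed(self, employee, camera_id, now):
        allowed, reason = False, "no customer-approved grant"
        if self.roles.get(employee) not in self.ALLOWED_ROLES:
            reason = "role not permitted"
        else:
            for g in self.grants:
                if (g.employee, g.camera_id) != (employee, camera_id):
                    continue
                if now < g.expires:
                    allowed, reason = True, "grant " + g.ticket
                    break
                reason = "grant expired"
        self.audit.append((now.isoformat(), employee, camera_id, allowed, reason))
        return allowed

if __name__ == "__main__":
    t0 = datetime(2019, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed data
    gate = FeedGate({"alice": "support", "bob": "research"})
    gate.approve("alice", "cam-1", "TICKET-1", t0)
    for who, cam, when in [("alice", "cam-1", t0), ("alice", "cam-2", t0),
                           ("bob", "cam-1", t0),
                           ("alice", "cam-1", t0 + timedelta(hours=1))]:
        print(who, cam, gate.request_feed(who, cam, when))
```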
OP: Videos in that bucket were unencrypted due to the costs associated with implementation and "lost revenue opportunities due to restricted access."
Translation: They are selling the videos to 3rd-parties.
Goddamn.
=^..^= all your rodent are belong to us
Yeah, this seems like a "step 1: install cameras everywhere" for your "convenience" or "security". Step 2: allow law enforcement to have access, monitor when someone is home, etc.. I fear we will look back on this decade as when the groundwork was laid for the rest of our privacy to be taken away. So many of us willingly.
If only there were some way they could WATCH their employees remotely......any ideas anyone?
This is why I (and likely most people around here) refuse to buy these cloud cameras. For all the people who did buy into it, they were warned and warned that this sort of thing was almost a given. Now what are they upset about?
They were/possibly still are giving China full access to our rings.
Quite honestly, we will be switching to Nest doorbell in the near future. I want to be able to see my doorbell from Google Assistant, as well as I like the constant circular recording.
I prefer the "u" in honour as it seems to be missing these days.
Just wondering if anyone has experience with a roll your own system using RTSP cameras. Any cheap cameras you can recommend that are usable without sending data to the cloud? I tried my hand hacking a couple of the cheap XiaoFang cameras ( https://github.com/samtap/fang...) but haven't been successful to date.
Would love 2-3 such low powered cameras I could get to record locally using VLC or similar. Just a basic set-up.
I'd be shocked, SHOCKED if there was a part of Amazon that didn't collect all of the data that they could. That's what they do. That's how they make money. Of course they're looking at your stuff. You're PAYING THEM TO.
I don't respond to AC's.
Arlo, Ring, Nest, etc. Probably the same from our own government like NSA! :P
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
$5 / month hosted VPS on linux = awesome!
Possibly; after all, they've got all the gear at hand that's necessary!
No, but neither did/do I know what Nest is. At least now I know that they compete in whatever they do.
The above is not "Score 4, Insightful." It is "Score -1, Idiot."
Ooh, moderator points! Five more idjits go to Minus One Hell!
Delendae sunt RIAA, MPAA et Windoze
This sort of behavior from device makers is just abhorrent. Is there any decent camera setup that can allow only the user to access features? I mean I want to be able to check the video from my phone, but I want to use a firewall in front of any device so that it can't talk outbound to ANYTHING else including the vendor's networks. My phone isn't likely to have a consistent IP address and I don't know if any company offers security cameras that don't depend on any vendor interaction for the features to work. We have got to push the IoT industry to have LAN side only access and user only interaction, where no trust is given to the device vendor and there is little or no opportunity for remote exploit, but we need to have decent ways to interact securely when we want to interact with IoT devices remotely. Maybe LAN and VPN allowed, but no public internet in or out?
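Added example (not part of the thread): a check that the isolation suggested in the comments above, cameras reachable from the LAN and a VPN only, actually holds. It audits flow records for camera traffic to or from any other address. The subnets and the three-field `src dst dport` record format are assumptions, and the sample flows are constructed.

```python
import ipaddress

CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")   # assumed camera VLAN
TRUSTED_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),            # assumed home LAN
    ipaddress.ip_network("10.8.0.0/24"),               # assumed VPN address pool
]

# Constructed flow records, one per line: "src dst dport"
SAMPLE_FLOWS = """\
192.168.1.20 192.168.50.11 554
10.8.0.2 192.168.50.11 554
192.168.50.11 203.0.113.40 443
198.51.100.7 192.168.50.12 554
192.168.50.12 192.168.1.5 123
not-an-ip 192.168.50.11 80
"""

def _permitted_peer(ip):
    """A camera may only talk to the LAN, the VPN pool, or another camera."""
    return ip in CAMERA_NET or any(ip in net for net in TRUSTED_NETS)

def audit_flows(text):
    """Return (line_no, finding, src, dst, dport) for each policy violation."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port = int(parts[2])
        except ValueError:
            # Do not silently skip records the audit could not evaluate.
            findings.append((n, "unparsed", parts[0], parts[1], parts[2]))
            continue
        if src in CAMERA_NET and not _permitted_peer(dst):
            findings.append((n, "camera-egress", str(src), str(dst), port))
        elif dst in CAMERA_NET and not _permitted_peer(src):
            findings.append((n, "untrusted-ingress", str(src), str(dst), port))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```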