Ring employees reportedly had access to all live and recorded customer videos

Ring, the smart home device startup Amazon acquired for $1 billion in March 2018, reportedly has a security problem: some of its employees were given unfettered access to footage from customers’ Ring security cameras.

The Intercept, citing an anonymous source, today reported that beginning in 2016, Ring provided its Ukraine-based research and development division — Ring Labs — access to a folder on Amazon’s S3 cloud storage service containing every video recorded by every Ring camera around the world. Moreover, it says that team members were provided a database linking each video to corresponding Ring customers.

Downloading the files wouldn’t have required more than a few clicks, the publication notes — they weren’t encrypted, reportedly because Ring leadership believed it would be too costly and rule out future revenue opportunities.

News of Ring’s lax security practices emerged late last year, but The Intercept’s report pulls back the curtain on specific lapses. It comes roughly three months after The Intercept revealed that IBM secretly collaborated with the New York City Police Department to develop a camera system that could search for people by skin color and gender, and six months after the American Civil Liberties Union found that Amazon had provided its cloud-based Rekognition facial detection service to law enforcement.

Ring Labs staff was tasked with manually tagging and labeling objects to build databases that could be used to improve Ring’s computer vision algorithms. A second source told The Intercept that recorded videos came from both in-home and exterior Ring cameras, and that some of the frames employees annotated showed “people kissing, firing guns, and stealing.”

Ring’s privacy terms of service and privacy policy make no mention of manual video annotation, noting only that owners “may choose to use additional functionality in … Ring product[s] that, through video data from your device, can recognize facial characteristics of familiar visitors.”

The reported reason for the annotation was to make Ring’s object detection and facial recognition software more robust. According to a recent report in The Information, Ring cameras’ Neighbors feature, which Ring advertises as a distributed surveillance platform that can detect attempted burglaries and distinguish between familiar and unfamiliar people, frequently reports false positives.

Additionally, The Intercept says, Ring liberally provided U.S.-based executives and engineers access to its support video portal, allowing them to view live footage from cameras “regardless of whether they needed access to … do their jobs.” With no more than an email address, these employees could pull up feeds from any customer.

The Intercept’s source claims that they never witnessed Ring staff abusing the feature, but recalled instances of engineers “‘teasing each other about who they brought home’” after dates.

According to The Intercept, Ring reined in access to live and recorded video footage following Amazon’s acquisition. But sources told the publication that staffers in Ukraine work around the restrictions.

In a statement provided to The Intercept, Ring spokesperson Yassi Shamiri said that the company “take[s] the privacy and security of our customers’ personal information extremely seriously,” and that it has “strict policies in place for … team members [and] implement[s] systems to restrict and audit access to information.”

“We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties,” he added. “In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.”

We’ve reached out to Amazon for comment, and will update this article when we hear back.

via VentureBeat

January 10, 2019 at 09:45PM