Shocking Absolutely No One, Ring Admits Employees Improperly Accessed Customers' Data
from the who-could-have-seen-this-coming dept
Ring never fails to disappoint. And by "disappoint," I mean never fails to be disappointing. This pleases me. So, I guess Ring never fails to please… by being incessantly disappointing.
I realize this is beginning to resemble a beating that continues long past the point the victim has lapsed into unconsciousness. But if Ring hadn't made itself such an inviting punching bag, I would not continue to rain down printed blows on its oh so very soft body.
Ring first grabbed our attention by offering up a snitch app that encouraged neighbors to start talking about suspicious people in their neighborhood. This app also happened to be a portal for the voluntary sharing of footage captured by Ring cameras, most of which were built into Ring's "smart" doorbells.
From there, things went from bad to worse to godawful to horrendous to PR-team-on-constant-suicide-watch. It has been super-enjoyable for me (and hopefully for Techdirt readers) for two reasons:
1. Ring promiscuously got in bed with over 600 law enforcement agencies, selling them "free" cameras to hand out to homeowners with some implicit/not-so-implicit strings attached. In return, law enforcement agencies gave up their authority and autonomy, granting Ring permission to write their press releases and statements for them.
2. Ring does not care about its customers. It enjoys a commanding lead in the market, but it has produced yet another internet-connected thing that it does not bother to secure properly. When breaches happen -- and they are unimaginably horrifying breaches that involve hijacked cameras -- the company says customers should have done more to secure their devices, rather than accept any responsibility for doing as little as possible to prevent this sort of thing from happening.
So, the latest news is more fuel for the dumpster fire. It's not just cops grabbing footage without bothering with the Fourth Amendment niceties. There's also abuse happening internally -- the sort of abuse you'd expect when you give people access to a wealth of personal information.
The doorbell-camera giant Ring has terminated employees in recent years for improperly accessing users’ video data, parent company Amazon told lawmakers this week, an admission that could increase pressure on the firm to prove it protects customer privacy.
The company has investigated four complaints regarding employees abusing their access to camera data over the past four years, Brian Huseman, a vice president of public policy at Amazon, wrote in a letter to five senators this week.
The company did not provide any detail about the data that was improperly accessed, but considering how much data Ring collects -- along with footage from millions of cameras -- the imagination is free to run wild.
This is the latest unsurprising development for Ring. Give enough people access to intimate recordings and data, and abuse is bound to happen. Maybe the Ring employees were just following the lead of their law enforcement partners, who also have access to a great deal of personal info and abuse this access with alarming frequency.
I'm sure Ring will weather this news cycle as it has every other over the past 12 months: by claiming it takes everyone's security seriously and sending out tweets to anyone tagging the company with the latest bad news saying the coverage is inaccurate. But no one believes Ring, especially when its defensive tweets talk their way around direct questions and link to talking points delivered by Ring reps.
Ring is no longer just a dumpster fire d/b/a a security camera company. Its flaming dumpster existence is mounted to every flatbed car on a never-ending train wreck. It can't pull the plug on its thousands of buddy cops. And it appears to be far more interested in market growth than properly serving the customers it already has. Things will get worse. That's it. There's no "before it gets better." At best, Ring can only hope to fade from the public eye before it alienates any more of its past and future customers.
Filed Under: abuse, doorbells, employees, police, surveillance, video
Companies: amazon, ring
Reader Comments
Maybe Ring should ditch the Neighbors App and come out with a CoWorkers App.
[ link to this | view in thread ]
Amazon tells its employees to be "customer-centric." I guess that doesn't apply to subsidiaries.
[ link to this | view in thread ]
And what exactly should they have done? Most of the suggestions involve making the device harder to use, and it's a truism in the world of computer security that "security at the expense of usability comes at the expense of security."
In other words, if you make the security difficult to use, users will invariably do things to deal with that difficulty that end up subverting the security of the system. (The classic example is writing down mandatory hard-to-remember passwords on post-it notes stuck to the side of your workstation.)
When it comes down to it, the users' security is ultimately in their own hands, and if they don't take it seriously, they've got no one to blame but themselves. Simply because there are a lot of people who don't doesn't change that basic fact.
[ link to this | view in thread ]
....and as it has been demonstrated, nothing will happen to the employees that illegally used those users' data.
[ link to this | view in thread ]
Re:
The employees are being customer-centric. What, you thought the people who buy Ring devices are the customers? No, they're the product.
[ link to this | view in thread ]
Re:
They could have used something other than a password as the default authentication method. For example, by cryptographically pairing the app and camera (maybe hold up a QR code and press a button on the camera). That makes things easier, because there's no password. Notifying the existing authorized devices whenever a new one is granted access wouldn't harm usability either.
[ link to this | view in thread ]
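The pairing idea in the comment above, sketched as an added example (not part of the original comment and not Ring's code): a button press opens a single-use pairing window, the QR secret authorizes one new device, and every already-paired device is notified. The names `Camera`, `App` and `press_button` are hypothetical, and a shared HMAC key stands in for the public key a real design would register; the pairing message is assumed to travel over an encrypted local channel.

```python
import hashlib
import hmac
import secrets

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class Camera:
    """Hypothetical camera: no password, only paired per-device keys."""
    def __init__(self):
        self.devices = {}         # device_id -> per-device key
        self.notifications = []   # (recipient device_id, message)
        self._pairing_secret = self._nonce = None

    def press_button(self):
        # The physical button opens a pairing window; the QR code carries this secret.
        self._pairing_secret = secrets.token_bytes(16)
        return self._pairing_secret

    def pair(self, device_id, device_key, proof):
        secret, self._pairing_secret = self._pairing_secret, None  # single use
        if secret is None or not hmac.compare_digest(
                _mac(secret, device_id.encode() + device_key), proof):
            return False
        for existing in self.devices:  # tell every already-paired device
            self.notifications.append((existing, f"new device paired: {device_id}"))
        self.devices[device_id] = device_key
        return True

    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def verify(self, device_id, response):
        nonce, self._nonce = self._nonce, None  # each challenge is single use
        key = self.devices.get(device_id)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(_mac(key, nonce), response)

class App:
    """Hypothetical phone app holding a randomly generated device key."""
    def __init__(self, device_id):
        self.device_id = device_id
        self.key = secrets.token_bytes(32)

    def pairing_proof(self, qr_secret):
        # Proves the app saw the QR code shown during the pairing window.
        return _mac(qr_secret, self.device_id.encode() + self.key)

    def respond(self, nonce):
        return _mac(self.key, nonce)
```
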
Re:
I dunno, they didn't take the absolutely basic step of requiring users to change the default password. That doesn't seem likely to cause problems.
[ link to this | view in thread ]
I hate these corporations who know they can get away with anything and get fined very little even on those rare occasions when a court determines that they have crossed the line, and it seems that line is getting farther and farther away.
[ link to this | view in thread ]
Stupid people who buy stupid products deserve the consequences of their stupidity. "Gee honey, instead of just setting up our own camera, let's set up this camera and microphone that's soooo cool because it sends video over the internet somewhere to someone."
I don't feel sorry in the least for any fucking idiot who installed one of these idiotic ring dumbells. They're just lucky it isn't a piece of machinery that they could kill themselves with by operating it with just as much ignorance.
[ link to this | view in thread ]
Re: Re:
I also recommend 2FA. I've lost count of the number of bad actors trying to break into my emails, etc., who were thwarted by this. RE: hard-to-remember passwords, choose a random word you don't often use (so no one else will guess it). Replace the vowels with numbers and add an exclamation mark to the end. Job done. Of course this means that if I log into my emails from work, I have to check my mobile phone for the PIN provided by my email service, but that's a minor inconvenience compared to the hassle of having my emails hijacked by a spammer sending all sorts of malware in my name, etc.
[ link to this | view in thread ]
Re: Caveat emptor
That's not how they're advertised, bobob. They're sold (in the UK) as a way of keeping an eye on your property remotely. This is what their ads look like to me:
Exterior walleye view of someone in a hoodie sauntering around the back of someone's house. He ducks behind a chair and bends down to pick something up.
Unseen male speaker: Hi Billy, what are you doing?
Billy: Just getting my ball.
Exterior view of someone approaching, who then appears to look through the glass of the front door.
Unseen female speaker: Can I help you?
Potential burglar turns and flees
As far as Joe Punter knows, the doorbell camera and mic are hooked up to his mobile phone. He's not aware that any film is being stored anywhere else for anyone else to see. He's not stupid, just uninformed. And that's the way Ring likes it.
As I've stated many times before I get most of my tech information from TD. If not for TD, I wouldn't be aware that the IOT is something you confront with a crucifix and holy water instead of welcoming the Shiny New Thing with open arms. Alas, not all of us read TD or the tech press, and I don't tend to see these stories in the MSM. My daily Metro doesn't carry these cautionary tales and it's not widely discussed on the internet, except in tech circles.
This is what consumer protections are for.
[ link to this | view in thread ]
Re: Re: Re:
That's exactly the wrong advice to be giving someone (or following!) regarding passwords. Try googling "correct horse battery staple" for an explanation on why that's a bad idea and how to do it better.
[ link to this | view in thread ]
Re: Re: Caveat emptor
There is also that Buzzard I.T. site that is as informative and good for a laugh.
A great accompaniment to T.D.
[ link to this | view in thread ]
Re: Re: Re: Re:
If that's true, how come I've had multiple attempts to break into my accounts and no one has succeeded?
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
Probably because the "bad actors" don't care about getting into your accounts. They just need some accounts to send spam from.
[ link to this | view in thread ]
Re: Re: Caveat emptor
It doesn't matter how they are advertised. The fact that the camera can send data to your mobile phone is enough to know what's wrong with the device. The fact that the data are stored somewhere other than on your home computer is enough to know what's wrong with the device.
[ link to this | view in thread ]
Re: Re: Caveat emptor
Actual film, eh? Who knew...
[ link to this | view in thread ]
Re: Re: Caveat emptor
As far as Joe Punter knows, the doorbell camera and mic are hooked up to his mobile phone. He's not aware that any film is being stored anywhere else for anyone else to see. He's not stupid, just uninformed. And that's the way Ring likes it.
Yes, in that case, Joe Punter is stupid, very stupid.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re:
I'm convinced it was the trolls who were harassing me some years ago. They did everything else (including trying to plant keyloggers on my PC, which my anti-malware always caught, so they never succeeded), why not that? And they hacked into other targets' accounts, so why not try to get into mine? I was locked out of my own email account for three days because they'd tried to guess the password so many times.
I switched to another email provider, where I see less frequent attempts to break in, which are always thwarted by 2FA. Since they don't appear to have tried anything more than try to guess my password I'll assume it's just random spammers trying to use my account as you described.
But yes, I've experienced actual direct harassment from people who bragged about targeting me. When I left that community, it tailed off and stopped.
The point is, my methods work perfectly well for me. I'm not stupid enough to leave the kind of information online that could be used for social engineering so, as far as I'm concerned, they're bomb-proof.
[ link to this | view in thread ]
Re: Re: Re: Caveat emptor
The fact that the camera can send data to your mobile phone... The fact that the data are stored somewhere other than on your home computer is enough to know what's wrong with the device.
If you're tech savvy. Joe Punter thinks it only goes to his phone. I would have if I didn't read TD.
[ link to this | view in thread ]
Re: Re: Re: Caveat emptor
Sigh! Okay, how did you find out about IOT security being weak? You don't "just know" it. Someone has to explain this to you at some point.
Being rude about people who would be glad to learn if someone just pointed them in the right direction doesn't make them want to learn from you. As I said, I only know about this from TD. I don't see information about it elsewhere, except in the tech press. It's not widely reported.
[ link to this | view in thread ]
Re:
A post-it note with the password stuck right to the door would not make you any less secure against the kinds of abuses detailed in this article. Not sure if it would make you less secure against a criminal who breaks in though, as I'm not sure what all can be done with that password. Still, that's no worse than a generic default password, which seems to be what they do right now. And it seems better in general to protect against the networked threats -- where you may be under attack by any number of adversaries at any time -- than the lone burglar, which isn't going to happen very often.
Security is neither binary nor monolithic. It's not just how well you protect it, it's also what you protect against. There's a lot of security that would be entirely transparent to the end-user (like making sure their employees don't generally have access to users' recordings. How the F- did anyone think THAT was a good idea??)
[ link to this | view in thread ]
Re: Re: Re: Re: Caveat emptor
You RTFM, you look things up online if you don't understand them, and you don't buy something if you don't understand what the hell it is. Simple enough...
[ link to this | view in thread ]