Amazon Ring App Found To Be (Again) Exposing User Locations, Home Addresses

from the fool-me-once dept

While Amazon Ring and other doorbells certainly deliver a certain convenience, they've created no shortage of entirely new problems. Problems that could have been avoided with just a bit of foresight and ethical behavior. First comes the fact they're being integrated into our already accountability-optional law enforcement and intelligence apparatus. Then, like the rest of the "let's connect everything to the internet but do a shit job on basic security and privacy because it costs money" IOT sector, they can't be bothered to get the fundamentals right when it comes to consumer security.

The latest example involves Ring failing to adequately secure users information when they share to the Ring "Neighbors" portion of the Ring app. Journalists had already showcased how Ring's security standards were hot garbage. And while Amazon has taken some steps to address those concerns (like making two-factor authentication mandatory), this week it was revealed that Ring’s Neighbors app was exposing the precise locations and home addresses of users who had posted to the app:

"While users’ posts are public, the app doesn’t display names or precise locations — though most include video taken by Ring doorbells and security cameras. The bug made it possible to retrieve the location data on users who posted to the app, including those who are reporting crimes."

Whoops-a-daisy!

The disclosure comes on the heels of a similar report from Gizmodo last year that found it wasn't too difficult to ferret out hidden data allowing journalists (and anybody else) to map the location of Ring users nationwide:

"Examining the network traffic of the Neighbors app produced unexpected data, including hidden geographic coordinates that are connected to each post—latitude and longitude with up to six decimal points of precision, accurate enough to pinpoint roughly a square inch of ground."

Neat! Ring's already facing a class action lawsuit from users not particularly happy about receiving death threats and racist slurs after their Ring smart cameras were hacked.

Purportedly, Ring's Neighborhood functionality is generally supposed to help communities band together and discuss potential security threats. Kind of a neighborhood watch for the modern era. More often, however, the functionality results in people engaging in paranoid hyperventilation about minorities or homeless people getting a skosh too close to the azaleas.

If you're going to be earning additional billions from selling access to consumer residential cameras to intelligence and law enforcement every year, it seems like the very least you can do is invest a little bit more in taking consumer privacy and security seriously, even if "caring about consumers" and "selling their camera surveillance and location data to any nitwit with a nickel" operate somewhat discordantly.

Filed Under: doorbell, locations, privacy, ring
Companies: amazon, ring

Law Enforcement Has Been Using OnStar, SiriusXM, To Eavesdrop, Track Car Locations For More Than 15 Years

from the no-amount-of-premium-gasoline-will-buy-loyalty dept

Thomas Fox-Brewster of Forbes is taking a closer look at a decade-plus of in-car surveillance, courtesy of electronics and services manufacturers are installing in as many cars as possible.

Following the news that cops are trying to sweat down an Amazon Echo in hopes of hearing murder-related conversations, it's time to revisit the eavesdropping that's gone on for years prior to today's wealth of in-home recording devices.

One of the more recent examples can be found in a 2014 warrant that allowed New York police to trace a vehicle by demanding the satellite radio and telematics provider SiriusXM provide location information.

In this case, SiriusXM complied by turning on its "stolen vehicle recovery" mode, which allowed law enforcement to track the vehicle for ten days. SiriusXM told Forbes it only does this in response to search warrants and court orders. That may be the case for real-time tracking, but any location information captured and stored by SiriusXM can be had with nothing more than a subpoena, as this info is normally considered a third-party record.

It's not just satellite radio companies allowing cops to engage in surreptitious tracking. OnStar and other in-vehicle services have been used by law enforcement to eavesdrop on personal conversations between drivers and passengers.

In at least two cases, individuals unwittingly had their conversations listened in on by law enforcement. In 2001, OnStar competitor ATX Technologies (which later became part of Agero) was ordered to provide "roving interceptions" of a Mercedes Benz S430V. It initially complied with the order in November of that year to spy on audible communications for 30 days, but when the FBI asked for an extension in December, ATX declined, claiming it was overly burdensome.

[...]

In 2007, the OnStar system in a Chevrolet Tahoe belonging to a Gareth Wilson in Ohio contacted OnStar staff when an emergency button was pushed. As noted in a 2008 opinion from the case, Wilson was unaware the button had been hit. Subsequently, an OnStar employee heard the occupants discussing a possible drug deal, and allowed an officer from the Fairfield County Sheriff's Office to listen to the conversation. When the vehicle was located and searched, marijuana was found and an indictment filed days later. Ironically, the suspect hadn't even signed up to the OnStar service, but it hadn't been switched off.

The 2001 case didn't end well for law enforcement. It wasn't that the court had an issue with the eavesdropping, but rather that the act of listening in limited the functionality of the in-car tech, which the court found to be overly-burdensome.

OnStar is also asked to engage in real-time tracking by law enforcement. While OnStar denies it collects location info, it too has a stolen car recovery mode that allows OnStar to track vehicles. OnStar also says it will only do this in response to warrants and court orders -- or unless "exigent circumstances" necessitate the bypassing of these constitutional protections. What OnStar definitely won't do is let the public know how many times law enforcement has asked to track vehicles. The company told Forbes it "doesn't release the number of these requests."

Plenty of vehicles come with built-in GPS-reliant devices, most of which perform some sort of data retention. Anything not considered to be "real-time" can be obtained without a warrant, thanks to the incredibly-outdated Third Party Doctrine. Private conversations can be captured and recorded with warrants, which makes a large number of vehicles on the road confidential informants on standby.

Courts have generally been sympathetic to law enforcement use of in-car technology, finding the use of built-in "tools" to be less intrusive than officers installing their own devices on suspects' vehicles. Certainly law enforcement finds these pre-equipped listening/tracking devices more convenient as well.

The expansion of in-car tech has led to a great many opportunities for law enforcement, at the expense of privacy expectations. While drivers certainly can't "reasonably" expect their travels on public roads to be "private," the collection of location data by third parties basically puts drivers under constant surveillance, relieving law enforcement from the burden of actually having to dedicate personnel, vehicles, and equipment to this task. And if cops can't get this location info from in-dash systems, they can probably grab it from the drivers' cell phone service providers.

Law enforcement may find encryption to be slowing things down in terms of accessing cell phone contents, but everything else -- from in-car electronics to the Internet of Things -- is playing right into their hands.

Filed Under: locations, onstar, police, privacy, surveillance, tracking
Companies: onstar, siriusxm

Best Hollywood Set Locations Represent A Trade Secret?

from the yeah,-good-luck-with-that dept

THResq has a post about a lawsuit involving two companies who are focused on the business of finding the right set location for Hollywood films and movies. Apparently, it's a huge business. Universal Locations is upset that two of its employees went to a competitor called Site to Site Locations, and so they're suing, saying that the employees took trade secrets with them. The thing is, it appears that Universal Locations is trying to get past longstanding and well-established California laws barring non-compete agreements, because the state, reasonably, finds it ridiculous that you could ever be barred from making a living because you're too good at your job. Claiming "trade secrets" seems like an attempt to avoid that, but hopefully the court knocks that down pretty quickly by arguing against a ruling that would take away the ability of these two individuals to work in their field of expertise. Of course, it should come as no surprise that it's some movie industry companies making this argument. In a world where IP is highly overrated, no wonder they would think that they could effectively put DRM on former employees to keep them from competing in the same field.

Filed Under: hollywood, locations, noncompetes, sets, trade secrets