Ring Fired Employees For Watching Customer Videos
Amazon-owned home security camera company Ring has fired employees for improperly accessing Ring users’ video data, according to a letter the company wrote to Senators and obtained by Motherboard. Ring Fired Employees For Watching Customer Videos
The news highlights a risk across many different tech companies: employees may abuse access granted as part of their jobs to look at customer data or information. In Ring’s case this data can be particularly sensitive though, as customers often put the cameras inside their home.
“We are aware of incidents discussed below where employees violated our policies,” the letter from Ring, dated January 6, reads. “Over the last four years, Ring has received four complaints or inquiries regarding a team member’s access to Ring video data,” it continues. Ring explains that although each of these people were authorized to view video data, their attempted access went beyond what they needed to access for their job.
“In each instance, once Ring was made aware of the alleged conduct, Ring promptly investigated the incident, and after determining that the individual violated company policy, terminated the individual,” the letter adds. As well as firing workers, Ring has also taken steps to limit such data access to a smaller number of people, the letter reads. It says three employees can currently access stored customer videos.
As The Intercept previously reported, Ring granted a number of workers in Ukraine access to Ring user video for research purposes. In the new letter, Ring says “The R&D team in Ukraine can only access publicly available videos and videos available from Ring employees, contractors, and friends and family of employees or contractors with their express consent.”
Ring’s letter was in response to one multiple Senators sent to the company in November 2019. In that, Senators Ron Wyden, Chris Van Hollen, Edward J. Markey, Christopher A. Coons, and Gary C. Peters asked Ring multiple questions about the security of Ring’s systems.
In response to a wave of incidents where hackers broke into Ring users’ accounts and then harassed customers through their devices, Ring has implemented a number of new security features, such as requiring new signups to use two-factor authentication. In December Motherboard found multiple security issues with the Ring platform, such as Ring allowing logins from unknown IP addresses. Ring has since introduced warning messages when someone logs in from a new location.
“Requiring two-factor for new accounts is a step in the right direction, but there are millions of consumers who already have a Ring camera in their homes who remain needlessly vulnerable to hackers. Amazon needs to go further—by protecting all Ring devices with two-factor authentication. It is also disturbing to learn that Ring’s encryption of user videos lags behind other companies, who ensure that only users have the encryption keys to access their data,” Senator Wyden said in a statement.
When asked specific questions on the termination of employees who abused data access, a Ring spokesperson told Motherboard in an email, “We do not comment on personnel matters.”
Third-Party Trackers Are Pulling Your Data Off Ring’s Android App
Ring, the home security company owned by Amazon, promises to watch the world around you and keep your property safe. But the doorbell app is also surveilling its users, sending personally identifiable information out to third party vendors, according to a new report from the Electronic Frontier Foundation (EFF), the San Francisco civil liberties nonprofit.
Bill Budington, the senior staff technologist who wrote the report, tested the Ring for Android version 3.21.1 app, finding that it was sharing data such as IP addresses, full names, email address, information about whether bluetooth is enabled, and even sensor data from the device being used to access the app.
Budington identified four main companies that received this information, including Branch, which calls itself a “deep linking” platform (meaning it takes people to specific web pages or products). Facebook also received information such as a person’s time zone and was alerted when the app is opened.
AppsFlyer, a big data firm, received information such as when users engage with the Neighbors section of the app, as well as where you installed the app from, and when it was first launched. Mixpanel, a business analytics company that tracks user engagement with apps, received the most identifiable data, such the number of locations a where a user has Ring devices installed, and users name and emails.
Analytics companies take these discrete forms of data and combine it with other internet user data to create a cohesive picture of device usage.
“This cohesive whole represents a fingerprint that follows the user as they interact with other apps and use their device, in essence providing trackers the ability to spy on what a user is doing in their digital lives and when they are doing it,” writes Budington.
This is the most recent in a long line of revelations involving Ring. For example, it partnered with more 400 police departments in sharing device images to accidentally exposing the data of more than 3,000 users, including login details and names of Ring devices (which are often labeled with terms like “bedroom”), and created neighborhood wide panopticons in which neighbors are surveilling neighbors, and paying for the privilege to do so.
Considering Amazon has a patent for “surveillance as a service” (delivery drones perform aerial surveillance at the property of an “authorized party”) along with its facial recognition technology, it’s worth considering how services you use to watch the world are also watching you.