Leak claims Ring staff had 'unfettered' access to unencrypted videos

A new leak alleges major security concerns revolving around Amazon Ring, a line of security camera products designed for inside and outside of one's home. Amazon acquired Ring in 2018 for $1 billion, expanding its hardware portfolio while offering consumers a way to increase their home security. A new report claims poor privacy practices at Ring have left its customers vulnerable, however.

Citing multiple sources, The Intercept claims that Ring began allowing its Ukraine-based R&D team to access a cloud folder that contained every video created by a Ring camera globally, including ones captured within customers' homes. The team reportedly had the ability to view and download the videos, which were unencrypted.

The reason for the alleged lack of encryption, the sources claimed, was Ring leadership's belief that the increased expense of implementing the security could "make the company less valuable." The data access didn't stop there, the report claims, also including access to a database that linked specific Ring customers with videos recorded by their cameras.

In addition to the Ukrainian R&D team, Ring also reportedly gave US-based engineers and executives "highly privileged access" they didn't require to a video portal containing customer camera videos. This alleged access was said to be available even in cases where it wasn't necessary for the individuals to perform their job; sources claim a customer's email address was the only data needed to pull up their camera feeds.

As far as the Ukraine access is concerned, the report claims Ring provided the videos due to a lack of advanced object and facial recognition. In its place, Ukraine-based "data operators" were reportedly tasked with tagging objects present in videos from customers' cameras, the goal being the eventual ability to do this — with a higher degree of accuracy — automatically.

Ring failed to comment on the company's past data policies and changes compared to the current policy. However, the company said in a statement that it takes customer privacy "extremely seriously," acknowledging the annotation of "certain Ring videos." The company claims the videos used for annotation were publicly shared via the Neighborhood app and customers "who have provided their explicit written consent to allow us to access and utilize their videos for such purposes."

The report points out, however, that Ring fails to mention Ukrainian R&D researchers could access customer videos for annotation in its privacy policy and terms of service.

Update:

A Ring spokesperson has provided the following statement:

We take the privacy and security of our customers' personal information extremely seriously. In order to improve our service, we view and annotate certain Ring video recordings. These recordings are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes. Ring employees do not have access to livestreams from Ring products.

We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.