Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy Security Hardware Technology

Nest Competitor Ring Reportedly Gave Employees Full Access To Customers' Live Camera Feeds (9to5google.com) 120

Amazon-owned Ring allowed employees to access customers' live camera feeds, according to a report from The Intercept. "Ring's engineers and executives have 'highly privileged access' to live camera feeds from customers' devices," reports 9to5Google. "This includes both doorbells facing the outside world, as well as cameras inside a person's home. A team tasked with annotating video to aid in object recognition captured 'people kissing, firing guns, and stealing.'" From the report: U.S. employees specifically had access to a video portal intended for technical support that reportedly allowed "unfiltered, round-the-clock live feeds from some customer cameras." What's surprising is how this support tool was apparently not restricted to only employees that dealt with customers. The Intercept notes that only a Ring customer's email address was required to access any live feed.

According to the report's sources, employees had a blase attitude to this potential privacy violation, but noted that they "never personally witnessed any egregious abuses." Meanwhile, a second group of Ring employees working on R&D in Ukraine had access to a folder housing "every video created by every Ring camera around the world." What's more, these employees had a "corresponding database that linked each specific video file to corresponding specific Ring customers." Also bothersome is Ring's reported stance towards encryption. Videos in that bucket were unencrypted due to the costs associated with implementation and "lost revenue opportunities due to restricted access."
In response to the report, Ring said: "We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them."
This discussion has been archived. No new comments can be posted.

Nest Competitor Ring Reportedly Gave Employees Full Access To Customers' Live Camera Feeds

Comments Filter:
  • Duh (Score:5, Insightful)

    by sexconker ( 1179573 ) on Thursday January 10, 2019 @06:25PM (#57941002)

    What did you think would happen?

    • Re:Duh (Score:5, Insightful)

      by swillden ( 191260 ) <shawn-ds@willden.org> on Friday January 11, 2019 @07:42AM (#57942862) Journal

      What did you think would happen?

      That some (perhaps most) of these companies would cut corners and do the wrong thing was inevitable. But the implication of your question is that it's inevitable everywhere, which is not true. It's perfectly possible to construct a system so that no employees have access to the content other than those who need it to troubleshoot specific problems at customer request, and even those are closely audited and monitored. Yes, even the sysadmins can be disallowed access, through use of encryption and separation of responsibilities applied both to the system architecture and to the groups of administrators who manage different elements of the system.

      I know this can be done because I've seen it done (and participated in doing it), including regular pen testing and ongoing security analysis to ensure it's tight and stays tight. It's not even that expensive to do on a large scale. It's challenging for startups to do well, but can be done even there; liberal use of cloud computing helps because it's easy to put the bulk data processing in a location where it's physically inaccessible to all of your employees, and logical access can easily be partitioned among admins. Appropriate use of encryption is essential, to ensure that no system in isolation (and therefore the managers of that system) has access to sensitive data in plaintext. Then you just need to carefully architect, control and audit the ways in which ciphertext and decryption keys can be brought together.

      • That some (perhaps most) of these companies would cut corners and do the wrong thing was inevitable. But the implication of your question is that it's inevitable everywhere, which is not true. It's perfectly possible to construct a system so that no employees have access to the content other than those who need it to troubleshoot specific problems at customer request, and even those are closely audited and monitored.

        The fact that your data is stored on their servers guarantees that these kinds of things can happen. They even say WHY they keep that data: To monetize it!

        I don't think people realize what the real trade is here. People who buy (why do they have to pay for it?) these devices are essentially allowing an external entity to place a camera in their home to monetize any data that the camera can capture, things such as routines, demographics, etc. It just so happens that the person purchasing this device can also

        • That some (perhaps most) of these companies would cut corners and do the wrong thing was inevitable. But the implication of your question is that it's inevitable everywhere, which is not true. It's perfectly possible to construct a system so that no employees have access to the content other than those who need it to troubleshoot specific problems at customer request, and even those are closely audited and monitored.

          The fact that your data is stored on their servers guarantees that these kinds of things can happen.

          This need not be true, though it takes deliberate effort and discipline on the part of the company. The company as a whole certainly has access to your data, but they can structure things so that no employee does, and that the ways in which the data can be used by the systems and people are limited to the ways that customers know and expect.

          They even say WHY they keep that data: To monetize it!

          This also need not be true. Nest, for example, explicitly says that it does not.

  • commentsubject (Score:2, Insightful)

    by Anonymous Coward

    phonehome device owners shocked to learn device is phoning home

    welcome to the future

    welcome to Cloudthing, Smartproduct, and Alwaysonline

    this is for your safety
    this is for your convenience
    this is for your user experience to be reliable and carefully controlled
    this is not for our sake

  • by taustin ( 171655 ) on Thursday January 10, 2019 @06:36PM (#57941046) Homepage Journal

    In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them."

    I think you mean "if we get caught with bad actors."

    The worst acting here is pretending this wasn't all done intentionally.

  • by HotNeedleOfInquiry ( 598897 ) on Thursday January 10, 2019 @06:36PM (#57941050)
    But anyone that trusts their privacy to Ring gets what they deserve.
    • But anyone that trusts their privacy to Ring gets what they deserve.

      Similarly Alexa, though this privacy violation far exceeds the former as far as creepiness is concerned.

  • It's almost as if people are just begging to be taken advantage of.

    Here, let me pre-order this game, for this console I cannot control from this company that really abused their customers last time.
    Here, let me buy this product or service that has been repeatedly reported in the news as being used to spy on me.
    Here, let me keep using this website, service, or institution that sells my private information for money.
    Here let me keep voting for this lying son-of-a-bitch because that other liar is somehow worse

  • ...but any network-connected camera with proprietary firmware might phone home without your knowledge. The only sure way to prevent this with untrusted firmware is by isolating those cameras on their own network with no Internet access.
    • Re:Not just Nest (Score:5, Insightful)

      by JaredOfEuropa ( 526365 ) on Thursday January 10, 2019 @07:31PM (#57941348) Journal
      Done and done. I found having a doorbell with a camera in it is very useful (we don’t have Ring though), but you can be sure that sucker shares a separate VLAN with the other security cameras, with no access to the internet. And when we are at home, the indoor cameras have their power cut physically. Until we see CEOs in jail for such blatant unsafe practises, I’ll always double down on privacy measures when using IoT devices. And after that day... I’ll continue to do so. It is not hard to enjoy a little convenience without sacrificing or risking your privacy.
      • by q4Fry ( 1322209 )

        Can you provide any further detail about your set-up? Under what contexts are you able to see the camera feed? I'm particularly interested in whether you can receive notifications offsite, and if so, how.

  • by JustAnotherOldGuy ( 4145623 ) on Thursday January 10, 2019 @06:55PM (#57941168) Journal

    I recommend that instead of Ring, people should get the DEBARK Smart Video Doorbell.

    It's less expensive (~$78 on Amazon) and it can record to SD card, SDVR, or a cloud service of your choosing (optional). Comes with a free remote indoor chime, and from what I understand, it's easy for it to connect to your old doorbell chime. Can be used wired or wireless. Two-way audio, and very good night vision capability.

    Ring is waaaaaay overpriced and they force you to use their paid cloud service. Yes, it's only $3 a month, but why be forced to pay anything? The cheaper models won't let you do anything besides receive alerts and watch live video.

    And, for the record, I have no connection to DEBARK, I just think their wireless doorbell is FAR better than the crap that Ring puts out.

    • I am more interested in this model, after dealing with the RING for my parents.
      Looks like a solid Chinese clone of the RING, and the SD card and de-mount notifications are appreciated.

      I've not heard of SDVR, and was wondering if it can dump stuff to a NAS on the same network? I just don't know what the heck SDVR means. Google wasn't much help.

      Or, if it's the other way, does it just keep the SD card network shared so you can review videos whenever?

      • I've not heard of SDVR, and was wondering if it can dump stuff to a NAS on the same network?

        SDVR just means "security DVR", it's just the box that connects all the cameras and stuff together in a security system.

        I don't know about dumping stuff to a NAS, but I would think that it could be done one way or another.

    • If you're not at home when somebody rings the doorbell, will you get the notification and be able to launch the viewer app on your phone in time to see who rang the bell before they're in their car backing out of your driveway?

      It's not entirely Ring's fault (Google kind of pulled the rug out from under them with regard to push notification timing post-Marshmallow), but the real-world massive time lag was probably the biggest disappointment when I got mine 2 years ago. From my own experience, if you aren't a

    • Comment removed based on user account deletion
      • Or how about a raspberry zero W woth a camera and a button.

        I think it would be a fair bit of work to achieve the same functionality with a Pi, but I'm no expert on the Raspberry Pi stuff.

        Maybe someone else here can tell us if that would be a practical solution or not.

  • It is a new Netflix Reality Show.

  • by AHuxley ( 892839 ) on Thursday January 10, 2019 @06:56PM (#57941176) Journal
    Make sure its a USB webcam that only gets used when needed.
    Build your own CCTV network.
    Network your own CCTV to a wider network you designed, understand and trust.
    Don't let camera and microphones connect to network you did not set up.
  • Once considered a Nest thermostat, then Google bought them out, and decided “NOPE!”

    Same thing when Amazon bought Ring: “NOPE!”

    Today I feel validated in my decisions.

    • by Anonymous Coward

      Yeah, this seems like a "step 1: install cameras everywhere" for your "convenience" or "security". Step 2: allow law enforcement to have access, monitor when someone is home, etc.. I fear we will look back on this decade as when the groundwork was laid for the rest of our privacy to be taken away. So many of us willingly.

    • Re:“NOPE!” (Score:4, Insightful)

      by JaredOfEuropa ( 526365 ) on Thursday January 10, 2019 @07:36PM (#57941380) Journal
      To be fair, it sounds like Amazon had little to do with this snafu. Not malice, not a desire for customer data, but simple negligence combined with bone shattering stupidity. Even so I agree with your sentiment: connected products that belong to data mining firms like Amazon and Google are doubly tainted. A voice assistant would make a great addition to my smart home setup but I am not adding one until they can be run off the cloud.
      • Not malice, not a desire for customer data, but simple negligence combined with bone shattering stupidity.

        Looking for the best in people and situations is usually a good quality to exhibit. Unfortunately, if you are not diligent enough, you may find yourself excusing terrible and fully intentional behaviour....

        This is in the summary:
        Videos in that bucket were unencrypted due to the costs associated with implementation and "lost revenue opportunities due to restricted access."

        Note the words, "lost revenue opportunities".

        Have a nice day Mr. Europa. :)

  • by Anonymous Coward

    If you are a technologist, then lead the way. Gently educate your family and friends that *everything* is tracked by these companies, especially by the large tech firms that offer "free" services. These companies do not respect privacy or personally identifying information (PII) because it's a big reason how they make money. The US has no laws to protect individuals' personal data. The US has no restrictions on what data can be collected and stored beyond the weak and easily bypassed age checks.

    Non-technica

  • Well, I'm sure they have people watching employees all the time and none of the files ever escape. Right?
  • by Anonymous Coward

    "In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them."

    Newsflash: if you allow your employees unfettered access of this sort, you have already lost the game. It's too late once you "find bad actors". You need to set things up so that as much as possible, bad actors can't do these things.

    Or in other words: preventative measures, not reactive measures, are what you want. Sure, there will be some employe

  • by theCat ( 36907 ) on Thursday January 10, 2019 @07:05PM (#57941216) Journal

    OP: Videos in that bucket were unencrypted due to the costs associated with implementation and "lost revenue opportunities due to restricted access."

    Translation: They are selling the videos to 3rd-parties.

    Goddamn.

  • If only there were some way they could WATCH their employees remotely......any ideas anyone?

  • This is why I (and likely most people around here) refuse to buy these cloud cameras. For all the people who did buy into it, they were warned and warned that this sort of thing was almost a given. Now what are they upset about?
  • They were/possibly still are giving China full access to our rings.
    Quite honestly, we will be switching to Nest doorbell in the near future. I want to be able to see my doorbell from Google Assistant, as well as I like the constant circular recording.
  • Just wondering if anyone has experience with a roll your own system using RTSP cameras. Any cheap cameras you can recommend that are usable without sending data to the cloud? I tried my hand hacking a couple of the cheap XiaoFang cameras ( https://github.com/samtap/fang... [github.com]) but haven't been successful to date.

    Would love 2-3 such low powered cameras I could get to record locally using VLC or similar. Just a basic set-up.

    • by ledow ( 319597 )

      It depends on what you want. A doorbell that shows you who's at the door?

      Literally anything.

      If you can get an RTSP stream (which virtually all cameras, and even the cheapest of NVRs will do, even if they have custom apps), you can make your own, and better.

      The cheapest NVR off Amazon will give you a bunch of cameras, a RTSP stream address to access each, network connectivity, H264 recording, and an "alarm" interface (which you literally wire to the doorbell so when it's pushed the "alarm" activates which c

  • I'd be shocked, SHOCKED if there was a part of Amazon that didn't collect all of the data that they could. That's what they do. That's how they make money. Of course they're looking at your stuff. You're PAYING THEM TO.
  • Arlo, Ring, Nest, etc. Probably the same from our own government like NSA! :P

    • Amazon owns Ring
    • Jeff Bezos owns Amazon
    • Jeff Bezos installs Ring cameras in his epic mansion
    • News coverage reveals MacKenzie Bezos, spouse of 25 years is divorcing husband Jeff Bezos
    • News coverage reveals security lapse regarding Amazon internal access to Ring recordings
    • New Bezos girlfriend announced: Lauren Sanchez!
    • MacKenzie Bezos becomes wealthiest woman in the world
    • Jeff Bezos no longer wealthiest man in the world
  • This sort of behavior from device makers is just abhorrent. Is there any decent camera setup that can allow only the user to access features? I mean I want to be able to check the video from my phone, but I want to use a firewall in front of any device so that it can't talk outbound to ANYTHING else including the vendor's networks. My phone isn't likely to have a consistent IP address and I don't know if any company offers security camera's that don't depend on any vendor interaction for the features to wor

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...