A story making the rounds on the internet alleges that Amazon’s Ring gave the company’s Ukraine-based research and development team, as well as U.S. executives and engineers, free round-the-clock access to live feeds from some customers’ cameras. Ring, for its part, denies the claim.
Regardless of whether they needed the information, the workers had access to a folder on Amazon’s S3 cloud storage service that contained all the video created by every Ring camera around the world.
The team also had access to a database that linked each video to the Ring customer it belonged to. At the time they were granted access, the videos were allegedly stored unencrypted because Amazon felt encryption would make the company less valuable as a result of lost revenue opportunities due to restricted access.
As reported in SC Magazine, the source said the decision to grant access to the Ukraine team was partially based on the weaknesses of the firm’s in-house facial and object recognition software, which had trouble distinguishing between people and animals and often sent false alerts to customers.
The researchers would step in to help train the technology to recognize and differentiate between objects in hopes that it would be able to do it on its own in the future.
Although the source said they never personally witnessed any abuse of the data, a source did say, “If [someone] knew a reporter or competitor’s email address, [they] could view all their cameras” and recounted instances of Ring engineers “teasing each other about who they brought home” after romantic dates.
Since Ring belongs to Amazon, some security measures have been put in place to prevent access to sensitive customer information, but some sources told the publication that staffers know how to evade these protections, with a former Ukrainian employee saying they could access the system from any computer, at home or anywhere.
A Ring representative has denied The Intercept’s livestream allegation, saying, “Ring does not provide and never has provided employees with access to livestreams of Ring devices.”
SC Media reports that Obsidian Security Director of Research Laura Norén told them that the labeling of images by teams of humans is incredibly common, but many consumers are led to believe that artificial intelligence like facial recognition is strictly a computational practice.
“That is rarely true,” Norén said. “The Ring’s leadership should have requested explicit consumer consent, in plain language, to share access to live feeds coming from inside their customers’ homes with the Ukrainian research team.”
Norén added that a bigger ethical concern stems from cameras pointing towards public streets and neighbors’ yards, which are the bread and butter of the Ring product. In those situations the customer is not legally able to give consent to Ring to capture, store, or share video feed data.
In addition, Norén said that while customers could decide to let Ring researchers access videos of them, they cannot give second-party consent for Ring to access images of their neighbors or the general public.
“Another concern stems from Ring’s reported practice of storing encrypted videos and images in a single Amazon Web Services bucket,” Norén said. “This trove of geo-tagged video data presents a juicy target for cybercriminals. A tenet of capable data guardianship requires that privacy-sensitive data should be encrypted in transit and at rest.”