Shocking Absolutely No One, Ring Admits Employees Improperly Accessed Customers' Data

from the who-could-have-seen-this-coming dept

Ring never fails to disappoint. And by “disappoint,” I mean never fails to be disappointing. This pleases me. So, I guess Ring never fails to please… by being incessantly disappointing.

I realize this is beginning to resemble a beating that continues long past the point the victim has lapsed into unconsciousness. But if Ring hadn’t made itself such an inviting punching bag, I would not continue to rain down printed blows on its oh so very soft body.

Ring first grabbed our attention by offering up a snitch app that encouraged neighbors to start talking about suspicious people in their neighborhood. This app also happened to be a portal for the voluntary sharing of footage captured by Ring cameras, most of which were built into Ring’s “smart” doorbells.

From there, things went from bad to worse to godawful to horrendous to PR-team-on-constant-suicide-watch. It has been super-enjoyable for me (and hopefully for Techdirt readers) for two reasons:

1. Ring promiscuously got in bed with over 600 law enforcement agencies, selling them “free” cameras to hand out to homeowners with some implicit/not-so-implicit strings attached. In return, law enforcement agencies gave up their authority and autonomy, granting Ring permission to write their press releases and statements for them.

2. Ring does not care about its customers. It enjoys a commanding lead in the market, but it has produced yet another internet-connected thing that it does not bother to secure properly. When breaches happen — and they are unimaginably horrifying breaches that involve hijacked cameras — the company says customers should have done more to secure their devices, rather than accept any responsibility for doing as little as possible to prevent this sort of thing from happening.

So, the latest news is more fuel for the dumpster fire. It’s not just cops grabbing footage without bothering with the Fourth Amendment niceties. There’s also abuse happening internally — the sort of abuse you’d expect when you give people access to a wealth of personal information.

The doorbell-camera giant Ring has terminated employees in recent years for improperly accessing users’ video data, parent company Amazon told lawmakers this week, an admission that could increase pressure on the firm to prove it protects customer privacy.

The company has investigated four complaints regarding employees abusing their access to camera data over the past four years, Brian Huseman, a vice president of public policy at Amazon, wrote in a letter to five senators this week.

The company did not provide any detail about the data that was improperly accessed, but considering how much data Ring collects — along with footage from millions of cameras — the imagination is free to run wild.

This is the latest unsurprising development for Ring. Give enough people access to intimate recordings and data, and abuse is bound to happen. Maybe the Ring employees were just following the lead of their law enforcement partners, who also have access to a great deal of personal info and abuse this access with alarming frequency.

I’m sure Ring will weather this news cycle as it has every other over the past 12 months: by claiming it takes everyone’s security seriously and sending out tweets to anyone tagging the company with the latest bad news saying the coverage is inaccurate. But no one believes Ring, especially when its defensive tweets talk their way around direct questions and link to talking points delivered by Ring reps.

Ring is no longer just a dumpster fire d/b/a a security camera company. Its flaming dumpster existence is mounted to every flatbed car on a never ending train wreck. It can’t pull the plug on its thousands of buddy cops. And it appears to be far more interested in market growth than properly serving the customers it already has. Things will get worse. That’s it. There’s no “before it gets better.” At best, Ring can only hope to fade from the public eye before it alienates any more of its past and future customers.

Filed Under: , , , , ,
Companies: amazon, ring

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Shocking Absolutely No One, Ring Admits Employees Improperly Accessed Customers' Data”

Subscribe: RSS Leave a comment
23 Comments
Anonymous Coward says:

When breaches happen … the company says customers should have done more to secure their devices, rather than accept any responsibility for doing as little as possible to prevent this sort of thing from happening.

And what exactly should they have done? Most of the suggestions involve making the device harder to use, and it’s a truism in the world of computer security that "security at the expense of usability comes at the expense of security."

In other words, if you make the security difficult to use, users will invariably do things to deal with that difficulty that end up subverting the security of the system. (The classic example is writing down mandatory hard-to-remember passwords on post-it notes stuck to the side of your workstation.)

When it comes down to it, the users’ security is ultimately in their own hands, and if they don’t take it seriously, they’ve got no one to blame but themselves. Simply because there are a lot of people who don’t doesn’t change that basic fact.

Anonymous Coward says:

Re: Re:

They could have used something other than a password as the default authentication method. For example, by cryptographically pairing the app and camera (maybe hold up a QR code and press a button on the camera). That makes things easier, because there’s no password. Notifying the existing authorized devices whenever a new one is granted access wouldn’t harm usability either.

Wendy Cockcroft (profile) says:

Re: Re: Re:

I also recommend 2FA. I’ve lost count of the number of bad actors trying to break into my emails, etc., who were thwarted by this. RE: hard-to-remember passwords, choose a random word you don’t often use (so no one else will guess it). Replace the vowels with numbers and add an exclamation mark to the end. Job done. Of course this means that if I log into my emails from work, I have to check my mobile phone for the PIN provided by my email service, but that’s a minor inconvenience compared to the hassle of having my emails hijacked by a spammer sending all sorts of malware in my name, etc.

Wendy Cockcroft (profile) says:

Re: Re: Re:4 Re:

I’m convinced it was the trolls who were harassing me some years ago. They did everything else (including trying to plant keyloggers on my PC, which my anti-malware always caught, so they never succeeded), why not that? And they hacked into other targets’ accounts, so why not try to get into mine? I was locked out of my own email account for three days because they’d tried to guess the password so many times.

I switched to another email provider, where I see less frequent attempts to break in, which are always thwarted by 2FA. Since they don’t appear to have tried anything more than try to guess my password I’ll assume it’s just random spammers trying to use my account as you described.

But yes, I’ve experienced actual direct harassment from people who bragged about targeting me. When I left that community, it tailed off and stopped.

The point is, my methods work perfectly well for me. I’m not stupid enough to leave the kind of information online that could be used for social engineering so, as far as I’m concerned, they’re bomb-proof.

urza9814 (profile) says:

Re: Re:

a post-it note with the password stuck right to the door would not make you any less secure against the kinds of abuses detailed in this article. Not sure if it would make you less secure against a criminal who breaks in though, as I’m not sure what all can be done with that password. Still, that’s no worse than a generic default password, which seems to be what they do right now. And it seems better in general to protect against the networked threats — where you may be under attack by any number of adversaries at any time — than the lone burglar, which isn’t going to happen very often.

Security is neither binary nor monolithic. It’s not just how well you protect it, it’s also what you protect against. There’s a lot of security that would be entirely transparent to the end-user (like making sure their employees don’t generally have access to users’ recordings. How the F- did anyone think THAT was a good idea??)

bobob says:

Stupid people who buy stupid products deserve the consequences of their stupidity. "Gee honey, instead of just setting up our own camera, let’s set up this camera and microphone that’s soooo cool because it sends video over the internet somewhere to someone."

I don’t feel sorry in the least for any fucking idiot who installed one of these idiotic ring dumbells. They’re just lucky it isn’t a piece of machinery that they could kill themselves with by operating it with just as much ignorance.

Wendy Cockcroft (profile) says:

Re: Caveat emptor

That’s not how they’re advertised bobob. They’re sold (in the UK) as a way of keeping an eye on your property remotely. This is what their ads look like to me:

Exterior walleye view of someone in a hoodie sauntering around the back of someone’s house. He ducks behind a chair and bends down to pick something up.

Unseen male speaker: Hi Billy, what are you doing?

Billy: Just getting my ball.

Exterior view of someone approaching, who then appears to look through the glass of the front door.

Unseen female speaker: Can I help you?

Potential burglar turns and flees

As far as Joe Punter knows, the doorbell camera and mic are hooked up to his mobile phone. He’s not aware that any film is being stored anywhere else for anyone else to see. He’s not stupid, just uninformed. And that’s the way Ring likes it.

As I’ve stated many times before I get most of my tech information from TD. If not for TD, I wouldn’t be aware that the IOT is something you confront with a crucifix and holy water instead of welcoming the Shiny New Thing with open arms. Alas, not all of us read TD or the tech press, and I don’t tend to see these stories in the MSM. My daily Metro doesn’t carry these cautionary tales and it’s not widely discussed on the internet, except in tech circles.

This is what consumer protections are for.

Anonymous Coward says:

Re: Re: Caveat emptor

As far as Joe Punter knows, the doorbell camera and mic are hooked up to his mobile phone. He’s not aware that any film is being stored anywhere else for anyone else to see. He’s not stupid, just uninformed. And that’s the way Ring likes it.

Yes, in that case, Joe Punter is stupid, very stupid.

Wendy Cockcroft (profile) says:

Re: Re: Re: Caveat emptor

Sigh! Okay, how did you find out about IOT security being weak? You don’t "just know" it. Someone has to explain this to you at some point.

Being rude about people who would be glad to learn if someone just pointed them in the right direction doesn’t make them want to learn from you. As I said, I only know about this from TD. I don’t see information about it elsewhere, except in the tech press. It’s not widely reported.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...