Ring, the Amazon subdivision that makes smart cameras and doorbells, may have given employees unrestricted access to unencrypted customer video footage.
A story from The Intercept, quoting multiple sources from within the company, reports that Ring gave employees in its Ukrainian image recognition research team unfettered access to "every video created by every Ring camera around the world" along with a database that could link these videos to specific customers.
Worse yet, the videos were stored in Amazon's S3 cloud with no encryption due to Ring's fear that encrypting video would make the company less valuable, the report says.
Additionally, executives and engineers in the US were reportedly given access to Ring's technical support video portal, essentially giving them the keys to live video feeds from customer cameras.
These employees did not need access, and one source said that there were instances of employees "teasing each other about who they brought home" after dates, as they were easily able to access each other's video feeds. According to one source, only a customer's email address was needed in order to gain access to their live feed.
The lack of encryption is bad enough, but giving employees such easy access heightens the risk of a significant and damaging data breach.
The Intercept report claims that since acquiring Ring, Amazon has put more restrictions on access to videos; however, employees can still get around this. In a statement to The Ambient, Ring didn't address claims made about the Ukraine team specifically, but did say this:
"We take the privacy and security of our customers' personal information extremely seriously. In order to improve our service, we view and annotate certain Ring video recordings. These recordings are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes.
"Ring employees do not have access to livestreams from Ring products. We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them."