Ring gets ‘dinged’ for its video doorbell privacy
While “Internet of Things” (IoT) devices open up new worlds of convenience, they’ve also introduced new security vulnerabilities. At the risk of overgeneralizing, many of these vulnerabilities stem from the ease of set-up and use that make these singular-purpose devices so attractive. They tend to be scaled down, with little internal memory, and lack strong out-of-the-box security, often shipped with default accounts and passwords enabled.
Yet despite their small stature, IoT devices punch above their weight class when it comes to threats. For example, the now infamous Mirai botnet attack in 2016 was perpetrated “via small, innocuous Internet-of-Things (IoT) devices like home routers, air-quality monitors, and personal surveillance cameras,” crippling high-profile websites, including Netflix, Spotify and CNN.
Take the Amazon-owned Ring doorbell, introduced on “Shark Tank” in 2013. It has proved to be a revolutionary idea, but it has also leaked Wi-Fi login credentials and exposed homeowners’ audio and video transmissions to third-party attackers, and it is vulnerable to hackers looking to take over the device.
IoT devices have also given rise to a number of new privacy concerns. For example, Ring has taken heat for sharing users’ video with over 600 law enforcement agencies around the U.S. without requiring any evidence of a crime, permitting the video to be retained indefinitely; police can request “up to 12 hours of video from anyone within a half square mile of a suspected crime scene, covering a 45-day time span.”
According to Ring, this sharing is with consent of the user; as Ring’s Neighbors App notes, upon receipt of a law enforcement request Ring will “ask a targeted group of users in that area if they are willing to share any relevant footage with law enforcement. It’s then up to the user to share their video file(s) or decline the request.” Moreover, “[l]aw enforcement can only view the publicly available content in the Neighbors App, unless a user explicitly and voluntarily chooses to share their own recordings with law enforcement.”
To address ongoing privacy concerns, Ring announced the release of a new dashboard at the January 2020 Consumer Electronics Show, designed to allow consumers more control over their video: “[w]hile you have always had the ability to opt out of these requests after you received your first one, Control Center now ensures that you don’t have to wait for that first request — you can easily opt out from the start.”
This dashboard doesn’t address all of the privacy issues, however. For example, do Ring owners understand the ancillary use the videos may later be put to? Finding the perpetrator of a recent criminal incident is one thing. Uploading and storing video and aggregating it with other data, such as license plate databases, video from traffic stops, surveillance video, etc., is quite another. In all fairness, Ring does disclose that “[i]f law enforcement downloads a copy of your video, neither you nor Ring will have control over that copy . . . .”
The question arises as to the privacy interests of other parties that frequently enter a home, such as nannies, relatives, etc. While privacy advocates are rightly concerned about these secondary impacts, to the extent that a visitor enters a Ring owner’s house, they have no basis to challenge the use of this video by law enforcement in a criminal proceeding; the Fourth Amendment only protects against unreasonable searches and seizures by the government, and when the video is voluntarily captured by the homeowner and consensually shared with law enforcement, the Fourth Amendment doesn’t apply. Of course, if the homeowner coordinates with the police in advance — for example, pointing the camera in a direction requested — the result may differ, as the homeowner potentially becomes an “agent of the government.”
Putting aside law enforcement sharing, another privacy concern relates to sharing with third parties. As illuminated in a recent EFF investigative report, Ring’s Android doorbell app is “packed with third-party trackers sending out a plethora of customers’ personally identifiable information (PII).” For example, information delivered to Facebook — even if you don’t have a Facebook account — includes “time zone, device model, language preferences, screen resolution, and a unique identifier.” Even more concerning, Ring provides MixPanel with “[u]sers’ full names, email addresses, device information such as OS version and model, whether bluetooth is enabled, and . . . the number of locations a user has Ring devices installed.”
On the positive side, the traffic observed by EFF was sent using encrypted HTTPS, meaning that it’s likely safe from accidental leakage. Nonetheless, this raises the question of whether, and how, such sharing is permitted.
At the end of the day, while Ring clearly found an untapped market for remote monitoring, it also poses new privacy challenges. But privacy is not purely a legal question. It’s also one of reputation and perception, and to the extent the public continues to use Ring for peace of mind security, there may not be enough incentive for Ring to substantively alter its business model.
Joel Schwarz is a senior principal at Global Cyber Risk, LLC, where he works as a consultant and attorney, and an adjunct professor at Albany Law School, teaching courses on cybercrime, cybersecurity and privacy. He previously served as the Civil Liberties and Privacy Officer (CLPO) for the National Counterterrorism Center and was a cybercrime prosecutor for the Justice Dept. and N.Y. State Attorney General’s Office. He was also counsel on e-commerce and privacy for MetLife.