It seems every day another article appears in the media about the dangers of facial recognition technology, but we’ve always had surveillance. We’ve had old ladies twitching behind lace curtains, Neighborhood Watch community programs and, more recently, a plethora of smart home cameras, security systems, apps, and CCTV that blur the boundaries between public and private security.
Living in East Germany, I never really thought they’d become present in this part of the world, and while they’re far from ubiquitous, there’s plenty on offer every time I visit a trade fair or IoT conference here in Germany. Who monitors those who create the devices that watch us?
One of the best known is Ring. Amazon acquired Ring in February 2018 for $1.2 billion USD. In short, the company manufactures IoT connected home security products that incorporate indoor and outdoor cameras, video doorbells, alarms, and smart lights. Over the last few years, the company has come under fire for a lack of data privacy, inadequate security practices, problematic neighborhood practices, and partnerships with law enforcement.
Don’t Ring for Privacy
This month, an investigation by the Electronic Frontier Foundation of the Ring doorbell app for Android found it to be packed with third-party trackers sending out a plethora of customers’ personally identifiable information (PII). Four main analytics and marketing companies were discovered to be receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers. These companies were MixPanel, AppsFlyer, branch.io and Facebook. When it comes to Facebook:
“Information delivered to Facebook (even if you don’t have a Facebook account) includes time zone, device model, language preferences, screen resolution, and a unique identifier (anon_id), which persists even when you reset the OS-level advertiser ID.”
Each of these might not seem like such a big deal on its own. But it’s more concerning when you consider this data combined with other data already available. Huge, seemingly disparate pools of data can be combined and cross-referenced and ultimately used to identify and track people without their knowledge.
Don’t Ring for Security
In December, BuzzFeed News reported that over 3,600 Ring owners’ email addresses, passwords, camera locations, and camera names were dumped online. This includes cameras recording private spaces inside homes.
“Using the log-in email and password, an intruder could access a Ring customer’s home address, telephone number, and payment information, including the kind of card they have, and its last four digits and security code. An intruder could also access live camera footage from all active Ring cameras associated with an account, as well as a 30- to 60-day video history, depending on the user’s cloud storage plan.”
Account passwords failed to receive the scrutiny you’d expect for this kind of surveillance equipment. 2FA was optional. Accounts weren’t locked after unsuccessful login attempts. Passwords weren’t checked for complexity. Ring does not alert users of attempted log-in from an unknown IP address or tell users how many others are logged into an account at one time. Ring offered belated security advice, all of which (bizarrely) reads as suggestions rather than compulsory actions.
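As an added illustration (not from the original article and not Ring's code), the controls the paragraph above lists as missing can be sketched together: a mandatory second factor, a temporary lockout, a password complexity check, an alert on a new address and a count of active sessions. The `Account` class, the thresholds and the sample addresses are assumptions made for this example.

```python
import hashlib, hmac, os, time

MAX_FAILURES, LOCK_SECONDS = 5, 900  # assumed thresholds, not Ring's

def password_ok(pw: str) -> bool:
    """Complexity check: at least 12 chars and 3 of 4 character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= 12 and sum(classes) >= 3

class Account:  # hypothetical account model for illustration
    def __init__(self, password: str):
        if not password_ok(password):
            raise ValueError("password fails complexity policy")
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password)
        self.failures, self.locked_until = 0, 0.0
        self.known_ips, self.sessions, self.alerts = set(), [], []

    def _hash(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

    def login(self, pw: str, second_factor_ok: bool, ip: str, now=None) -> str:
        """second_factor_ok is the outcome of a separate TOTP/WebAuthn check;
        it is mandatory here, so a correct password alone is not enough."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        pw_match = hmac.compare_digest(self._hash(pw), self.pw_hash)
        if not (pw_match and second_factor_ok):
            self.failures += 1
            if self.failures >= MAX_FAILURES:  # temporary lock, then reset
                self.failures, self.locked_until = 0, now + LOCK_SECONDS
                self.alerts.append(f"account locked, last attempt from {ip}")
            return "denied"
        self.failures = 0
        if self.known_ips and ip not in self.known_ips:
            self.alerts.append(f"login from new address {ip}")
        self.known_ips.add(ip)
        self.sessions.append((ip, now))  # lets the user see who is logged in
        return "ok"

    def active_sessions(self) -> int:
        return len(self.sessions)
```

The `alerts` list stands in for whatever notification channel (email, push) the service would use to reach the account owner.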
Ring asserts in their press kit:
“Ring, our mission is simple: To reduce crime in neighborhoods. Unlike traditional security systems, which only help you react to crimes, Ring is proactive security that lets you stop crime before it happens.”
Cybercrime seems to be exempt from this mission.
Don’t Ring to Love Thy Neighbour
In 2018, Ring launched the Neighbors app. It’s like a digital version of Neighbourhood Watch. It allows people in the neighborhood to anonymously communicate with each other about their street, block or subdivision. It has some great wins in terms of locating missing pets and thwarting petty thieves (shouting at them over the smart home speaker attached to the Ring alarm seems a pretty popular deterrent). Truth be told, there are some rather glorious stories where a simple citizen becomes an intrepid PI tracking down their stolen Amazon parcels.
However, it’s also fallen prey to the racial profiling that has plagued apps such as NextDoor, where a common complaint seems to be “sketchy” men who “linger and lurk” (seriously, if you want to lose yourself in a rabbit hole of bizarre neighborhood surveillance, check out @bestofnextdoor). Too bad when they turn out to be one of your neighbors who also uses the app, or their guests.
It all sounds a bit silly until you realize that over 700 police departments across the US have signed up to work with Ring. These contracts give police access to the company’s law enforcement portal, which allows police to request camera footage from residents without receiving a warrant. You might think, OK, fine, but it’s a little bit more insidious. Research by VICE revealed:
“A signed memorandum of understanding between Ring and the police department of Lakeland, Florida, and emails obtained via a public records request, show that Ring is using local police as a de facto advertising firm. Police are contractually required to “Engage the Lakeland community with outreach efforts on the platform to encourage adoption of the platform/app. Convince enough people to download its neighborhood watch app, Neighbors.”
There’s No Escape
One of the biggest problems I have with Ring and the neighborhood surveillance it perpetuates is that, like a lot of the facial recognition tech we’ve been decrying, there’s no real way to opt out – our neighbors can film us walking down the street, and share that footage with police and others through the app.
I’m a big fan of Senator Edward J. Markey (D-Mass.) who I’ve been writing about for a few years regarding his efforts to ensure IoT cybersecurity legislation. Late last year he conducted an extensive investigation into Ring where he found:
- Ring has no security requirements for the law enforcement offices that get access to users’ footage.
- Ring has no restrictions on law enforcement sharing users’ footage with third parties.
- Ring has no policies that prohibit law enforcement from keeping shared video footage forever.
- Ring has no evidentiary standard for law enforcement to request Ring footage from users.
- Ring refuses to commit to not selling users’ biometric data.
- Ring has no oversight/compliance mechanisms in place to ensure that users don’t collect footage from beyond their property.
- Ring has no oversight/compliance mechanisms in place to ensure that users don’t collect footage of children.
- Ring has no compliance mechanisms in place to prohibit law enforcement from requesting and obtaining footage that does not comply with Ring’s Terms of Service.
- Ring has not committed to not using facial recognition technology in the future.
Where Do We Go From Here?
We’re at a time in history where technology evolves at an exponential rate. Devices and platforms created even just a few years ago are now being owned and used by unintended people in ways that we never thought possible.
I’m genuinely passionate about IoT. I can see a hell of a lot of good in smart home security, whether preventing petty theft at one end of the spectrum or bearing witness to kidnapping at the other, but again I have to ask, who monitors those who create the devices that watch us?
We do have some options. We can:
- Choose to avoid purchasing such products without due diligence.
- Decide to not install Neighborhood Watch style apps or call out racial profiling and prejudice where we see it.
- Make decisions about the kind of tech companies we work for.
- Support elected officials in asking critical questions.
- Keep our friends and neighbors informed.
- Remain knowledgeable and contribute to debate and analysis.