Techdirt. Stories filed under "ring"

LAPD Asked Ring Users To Turn Over Footage Of Anti-Police Brutality Protests

Tim Cushing — Mon, 22 Feb 2021 12:04:28 PST

It's not just a home surveillance system. It's a surveillance system.

Documents obtained by the EFF and shared with The Intercept show law enforcement used footage from Ring doorbell cameras -- cameras some people have obtained for free from Ring's thousands of law enforcement "partners" -- to hunt down people protesting police violence.

The documents show the Los Angeles Police Department sent requests to Los Angeles residents asking them for footage recorded by their cameras. But the LAPD did not specify what sort of footage it was looking for. The task force making the request was charged with investigating crimes committed "during protests and demonstrations."

This information was vaguely conveyed to Ring owners in the area. The requests didn't even bother to specify whether the "incident" the LAPD was investigating could even have been captured by the doorbell cameras targeted by this request.

"The LAPD ‘Safe L.A. Task Force’ is asking for your help,” reads the message, from detective Gerry Chamberlain. “During recent protests, individuals were injured & property was looted, damaged, and destroyed. In an effort to identify those responsible, we are asking you to submit copies of any video(s) you may have for [redacted].” The request appears to have made no mention of what exactly the LAPD was pursuing; no crime, proven or alleged, is described in the unredacted portion of the request, only that the police wanted footage of an unspecified “incident” related to a protest. The redacted portion of the request does not appear to contain any substantive further description.

This was not the only message sent. The documents show the LAPD made additional requests following other demonstrations, in essence asking Los Angeles residents to rat out people engaged (for the most part) in peaceful protests. The task force wasn't asking for any info about specific crimes, but rather anything that showed people doing stuff that (again, for the most part) was protected by the First Amendment.

And there wasn't a lot of criminal activity. At least, not so much the LAPD should have felt comfortable sending out blanket requests for footage from cameras owned by private citizens.

In October, the Los Angeles Times cited LAPD data showing that the “vast majority” of the city’s Black Lives Matter rallies, part of a national wave of outraged mobilization following the police killing of Floyd, were peaceful, with only “between 6% and 7%” of protests resulting in any violence, including violence perpetrated by the LAPD itself.

But Ring has made aggressive inroads with thousands of law enforcement "partners." And it has provided them with instructions for requests like these -- ones that evade warrant or subpoena requirements.

On the plus side, the requests make any handover of footage completely voluntary. Bear in mind that law enforcement "requests" for footage are perceived by citizens as being far less voluntary than law enforcement perceives them to be. But the bottom line is these are requests, not demands. Even so, the LAPD would rather not answer questions about its mass emails or their efficiency rate.

And that's a problem Ring doesn't have an answer for. Indeed, it's an answer Ring doesn't even appear to care about. Ring likes cops. The people actually buying and/or deploying its cameras appear to be far down the list of things Ring cares about. As far as Ring is concerned, the market it has cornered is little more than an extension of existing government surveillance networks. If it did care about its users, it would have done more to protect them from malicious hackers and law enforcement officers who can't be bothered to boilerplate up a warrant affidavit.

Even if you decide the First Amendment question isn't settled enough to give Los Angeles residents pause when handing over footage to cops, the mutual appreciation society formed by Ring and law enforcement cuts private citizens out of the equation. It turns their cameras into cop cameras.

Sure, people may retain control of the devices and ignore emailed requests for footage, but Ring is doing all it can to erase the line between public and private. It allows law enforcement agencies to give cameras to citizens, increasing the chance the recipients of these freebies will be receptive law enforcement requests. It gives cops a portal that shows them where cameras are located, giving the government information it wouldn't have under other circumstances. Finally, Ring inserts itself into the PR process, giving itself final approval on press statements from law enforcement that involve its products, allowing it to craft a more self-serving narrative.

There's no indication this effort was limited to areas where criminal activity during protests was suspected. Instead, the portal provided by Ring made it possible for the LAPD to ask for private citizens' inadvertent recordings of protected speech. This is secondhand surveillance. And its encroachment into our everyday lives should be greeted with suspicion. This is an opportunistic approach to law enforcement, one that embraces mission creep.

Amazon Transparency Report Indicates Its Multiple IoT Devices Are Juicy Targets For Law Enforcement

Tim Cushing — Mon, 8 Feb 2021 13:32:47 PST

Never forget the IoT device you invite into your home may become the state's witness. That's one of the unfortunate conclusions that can be drawn from Amazon's latest transparency report.

Amazon has its own digital assistant, Alexa. On top of that, it has its acquisitions. One of its more notable gets is Ring. Ring is most famous for its doorbells -- something that seems innocuous until you examine the attached camera and the company's 2,000 partnerships with law enforcement agencies.

Ring is in the business of selling cameras. That the doorbell may alert you to people on your doorstep is incidental. Cameras on the inside. Cameras on the outside. All in the name of "security." And it's only as secure as the people pitching them to consumers. Ring's lax security efforts have led to harassment and swatting, the latter of which tends to end up with people dead.

Malicious dipshits have been using credentials harvested from multitudinous breaches to harass people with Ring cameras. The worst of these involve false reports to law enforcement about activity requiring armed response. That no one has ended up dead is a miracle, rather than an indicator of law enforcement restraint.

Ring wants you to hand over footage to law enforcement agencies. That's why it partners with agencies to hand out cameras for free and instructs officers how to obtain footage without a warrant. That's also why it stays ahead in the PR game, handling press releases and public statements it feels law enforcement officials are too clumsy to handle on their own.

And gather footage law enforcement does, as Zack Whittaker reports for TechCrunch. Omnipresent IoT devices give law enforcement plenty of recordings and other information -- with or without the consent of device owners and with or without the warrants they would normally need.

Amazon said it processed 27,664 government demands for user data in the last six months of 2020, up from 3,222 data demands in the first six months of the year, an increase of close to 800%. That user data includes shopping searches and data from its Echo, Fire and Ring devices.

While it's good to see warrants were involved in a majority of these cases, the unfortunate fact is a lot of this isn't considered protected under the Fourth Amendment and can be obtained with nothing more than a subpoena. Third party data isn't -- for the most part -- shielded by the Constitution.

The silver lining is that someone is likely to challenge warrantless acquisition of footage or data. The third party doctrine isn't as immutable as it used to be and federal courts have been interpreting the Supreme Court's Carpenter decision (which dealt with long-term tracking via cell site location info) to cover more than the justices originally envisioned when they handed down their ruling.

Even so, consumers should be aware that their internet-connected devices are generating a wealth of information about their habits, movements, and the people they associate with. And a lot of it can be had without judicial oversight. These devices are useful but they're also low-level informants. And anyone who invites Ring or Alexa into their home needs to be aware of their downsides and weigh that against the security or convenience they gain from having an always-on, internet-connected snitch. Those who feel they have nothing to hide may be unpleasantly surprised in the future.

Amazon Ring App Found To Be (Again) Exposing User Locations, Home Addresses

Karl Bode — Fri, 22 Jan 2021 05:58:44 PST

While Amazon Ring and other doorbells certainly deliver a certain convenience, they've created no shortage of entirely new problems. Problems that could have been avoided with just a bit of foresight and ethical behavior. First comes the fact they're being integrated into our already accountability-optional law enforcement and intelligence apparatus. Then, like the rest of the "let's connect everything to the internet but do a shit job on basic security and privacy because it costs money" IOT sector, they can't be bothered to get the fundamentals right when it comes to consumer security.

The latest example involves Ring failing to adequately secure users information when they share to the Ring "Neighbors" portion of the Ring app. Journalists had already showcased how Ring's security standards were hot garbage. And while Amazon has taken some steps to address those concerns (like making two-factor authentication mandatory), this week it was revealed that Ring’s Neighbors app was exposing the precise locations and home addresses of users who had posted to the app:

"While users’ posts are public, the app doesn’t display names or precise locations — though most include video taken by Ring doorbells and security cameras. The bug made it possible to retrieve the location data on users who posted to the app, including those who are reporting crimes."

Whoops-a-daisy!

The disclosure comes on the heels of a similar report from Gizmodo last year that found it wasn't too difficult to ferret out hidden data allowing journalists (and anybody else) to map the location of Ring users nationwide:

"Examining the network traffic of the Neighbors app produced unexpected data, including hidden geographic coordinates that are connected to each post—latitude and longitude with up to six decimal points of precision, accurate enough to pinpoint roughly a square inch of ground."

Neat! Ring's already facing a class action lawsuit from users not particularly happy about receiving death threats and racist slurs after their Ring smart cameras were hacked.

Purportedly, Ring's Neighborhood functionality is generally supposed to help communities band together and discuss potential security threats. Kind of a neighborhood watch for the modern era. More often, however, the functionality results in people engaging in paranoid hyperventilation about minorities or homeless people getting a skosh too close to the azaleas.

If you're going to be earning additional billions from selling access to consumer residential cameras to intelligence and law enforcement every year, it seems like the very least you can do is invest a little bit more in taking consumer privacy and security seriously, even if "caring about consumers" and "selling their camera surveillance and location data to any nitwit with a nickel" operate somewhat discordantly.

Mississippi City Trying To Turn Residents' Doorbell Cameras Into Law Enforcement Surveillance Network

Tim Cushing — Wed, 11 Nov 2020 09:33:57 PST

The Ring doorbell/camera has become a fixture of American life, thanks in part to Ring's partnership with law enforcement agencies. In exchange for steering people towards Ring's snitch app, the company has been giving deeply discounted doorbell cameras to police, who then hand them out to homeowners with the implied assumption homeowners will return the favor by handing footage over to cops any time they ask.

There are millions of cameras out there and Ring-enabled portals for law enforcement officers to request footage. If warrants seem to be too much trouble, Ring lets police know they can always approach the company with a subpoena to access recordings stored in Ring's cloud.

Some enterprising city legislators are narrowing the gap between cops and homeowners' cameras. A trial program is underway in Mississippi that would give police direct access to cameras, as Edward Ongweso Jr. reports for Vice. (h/t FourthAmendment.com]

On Tuesday, Jackson, Mississippi's city council signed off on a 45-day pilot program that would let police access Ring surveillance cameras in real time.

In partnership with technology companies PILEUM and Fūsus, the pilot program will run through the police department’s surveillance hub, the Real Time Crime Center, from which Jackson’s police department can stream Ring surveillance camera footage.

The goal, of course, is to fight crime. But the methods are concerning, to say the least. The expansion of law enforcement's surveillance network in Jackson co-opts cameras owned by private citizens. The police feel this would be a boon for their "Real Time Crime Center," allowing them to seamlessly access any footage instantly near scenes of reported crimes. According to the mayor, this is a net win for everyone, but it provides the most benefit to the local government, which won't have to spend money to purchase more CCTV cameras.

None of this is mandatory. Businesses and private citizens have to sign a waiver to grant the police real-time access to their cameras. But this move towards more pervasive surveillance comes at a strange time for the city, which recently took steps to limit local law enforcement's access to surveillance tech.

This may come as a surprise to those who remember that just a few months ago, Jackson was the first city in the South to ban police from using facial recognition technology.

That might explain why this surveillance hub isn't much of a hub at this point. According to Vice's report, there are only five private participants in this program. As for Ring, it's distancing itself from this co-opting of its cameras, stating that this isn't a Ring program and the company has had no participation in this program. And while that may be true in this case, the company hasn't been shy about pushing cameras on citizens via law enforcement and encouraging law enforcement to lean on recipients for camera footage.

This may not be Ring's doing, but that's always been the implicit promise of its hundreds of partnerships with law enforcement agencies: an expanded surveillance network that costs cops almost nothing. It hasn't always worked out the way Ring suggests it will, but this trial program makes it clear others will step up to create a network of their own if Ring can't or won't help out.

FBI Horrified To Discover Ring Doorbells Can Tip Off Citizens To The Presence Of Federal Officers At Their Door

Tim Cushing — Tue, 8 Sep 2020 05:25:01 PDT

Ring's camera/doorbells may as well be branded with local law enforcement agency logos. Since Amazon acquired the company, Ring has cornered the law enforcement-adjacent market for home security products, partnering with hundreds of agencies to get Ring's products into the hands of residents. A lot of this flows directly through police departments, which can get them almost for free as long as they push citizens towards using Ring's snitch app, Neighbors, and allow Ring to handle the PR work.

So, it's hilarious to find out the FBI is concerned about Ring cameras, considering the company's unabashed love for all things law enforcement. The Intercept -- diving back into the "Blue Leaks" stash of exfiltrated law enforcement documents -- has posted an FBI "Technical Analysis Bulletin" [PDF] warning cops about the threat Ring cameras pose to cops. After celebrating the golden age of surveillance the Internet of Things has ushered in, the FBI notes that doorbell cameras see everyone who comes to someone's door -- even if it's people who'd rather the absent resident remained unaware of.

The document describes a 2017 incident in which FBI agents approached a New Orleans home to serve a search warrant and were caught on video. “Through the Wi-Fi doorbell system, the subject of the warrant remotely viewed the activity at his residence from another location and contacted his neighbor and landlord regarding the FBI’s presence there,” it states.

Ratted out by home security tech -- the kind often pushed on residents by law enforcement officers hoping to expand their surveillance networks by deputizing doorbells. Ring's cameras aren't just mute witnesses. Owners receive notifications when someone comes to their door and, depending on model, are able to hold conversations with them using built-in mics and speakers.

This means the sneak-and-peek feds might have been overhead discussing their tactical plans or specifics about the investigation. Hilarious. And this is how another FBI document on the subject of doorbells puts it, turning a normal home security device into a devious tool to be wielded against law enforcement:

“[S]ubject was able to see and hear everything happening at his residence” and possibly “covertly monitor law enforcement activity while law enforcement was on the premises…"

Covert monitoring is the best monitoring, as these FBI agents are well-aware. Sucks when it's the alleged perps doing the covert monitoring, I guess. And it sucks when the FBI decides now is the time to be hot and bothered when security cameras have been catching cops visiting/raiding properties for years. Audio recording isn't some new technology either, so if cops haven't been clued into this possibility already, they have no one to blame but themselves.

The documents are fascinating, and not just because they appear to turn Ring into a co-conspirator in crimes after so many years of being besties with law enforcement. It also shows how much goes unnoticed by people who routinely cite their years of training and experience when applying for search warrants. This should have been obvious from day one.

Ring Continues To Insist Its Cameras Reduce Crime, But Crime Data Doesn't Back Those Claims Up

Tim Cushing — Tue, 24 Mar 2020 03:15:31 PDT

Despite evidence to the contrary, Amazon's Ring is still insisting its the best thing people can put on their front doors -- an IoT camera with PD hookups that will magically reduce crime in their neighborhoods simply by being a mute witness of criminal acts.

Boasting over 1,000 law enforcement partnerships, Ring talks a good game about crime reduction, but its products haven't proven to be any better than those offered by competitors -- cameras that don't come with law enforcement strings attached.

Last month, Cyrus Farivar undid a bit of Ring's PR song-and-dance by using public records requests and conversations with law enforcement agencies to show any claim Ring makes about crime reduction probably (and in some cases definitely) can't be linked to the presence of Ring's doorbell cameras.

CNET has done the same thing and come to the same conclusion: the deployment of Ring cameras rarely results in any notable change in property crime rates. That runs contrary to the talking points deployed by Dave Limp -- Amazon's hardware chief -- who "believes" adding Rings to neighborhoods makes neighborhoods safer. Limp needs to keep hedging.

CNET obtained property-crime statistics from three of Ring's earliest police partners, examining the monthly theft rates from the 12 months before those partners signed up to work with the company, and the 12 months after the relationships began, and found minimal impact from the technology.

The data shows that crime continued to fluctuate, and analysts said that while many factors affect crime rates, such as demographics, median income and weather, Ring's technology likely wasn't one of them.

Worse for Ring -- which has used its partnerships with law enforcement agencies to corner the market for doorbell cameras -- law enforcement agencies are saying the same thing: Ring isn't having any measurable impact on crime.

"In 2019, we saw a 6% decrease in property crime," said Kevin Warych, police patrol commander in Green Bay, Wisconsin, but he noted, "there's no causation with the Ring partnership."

[...]

"I can't put numbers on it specifically, if it works or if it doesn't reduce crime," [Aurora PD public information officer Paris] Lewbel said.

But maybe it doesn't really matter to Ring if law enforcement agencies believe the crime reduction sales pitch. What ultimately matters is that end users might. After all, these cameras are installed on homes, not police departments. As long as potential customers believe crime in their area (or at least their front doorstep) will be reduced by the presence of camera, Ring can continue to increase market share.

But the spin is, at best, inaccurate. Crime rates in cities where Ring has partnered with law enforcement agencies continue to fluctuate. Meanwhile, Ring has fortuitously begun its mass deployment during a time of historically-low crime rates which have dropped steadily for more than 20 years. Hitting the market when things are good and keep getting better makes for pretty good PR, especially when company reps are willing to convert correlation to causation to sell devices.

Ring Says It Helps Cops Fight Crime But The Data Shows It's No Better At This Than Any Other Security Camera

Tim Cushing — Fri, 21 Feb 2020 09:38:38 PST

The number of law enforcement agencies Ring partners with continues to grow -- up to nearly 900 by the latest count. Ring pitches its devices to homeowners as a better way to keep their homes secure. And maybe it is. But the pitches it makes to law enforcement agencies are something else.

Ring drives this particularly questionable engagement by insinuating people who've received free or cheap cameras will become part of a surveillance network overseen by cops, who will be able to solve tons of crimes and receive tons of footage from compliant recipients without a warrant.

None of this appears to be happening. While homes with Ring cameras are arguably more secure, the same could be said for any consumer camera -- most of which aren't handed to homeowners by law enforcement. A recent report by Cyrus Farivar for NBC News shows there's not much crime being solved by the vast network of Ring cameras and the company's hundreds of law enforcement partners. (via Jeffrey Nonken in the Techdirt chat window)

Thirteen of the 40 jurisdictions reached, including Winter Park, said they had made zero arrests as a result of Ring footage. Thirteen were able to confirm arrests made after reviewing Ring footage, while two offered estimates. The rest, including large cities like Phoenix, Miami, and Kansas City, Missouri, said that they don’t know how many arrests had been made as a result of their relationship with Ring — and therefore could not evaluate its effectiveness — even though they had been working with the company for well over a year.

The extensive agreements with Ring -- ones that allow the company to write press releases and veto law enforcement statements it doesn't like -- apparently don't require any sort of data gathering or reporting that would tie Ring cameras to arrests. The report says none of the 40 departments contacted collect data that might indicate whether or not the increased installation of cameras has reduced crime or resulted in more arrests.

Ring cameras may be everywhere, but their contribution to combating crime is apparently no greater than its competitors. Any other camera company could boast it's contributed just as much as Ring has, all without blurring the line between public and private by aggressively courting law enforcement agencies. The list of criminals taken down by Ring footage reads like a small town paper's police blotter:

Of the arrests that police connected to Ring, most were for low-level non-violent property crimes, according to interviews and police records reviewed by NBC. These arrests detailed the theft of a $13 book, the theft of a Nintendo Switch video game console (and several items, including two coffee mugs, purchased from the Home Shopping Network valued at $175. In Parker County, Texas, two people were arrested for allegedly stealing a dachshund named Rufus Junior, valued at $200.

These are the success stories. And that's from agencies that actually have success stories to relate. Most don't have anything to talk about or are only reporting a very small number of arrests in relation to their cities' overall property crime rate.

But it has opened a dialog of sorts between citizens and law enforcement. Some people view their cameras and the law enforcement portal as a "may I speak to the manager" connection.

Ring makes it so frictionless to share footage with police that some residents submit videos of anything they find displeasing, even when there is no indication that a crime has been committed, Lt. Santos, of Winter Park, said.

“We’ve gotten videos of racoons in the yard, with people saying, ‘Hey, can you deal with these racoons?’” he said. “That’s the type of people we’re dealing with. They’re constantly sending us video clips.”

Ring continues to insist its hundreds of law enforcement partnerships makes citizens safer. But outside of a handful of arrests related to small property crimes, there's nothing in the data that suggests the thousands of cameras and hundreds of partnerships has actually increased public safety.

Ring Updates Privacy Dashboard Again, Allows Users To Preemptively Block All Law Enforcement Requests For Footage

Tim Cushing — Tue, 4 Feb 2020 03:51:04 PST

After months of negative publicity, Ring is finally taking a few small steps towards not being completely awful. The company clearly would rather be a government contractor than a supplier of consumer products, but has repeatedly gotten in its own way by selling products to consumers rather than surveillance tech to government agencies.

Trying to have it all, Ring welcomed police departments into the fold, offering steep discounts on cameras to agencies that played along with its PR pitches and distribution tactics. Citizens could get cameras for almost nothing from local cops with the implicit suggestion they share their recordings with cops whenever law enforcement asked.

That was the initial wave of bad press: the co-opting of police departments to turn consumer security cameras into extensions of law enforcement surveillance networks. The second wave was almost worse. It involved the hijacking of Ring cameras by malicious jerks who used lists of credentials taken from security breaches to take control of the connected devices.

Ring shifted the blame for these hijackings to the end users. While Ring does encourage the use of "strong" passwords and two-factor authentication, it did not -- until recently -- make either of these the default. A recent update to its "privacy dashboard" finally allowed users to easily control access to their cameras by providing lists of all IP addresses/devices currently logged in. It also nudged users in the direction of 2FA a bit more firmly, making this opt-out, rather than opt-in.

The latest update goes further. And it must have been painful to implement, since it undercuts part of the company's sales pitches to law enforcement agencies. Ring has played up the advantages of cops handing cameras to citizens, creating portals that give officers maps of Ring camera locations and coaching cops on the finer points of obtaining footage without a warrant. This addition to Ring's privacy dashboard is going to make it a bit more difficult for cops to bypass the warrant process when seeking to obtain camera footage from Ring users.

In the new update, users will be able to see an "Active Law Enforcement Map" clarifying which local institutions are part of the Neighbor Portal network. They will also be able to disable requests for video from officials, whether or not they have received one in the past. (This feature was available previously, but an account had to have received one request for the opt-out option to appear.)

Ring's blog post on the dashboard update not-so-subtly hints that users shouldn't do this by telling readers about a couple of times the video request tool was used to solve crimes. Even if this PR nudge proves ineffective, cops aren't completely out of luck. Ring is happy to turn over footage stored in its cloud to law enforcement without notifying users, even as it claims this footage still belongs to the end users.

This is a move in the right direction for Ring. Unfortunately, it still seems focused on becoming an appendage of law enforcement, rather than a producer of consumer goods. As long as it spends more time trying to figure out how it can best assist government middlemen, it's going to keep disappointing the actual users of its cameras.

Amazon Tells Ukraine Publication To Alter Its Article After It Links The Company To Ring's Problematic Ukraine Branch

Tim Cushing — Thu, 30 Jan 2020 10:52:53 PST

An extremely-problematic wing of an extremely-problematic company is back in the news. Ring's Ukraine division made headlines last fall when the presence of a "Head of Facial Recognition Tech" in the Ukraine office appeared to contradict Ring's claims it was not interested in adding facial recognition to its cameras.

More disturbing news surfaced earlier this month, when it was discovered this office had allowed its employees to view Ring camera footage uploaded by users. Ring doesn't just produce doorbell cameras. It also sells in-home cameras, making this revelation particularly worrying.

Beginning in 2016, according to one source, Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world. This would amount to an enormous list of highly sensitive files that could be easily browsed and viewed. Downloading and sharing these customer video files would have required little more than a click. The Information, which has aggressively covered Ring’s security lapses, reported on these practices last month.

Not only did the R&D team have complete access to customers' recordings, so did Ring's US-based engineers and executives. And who knows how many other people have accessed these recordings illicitly? When this access was granted to an untold number of Ring employees, Ring did not encrypt uploaded recordings. The company apparently felt encryption was too expensive to implement and would possibly limit revenue opportunities for the company as it aggressively moved into the home security market.

It turns out the company was using customers' footage to train its AI to recognize faces and other objects. This would be the same facial recognition Ring swears it isn't going to be implementing anytime soon.

Apparently, this abuse of trust has resulted in growth opportunities for Ring-Ukraine. A recent article by Ukranian publication Vector stated the office would be lending its expertise to other Amazon products, which possibly includes Rekognition, Amazon's homegrown facial recognition program.

But that story was buried by Amazon PR shortly after it appeared, according to Sam Biddle of The Intercept.

I asked multiple Amazon representatives and Ring’s head of communications about the Vector article, including specifically what were the “many other Amazon projects” Ring’s Ukrainian staff now worked on.

Although Amazon ignored repeated requests for comment and Ring refused to discuss the subject on the record, it seems that the company did take action: Within hours of my inquiries, the text of the Vector piece was quietly edited to remove references to Amazon. Most notably, the entire quoted sentence about the “many other Amazon projects” the Kyiv office was working on was excised.

The author of the story told The Intercept he had nothing to do with the belated deletion. In fact, he was not aware of any editing until The Intercept brought it to his attention. An email from Vector's editor-in-chief explained the situation, although not all that satisfactorily.

We published a news about rebranding, later pr-manager of Ring Ukraine called me and asked to take Amazon mention out from the article. Since I had a good relationship with manager, the article got just several dozens of views and I understood that everyone know that Ring is part of Amazon anyway, I didn’t even asked questions, said ok and took Amazon part out

It appears Amazon doesn't want people to know it has given a problematic division even more responsibility. It also may be trying to head off another Ring-related PR nightmare by removing any text that might suggest Ring customer recordings are being used to train facial recognition software used by government agencies.

But it's too late to change public perception. The scrubbing may keep Amazon from being linked to unfettered access to Ring camera recordings in search results, but there's no separating Amazon from Ring. And there's nothing here that suggests either company is moving away from leveraging user-generated content to fine-tune AI for the customers they really want: law enforcement agencies.

Ring Sued Because 'Taking Customers' Security Seriously' Means Selling Easily-Hijacked Cameras

Tim Cushing — Tue, 7 Jan 2020 10:44:00 PST

Amazon's Ring has been uniformly terrible ever since it decided its primary market (homeowners) should be treated with less care and concern than the market it's actually courting and subsidizing (law enforcement agencies).

Since it's not really in the customer service business anymore, the end users who thought they were buying some security and peace of mind have discovered they've actually become part of a law enforcement surveillance network run by a company that doesn't really seem to be in the security business.

A group of forum members found Ring cameras incredibly easy to hijack. Running scripts utilizing lists of credentials harvested from the web's many security breaches, some sociopathic idiots were able to brute force their way into taking control of devices. Their favorites were the ones equipped with mics, where they could verbally abuse and taunt unsuspecting Ring owners for the enjoyment of their podcast audience. (I really wish I were making that last part up but this is the internet we have.)

When the news cycle of "hacked" Ring cameras began, Ring was quick to point out this wasn't its fault. To a certain point, Ring is right. Ring says it encourages the use of two-factor authentication and strong passwords. Great. So do lots of IoT device makers. But very few are actually forcing their users to engage two-factor authentication prior to allowing the connected device to go "live" on the web. Ring isn't doing this either.

It's even worse in Ring's case. Ring says it's the customers that are wrong, but it does absolutely nothing to prevent this sort of hijacking. There's no lockout after a certain number of failed logins. No warnings are sent to owners about logins from unrecognized devices or IP addresses. Repeated failed login attempts aren't flagged as suspicious. For a company supposedly in the security business, this is a pretty insecure way to run a business.

It's this latest insecurity that's getting the company sued.

Amazon and its home security subsidiary Ring are facing a federal lawsuit in California over allegations that its "lax security standards" led to a series of invasive and frightening hacks over the past year.

The lawsuit, which alleges Ring security cameras have been hacked six times across the U.S., comes as Amazon's Ring faces a barrage of scrutiny from lawmakers, privacy advocates and the public over its cybersecurity standards and widespread partnerships with local police departments.

The lawsuit [PDF], filed by a victim of just such a "hacking" hopes to become a class action when it's all grown up and fully-represented. Until then, there's this incident, which happened to the plaintiff.

Plaintiff John Baker Orange is a resident of Jefferson County Alabama. He purchased a Ring outdoor camera for his house in July 2019 for approximately $249.00. The Ring camera was installed over his garage with a view of the driveway. Mr. Orange purchased the Ring camera to provide additional security for him and his family which include his wife and three children aged 7, 9, and 10. Recently, Mr. Orange’s children were playing basketball when a voice came on through the camera’s two-way speaker system. An unknown person engaged with Mr. Orange’s children commenting on their basketball play and encouraging them to get closer to the camera. Once Mr. Orange learned of the incident, he changed the password on the Ring camera and enabled two-factor authentication. Prior to changing his password, Mr. Orange protected his Ring camera with a medium-strong password.

Orange alleges that Ring did almost nothing to protect its customers while promising its products will protect its customers.

Unfortunately, Ring does not fulfill its core promise of providing privacy and security for its customers, as its camera systems are fatally flawed. The Ring system is Wi-Fi enabled, meaning that it will not work without internet connectivity. Once connected, however, any internet device can be seen by the on-line community, making it incumbent upon its manufacturer to design the device such that it can be properly secured for only intended use. This obligation is even more critical in instances where the device, like the Ring camera, is related to the safety and security of person and property.

Ring failed to meet this most basic obligation by not ensuring its Wi-Fi enabled cameras were protected against cyber-attack. Notably, Ring only required users enter a basic password and did not offer or did not compel two-factor authentication.

He's not wrong. Security is pretty much an afterthought for this security company. It likes to put its resources into pitching its products to cops, who can then hand the flawed products to citizens in exchange for possible glimpses of camera recordings in the future.

But is it enough to win a lawsuit? The plaintiff alleges negligence and a few other related torts, but he'll have to prove Ring deliberately sold a product it knew was insecure. Ring is probably aware of the lack of built-in security, but is it more deliberately negligent than any other IoT device maker that decides to dumb down security options to increase adoption and marketshare? And if it's just as terrible as its competitors, should that be enough to allow it to escape a lawsuit?

Maybe this one will hit Ring hard and force it and its competitors in the IoT marketplace to actually take the security of their customers seriously, rather than just saying that after their customers have already been compromised. Or maybe I just want Ring to get smacked around for pushing an insecure product on consumers with the assistance of over 600 law enforcement agencies. Ring has been an absentee landlord in its market, grabbing all the market share it can while leaving its millions of customers to fend for themselves when it comes to securing their devices properly.

Nearly 4,000 Ring Credentials Leaked, Including Users' Time Zones And Device Names

Tim Cushing — Mon, 23 Dec 2019 14:06:00 PST

The eternal flame that is Ring's dumpster fire of an existence continues to burn. In the past few months, the market leader in home surveillance products has partnered with over 600 law enforcement agencies to:

Engage in law enforcement stings that don't sting anyone
Teach cops how to bypass warrant requirements
Sign up a bunch of people for its snitch app
Use said snitch app to generate "suspicious person" alerts
Blame users for not securing their cameras properly
Admit the company places no restrictions on sharing of subpoenaed footage by law enforcement agencies
Let everyone know it's collecting images of children

The latest bad news for Ring -- via Caroline Haskins of BuzzFeed -- is another PR black eye inflicted on a company whose face that still hasn't healed from the last half-dozen black eyes.

The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as “bedroom” or “front door.”

The compromised data plays right into the hands of the assholes who hang out in certain online forums solely for the purpose of hijacking people's Ring devices to hassle individuals who thought their homes would be more secure with the addition of an internet-connected camera.

Ring says this leak of personal data isn't its fault. The company claims there's been no breach. Maybe so, but the information is out there and presumably being exploited.

And it's kind of hard to take Ring's word for it. The company has been doing nothing but putting out PR fires ever since its law enforcement partnerships came to light earlier this year. And its explanation for where the sensitive data came from makes very little sense.

“Ring has not had a data breach. Our security team has investigated these incidents and we have no evidence of an unauthorized intrusion or compromise of Ring’s systems or network,” the spokesperson said. “It is not uncommon for bad actors to harvest data from other company's data breaches and create lists like this so that other bad actors can attempt to gain access to other services.”

Ring's spokesperson did not specify which other "companies" it suspected of carelessly handling device names given to Ring devices by Ring users. The spokesperson also failed to explain why Ring took no interest in this sensitive Ring user info until after the security researcher who discovered the compromised credentials discussed his findings on Reddit. "Unable to assist" is not a proper response to notification of a possible breach, but that's exactly what Ring reps told the researcher when he first informed them of what he had found.

Ring may have been quick to blame users for the commandeering of their cameras by a forum full of shitbirds, but the company does almost nothing to ensure users are protected from malicious activity. The only thing Ring does is recommend users utilize two-factor authentication and "strong passwords" (whatever that means). It does not alert users of attempted logins from unknown IP addresses or inform users how many users are logged in at any given time. Ring is doing less than the minimum to protect users but still seems to feel device hijackings are solely the fault of end users.

This is a garbage company. There's no way around it. Ring has prioritized market growth and law enforcement partnerships over the millions of citizens/customers who own its products. Rather than provide a secure product that makes people safer, it's selling a domestic surveillance product that comes with law enforcement strings attached. It has shown it will bend over backwards for the government but is only willing to deliver the most hollow of "we care about our customers" statements in response to news cycle after news cycle showing it absolutely gives zero fucks about its end users.

Online Forum Members Exploited Weak Credentials To Turn Ring Cameras Against Their Owners

Tim Cushing — Fri, 13 Dec 2019 03:24:09 PST

To add to all the bad news that is Ring camera's life cycle to this point comes the report that a group of malcontents has been exploiting default/weak credentials to gain access to cameras. Joseph Cox has the this-would-be-funny-if-it-weren't-so-scary details at Motherboard.

Hackers have created dedicated software for breaking into Ring security cameras, according to posts on hacking forums reviewed by Motherboard. The camera company is owned by Amazon, which has hundreds of partnerships with police departments around the country.

On Wednesday, local Tennessee media reported that a hacker broke into a Ring camera installed in the bedroom of three young girls in DeSoto County, Mississippi, and spoke through the device's speakers with one of the children.

The family said they had the camera for four days, during which time the hacker could have been watching the kids go about their day.

There's not much actual hacking going on. What appears to be happening is purchasers aren't choosing unique passwords when they set up their cameras. They also aren't using the two-factor authentication Ring recommends.

There are enough cameras out there (and more being installed every day) that there's an entire forum set up just for the hijacking of Ring cameras/doorbells. Forum members are selling exploit tools to each other which allow these jackasses to brute force Ring devices using credentials (usernames/email addresses and passwords) found elsewhere on the web.

The popular exploitables have even spawned a podcast featuring unsuspecting device owners being trolled by jerks who have gained access to Ring and Nest cameras. This is what's in store for device owners who haven't properly secured their new purchases.

A blaring siren suddenly rips through the Ring camera, startling the Florida family inside their own home.

"It's your boy Chance on Nulled," a voice says from the Ring camera, which a hacker has taken over. "How you doing? How you doing?"

"Welcome to the NulledCast," the voice says.

The NulledCast is a podcast livestreamed to Discord. It's a show in which hackers take over people's Ring and Nest smarthome cameras and use their speakers to talk to and harass their unsuspecting owners. In the example above, Chance blared noises and shouted racist comments at the Florida family.

Good times. Nulled forum members are starting to scatter, now that Joseph Cox has shined a light on their dirty little games. The Nulled admin has nailed an unbelievable statement to the top of the forum, saying that Nulled does not tolerate the "harassments of individuals over Ring cameras or any similar." This posting followed some "unscheduled maintenance," which occurred shortly after Motherboard's first article on Ring exploitation went live.

Panic has ensued. Cox reports the forum is in disarray, with members quitting or changing their usernames. Some appeared to be worried law enforcement is all over this. Others think the only ones going to jail are the members who participated in the podcasted Ring hijacking.

But it's not over yet. A few members appear to be willing to roll the dice on possible legal charges.

It doesn't seem the livestreaming of Ring hacking is going to end just yet, however.

"Podcast dead?" one user on the Nulled Discord asked Wednesday night.

Another user replied, "Nope. Tune in Friday. Like and subscribe."

Perhaps the focus of the podcast will change. Considering the channel's been dedicated to finding exploitable devices and exploiting them to create content, any pivot will likely be short lived.

In the meantime, Ring is doing about the only responsible thing it's ever done.

"As a precaution, we highly and openly encourage all Ring users to enable two-factor authentication on their Ring account, add Shared Users (instead of sharing login credentials), use strong passwords, and regularly change their passwords," [Ring] added.

Perhaps more education of consumers is in order. Security recommendations are great, but purchasers appear to feel installing the cameras is the end of the job. It's one thing to get your sidewalk-facing doorbell camera hacked. It's quite another to have your interior cameras turned against you. The Internet of Things continues to be awful. Ring's general awfulness kind of obscures the fact that this particular debacle isn't really Ring's fault. But it could be doing more. It could prevent deployment until two-factor authentication is engaged. And it could ease up a bit on its promises of home security when the default setup process allows outsiders to virtually enter the homes of Ring owners.

Cops Offered Deeper Discounts On Ring Cameras Depending On How Much Of The Neighborhood The Cameras Would Surveil

Tim Cushing — Tue, 10 Dec 2019 03:42:47 PST

"You know what would be cool," said the consumer product that wished it was a cop? "If everything we made catered to law enforcement rather than the end user." That's the Ring business model: make inroads with security-conscious homeowners by inserting them into a toxic ecosystem that includes a snitch app that amps up the worst aspects of humanity, and breaks down the walls between "sharing" and "giving law enforcement agencies footage they can keep and distribute forever without limitation."

Ring doorbells have 95% of the doorbell camera market. That's a lot of "fuck you" market share. Ring says all doorbell camera footage belongs to homeowners, even as it renders homeowners extraneous by handing over footage stored in the cloud in response to subpoenas. Ring says it cares about the privacy of its customers, even as it tallies up doorbell rings and partners with law enforcement in sting operations.

The never ending negative news cycles continues for Ring with these details tucked away in another long, scathing report on the the doorbell company that wants so badly to be deputized, it's willing to cross lines most tech companies aren't willing to cross.

Caroline Haskins of Vice has been tracking Ring's incestuous relationship with law enforcement for several months now, using a slew of public records requests to make the things Ring and law enforcement don't want to discuss publicly public.

In her latest post -- one that should be read start to finish, especially if you haven't kept current with Ring's endless deluge of self-owns -- Haskins points out some more reprehensible behavior by the home security company that thinks it's a domestic surveillance contractor.

Being a good citizen involves more than flying an American flag over your driveway.

West Hollywood, CA distributed flyers advertising its Ring subsidy program at voter registration events, according to documents obtained by Motherboard. West Hollywood also sold subsidized Ring products “exclusively” to residents in areas moderated by neighborhood watches. Everyone who bought a discounted camera was added to a registry list with their name and address.

Ah, there's nothing more American than implicating the First and Fourth Amendments at the same time. The only way this would have been more American is if law enforcement asked citizens to turn over their weapons until troops were done staying at their homes.

Ask not what your [insert law enforcement agency name here] can do for you. Ask what you can do for [REDONDO BEACH POLICE DEPARTMENT].

Police from Redondo Beach, CA even used the pretense of camera registries to determine who should get a discount and who shouldn’t, according to a city council meeting memo obtained by Motherboard. Police said that they inspected the facades of homes of each applicant, and looked for who had the most “optimal viewpoints that could assist with criminal investigations.”

Kind of fucked up. What makes it really fucked up is the Redondo Beach PD offered steeper discounts to homeowners who agreed to place cameras in areas where they could capture footage "of the entire block" (60% stipend) or a "neighboring residence" (50% stipend).

Meanwhile, further north, Green Bay, WI police handed out cameras to residents under a "loan" program that predicated end user "ownership" on police ownership of all footage.

The implicit ask becomes explicit. Ring has partnered with 600+ law enforcement agencies. There's no reason to believe what's been revealed here is an anomaly.

Cops Are Running Ring Camera Footage Through Their Own Facial Recognition Software Because Who's Going To Stop Them

Tim Cushing — Tue, 3 Dec 2019 15:33:00 PST

Ring may be holding off on adding facial recognition tech to its already-problematic security cameras, but that's not stopping any of its not-exactly-end-users from doing it for themselves.

Ring is swallowing up the doorbell camera market with aggressive marketing that includes the free use of taxpayer-funded services. It calls over 600 law enforcement agencies "partners." In exchange for agency autonomy and free cameras, police departments all over the nation are pushing cameras on citizens and asking them to upload anything interesting to Ring's "I saw someone brown in my neighborhood" app, Neighbors.

The company that has someone in charge of its facial recognition division Ring claims it's not using to implement facial recognition tech is handing out cameras like laced candy. Law enforcement agencies are snatching the cameras up. And they're snatching the footage up, using subpoenas to work around recalcitrant homeowners. Once they have the footage, they can keep it forever and share it with whoever they want.

They can also run the footage through whatever hardware or software they have laying around, as Caroline Haskins reports for BuzzFeed.

Amazon does not offer the ability to recognize faces in footage on its Ring doorbell cameras. But just one month after police in Chandler, Arizona, received 25 surveillance cameras for free from the company, the department's then–assistant chief discussed using its own facial recognition technology on Ring footage at a meeting of the International Association of Chiefs of Police, according to his slideshow obtained in a public records request.

In an April presentation titled “Leveraging Consumer Surveillance Systems,” Jason Zdilla discussed various consumer surveillance devices and platforms. Examples cited in the presentation included Ring cameras and the Neighbors app.

It's the perfect storm of unaccountability. Footage can be obtained from Ring with a subpoena. Ring hands it over with zero strings attached. Cop shop runs it through the Zoom Enhancer and any databases it has or has access to. Bingo: facial recognition in cameras supplied by a company that says it's not all that into facial recognition at the moment.

Now, you may be wondering why this is a big deal. Why does any of this matter when other surveillance systems with cloud storage are likely similarly responsive to subpoenas and place no restrictions on footage they hand over to law enforcement?

Well, two things: first, Ring claims all footage belongs to camera owners, but treats camera owners as if they're not a stakeholder when it comes to sharing their recordings with the government.

Second -- and far more importantly -- Ring aggressively courts police departments as "partners," turning consumer products into unofficial extensions of existing government camera networks. Ring hands out free cameras to cops and hands out even more freebies if cops convince homeowners to download the Neighbors app and share as much footage as possible. Ring also takes control of all PR efforts and official statements involving Ring doorbells that cops have given to citizens. And Ring coaches cops how to obtain footage without having to trouble the courts with a warrant.

This is unlike any other company in the home security business. Ring's assimilation of hundreds of law enforcement agencies blurs the line between public and private in the name of commerce. Taxpayers are contributing to their own co-opting into a surveillance mesh network propelled by one of the largest companies in the world. This isn't acceptable. But the longer Ring's expansion remains unchecked, the sooner its behavior will become normalized. And once it's normalized, it's over.

Ring Coyness About Adding Facial Recognition Tech To Its Cameras Doesn't Extend To Its Marketing Materials

Tim Cushing — Mon, 2 Dec 2019 10:44:00 PST

Ring may say it's not getting into the facial recognition business, but its internal documents say otherwise. The company has a head of facial recognition tech in its Ukraine office. And its answers to Senator Edward Markey's questions make it clear Ring hasn't ruled out adding this tech to its doorbell cameras. Specifically, the company said it had no plans at the present but was always looking to "innovate" to meet "customer demand."

Documents obtained by The Intercept show Ring is still "innovating," even if there's no apparent customer demand for facial recognition tech. Sam Biddle has the details:

Ring, Amazon's crimefighting surveillance camera division, has crafted plans to use facial recognition software and its ever-expanding network of home security cameras to create AI-enabled neighborhood “watch lists,” according to internal documents reviewed by The Intercept.

The planning materials envision a seamless system whereby a Ring owner would be automatically alerted when an individual deemed “suspicious” was captured in their camera’s frame, something described as a “suspicious activity prompt.”

In the mockup seen by The Intercept, "suspicious" apparently translates to "shabbily dressed man." This person is shown walking past a garage-mounted camera (which the company says users shouldn't point at public areas like streets and sidewalks) with the alert "This person appears to be acting suspicious."

Dress better, citizens. Otherwise, your image might be uploaded to Ring's snitch app, Neighbors, where local randos can collectively gin up fear and sic the cops on you. Nowhere in the document does Ring define what triggers its "suspicion" sensors.

Here's where the facial recognition tech is pitched but never named specifically:

A third potentially invasive feature referenced in the Ring documents is the addition of a “proactive suspect matching” feature, described in a manner that strongly suggests the ability to automatically identify people suspected of criminal behavior — again, whether by police, Ring customers, or both is unclear — based on algorithmically monitored home surveillance footage. Ring is already very much in the business of providing — with a degree of customer consent — valuable, extrajudicial information to police through its police portal. A “proactive” approach to information sharing could mean flagging someone who happens to cross into a Ring video camera’s frame based on some cross-referenced list of “suspects,”

Ring may not have facial recognition tech built in (yet), but plenty of police departments utilize or have access to this software. Any images or footage shared with law enforcement agencies -- either voluntarily by Ring owners or acquired with a subpoena from the company -- can be subjected to facial recognition tech and placed on a Ring-enabled "watchlist."

Ring remains mostly a dump pipe in this scenario, but its aggressive marketing to law enforcement suggests it wants its 600+ government partners to take advantage of the tools they have on hand to make the most of footage cops are invited to download and hold onto indefinitely. Ring can then remain in a state of plausible deniability when being questioned by critics and/or Congress while still giving hundreds of law enforcement agencies all the reason they need to act as Ring brand ambassadors.

Amazon: Cops Can Get Recordings From Ring, Keep Them Forever, And Share Them With Whoever They Want

Tim Cushing — Mon, 25 Nov 2019 11:58:00 PST

Even more alarming news has surfaced about Amazon's Ring doorbell/camera and the company's ultra-cozy relationship with police departments.

Since its introduction, Ring has been steadily increasing its market share -- both with homeowners and their public servants. At the beginning of August, this partnership included 200 law enforcement agencies. Three months later, that number has increased to 630.

What do police departments get in exchange for agreeing to be Ring lapdogs? Well, they get a portal that allows them to seek footage from Ring owners, hopefully without a warrant. They also get a built-in PR network that promotes law enforcement wins aided by Ring footage, provided the agencies are willing to let Ring write their press releases for them.

They also get instructions on how to bypass warrant requirements to obtain camera footage from private citizens. Some of this is just a nudge -- an unstated quid pro quo attached to the free cameras cops hand out to homeowners. Some of this is actual instructions on how to word requests so recipients are less likely to wonder about their Fourth Amendment rights. And some of this is Ring itself, which stores footage uploaded by users for law enforcement perusal.

If it seems like a warrant might slow things down -- or law enforcement lacks probable cause to demand footage -- Ring is more than happy to help out. Footage remains a subpoena away at Ring HQ. And, more disturbingly, anything turned over to police departments comes with no strings attached.

Statements given to Sen. Edward Markey by Amazon indicate footage turned over to cops is a gift that keeps on giving.

Police officers who download videos captured by homeowners’ Ring doorbell cameras can keep them forever and share them with whomever they’d like without providing evidence of a crime, the Amazon-owned firm told a lawmaker this month.

Brian Huseman, Amazon's VP of Public Policy, indicates the public is kind of an afterthought when it comes to Ring and its super-lax policies.

Police in those communities can use Ring software to request up to 12 hours of video from anyone within half a square mile of a suspected crime scene, covering a 45-day time span, Huseman wrote. Police are required to include a case number for the crime they are investigating, but not any other details or evidence related to the crime or their request.

Ring itself maintains that it's still very much into protecting users and their safety. Maybe not so much their privacy, though. The company says it takes the "responsibility" of "protecting homes and communities" very seriously. But when it comes to footage, well… that footage apparently belongs to whoever it ends up with.

Ring… "does not own or otherwise control users’ videos, and we intentionally designed the Neighbors Portal to ensure that users get to decide whether to voluntarily provide their videos to the police.”

It's obvious Ring does not "control" recordings. Otherwise, it would place a few more restrictions on the zero-guardrail "partnerships" with law enforcement agencies. But pretending Ring owners are OK with cops sharing their recordings with whoever just because they agreed to share the recording with one agency is disingenuous.

Ring's answers to Markey's pointed questions are simply inadequate. As the Washington Post article notes, Ring claims it makes users agree to install cameras so they won't record public areas like roads or sidewalks, but does nothing to police uploaded footage to ensure this rule is followed. It also claims its does not collect "personal information online from children under the age of 13," but still proudly let everyone know how many trick-or-treaters came to Ring users' doors on Halloween. And, again, it does not vet users' footage to ensure they're not harvesting recordings of children under the age of 13.

The company also hinted it's still looking at adding facial recognition capabilities to its cameras. Amazon's response pointed to competitors' products utilizing this tech and said it would "innovate" based on "customer demand."

While Ring's speedy expansion would have caused some concern, most of that would have been limited to its competitors. That it chose to use law enforcement agencies to boost its signal is vastly more concerning. It's no longer just a home security product. It's a surveillance tool law enforcement agencies can tap into seemingly at will.

Many users would be more than happy to welcome the services of law enforcement if their doorbell cameras captured footage of criminal act that affected them, but Ring's network of law enforcement partners makes camera owners almost extraneous. If cops want footage, Ring will give it to them. And then the cops can do whatever they want with it, even if it doesn't contribute to ongoing investigations.

These answers didn't make Sen. Markey happy. Hopefully, other legislators will find these responses unsatisfactory and start demanding more -- both from law enforcement agencies and Ring itself.

Ring Spends The Week Collecting Data On Trick-Or-Treating Kids And Being An Attack Vector For Home WiFi Networks

Tim Cushing — Wed, 13 Nov 2019 10:50:53 PST

Nothing owns like a self-own. And Ring -- Amazon's doorbell surveillance project -- is so into self-abuse, it's almost kinky. It's a DOM when it picks up another submissive law enforcement partner (400+ at last count, so maybe get tested if you install a doorbell without protection). Any other time, it seems to be a relentlessly cheery masochist. Hopefully it's deriving some pleasure from the endless negative news cycles. Maybe 95% market share heals all wounds.

Ring is putting the "creep" back in the phrase "surveillance creep." While there's some value to keeping an eye on your front doorstep when you're expecting an expensive delivery, the downside is Ring might be letting cops know you've got a camera on your house. What it won't be letting you know is that it will part with your footage at the drop of a subpoena.

If you're not eyeballing your neighbors by proxy, you're not living right. That's the message of the Neighbors app, which is pushed by Ring and cops alike. Breaking down "sharing" barriers is the first step toward bypassing the warrant process. Ring is the grease and the wheel.

The pushback against Ring's law enforcement adoption offensive has had minimal effect on the company. It continues undeterred, even as it attempts to explain both its lack of interest in adding facial recognition software to its doorbells and its retention of a facial recognition division head. It's things like this that make one believe the public's opinion ultimately doesn't matter, not if Ring can convince enough cop shops to start pushing its offerings on the public.

Ring is back in the news again. And, again, it's not because it did anything right. Or competently.

First, Buzzfeed reports the doorbell company is as tone deaf as it is dominant in its market sector. What Ring thinks is cute and fun is actually just very, very creepy.

In a company blog and series of Instagram stories, posted Monday and Tuesday, the company showed that it collects, stores, and analyzes sensitive data about how, when, and where people use its doorbell cameras. Ring said that nationwide, its doorbell cameras were activated 15.8 million times on Halloween. The company makes several other types of surveillance cameras in addition to its doorbell camera.

As it has on other occasions, like Super Bowl Sunday, Ring turned Halloween into a marketing opportunity. As reported by Mashable, Ring circulated videos of children on Halloween on Twitter. Ring also promoted Halloween-themed skins to decorate doorbell cameras on its company blogs and Instagram. However, in promoting itself as a family-friendly company, Ring showed that it collects user data on a granular level.

Friends, neighbors, visitors… children -- nothing but data and footage to be used to promote Ring's version of everyday life in the United States. The information a Ring doorbell collects belongs to Ring, not its customers. And if it belongs to Ring, it can be had without a warrant in most cases. Ring knows how often customers' doorbells ring. It says it anonymizes this data, but first you have to trust that it actually did what it said it did. And then you have to believe anonymizing data actually anonymizes it, which it kind of doesn't.

But trading trick-or-treating kids for social media impressions isn't the only headline Ring made this past week. It also showed it's not immune to the IoT curse: connected "smart' things tend to be attack vectors. And if they're not actually being attacked, they're just giving info away to whoever wants it.

A vulnerability in the Amazon Ring doorbells could have exposed homes’ WiFi username and password to hackers.

Discovered earlier this year by Romanian cybersecurity firm Bitdefender, the issue caused users’ WiFi credentials to be transmitted unencrypted while they were setting up the internet-connected device.

“When entering configuration mode, the device receives the user’s network credentials from the smartphone app,” Bitdefender notes. “Data exchange is performed through plain HTTP, which means that the credentials are exposed to any nearby eavesdroppers.”

While this method requires a hacker to be near the doorbell or on the targeted WiFi network in order to intercept the credentials, this doesn't mean exploitation is only a crime of opportunity. As Bitdefender noted, hackers could flood the device with de-authentication messages which would kick the doorbell off the network. When Ring users try to reconnect their doorbell to their network, hackers could jump in and grab the credentials as they sail by in plaintext.

The good news is this issue has been fixed. The bad news is this is the second time Ring's doorbells have been caught handing out WiFi credentials. At least last time, malicious hackers needed physical access to the doorbell. The last misstep allowed hackers to stay in their cars.

The further bad news is Ring is still Ring and mainly interested in turning doorbells in spy cams that can be easily accessed by its hundreds of law enforcement "partners." It has never expressed any sincere desire to protect the privacy of its users. As far as it's concerned, every camera is just another eye it owns, feeding it footage and data it can use at will.

Ring Has A 'Head Of Face Recognition Tech,' Says It's Not Using Facial Recognition Tech. Yet.

Tim Cushing — Tue, 10 Sep 2019 03:11:20 PDT

Amazon has developed facial recognition tech it's inordinately proud of. Known as "Rekognition," it's not nearly as accurate as its deliberately misspelled moniker suggests it is. It drew Congressional heat last year when it misidentified a number of Congress members as criminals.

There has been no interplay between Amazon's Rekognition software and the Ring doorbell cameras its subsidiary is pushing to cops (who then push them to citizens). Yet. Maybe there will never be. But it's pretty much an inevitability that Ring cameras will, at some point, employ facial recognition tech.

There's probably no hurry at the moment. The doorbell camera company doesn't seem all that concerned about optics -- not after partnering with 400 law enforcement agencies en route to securing 97% of the doorbell camera market. When not writing press releases and social media posts for cop shops, Ring is waging a low-effort charm offensive with vapid blog posts meant to boost its reputation as a crime-fighting device while burying all the questionable aspects of its efforts -- like encouraging "sharing" of footage with law enforcement so they don't have to go through the hassle of obtaining a warrant.

Ring is toughening up a bit in the face of all this bad press. It's engaging directly with critics on Twitter to rebut points they haven't made and answer questions they didn't actually ask. It responded to the ACLU's post that theorized about Amazon's forays into surveillance tech, positing that the company's Rekognition software and Ring doorbell cameras make for a dynamic surveillance duo -- one that faces outwards from millions of private homes around the nation.

Ring says it does not use facial recognition tech in its doorbells. It has made this statement multiple times in the past couple of weeks. That's good news. But it's not the end of the story. Nicole Nguyen and Ryan Mac of BuzzFeed are countering Ring's PR push by pointing out that it's a little weird for a company that says it does not use facial recognition tech to employ someone directly tasked with exploring facial recognition opportunities. (via Boing Boing)

While Ring devices don’t currently use facial recognition technology, the company’s Ukraine arm appears to be working on it. “We develop semi-automated crime prevention and monitoring systems which are based on, but not limited to, face recognition,” reads Ring Ukraine’s website. BuzzFeed News also found a 2018 presentation from Ring Ukraine's "head of face recognition research" online and direct references to the technology on its website.

Maybe the stateside version isn't ready to mix in the tech, but its Ukraine arm seems poised to explore this option. The presentation BuzzFeed located was created by Oleksandr Obiednikov, who listed himself as Ring's "Head of Face Recognition Tech" in his presentation about "alignment-free face recognition."

Ring's US operations also indicate Ring is looking into this, even if it hasn't added the tech yet.

In November 2018, Ring filed two patent applications that describe technology with the ability to identify “suspicious people” and create a “database of suspicious persons.”

So, the company's assertions about facial recognition tech appear to be true, but only because it has added the qualifier "currently" to its statements. The pairing of doorbell cameras to unproven, often-inaccurate facial recognition tech is all but assured. Ring's denials would be a whole lot more palatable if it wasn't exploring this option elsewhere in the world.

We may only be on the outskirts of a corporation-enabled dystopia at the moment, but a future full of unblinking eyes containing biometric scanning capabilities is swiftly approaching. And this surveillance state won't be the product of the show of force by the government but the result of private companies using law enforcement to expand their user base with a series of "would you kindly?" requests.

Ring Let Cops Know How Often Their Requests For Camera Footage Were Ignored

Tim Cushing — Fri, 6 Sep 2019 03:12:18 PDT

I have seen the future and it's hundreds of law enforcement agencies morphing into Amazon subsidiaries. Amazon's Ring doorbell camera currently commands 97% of the doorbell camera market. It's easy to see why. Amazon has the marketing power and cash flow to hand out discounted cameras to police departments, using them as loss leaders to ensure buy-in by end users, many of whom get these cameras for free from local cops.

What's the catch? There isn't one* -- not if you disregard the implications of accepting a free surveillance camera from law enforcement. Ring wants more end users and for more of those end users to download its Neighbors app. Neighbors accelerates the sharing of doorbell cam footage. It also accelerates bigotry, which tends to turn virtual meetups on Neighbors into a discussion about shady people of color wandering the neighborhood.

^{*Sometimes there's a catch.}

It's not enough for Ring to command nearly 100% of the market. It also spends its time vetting law enforcement statements and press releases to ensure cop shops stay on brand and push the Neighbors app. The more people cops can convince to use the app, the bigger the discount on the next order of Ring doorbells.

Sharing is what matters. Encouraging people to share footage of suspicious activity with their neighbors via the app breaks down reservations people might have about turning over footage to cops. Law enforcement requests are made through a portal provided by Ring, which includes a map that shows cops every residence that has a Ring doorbell installed.

The Guardian has obtained documents from two more of the 400+ law enforcement agencies currently partnering with Ring. These documents contain screenshots of Ring doorbell maps from the portal, as well as its template for warrantless footage requests.

The documents also contain a very heavily-edited press release from the Gwinnett County Police Department. Nearly the entire thing has been rewritten by Ring reps, excising mentions of Ring's donation of 80 cameras, as well as language that makes it clear law enforcement will have access to any footage uploaded to the Neighbors app. [Picture via The Guardian]

The end game is seamless access to recordings, with the wheels greased by social media interaction and the implicit suggestion that recipients of free doorbell cameras may want to repay the favor with a little footage.

But not everyone is willing to give cops warrantless access to footage. Well, Ring is on top of that as well, as Dell Cameron reports for Gizmodo. Upon request, it will hand over rejection stats to law enforcement, letting them know how often citizens (or "civilians" in Ring's PR language) aren't meeting their tacit obligations. Turns out it's most of them.

The request data acquired by Gizmodo, which covers a five-month period in 2018, showed that Ring customers in Fort Lauderdale, Florida, had largely ignored police requests for footage. Between May and September of 2018, the Fort Lauderdale Police Department issued 22 requests via Ring’s law enforcement portal. Those requests resulted in 319 emails being sent to residents asking them to hand over footage, a statistic that the company now says it keeps confidential.

Supposedly, Ring is no longer doing this. According to its spokesperson, it no longer makes this info available to law enforcement agencies. But this low hit rate has to be a concern. The requests come via the Neighbors app or via email. In some cases, people may not have seen the email. In many more cases, people probably just opted out by ignoring or deleting the request.

Police officers also do not know who they're sending requests to. A geofence of sorts narrows down what cameras might provide useful footage, but the portal does not identify the end users. This is a good way to handle this, ensuring there are no reprisals for refusals. But this siloing means nothing when cops are part of the installation team.

In Fort Lauderdale, police went to dozens of homes and helped residents install Ring cameras after holding raffles at neighborhood watch meetings and handing them out for free.

Given the amount of data that is available to law enforcement via the portal, it's pretty easy to narrow down who's been helpful and who should have their emergency call backburnered. Given enough rejections, officers may just decide these Ring owners don't care enough about the safety of their neighborhood to warrant a speedy response. But if these requests are headed to inboxes filled with other junk email, there's probably no malice intended. Hopefully, no one's treating these non-responses as antagonistic, but that's always a concern when the cop mindset tends to be "us vs. them" -- especially those who refer to work as engaging in a "war" against crime.

Every document obtained by journalists brings more bad Ring news to the discussion. The company has already decided it will back the blue. Those in blue seem to enjoy this partnership, even if it means they won't be obtaining much footage and all public-facing announcements must be run by the company before they can be released. Amazon is blurring the line between public and private to grow a private market. If cops want to get pissed off about anything, maybe it should be their demotion to Ring brand ambassadors.

Ring Is Teaching Cops How To Obtain Doorbell Camera Footage Without A Warrant

Tim Cushing — Thu, 8 Aug 2019 12:16:00 PDT

To be part of your local law enforcement's surveillance network, all you need is a little tech from Amazon. Amazon's Ring doorbell/camera is being handed out to cops, who can then give them to citizens with the implication the recipients of this corporate/government largesse will deliver recordings upon request.

Every Ring installed is another contributor to this ad hoc network of cameras -- something both cops and Amazon have access to. Amazon is looking to corner two markets at one time, roping in both the public and private sectors with an eye on dominating both. The added bonus -- at least as far as Amazon is concerned -- is its Neighbors app. Neighbors allows people to report suspicious things to other neighbors, as well as law enforcement. Unsurprisingly, early adopters have tended to report the existence of brown people in their neighborhoods more often than anything else.

The whole process is guided by Amazon's heavy hand. Government agencies participating in the Ring handouts are given talking points, pre-written press releases, and contractual obligations to promote the product they're giving away. Recently-obtained documents show Amazon has even crafted scripts for police officers and press relations staff to use when questioned by citizens.

But there's even more to this partnership than everything you see above. Lucas Ropek of GovTech reports cops have an Amazon-enabled workaround if Ring recipients aren't willing to turn over footage without a warrant.

If the community member doesn’t want to supply a Ring video that seems vital to a local law enforcement investigation, police can contact Amazon, which will then essentially “subpoena” the video.

“If we ask within 60 days of the recording and as long as it’s been uploaded to the cloud, then Ring can take it out of the cloud and send it to us legally so that we can use it as part of our investigation,” [Fresno County Sheriff's Office public information officer Tony Botti] said.

So much for asserting your rights. The only way to shut law enforcement out completely and demand they actually get a warrant supported by probable cause is to store all recordings locally. (It appears only a subpoena is needed to obtain footage from Amazon.) Very few people will be taking those steps. And, as Tony Botti points out, most people "play ball" and allow cops to collect footage without a warrant.

If the implicit obligation of "repaying" a government agency for giving you a free doorbell camera isn't persuasive enough, Amazon is crafting scripts for law enforcement to use to talk people out of their Constitutional rights. Thanks to even more public document requests, the pitches are now public. Caroline Haskins has more details at Motherboard.

Emails obtained from police department in Maywood, NJ—and emails from the police department of Bloomfield, NJ, which were also posted by Wired—show that Ring coaches police on how to obtain footage. The company provides cops with templates for requesting footage, which they do not need a court warrant to do. Ring suggests cops post often on Neighbors, Ring’s free “neighborhood watch” app, where Ring camera owners have the option of sharing their camera footage.

"I have noticed you have been posting alerts and receiving feedback from the community,” a Ring representative told Bloomfield police. “You are doing a great job interacting with them and that will be critical in increasing the opt-in rate.”

“The more users you have, the more useful the information you can collect,” the representative added.

“Seems like you wasted no time sending out your video Request out to Ring Users which is awesome!!” a Ring “Partner Success Associate” told Maywood police.

This guidance is supposed to create a perverse circle of life that ditches Constitutional niceties in favor of keeping cops awash in doorbell footage and Amazon well ahead of the pack in the doorbell camera market.

Ring's PR partners encourage law enforcement agencies to increase their social media presence. (There are scripts for that as well.) While engaging with local residents, agencies should also be pushing the Neighbors app. This gives cops more credits to trade in for more cameras to give to more people. Everyone receiving a camera is nudged by the app to post footage publicly. Cops will be online more often to encourage further sharing of recordings.

Once this feedback loop is engaged, people will be nudged towards thinking there are no legal barriers between police officers and their camera footage. When the cops ask for footage they haven't seen yet, homeowners will likely feel there's no difference between posting footage to Neighbors or handing it over to law enforcement.

While many people do install security cameras at their homes, they seldom do so with the intent of becoming an unofficial extension of a government agency's surveillance network. The pitches and scripted pushes accompanying the Ring rollout suggest Amazon believes this is nothing more than the evolution of snitch tech. It has repeatedly shown it prefers to ingratiate itself to government agencies at the expense of the millions of customers who helped it become the retail behemoth it is. And those are the people Amazon is leaving behind in its quest to dominate a market very few consumers wanted to see it entering.

Amazon's Free Doorbell Cameras Only Cost Law Enforcement Agencies Their Dignity And Autonomy

Tim Cushing — Tue, 30 Jul 2019 03:39:38 PDT

Amazon isn't just handing out cheap/free doorbell surveillance cameras to cops. It's tying them into contracts that require government agency recipients return the favor by publicizing Amazon's Ring doorbells and running their PR responses through the online retailer. That's according to documents obtained by Caroline Haskins of Vice, who secured copies of Amazon Ring contracts via public records requests.

A signed memorandum of understanding between Ring and the police department of Lakeland, Florida, and emails obtained via a public records request, show that Ring is using local police as a de facto advertising firm. Police are contractually required to "Engage the Lakeland community with outreach efforts on the platform to encourage adoption of the platform/app.”

In order to partner with Ring, police departments must also assign officers to Ring-specific roles that include a press coordinator, a social media manager, and a community relations coordinator.

There's no such thing as a free surveillance camera. Amazon gives these to local cops with the understanding they will proselytize on behalf of its doorbell cameras. Police give these cameras to residents with the understanding (albeit one without the legally-binding language) that they'll hand over footage from these cameras whenever officers ask for it.

The set-up is sustainable and scales well. The more residents who download Amazon's surveillance/snitch app Neighbors, the more credits cops can apply towards the purchase of more Ring cameras. It's a new spin on pyramid schemes, with Amazon gaining market share with each deployment, allowing government employees to do the legwork.

The police become middlemen and advertisers. Some agencies might bristle at the mandated evangelism Amazon demands, but that resentment is likely outweighed by the addition of several cameras to the agency's surveillance network. As previous reporting has shown, every installed Ring doorbell cam shows up on an interactive map provided by Amazon called the "Law Enforcement Neighborhood Portal." Cops know who have cameras and can easily figure out what footage might be useful while investigating criminal activity.

This arrangement allows officers to bypass warrant requirements by approaching homeowners directly for footage. Granted, this was always the case, but a portal connecting police with Ring doorbell users streamlines the process.

Amazon -- through Ring -- claims this is all meant to make neighborhoods safer. Many residents accepting doorbell cameras likely believe this claim. But it's really about Amazon cornering a market by offering free goods to cops and the public they serve.

The contractual language that turns police PR contacts into an extension of Ring's marketing team blurs the line between public and private, pretty much ensuring the public will receive the smallest amount of law enforcement's attention. PDs will serve their own interests first, followed by those of their new corporate overlords. And what does the public get out of it? Free cameras loaded with implicit obligations to everyone on the supply chain.