Ring gets ‘dinged’ for its video doorbell privacy
While “Internet of Things” (IoT) devices open up new worlds of convenience, they’ve also introduced new security vulnerabilities. At the risk of overgeneralizing, many of these vulnerabilities stem from the ease of setup and use that makes these single-purpose devices so attractive. They tend to be scaled down, with little internal memory, and lack strong out-of-the-box security, often shipping with default accounts and passwords enabled.
Yet despite their small stature, IoT devices punch above their weight class when it comes to threats. For example, the now infamous Mirai botnet attack in 2016 was perpetrated “via small, innocuous Internet-of-Things (IoT) devices like home routers, air-quality monitors, and personal surveillance cameras,” crippling high-profile websites, including Netflix, Spotify and CNN.
Take the Amazon-owned Ring doorbell, introduced on “Shark Tank” in 2013. It’s proved to be a revolutionary idea, but has also leaked Wi-Fi login credentials, exposed homeowners’ audio and video transmissions to third-party attackers, and is vulnerable to hackers looking to take over the device.
IoT devices have also given rise to a number of new privacy concerns. For example, Ring has taken heat for sharing users’ video with over 600 law enforcement agencies around the U.S. without requiring any evidence of a crime, permitting the video to be retained indefinitely; police can request “up to 12 hours of video from anyone within a half square mile of a suspected crime scene, covering a 45-day time span.”
According to Ring, this sharing is with consent of the user; as Ring’s Neighbors App notes, upon receipt of a law enforcement request Ring will “ask a targeted group of users in that area if they are willing to share any relevant footage with law enforcement. It’s then up to the user to share their video file(s) or decline the request.” Moreover, “[l]aw enforcement can only view the publicly available content in the Neighbors App, unless a user explicitly and voluntarily chooses to share their own recordings with law enforcement.”
To address ongoing privacy concerns, Ring announced the release of a new dashboard at the January 2020 Consumer Electronics Show, designed to allow consumers more control over their video: “[w]hile you have always had the ability to opt out of these requests after you received your first one, Control Center now ensures that you don’t have to wait for that first request — you can easily opt out from the start.”
This dashboard doesn’t address all of the privacy issues, however. For example, do Ring owners understand the ancillary use the videos may later be put to? Finding the perpetrator of a recent criminal incident is one thing. Uploading and storing video and aggregating it with other data, such as license plate databases, video from traffic stops, surveillance video, etc., is quite another. In all fairness, Ring does disclose that “[i]f law enforcement downloads a copy of your video, neither you nor Ring will have control over that copy . . . .”
The question arises as to the privacy interests of other parties that frequently enter a home, such as nannies, relatives, etc. While privacy advocates are rightly concerned about these secondary impacts, to the extent that a visitor enters a Ring owner’s house, they have no basis to challenge the use of this video by law enforcement in a criminal proceeding; the Fourth Amendment only protects against unreasonable searches and seizures by the government, and when the video is voluntarily captured by the homeowner and consensually shared with law enforcement, the Fourth Amendment doesn’t apply. Of course, if the homeowner coordinates with the police in advance — for example, pointing the camera in a direction requested — the result may differ, as the homeowner potentially becomes an “agent of the government.”
Putting aside law enforcement sharing, another privacy concern relates to sharing with third parties. As illuminated in a recent EFF investigative report, Ring’s Android doorbell app is “packed with third-party trackers sending out a plethora of customers’ personally identifiable information (PII).” For example, information delivered to Facebook — even if you don’t have a Facebook account — includes “time zone, device model, language preferences, screen resolution, and a unique identifier.” Even more concerning, Ring provides Mixpanel with “[u]sers’ full names, email addresses, device information such as OS version and model, whether bluetooth is enabled, and . . . the number of locations a user has Ring devices installed.”
On the positive side, the traffic observed by EFF was sent using encrypted HTTPS, meaning that it’s likely safe from accidental leakage. Nonetheless, this raises the question of whether and how such sharing is permitted.
While Ring’s privacy policy notes that it shares information with third-party analytics firms, it suffers from three shortcomings. First, the disclosure is incomplete. Interestingly, Ring updated its privacy policy on Feb. 18, after bad press resulting from the release of EFF’s report; yet while the policy discloses sharing with Google, Mixpanel, Heap Analytics and Optimizely, it fails to disclose sharing with Facebook, Branch and AppsFlyer, despite Ring having conceded using them in a CBS News interview published Feb. 14. Second, there’s no notice of the categories of personal information shared. For example, while disclosing sharing with Mixpanel, Ring doesn’t explain that this information includes full name and email address, as well as data such as the number of locations a user has Ring devices installed.
Finally, to the extent a Ring user wishes to opt out of third-party analytics sharing, there’s no clear way to do so. Previously, there were “opt-out” links to the third-party sites, but these disappeared in the February privacy policy iteration. As such, it’s questionable whether this would meet the requirements of state privacy laws. Consider the California Consumer Privacy Act (CCPA), which would potentially apply to third-party analytics providers, depending on the terms through which Ring shares information with them, and what the third parties can do with this information. Assuming the CCPA were to apply, it’s questionable whether Ring would be deemed compliant with CCPA’s opt-out requirements; indeed, it’s a challenge to even figure out where and how to opt out.
At the end of the day, while Ring clearly found an untapped market for remote monitoring, it also poses new privacy challenges. But privacy is not purely a legal question. It’s also one of reputation and perception, and to the extent the public continues to use Ring for peace of mind security, there may not be enough incentive for Ring to substantively alter its business model.
Joel Schwarz is a senior principal at Global Cyber Risk, LLC, where he works as a consultant and attorney, and an adjunct professor at Albany Law School, teaching courses on cybercrime, cybersecurity and privacy. He previously served as the Civil Liberties and Privacy Officer (CLPO) for the National Counterterrorism Center and was a cybercrime prosecutor for the Justice Dept. and N.Y. State Attorney General’s Office. He was also counsel on e-commerce and privacy for MetLife.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.