Subscriber Discussion

Executives And Engineers Spied On Customers' Ring Cameras

Ari Erenthal
Jan 11, 2019
Chesapeake & Midlantic

From The Intercept:

Beginning in 2016, according to one source, Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world. This would amount to an enormous list of highly sensitive files that could be easily browsed and viewed. Downloading and sharing these customer video files would have required little more than a click... 

Ring unnecessarily provided executives and engineers in the U.S. with highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras, regardless of whether they needed access to this extremely sensitive data to do their jobs. For someone who’d been given this top-level access... only a Ring customer’s email address was required to watch cameras from that person’s home...

The source also recounted instances of Ring engineers “teasing each other about who they brought home” after romantic dates. Although the engineers in question were aware that they were being surveilled by their co-workers in real time, the source questioned whether their companions were similarly informed.

 

(5)
Undisclosed #1
Jan 11, 2019

I read the Intercept's article yesterday when it came out...

And even though the 'ease of customer video access' which you mention is alarming, what I found more problematic is that the reason that the Ukrainian team had such access to video clips is because they were involved in manually categorizing objects from video streams in order to 'help' their algorithms 'learn' how to better do this automatically.

i.e. the analytics algorithms that Ring promotes don't work very well - requiring massive human intervention to manually classify objects in an effort to help their algorithms do what they are supposed to be doing on their own.

From that Intercept article:

"Computer vision has made incredible strides in recent years, but creating software that can categorize objects from scratch is often expensive and time-consuming. To jump-start the process, Ring used its Ukrainian “data operators” as a crutch for its lackluster artificial intelligence efforts, manually tagging and labeling objects in a given video as part of a “training” process to teach software with the hope that it might be able to detect such things on its own in the near future. This process is still apparently underway years later: Ring Labs, the name of the Ukrainian operation, is still employing people as data operators, according to LinkedIn, and posting job listings for vacant video-tagging gigs: “You must be able to recognize and tag all moving objects in the video correctly with high accuracy,” reads one job ad. “Be ready for rapid changes in tasks in the same way as be ready for long monotonous work.”"

Undisclosed #3
Jan 11, 2019

i.e. the analytics algorithms that Ring promotes don't work very well - requiring massive human intervention to manually classify objects in an effort to help their algorithms do what they are supposed to be doing on their own.

I don't find that all that noteworthy, it's the basic process for training analytics algorithms. You feed them a bunch of tagged images. Somebody has to do the tagging of those images, particularly when you are dealing with FOVs that are not easy to find generic image sets for.

I read that part and thought "yeah, no shit".

 

(2)
Undisclosed #1
Jan 11, 2019

...and you have no issue with a company offering an existing product in General Availability that is still in development 2 years after GA?

Undisclosed Manufacturer #4
Jan 15, 2019

Every analytic I've ever seen works the same way, including LPR. Want to figure out if your LPR provider has designed their own technology or they just bought someone else's? Ask what they would need to do to capture tags in a region where they do not currently have a presence. If they say "we can capture tags anywhere", they're buying the technology, or they've spent a zillion dollars on development. If they say that it would take a few weeks to hone the algorithm, they're developing their own.

True manufacturers have a few mobile capture rigs, usually cameras mounted on a trailer. They'll park the trailer by several busy roads, and capture a few hundred thousand or million plates. Then a team of engineers will pore over the images, make sure they are properly identified, and tweak the code for errors. It's expensive and time consuming, but that's kind of the only way to get it right.

(1)
Undisclosed #2
Jan 11, 2019
IPVMU Certified

“Be ready for rapid changes in tasks in the same way as be ready for long monotonous work.”

That I can handle.

What can be difficult is adapting to semi-interesting work that gradually changes every once in a while.

Undisclosed Manufacturer #5
Nov 01, 2019
Undisclosed #6
Nov 01, 2019

...but, but, the EULA said they would only access/disclose given the following:

"...In addition to the rights granted above, you also acknowledge and agree that Ring may access, use, preserve and/or disclose your Content to law enforcement authorities, government officials, and/or third parties, if legally required to do so or if we have a good faith belief that such access, use, preservation or disclosure is reasonably necessary to:

(a) comply with applicable law, regulation, legal process or reasonable governmental request; (b) enforce these Terms, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Ring, its users, a third party, or the public as required or permitted by law..."

Guess it falls under "technical issue" when my videos can be accessed by email address and 1 click. But it's not all Ring's fault, right? I mean, they aren't the only one storing my personal data on a cloud service...
