Five U.S. Senators are demanding that Amazon disclose how it’s securing Ring home-security device footage – and who is allowed to access that footage.
The demands, outlined in a Wednesday letter to Amazon CEO Jeff Bezos, come on the heels of several security vulnerabilities and privacy-related incidents surrounding Amazon-owned Ring devices.
“Ring devices routinely upload data, including video recordings, to Amazon’s servers,” the senators wrote Wednesday. “Amazon therefore holds a vast amount of deeply sensitive data and video footage detailing the lives of millions of Americans in and near their homes. If hackers or foreign actors were to gain access to this data, it would not only threaten the privacy and safety of impacted Americans; it could also threaten U.S. national security.”
The five Democratic senators, who include Ron Wyden (D-Ore.), Chris Van Hollen (D-Md.), Chris Coons (D-Del.), Gary Peters (D-Mich.) and Edward Markey (D-Mass.), asked for a response to their questions by Jan. 6, 2020.
Last week, researchers discovered a (now-fixed) vulnerability in Ring doorbells that left Wi-Fi network passwords exposed. Previous vulnerabilities have been discovered over the past year, including a flaw reported in February that could allow an attacker to spy on families’ video and audio footage.
A separate report earlier this year alleged that Ring employees in Ukraine were provided with “virtually unfettered access” to a folder containing every video created by every Ring camera globally, and that some U.S. Ring executives and engineers were given “highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras.”
Other reports have drawn privacy concerns about the video footage collected by Ring doorbells. Ring has acknowledged that it’s partnering with more than 600 police departments across the country to allow them to request access to camera footage from camera owners, drawing concern from privacy and consumer advocacy groups.
When responding to a September letter penned by Wyden asking for more information about this partnership, Amazon said that it does not require law enforcement to delete materials shared through a video request after a certain period of time. Furthermore, if videos are downloaded by law enforcement, they may become public records, Amazon said.
“Amazon plays on people’s fears to sell them surveillance products, and then turns around and puts them and their neighbors in danger,” said Evan Greer, deputy director of digital rights advocacy group Fight for the Future, in an email. “Through consumer products like Ring, Amazon is collecting footage and all the data needed to build a nationwide surveillance network. They leverage government relationships to promote their own products, gain consumer trust and secure their position in the market. This is an unprecedented assault on our security, constitutionally protected rights, and communities. Amazon’s admissions to Senator Markey show that we need an immediate full scale Congressional investigation into this tech titan’s surveillance practices.”
In the midst of the security concerns, the senators demanded to know what security measures Ring has in place regarding its default data retention policy, data protection, and how many Amazon and Ring employees have access to American users’ camera data.
They also asked Ring to detail the data privacy policies in place for the various countries where Ring has employees, including how employee access to video data is logged, controlled and audited and what kind of access employees have.
According to reports, Ring has also applied for a “facial recognition patent” and employs a “head of facial recognition research.” Senators asked Amazon to describe its plans regarding facial recognition for Ring devices – including Amazon’s own platform, Rekognition.
“We are reviewing the letter and have nothing else to share at this time,” a Ring spokesperson told Threatpost.