Amazon’s Ring Fired Staff for Trying to Access Customer Data

January 9, 2020 by

Amazon.com Inc. said its Ring subsidiary fired at least four employees for improperly seeking access to customer data over the last four years, the latest privacy headache for the video doorbell maker it acquired in 2018.

“Although each of the individuals involved in these incidents was authorized to view video data, the attempted access to that data exceeded what was necessary for their job functions,” Brian Huseman, Amazon’s vice president of public policy, wrote in response to an inquiry from five Democratic senators about the company’s privacy and data security practices.

The letter doesn’t specify what customer data the employees involved in four separate incidents sought, how many employees were involved, or how many of them successfully gained access to it. In addition to investigating and firing the employees, Ring has taken “multiple actions” to limit data access to a smaller pool of employees, Huseman said.

Ring has been beset by allegations of privacy flubs in the last year, from a report that employees had previously passed around unencrypted footage captured by doorbells, to claims from civil liberties groups that Ring’s partnerships with law enforcement, which allow police departments to ask that doorbell owners turn over footage to aid investigations, risk enabling a government surveillance network.

The company also faces a lawsuit brought by a man who claims someone took control of a video camera installed on his garage and spoke to his children, one among a set of similar incidents that reportedly relied on stolen passwords.

In an interview with CNET, Ring founder and Chief Executive Officer Jamie Siminoff said watching a widely shared video of a similar experience “made me cry. And every time I think about it makes me sad.”

In November, Democratic Senator Ron Wyden of Oregon and four colleagues wrote to Amazon Chief Executive Officer Jeff Bezos to express concern about reports of vulnerabilities to systems holding “a vast amount of deeply sensitive data and video footage detailing the lives of millions of Americans in and near their homes.”

The senators asked about policies on deleting users’ footage, security policies and ambitions on facial recognition. In addition, they focused on reports that developers in Ukraine had “unrestricted access to Ring’s entire camera database in unencrypted form, with each video file reportedly linked to a specific Ring user.”

“If hackers or foreign actors were to gain access to this data, it would not only threaten the privacy and safety of the impacted Americans; it could also threaten U.S. national security,” the lawmakers wrote.

Huseman’s response said that no Ring employees or contractors, including those in the company’s Ukrainian research and development offices, have unrestricted access to customer camera data.

On Monday, in an announcement timed to coincide with the massive CES technology trade show, Ring announced a new feature of its smartphone app designed to centralize privacy and security settings. A Ring spokeswoman said the company planned to enable two-factor authentication, a more secure password protocol, on customer accounts by default.

Senator Edward Markey, of Massachusetts, said Ring’s privacy tools announced this week don’t go far enough. “Ring’s privacy and security problems won’t be solved with a new privacy dashboard,” he said in a statement.

The Ring spokeswoman declined to comment on the terminated employees beyond the details in the letter, which was provided by Wyden’s office. “Privacy, security and user control will always be paramount as we pursue and improve technologies that help achieve our mission of helping to make neighborhoods safer,” she said in an emailed statement. “We take the protection of customer data very seriously and are always looking for ways to improve our security measures.”