Ring doorbells and your data – all the serious issues that have hit Amazon’s home security brand

Ring has had an awful time of things over the past year, repeatedly finding itself embroiled in a new controversy. The home security brand was bought by Amazon in 2018, and what’s followed has been a laundry list of scandals that stand out, even against its parent company’s own reputation.

Here’s a definitive list of everything Ring has got in trouble for over the past year.

Edit: This story has been edited to include comments from Ring.

Law enforcement ties

Ring first came under public scrutiny in June when it emerged that security footage was being shared with police departments across the US without users’ permission.

While forcing users to hand over footage to authorities is actually against Ring’s rules, that didn’t stop more than 50 police departments from offering free and discounted video doorbells to residents in exchange for free rein over their footage.

It isn’t difficult to see why these law enforcement groups might have got the wrong idea about Ring’s purpose. One month prior, Amazon had unveiled Neighbors, an app designed to allow users to liaise with police to combat crime in their area. The app creates a virtual neighbourhood watch or surveillance network that has proved invaluable when it comes to police investigations.

However, Neighbors has also faced its own criticism. While Ring owners are (generally) able to opt in or out of sharing data with law enforcement, homeowners without devices cannot.

The nature of a surveillance network means that, even if you don’t buy a Ring doorbell, the chances of your house being caught in your Ring-using neighbours’ videos are high. And, ultimately, it’s up to them what they do with that footage.

A spokesperson for Ring told Trusted Reviews:

“Ring’s mission is to make neighbourhoods safer. We work towards this mission in a number of ways, including providing an additional way for local police agencies to communicate and share important safety updates with their residents through the Neighbors app. We are proud to work with local police agencies across the US and have taken care to design these programs in a way that keeps users in control. Users decide what footage is shared to the Neighbors app, and whether or not they want to share any footage or information with local police. Law enforcement is never given access to users’ cameras or devices”.

Location tracking

Another issue with Ring’s surveillance network is that it makes accessing location data incredibly easy.

In November, an investigation found that Ring stored hidden geographic coordinates for each post in the Neighbors app, including latitude and longitude with up to six decimal points of precision. The tracking data was so precise, it could be used to pinpoint a square inch of ground.

While precise location data isn’t even made accessible to police investigating the area, it seems anyone with the Neighbors app could find out where you lived if they really wanted to.

Even Amazon employees have warned of the issue with Ring’s private surveillance networks. In January, Amazon software engineer Max Eliaser spoke out about the security company, stating that “home security cameras that allow footage to be queried centrally are simply not compatible with a free society” before calling for Ring to be shut down and not brought back.

A spokesperson for Ring told Trusted Reviews: 

“The Neighbors app is built on users receiving alerts about important safety incidents near them to stay informed about what’s happening in their communities. We’re committed to delivering this important service to the community while putting our users’ privacy and security first.

“Posts to the Neighbors app do not reveal the exact addresses of users or Ring devices owners. When choosing to post to the app, users include the incident location, which is not always the same location as their address. These public posts are then displayed as happening in a larger, obscured location in the vicinity of the incident to protect user privacy.

“Ring is always open to dialogue about ways we can iterate and improve upon our products, but it is also important to ensure that the Neighbors app and the way its features work are properly represented. We will continue to educate the greater public on how the Neighbors app actually works and the positive impact its users are having on communities around the United States”.

Related: Best security camera

Hacked cameras

In December, reports emerged of Ring cameras being hacked by strangers, with videos like the below of an intruder talking to an 8-year-old in her bedroom going viral and bringing attention to Ring’s potential vulnerabilities.

Each time I've watched this video it's given me chills.

A Desoto County mother shared this Ring video with me. Four days after the camera was installed in her daughters' room she says someone hacked the camera & began talking to her 8-year-old daughter.

More at 6 on #WMC5 pic.twitter.com/77xCekCnB0

— Jessica Holley (@Jessica_Holley) December 10, 2019

To make it even worse, an investigation found that users might not know that their camera has been hacked until it’s too late.

Ring’s login requirements were found to be shockingly minimal. All a person needs is your username and password in order to watch your live feed, access archived footage of your home and peek at sensitive info including your name and address – which Ring requires you to store on the account as part of the camera’s setup.

Motherboard logged into a Ring video camera from a host of different countries and found that anyone with the account’s login info could access footage and take control of the device’s mic in seconds.

There was no alert to tell the user that someone had logged into their account and no attempt to limit login attempts or introduce an additional measure such as a captcha when the password was deliberately and repeatedly entered incorrectly.

This would make it easy for an intruder to gain access to a device by simply cycling a list through already-compromised usernames and passwords.

Of course, this would be a much bigger issue if bad actors got their hands on a list of login details directly from Ring. Which they did.

Later that month, thousands of unencrypted usernames and passwords were leaked, leaving the contact info, payment details and live camera feeds of a number of security device owners compromised.

A spokesperson for Ring told Trusted Reviews:

“While our investigation is ongoing, we do not have any evidence that this issue is related to a breach or compromise of Ring’s system or network. It is not uncommon for bad actors to harvest data from other company’s data breaches and create lists so that other bad
actors can attempt to gain access to other services.

“We’ve emailed customers whose accounts we have identified as exposed and have reset their passwords. In addition, we are continuing to monitor for and block potentially unauthorized login attempts. We’ve also contacted all Ring customers, encouraging them to enable two-factor authentication, change their passwords, and follow these important best practices for keeping their accounts secure.

“Ring users can see and manage their connected mobile, desktop and tablet devices, third-party services, among other security features from the Control Center in the Ring app. Future versions of the Control Center will provide users the ability to easily view and control other privacy and security settings right from the Ring app and provide customers with more visibility into how their data is kept secure and private by Ring.

“Starting in February, we’ll be making further security updates including Approval Broadcast. Users will be able to use two-step verification to authorize any new client device that logs in with correct credentials before that device can gain access to the Ring account. And now, two-factor authentication will be the default setting for new accounts and all new device setups, including those on existing accounts.

“We know that customers are understandably concerned about privacy and data security. In the year ahead, we are committed to putting control and privacy front and center, while providing the best possible experience for users”.

Related: How to stop Facebook tracking you when you’re not on Facebook

Data sharing

The latest in the Ring saga is the revelation that the company has secretly been sharing customer data with one of the few companies with an obviously worse track record than itself when it comes to user privacy: Facebook.

According to the EFF, Ring has conveniently been leaving a certain tracker off its list of third-party analytics services.

Facebook collects time zone, device model, language preference, screen resolution and a “unique identifier” from Ring devices, allowing the company to track you from app to app even if you don’t have a Facebook account.

And because Facebook wasn’t on the list of third-party services, there was no way to opt out.

Ring has released an updated set of privacy controls in the wake of this news to “empower” users to take better control of their security settings. However, the damage has already been done (and there certainly has been a lot of it).

Privacy and safety are important factors when it comes to home security devices. We’ll have to wait to see if Ring can earn trust back after this series of security foul-ups.

A spokesperson for Ring told Trusted Reviews:

“Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimise the customer experience, and evaluate the effectiveness of our marketing. Ring ensures that service providers’ use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf, and not for other purposes”.