Amazon Gave Ring Footage To Police Without Consent Raising Serious Privacy Concerns
Ring, the smart home security company acquired by Amazon in 2018 for $1 billion, has a history of raising privacy concerns with its user data practices. Less than a year after Amazon completed its acquisition of Ring, an inside source revealed that the company’s employees had full access to customers’ live video feeds, which is a major privacy violation when customers are installing cameras inside and outside their homes, trusting that no one is creeping on them through said cameras. Then, in 2020, the company was found to be sharing customer data with third-party firms, and, in 2021, a bug in Ring’s Neighbors app caused the leakage of anonymous users’ precise locations.
US Senators have responded to these concerning revelations in the past by sending letters to Amazon, asking the company to clarify and explain Ring’s policies and data security practices. More recently, Ring has come under scrutiny for its agreements with police departments across America that give members of law enforcement access to customer video and audio recordings. Senator Edward Markey sent Amazon a letter last month asking the company about these agreements and Ring’s handling of customer data. Amazon’s vice president of public policy, Brian Huseman, responded to the Senator’s question in a letter obtained by The Intercept this week.
US Senators have responded to these concerning revelations in the past by sending letters to Amazon, asking the company to clarify and explain Ring’s policies and data security practices. More recently, Ring has come under scrutiny for its agreements with police departments across America that give members of law enforcement access to customer video and audio recordings. Senator Edward Markey sent Amazon a letter last month asking the company about these agreements and Ring’s handling of customer data. Amazon’s vice president of public policy, Brian Huseman, responded to the Senator’s question in a letter obtained by The Intercept this week.
In his response, Huseman revealed that 2,161 law enforcement agencies and 455 fire departments have enrolled in Ring’s Neighbors Public Safety Service (NPSS), granting them the ability to access customer video and audio under certain conditions. Departments and agencies enrolled in NPSS are able to access Ring footage so long as one of three conditions is met: customers consent, a warrant is obtained, or “an exigent or emergency” circumstance arises.
Asked to clarify this third condition, Huseman wrote that “Ring reserves the right to respond immediately to urgent law enforcement requests for information in cases involving imminent danger of death or serious physical injury to any person.” The vice president of public policy went on to say that members of law enforcement are required to submit an emergency request form describing the situation, and Ring “makes a good-faith determination whether the request meets the well-known standard, grounded in federal law, that there is imminent danger of death or serious physical injury to any person requiring disclosure of information without delay.”
In practice, this policy means that Ring can decide to let law enforcement side-step the customer consent or warrant requirement and access customers’ video and audio. According to Huseman, Ring provided customer footage to members of law enforcement eleven times so far this year. The company does offer end-to-end encryption (E2EE), which, if implemented properly, should prevent both Ring and any third party, including law enforcement, from accessing customer video. However, at present, this feature is not enabled by default.
Huseman explained this decision in his letter (PDF) by calling E2EE an “advanced feature” that “may not be right for all customers” because it disables certain other features. At least in our view, we would rather that Ring err on the side of user privacy and data sovereignty by making E2EE standard, and letting customers disable it to gain access to additional features if desired.
Asked to clarify this third condition, Huseman wrote that “Ring reserves the right to respond immediately to urgent law enforcement requests for information in cases involving imminent danger of death or serious physical injury to any person.” The vice president of public policy went on to say that members of law enforcement are required to submit an emergency request form describing the situation, and Ring “makes a good-faith determination whether the request meets the well-known standard, grounded in federal law, that there is imminent danger of death or serious physical injury to any person requiring disclosure of information without delay.”
In practice, this policy means that Ring can decide to let law enforcement side-step the customer consent or warrant requirement and access customers’ video and audio. According to Huseman, Ring provided customer footage to members of law enforcement eleven times so far this year. The company does offer end-to-end encryption (E2EE), which, if implemented properly, should prevent both Ring and any third party, including law enforcement, from accessing customer video. However, at present, this feature is not enabled by default.
Huseman explained this decision in his letter (PDF) by calling E2EE an “advanced feature” that “may not be right for all customers” because it disables certain other features. At least in our view, we would rather that Ring err on the side of user privacy and data sovereignty by making E2EE standard, and letting customers disable it to gain access to additional features if desired.
