Ring cameras fail privacy test

Update 2:39 pm ET: We have updated this article with comment from Ring.

Ring video doorbells and security cameras do not meet the minimum security and privacy standards achieved by dozens of other internet-connected popular electronic devices, the Mozilla Foundation says in a new report. 

Mozilla's Privacy Not Included report and website, updated every year, is meant to let holiday shoppers know what they're getting when they buy smart devices. Of 76 different gadgets included in this year's report, 60 devices got Mozilla's certificate of approval, including the Nintendo Switch, Sonos One SL, Amazon Kindle, Apple Watch and Nest Learning Thermostat. 

But of nine devices that didn't meet the minimum standards, three were from Ring: the Ring Video Doorbell, Ring Indoor Cam and Ring Security Cams. Mozilla cited "potential privacy vulnerabilities that could let someone go all Big Brother on you." 

"We were unable to determine if Ring currently uses secure encryption," Mozilla wrote. 

That sounds pretty bland, but Mozilla added that "Ring doesn't have a great track record for securing customer data or hiring experienced security engineers" and that "there is a general lack of transparency around Ring's privacy practices." Furthermore, "it's unclear whether you can delete your data."

UPDATE: Ring provided us with the following statement:

"Ring takes customer security seriously and we have experienced, full teams dedicated to ensuring the safety and security of our products and systems. We have taken measures to help secure Ring devices from unauthorized access. These measures include preventing the installation of third-party applications on the device, rigorous security reviews, secure software development requirements, and encryption of communication between Ring devices with services such as AWS servers.

"We use a combination of AES encryption (Advanced Encryption Standard) and TLS (Transport Layer Security) to secure data between Ring devices, the Ring app, and Ring servers, and we encrypt data between Ring devices using AES encryption, TLS and SRTP (Secure Real Time Protocol)."

Litany of woes

Ring has had several security and privacy problems in the past couple of years. Just this month, Bitdefender disclosed that the Ring Video Doorbell Pro transmitted Wi-Fi access passwords in cleartext during the setup process. (That flaw was patched.)

This past January, The Intercept reported that Ring employees at the company's Ukrainian research and development labs had access to an unencrypted cloud database that stored every video ever recorded by Ring devices worldwide. 

In August, BuzzFeed reported that the Ukrainian lab was working on facial-recognition technology, even though Ring denied that its video doorbells and cameras use such technology.

Back in 2016, Pen Test Partners found that anyone with a screwdriver could pop off a Ring Video Doorbell's cover, press a button to activate the Ring's own Wi-Fi access point, connect to the Ring doorbell from a smartphone and obtain the password for the homeowner's Wi-Fi network.

"While Ring has likely patched any security problems, we do not feel confident in stating the company uses secure encryption," Mozilla said.

Ring Congressional inquiry

Those aren't Ring's only problems. Yesterday (Nov. 20), five U.S. senators, all Democrats, sent Amazon, Ring's owner, a letter demanding more information on Ring's security and privacy policies.

"Ring devices routinely upload data, including video recordings, to Amazon's servers," stated the letter. "If hackers or foreign actors were to gain access to this data, it would not only threaten the privacy and safety of the impacted Americans; it could also threaten U.S. national security."

The senators want to know if Amazon ever deletes Ring video footage; if the footage is encrypted; how many employees can view the footage, and how many of those are Ukrainian; and what exactly Ring plans to do with the facial-recognition research.

"The American people have a right to know who else is looking at the data they provide to Ring, and if that data is secure from hackers," the letter states.

Ring providing video to police departments

Yesterday's letter followed earlier correspondence in which one of the five senators, Edward Markey of Massachusetts, demanded to know the policies surrounding Ring's Neighbors app. 

The Neighbors app lets Ring video doorbell owners in a particular neighborhood share street-facing video with each other -- and with the police. More than 600 local police departments across the United States have signed confidential agreements with Amazon to participate in Ring Neighbors.

"We intentionally designed the Neighbors Portal to ensure that users get to decide whether to voluntarily provide their videos to the police," said Amazon in a Nov. 1 response to Markey's queries. "Local police may only seek assistance with the investigation of a specific crime."

But in a Sept. 26 response to Markey, Amazon said that if a user voluntarily shares video with police, then "Ring does not require law enforcement to delete materials shared through a video request after a certain period of time."

It added that "Ring does not require police departments to agree to additional restrictions, as the videos may become public records," and that "Ring would not receive a notification each time a law enforcement agency shared information to solve a crime."

Outlook

So far, none of this smoke amounts to actual fire. Ring video doorbells may indeed be safe to use and may respect privacy rights, as Mozilla notes and as we hope. 

But the company isn't "as transparent as we would like them to be about their privacy and data deletion practices," Mozilla adds on its page about the Ring security camera. "This is a security video camera that raises just too many questions about privacy and security."

• Best video doorbells
• Smart gadget security is terrible and only getting worse
• Best wireless home security cameras