Amazon’s Ring saves user data for every single time the smart doorbell is activated

by

Amazon’s Ring keeps a log of every time a smart doorbell is rung, a motion-sensing camera is activated or the app is used on a smartphone – but claims NO video is saved

  • Investigation found Amazon’s Ring has databases logging user interactions  
  • Records almost every instance the camera is activated or a feature is used  
  • Expert says the feature said it poses a ‘serious threat to people’s privacy’ 
  • Ring claims no video clips are saved and this policy is spelled out on its website

By Joe Pinkstone For Mailonline

Published: | Updated:

Amazon’s Ring keeps a log of every single time one of its cameras, doorbells or apps is activated and used, it has been revealed. 

Events that are logged include motion detected by the cameras, a doorbell being activated or pressed by a visitor, or an action by the user to activate a live feed to converse with a visitor. 

The data recorded also includes exact GPS co-ordinates of the devices as well as the duration of each event in seconds.  

It has also been found that every time the Ring app is used by a customer, a permanent note of the device model and which network it uses is saved and recorded in a vast database. 

Experts have slammed the feature and said it poses a ‘serious threat to people’s privacy’ and could easily be stolen or misused by criminals. 

Scroll down for video  

Every movement identified by Amazon’s Ring devices is saved and recorded in vast databases, it has been revealed. It has also been found that every time the Ring app is used by a customer it makes a permanent note of the device model and which network it uses (file photo)

David Emm, principal security researcher at Kaspersky, a cybersecurity firm, said: ‘This development unfortunately doesn’t surprise me. 

‘Home assistants and other smart technology – i.e. devices that have the power to monitor aspects of our everyday lives – gives huge companies access to lots of data, which is valuable even where that data is anonymised. 

‘However, they can be a serious threat to people’s privacy – consumers are handing valuable information over freely and often without realising it. 

‘In today’s digital era, such information could be used by companies directly or shared with third parties, or stolen and misused by cybercriminals.’ 

The BBC obtained the information via an information request to Ring for two devices under the data subject access request (DSAR) protocol that exists. 

This enables any user to access their own data via the Ring website to see what data the firm has access to.  

Amazon owns Ring and has a policy that no video clips older than 30 days are saved and are scrubbed from its servers. 

Customers that opt for its ‘Ring Protect’ system have videos recorded and stored for up to 30 days before they are automatically deleted. Users can log on and delete them manually beforehand, if they wish.

Users that choose not to have the protect plan are only able to access the live stream and no videos are stored, according to Ring’s protocols. 

A Ring spokesperson told MailOnline: ‘Ring’s Privacy Notice sets forth the type of information Ring collects and what Ring does with that information. Please refer to the Privacy page for more information.’  

Amazon owns Ring and the company has a policy that no video clips older than 30 days exist and must be scrubbed from the servers (file photo)

Amazon owns Ring and the company has a policy that no video clips older than 30 days exist and must be scrubbed from the servers (file photo)

According to the BBC investigation, which looked at two cameras over a 129-day span, almost 26,500 individual events were registered, with data pertaining to the user split over 11 databases.  

One database also included every interaction with Ring’s apps and featured a separate call every time the app was opened, the feed was zoomed in and clocked when each call started and finished. 

The BBC found no evidence of videos being recorded. 

Mr Emm added: ‘It’s vital that companies selling such products are open and explicit about the data they collect, and how they will use it. 

‘People should also think carefully when they are considering buying smart devices. 

‘If they do purchase these products, they should always ensure that updates are available, create hard-to-guess passwords for the device, and disable any feature they do not intend to use, or which causes them any privacy concerns.’

WHAT DID RING REVEAL IN A LETTER TO US SENATORS?  

Ring penned a letter to five senators addressing how its security scandals have been portrayed. 

In the introduction, it says: ‘As expected for any rapidly growing company, Ring’s data security and privacy practices have evolved over time. 

‘Unfortunately, recent media reports have inaccurately portrayed Ring’s security practices, and we hope our letter today will correct some of those inaccuracies.’

When quizzed on how it used the footage and if it was encrypted for security, Ring replied with an emphatic ‘yes’. 

It added: ‘Ring encrypts video footage both in storage and transmission, and Ring stores video on encrypted Amazon Web Services servers.’

Ting was more opaque when answering questions on its security testing. 

Asked about if it conducts in-depth assessments of its security and if it has external audits and how often these were performed, both questions were answered with the preamble ‘Ring routinely conducts assessments’ – but failed to say how often this is done. 

All it did say was that an internal team conducted two audits in 2019. The extent of these is unknown, a Ring cite the need for confidentiality in order to ‘protect against future attempts by bad actors’.

Ring also denied that its Ukraine-based R&D team unrestricted access to an Amazon web server with every Ring video ever created, refuting media reports. 

‘The R&D team in Ukraine can only access publicly available videos and videos available from Ring employees, contractors, and friends and family of employees or contractors with their express consent,’ it writes in the letter.  

And it revealed ‘a very limited number of employees (currently three) have the ability to access stored customer videos’. This, it claims, is to maintain its AWS infrastructure. 

Ring also failed to rule out the possibility of adding Amazon’s controversial Rekognition facial recognition technology to its products. 

Instead of clarifying if it would implement this feature in future models,it named rivals that offer facial recognition technology in their products. 

However, none of these products use Rekognition, accused in 2018 of trying to sell its technology to ICE to help suppress immigrants in the US.  

Ring stated that employees with access to video are unable to identify a person or vehicle from the information they have access to.  

Ring revealed that in the last four years it was forced to terminate four members of staff who overstepped their reach when looking at customer video.