American senators write to Bezos asking him to clarify data security practices of Ring in Ukraine
On November 20, five US Democratic senators sent a letter to Amazon CEO inquiring about operation of Ring. Amazon acquired it for $1 billion in February 2018. Ring has a large R&D office in Ukraine.
AIN.UA publishes a brief retelling of the request, the full text of the letter is available here.
What’s it all about
The startup, producing IoT gadgets for home security found itself in the center of a scandal in January 2019. It turned out that the staff of the Ukrainian R&D office have “unlimited” access to the recordings from the cameras of the Americans and look through them to mark out passages for neural network training.
Now the Senate wants to clarify the details of the situation as well as other measures that Ring takes to ensure secure data storage.
Senators refer to investigation conducted by The Intercept outlet and other materials of the scandal in January. It indicated the authority of the Ukrainian office staff, as well as possibility of senior Ring employees accessing live video recordings of some cameras.
If hackers or foreign entities gain access to this data, it not only poses a threat to the privacy and security of Americans but also to the national security of the United States.
The authors of the letter write that Americans have the right to know what data they provide Ring and how they are protected. Questions raised by senators must be answered no later than January 6, 2020.
Points of interest
AIN.UA provides a short version of questions.
- How many units has Rings sold to Americans?
- Does Ring delete users’ video footage generated by Ring devices? Does Ring ever delete a user’s video footage it has retained? Please detail Ring’s default data retention policy.
- Does Ring encrypt video footage, both in storage and transmission?
- How regularly does Ring perform in-depth security tests, audits, vulnerability scans, source code reviews and penetration testing? Are independent security audits performed?
- How many security incidents have you detected over the past two years? Please describe the severity of each incident.
Ukraine and other contractors
According to media reports, Ring has provided its Ukraine-based research and development team with unrestricted access to Ring’s entire camera database in unencrypted form, with each video file reportedly linked to a specific Ring user.
- How many employees of Amazon and Ring have access to American users’ camera data?
- How is employee access to customer video data controlled, logged, and audited?
- Do employees have access to live feeds?
- Do employees have access to any other information regarding the customer’s account other than camera data (e.g. user name(s), email address(es), physical address, geolocation)?
- To your knowledge, have there been any documented instances of this access being abused?
Ring’s online career postings suggest that the company is still hiring Ukrainians to view and tag videos of Americans. Please confirm this practice and explain its purpose.
- Please describe the process by which Americans’ data is accessed by employees or contractors in Ukraine or any other country outside the United States and the standards by which they are held?
- Please detail in how many other countries employees have access to Americans’ Ring data?
- Please detail, for each country where employees have access to Americans’ Ring data, which data privacy or retention policies are in place and any ability for a foreign government to access (through a legal process within that country or otherwise) any Americans’ Ring data stored within that country?
According to media reports, Ring employs a “head of facial recognition research” and has applied for a “facial recognition patent.” Please describe Ring’s plans regarding the addition of facial recognition capabilities to its products.
- Does Ring intend to use, currently use, or has it used, any type of image matching software capable of facial recognition, including Amazon’s Rekognition?
- Does Ring contact to, or request assistance from, any entity regarding facial recognition? Which entities or agencies? Please provide relevant guidelines or memoranda outlining this relationship, including any audits or analysis you have undertaken to evaluate the use of facial recognition.
Position of Ring and Amazon
Ring and Amazon have not answered the requests of American media.
In response to an inquiry from AIN.UA, the former head of Ring Ukraine, Kira Rudik, declined to comment. Currently, she is a member of the Verkhovna Rada and the first deputy chair of the Committee on Digital Transformation.