A Blog by Jonathan Low

 

Nov 23, 2019

Amazon Says It's Your Fault If A Ring Doorbell Violates Your Privacy

Which might be legally true as its contract with users is currently written, but since violating users' privacy is a fundamental feature of the product, does not alter the potential threat. JL

Kate Cox reports in ars technica:

Ring's privacy policy says it does not knowingly collect personal information from anyone under the age of 13. But the cameras collect footage of whoever happens to be nearby. You grant Ring an unlimited, irrevocable, perpetual, worldwide right to re-use, distribute, store, copy, modify, display, sell, create derivative works from and exploit content for any purpose. "Amazon Ring’s policies are an open door for privacy and civil liberty violations. If you're an adult walking your dog or a child playing, you shouldn't have to worry that Ring's products are amassing footage of you and that law enforcement may hold that footage indefinitely or share that footage with third parties."
Amazon subsidiary Ring, which makes home surveillance equipment and cameras, has "partnerships" with more than 600 law enforcement agencies nationwide, allowing those police access to users' footage. And while Ring says it sets terms around how and when it will share that footage with police, anything the police do with it afterward is entirely out of its hands, the company says.
The partnerships between Ring and police, and the terms of the agreements, have not been transparent to the general public. Instead, they've come out in bits and pieces in media reports throughout the year. Sen. Ed Markey (D-Mass.) in September demanded clearer answers from Amazon about Ring and published the company's responses this week.
In the pair of replies Ring repeatedly deflects responsibility for the contents of captured footage to the consumers who capture it and the police departments that acquire it.

Who else watches the watchers?

Amazon in the last week of August agreed to share publicly a list of where it has police partnerships. At that time, there were 405 such agreements. As of November 15, however, that map now boasts 630 police partnerships, a greater than 50% increase.
Customers who buy Ring systems for their homes can connect to an app called Neighbors. Police who work in partnerships with Ring have a companion app to Neighbors that allows them to request footage from users in a given geographic area when it's pertinent to an investigation.What police do after that, however, is a mystery in which Ring says it has no part.
"Ring does not require law enforcement to delete materials shared through a video request after a certain period of time," the company said. Law enforcement departments set their own terms for record retention in accordance with the laws of their jurisdiction and can keep it as long as they see fit.
Amazon and Ring also do not have any minimum security requirements for the use of user footage. Partners use their own "requirements, protocols, and security measures" for protecting any Ring data they acquire. And they can share it with whomever they like: "If videos are downloaded by law enforcement, Ring does not require police departments to agree to additional restrictions," the company said, citing potential public records law and police investigative procedures.
"Ring is constantly seeking ways to maximize transparency and user control, including adding additional information on how video footage may be used when a customer consents," the company added.

“Volunteered” data and privacy

Amazon has repeatedly said throughout the year that Ring users must volunteer to share their footage in response to a police request. In August, the company told Ars that participating law enforcement agencies must go through Ring to request footage, adding, "Customers can choose to opt out or decline any request, and law enforcement agencies have no visibility into which customers have received a request and which have opted out or declined."
The minimum region for requesting footage is 0.025 square miles, Ring told Sen. Markey, in order to prevent police from targeting specific individuals. The maximum region is 0.5 square miles, in order to prevent broad blanketing. The maximum time frame of data police can ask for is 12 hours, and they can only get footage less than 45 days old.
In some neighborhoods, housing may be dense enough to effectively mask the identity of someone in a radius of a few blocks. But in lower-density neighborhoods zoned for single-family homes, it could be trivial for police to figure out which residence in a 0.025-square-mile radius is using a camera, regardless of if it shares footage willingly, and which residents they may wish to talk to.All that said, however, Ring said it believes that "state and federal procedures, regulations, and statutes serve to ensure that police departments do not open investigations or seek information for improper purposes."
Respecting users and non-users' privacy is also the camera owner's problem, Amazon said.
"Ring's Terms of Service state that users are responsible for their use of our products and services, including use in accordance with any applicable privacy laws," the company said in response to a question about cameras pointed at public space such as municipal sidewalks that aren't part of a homeowner's property. "Ring includes a door/window sticker in the box with each device that is equipped with audiovisual recording capabilities" so that homeowners can prominently notify anyone in the neighborhood that they may be recorded, Amazon added. It has no oversight or compliance program in place for owners, however.
"Amazon Ring’s policies are an open door for privacy and civil liberty violations," Markey said in a statement following Amazon's response. "If you're an adult walking your dog or a child playing on the sidewalk, you shouldn't have to worry that Ring's products are amassing footage of you and that law enforcement may hold that footage indefinitely or share that footage with any third parties."

Especially the kids

Ring's privacy policy says it does not knowingly collect personal information from anyone under the age of 13. But the cameras, of course, collect footage of whoever happens to be nearby. "Ring has no way to know or verify that a child has come within range of a device," Amazon wrote. "Customers own and control their video recordings."
And yet Ring itself seems to have no compunction about showing children under 13 in footage if it's good for their marketing. For example: 15.8 million Ring doorbells rang in the 24 hours of Halloween, the company said in a blog post.
The company shared some harmless data about all those trick-or-treaters. (Peak time on the East Coast was around 6:30pm, while West Coast kids peaked about 20 minutes later, apparently.) But the company also released a promotional video using captured Halloween footage, including several very clear images of children both with and without their parents present.
Website Mashable asked Ring whether parents consented to their children's appearance in the advertisement video, but the company did not respond.
Ring's terms of service allow for it, BuzzFeed pointed out earlier this year:
You hereby grant Ring and its licensees an unlimited, irrevocable, fully paid and royalty-free, perpetual, worldwide right to re-use, distribute, store, delete, translate, copy, modify, display, sell, create derivative works from and otherwise exploit such Shared Content for any purpose and in any media formats in any media channels without compensation to you.

All your face are belong to us

Markey also pressed Ring several times about the use of facial-recognition technology. The company responded that it does not use any facial recognition yet but may do so in the future.
A sentence in its privacy policy to the effect that Ring may "obtain certain facial feature information about the visitors you ask your Ring product to recognize" refers to "a contemplated, but unreleased feature," the company said. "If our customers want these features in Ring security cameras," it added, "we will only release these features with thoughtful design including privacy, security, and user control; and we will clearly communicate with our customers as we offer new features."What Ring users choose, however, affects not just homeowners who buy the systems but also anyone who gets close enough to their house for any reason.
"Connected doorbells are well on their way to becoming a mainstay of American households, and the lack of privacy and civil rights protections for innocent residents is nothing short of chilling," Markey said in his statement—a sentiment echoed by civil liberties organizations and advocates.
"Through consumer products like Ring, Amazon is collecting footage and all the data needed to build a nationwide surveillance network," Fight for the Future deputy director Evan Greer said in a statement.
"They leverage government relationships to promote their own products, gain consumer trust, and secure their position in the market. This is an unprecedented assault on our security, constitutionally protected rights, and communities," Greer added, calling on Congress to launch an investigation.
The American Civil Liberties Union and Electronic Frontier Foundation have also both repeatedly expressed concerns about Ring, about facial recognition, and about both of them together.
Staff attorney Mohammad Tajsar of the ACLU of Southern California told the Associated Press that the potential for facial recognition in Ring products raised significant concerns. "Even if you don't sell data or provide data to law enforcement, you're creating a mechanism whereby people can express latent biases and racism and classism in a portal that encourages it," he said.

We’re not through

A group of senators, including Markey, found Amazon's response insufficient. Senators Ron Wyden (D-Ore.), Chris Van Hollen (D-Md.), Chris Coons (D-Del.), and Gary Peters (D-Mich.) joined Markey in a new letter (PDF) dated today asking pointed follow-up questions, particularly about Amazon's handling of consumer data.
"Ring's emphasis on safety and security has not always extended to the massive amount of data it amasses, retains, and shares," the senators wrote, referring to a vulnerability that sent WiFi network passwords in plaintext.
Additionally, the senators wrote, Amazon has reportedly sent footage to contractors in Ukraine and apparently is still doing so. "Please describe the process by which Americans' data is accessed by employees or contractors in Ukraine or any other country" outside the United States, the letter asks.Amazon is also told to provide data on how many consumers own Ring devices; what kind of encryption Ring uses for the data; what data retention or deletion policy is used on the data; what employees, and where, have access to what content, and why; what consumer-identifying data might be included in that content; and what the company plans to do about facial recognition in the future.
Amazon has until January 6 to respond to the latest round of questions.

0 comments:

Post a Comment