Ring’s response to senators: it tells about Ukrainian employees and data privacy

In November 2019, the U.S. senators sent a letter to Amazon regarding the privacy of users of Ring smart cameras.

Previously, an American startup with a large R&D office in Ukraine was involved in several scandals. In particular, Ukrainian employees were accused of illegal access to video from cameras. The senators wanted to clarify the details of the situation as well as other measures that Ring takes to ensure secure data storage.

In a response letter, obtained by Morherboard, representatives of Ring tell about the scandals and the company policy. A strong focus was on the company’s representative office in Ukraine.

AIN.UA provides the main points.

  • Camera-recorded videos are stored on servers for 60 up to 180 days depending on the type and time of subscription. Then they are automatically deleted, but users can do it manually at any time. The data itself is stored in an encrypted video.
  • Ring is not aware of any breach of a customer’s personally identifiable information that would require reporting to government agencies. But the company is aware of incidents when stolen credentials and passwords (from other applications and sites) are used by some bad actors to gain access to Ring devices.
  • The R&D team in Ukraine has no unrestricted access to customer’s camera data. The employees can only access publicly available videos and videos available from Ring employees, contractors, and friends and family of employees or contractors with their express consent.
  • The employees in the Ukrainian office use these videos to deliver high-quality services and to maintain and improve the customer experience.
  • Aside from the technical support, members of the R&D team with public access, only three people in Ring have access to the stored customer videos.
  • Over the last four years, Ring has received four complaints or inquiries regarding a team member’s access to Ring video data. Although each of the individuals involved in these incidents was authorized to view video data, the attempted access to that data exceeded what was necessary for their job functions. Ring has terminated these individuals and has taken multiple actions to limit such data access to a smaller number of team members.
  • Ring does not yet offer facial recognition functions. But if users want it, it will think about implementing it.

Previously, Ring introduced mandatory two-factor authentication to ensure security. But the requirement applied only to new accounts – in their letter, the senators indicated that the measure should have been introduced for all users. There was no mention of this in Ring’s response.