Neighborhood watch 2.0: Ring’s privacy practices put under the spotlight

(Image credit: Amazon)

Ring, a Shark Tank reject that shot to success after being bought by Amazon in 2018 for almost $1bn, is reshaping the idea of neighbourhood watch for the smart home generation. 

What once comprised a group of paranoid civilians on the lookout for petty crime has since been replaced by an army of internet-connected doorbells and security cameras affixed to the homes of millions. 

This has created a makeshift surveillance network that Ring claims will bring communities together and give law enforcement more resources to help solve and, ultimately, reduce crime. 

As part of this mission to make neighborhoods safer, Ring has partnered with police departments across the US, and in some areas, security cameras are being offered at a discounted rate by cops that hope to be able tap into the crowdsourced footage hosted on Ring’s Neighbors app. 

While there are already success stories - Arcadia in Los Angeles claims it saw a 25 percent decrease in residential burglaries following its cut-price-cam rollout in 2017 - privacy concerns surrounding Ring, and in particular its Neighbors app, are on the rise. 

Some critics have slammed the wannabe-cop system as "an unmitigated disaster" for privacy, while others fear Ring is building up a for-profit private surveillance network. 

What’s more, a recent data breach that exposed the personal data of more than 3,000 device owners has added to the unease surrounding Ring’s sprawling  network, and seen many question how seriously the company is taking the security of its customers. 

(Image credit: Ring)

Your friendly Neighborhood Ring door cam

Ring launched Neighbors in May 2018, a sort of social network for the nosey and suspicious that the company describes as an “open space for people who wish to make their community safer”. 

The app, which is available for free on both Android and iOS, features a Facebook News Feed-like neighborhood watch feature that provides users with real-time crime and safety alerts from their neighbors, local police and the Ring News team.

Though Ring touts Neighbors as “opt-in”, if you install a Ring device - be it a doorbell camera, security system or even smart lights - you’re automatically enrolled in the app. 

This means if you have a Ring security camera, for example, you can upload video content straight from the gadget to Neighbors - such as someone stealing an Amazon package from your front porch - for others to gawp at. 

Neighbors is also available to non-Ring customers, who can anonymously read or post about crime, safety, suspicious activity, and lost pets within five miles of their home.

Uh oh, that’s the sound of the police

In an expansion of its supposed crime-stopping program, Amazon has been partnering with law enforcement, and as of the beginning of December 2019, it had joined forces with 677 police departments - up from 405 in August - in the US.

These partnerships give cops a direct portal through which they can request video from Ring users in the event of an active nearby crime investigation. Law enforcement officials are required to get explicit permission from the camera’s owner, which they can request via a general post in the Neighbors app or via an exclusive law enforcement portal provided by Amazon. 

Owners aren’t required to hand over video, though, with Ring offering customers three different options: you can choose to share all of the videos from a requested timeline, select specific videos from that timeline, or simply do nothing.

However, despite this seemingly user-first approach, some reports claim Amazon has been coaching police on how to successfully obtain footage without a warrant. 

Furthermore, police departments that partnered with Ring also had access for more than a year to a map outlining where the video doorbells were installed before that so-called 'feature' was removed in July.

(Image credit: Ring / Amazon)

Data breach sets alarm bells ringing 

That isn’t the only thing that has set alarm bells, er, ringing. Though Ring’s devices, along with its aforementioned police partnerships, are designed to make users feel safer, it seems the company’s own security credentials are somewhat lacking. Back in December, the log-in details of 3,672 Ring camera owners were compromised, exposing log-in emails, passwords and the names people give to specific Ring cameras.

Ring has denied a data breach, saying in a statement that “it has no evidence of an unauthorized intrusion or compromise”, but this has been strongly contested by security experts who claim that given the format of the breach - which allowed bad actors to access information including home addresses, telephone number and payment information - it was likely taken from a company database.

As well as giving intruders access to a whole host of customer data, intruders could also access live camera footage from all active Ring cameras associated with an account, as well as a 30- to 60-day video history, depending on the user’s cloud storage plan. Since news of the breach broke, user horror stories have started to emerge; a man in Alabama claims his Ring camera was used to harass his two young children, a couple in Texas alleges a hacker harassed them and demanded a ransom of $350,000 in Bitcoin, and, alarmingly, a mother has released a video of a hacker talking to her eight-year-old daughter through a Ring camera set up in the child’s bedroom.

This isn’t the first time Ring’s security practices have been thrown in to doubt. The Mozilla Foundation, makers of the Firefox browser, last year warned that the company was among its worst privacy offenders, claiming Ring doorbells have "vulnerabilities that could let someone go Big Brother on you in your own home.”

However, it’s worth noting that Ring isn’t the only smart home company that has suffered such an incident. Back in September, Google was forced to soup-up the security of its Nest devices after users reported a number of breaches; one family in Illinois claimed a hacker accessed their security camera and spewed racial slurs, while a family in Texas said a hacker threatened to kidnap their four-month-old baby.

Arlo Smart Home also recently urged its users to increase the security on their accounts, pointing to specific cases of "suspicious activity”. 

(Image credit: Future)

Ringing in the new year with better security

Thankfully, Ring seems to be stepping up in the face of these security concerns, and at this year’s CES it unveiled a new web dashboard of privacy controls that will, according to the company, let users better manage the access settings on their devices and, more importantly, better keep hackers out.

"This latest feature will make it easy to view and control privacy and security settings from one dashboard," Ring explains. "The Control Center will initially let you see and manage your connected mobile, desktop, and tablet devices, as well as third-party services; it will also enable you to opt out of receiving video requests in areas where local police have joined the Neighbors app.”

While it remains to be seen if this will ward off wannabe doorbell hackers, there are some steps you can take to make your Ring account more secure; with the company denying that hardware or software has been compromised, it’s likely that lax security and password practices are to blame for the the recent data breach. 

Firstly, it’s essential to ensure you’re using a unique password for your Ring account in order to prevent ‘credentials stuffing’, a hacking method whereby intruders attempt to access accounts using username and password combinations that have been made public through security breaches at other companies. 

Two-factor authentication (2FA) is also a must-have, and Ring offers its own 2FA method when you first set up the app. If you’ve already skipped this step, you can access it by heading to Settings > Account Settings > Enhanced Security. Open the Ring app. 

Of course, you should also check if your information has already been accessed. Using a website such as Have I Been Pwned will show you if your credentials have been included in any data breaches over the past several years. If they have, make sure you follow the above steps before you put on your novelty cop cap and get back to fighting crime. 

After all, your security system should keep hackers out, not invite them into your home. 

Carly Page

Carly Page is a Freelance journalist, copywriter and editor specialising in Consumer/B2B technology. She has written for a range of titles including Computer Shopper, Expert Reviews, IT Pro, the Metro, PC Pro, TechRadar and Tes.