Senators’ Letter to Amazon on Ring Cameras
Nov. 20 2019 — 4:00p.m.
United States Senate
WASHINGTON, DC 20510

November 20, 2019

Mr. Jeffrey Bezos
Chief Executive Officer
Amazon.com, Inc.
410 Terry Avenue N.
Seattle, WA 98109

Dear Mr. Bezos:

We write to request information about the data security practices of Ring, the home security company Amazon purchased last year. Millions of consumers use Ring’s products and services, which include internet-connected video doorbells, spotlight cameras and alarm systems. Ring devices routinely upload data, including video recordings, to Amazon’s servers. Amazon therefore holds a vast amount of deeply sensitive data and video footage detailing the lives of millions of Americans in and near their homes. If hackers or foreign actors were to gain access to this data, it would not only threaten the privacy and safety of the impacted Americans; it could also threaten U.S. national security. Personal data can be exploited by foreign intelligence services to amplify the impact of espionage and influence operations.

Ring’s emphasis on safety and security has not always extended to the massive amount of data it amasses, retains and shares, according to public reports. Last week, researchers discovered a now-patched vulnerability in Ring doorbells that left Wi-Fi network passwords exposed to hackers. Security experts have similarly discovered a number of vulnerabilities in Ring products that, though since patched, left customer video feeds vulnerable to eavesdropping and manipulation by malicious actors.

In addition to these security incidents, we are concerned about media reports suggesting a lack of respect for the privacy of Ring customers. Earlier this year, The Intercept and other outlets indicated that Ring employees in Ukraine were provided with “virtually unfettered access” to a folder containing every video created by every Ring camera around the world. That same report also detailed how Ring executives and engineers in the U.S. were given “highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras.” These reports raise serious questions about Ring’s internal cybersecurity and privacy safeguards, particularly if employees and contractors in foreign countries have access to American consumers’ data.

Americans who make the choice to install Ring products in and outside their homes do so under the assumption that they are, as your website proclaims, “making the neighborhood safer.” As such, the American people have a right to know who else is looking at the data they provide to Ring, and if that data is secure from hackers.

To that end, please provide us with responses to the following questions by January 6, 2020:

1. How many units has Ring sold to Americans?

2. Does Ring delete users’ video footage generated by Ring devices?
   a. Does Ring ever delete a user’s video footage it has retained?
   b. Please detail Ring’s default data retention policy.

3. Please detail the security measures Ring has employed in order to protect data generated by or stored on Ring devices.
   a. Does Ring video footage, both in storage and transmission? If not, please explain why this is not a current practice.
   b. Please detail Ring’s policies and practices regarding third-party disclosed security vulnerabilities, including whether or not Ring has implemented the International Organization for Standardization’s 29147:2014 guidelines for vulnerability disclosure.
   c. How regularly does Ring perform in-depth security tests, audits, vulnerability scans, source code reviews and penetration testing?
   d. Are independent security audits performed? If so, how often are these audits performed on a routine basis?
   e. How many security incidents have you detected over the past two years? Please describe the severity of each incident, how each incident was remedied, and which federal, state, or local government agencies were notified about the incidents.

4. According to media reports, Ring has provided its Ukraine-based research and development team with unrestricted access to Ring’s entire camera database in form, with each video file reportedly linked to a specific Ring user.
   a. How many employees of Amazon and Ring have access to American users’ camera data?
   b. How is employee access to customer video data controlled, logged, and audited?
   c. Do employees have access to live feeds?
   d. Do employees have access to any other information regarding the customer’s account other than camera data (e.g. user name(s), email address(es), physical address, geolocation)?
   e. Do employees have access to any previously tagged information in video feeds that specifically identify a person or vehicle (e.g. are employees able to determine the homeowner or specific license plates from the data which they have access to)?
   f. To your knowledge, have there been any documented instances of this access being abused?

5. Ring’s online career postings suggest that the company is still hiring Ukrainians to view and tag videos of Americans. Please confirm this practice and explain its purpose.
   a. Please describe the process by which Americans’ data is accessed by employees or contractors in Ukraine or any other country outside the United States and the standards by which they are held.
   b. Please detail in how many other countries employees have access to Americans’ Ring data.
   c. Please detail, for each country where employees have access to Americans’ Ring data, what data privacy and retention policies are in place and any ability for a foreign government to access (through a legal process within that country or otherwise) any Americans’ Ring data stored within that country.

6. According to media reports, Ring employs a “head of facial recognition research” and has applied for a “facial recognition patent.” Please describe Ring’s plans regarding the addition of facial recognition capabilities to its products.
   a. Does Ring intend to use, currently use, or has it used, any type of image matching software capable of facial recognition, including Amazon’s Rekognition?
      i. Has Amazon submitted the Rekognition tool to the NIST face recognition vendor test?
      ii. Please provide as an addendum any relevant guidance Amazon may have on the development and intended use of facial recognition technology.
   b. Does Ring contract out to, or request assistance from, any entity regarding facial recognition? Which entities or agencies? Please provide any relevant guidelines or memoranda outlining this relationship, including any audits or analysis you have undertaken to evaluate the use of facial recognition.

Thank you for your prompt attention to this important matter.

Sincerely,

Ron Wyden, United States Senator
Chris Van Hollen, United States Senator
Edward J. Markey, United States Senator
Gary Peters, United States Senator
Christopher Coons, United States Senator