By John Gruber
Kolide ensures only secure devices can access your cloud apps.
It’s Zero Trust for Okta.
Ry Crist, reporting for CNet:
Ring, the Amazon-owned video doorbell and home security company, came under renewed criticism from privacy activists this month after disclosing it gave video footage to police in more than 10 cases without users’ consent thus far in 2022 in what it described as “emergency situations.” That includes instances where the police didn’t have a warrant. [...]
The disclosure, released in response to questioning from Sen. Ed Markey, a Democrat from Massachusetts, comes after years of extensive and controversial partnerships between Ring and various police institutions. Now privacy advocates at organizations like the Electronic Frontier Foundation say that warrantless footage requests endanger civil liberties.
While Ring stands alone for its extensive history of police partnerships, it isn’t the only name I found with a carveout clause for sharing user footage with police during emergencies. Google, which makes and sells smart home cameras and video doorbells under the Nest brand, makes as much clear in its terms of service.
“If we reasonably believe that we can prevent someone from dying or from suffering serious physical harm, we may provide information to a government agency — for example, in the case of bomb threats, school shootings, kidnappings, suicide prevention and missing persons cases,” Google’s TOS page on government requests for user information reads. “We still consider these requests in light of applicable laws and our policies.”
Others, most notably Apple, use end-to-end encryption for user video as the default setting, which blocks the company from sharing user video at all.
“HomeKit Secure Video is end-to-end encrypted, meaning even Apple cannot access it,” a company spokesperson said.
Surveillance camera systems that don’t use end-to-end encryption should have a policy where footage is shared with third parties if and only if device owners have explicitly opted in to sharing footage with any entity, including the police, including in emergencies, without a warrant. Not just some small print in a long terms of service agreement, but a simple explicit dialog box along the lines of Apple’s “Ask not to track” opt-in. And in all cases, owners should be immediately notified when footage has been shared, with all pertinent details: what footage, shared with whom, for what reason.
I don’t know what Amazon is thinking with regard to this cozy-with-the-police policy with Ring. It’s the number one reason people are saying “Fuck no” regarding their prospective acquisition of One Medical. I’m no expert on HIPAA, but it looks like the law here in the U.S. has several carveouts allowing/requiring medical providers to share personal health records with law enforcement. So as a consumer, what it comes down to is trust. I trust every doctor I have an ongoing relationship with, and if I didn’t, I’d find new doctors.
I think Amazon has a good reputation on privacy — except for their ongoing stewardship of Ring. And handing camera footage over to police without a warrant is a big exception. I don’t know what Ring is worth to Amazon financially, but I genuinely wonder if they’ve done more reputational harm to Amazon’s overall brand than Ring is worth dollar-wise.
★ Wednesday, 27 July 2022