Almost one year after EFF called on Amazon’s surveillance doorbell company Ring to encrypt footage end-to-end, it appears they are starting to make this necessary change. This call was a response to a number of problematic and potentially harmful incidents, including larger concerns about Ring’s security and reports that employees were fired for watching customers’ videos. Now, Ring is finally taking a necessary step—making sure that the transmission of footage from your Ring camera to your phone cannot be viewed by others, including while that footage is stored on Amazon’s cloud.
Ring should take the step to make this feature the default, but for the time being, you will still have to turn encryption on.
You can read more about Ring’s implementation of end-to-end encryption in Ring’s whitepaper.
How to Turn it On
Amazon is currently rolling out the feature, so it may not be available to you yet. When it is available for your device, you can follow Ring’s instructions. Make sure to note down the passphrase in a secure location such as a password manager, because it’s necessary to authorize additional mobile devices to view the video. A password manager is software that encrypts a database of your passwords, security questions, and other sensitive information, and is protected by a master password. Some examples are LastPass and 1Password.
How it Works
Videos taken by the Ring device for either streaming or later viewing are end-to-end encrypted such that only mobile devices you authorize can view them. As Amazon itself claims, “[w]ith video E2EE, only your enrolled mobile device has the special key needed to unlock these videos, designed so no one else can view your videos -- not even Ring or Amazon.”
The security whitepaper gives the details for how this is implemented. Your mobile device locally generates a passphrase and several keypairs, which are stored either locally or encrypted on the cloud in such a way that the passphrase is needed to decrypt them. This is helpful for enrolling additional mobile devices. The Ring device then sets up a local WiFi connection, which the mobile device connects to. The public key information for the enrolled mobile device is sent over that connection, and subsequently used to encrypt videos before sending them over the Internet.
To break the system, someone would have to gain access to the temporary local network you created while you were doing initial setup, or you would have to approve adding them as an authorized user by entering the passphrase while setting up an additional mobile device.
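A minimal sketch of the flow described above, added here as an illustration; it is not Ring's code and is not taken from the whitepaper. The primitives (scrypt, X25519, HKDF, AES-256-GCM) and all function names are assumptions chosen for the example.

```javascript
const crypto = require('crypto');
// Assumed primitives for illustration (not from Ring's whitepaper): scrypt, X25519, HKDF, AES-256-GCM.
const DER = { pub: { type: 'spki', format: 'der' }, priv: { type: 'pkcs8', format: 'der' } };

// AES-256-GCM; blob layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a wrong key
}
// Derive the per-clip key from an X25519 shared secret.
function clipKey(privateKey, publicKey) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'clip', 32));
}

// Phone: generate a keypair and wrap the private key under a passphrase-derived key.
function enrollPhone(passphrase) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('x25519');
  const salt = crypto.randomBytes(16);
  const wrapped = seal(crypto.scryptSync(passphrase, salt, 32), privateKey.export(DER.priv));
  // publicKeyDer goes to the camera over the local setup network; cloudBackup may sit in the cloud.
  return { publicKeyDer: publicKey.export(DER.pub), cloudBackup: { salt, wrapped } };
}

// Camera: encrypt a clip to the enrolled public key using a fresh ephemeral keypair.
function cameraEncrypt(publicKeyDer, clip) {
  const recipient = crypto.createPublicKey({ key: publicKeyDer, ...DER.pub });
  const eph = crypto.generateKeyPairSync('x25519');
  return { ephPub: eph.publicKey.export(DER.pub), sealed: seal(clipKey(eph.privateKey, recipient), clip) };
}

// Additional phone: the passphrase unwraps the private key, which then decrypts the clip.
function phoneDecrypt(passphrase, cloudBackup, upload) {
  const kek = crypto.scryptSync(passphrase, cloudBackup.salt, 32);
  const privateKey = crypto.createPrivateKey({ key: open(kek, cloudBackup.wrapped), ...DER.priv });
  return open(clipKey(privateKey, crypto.createPublicKey({ key: upload.ephPub, ...DER.pub })), upload.sealed);
}

// Constructed sample data: a made-up passphrase and stand-in "video" bytes.
const demo = enrollPhone('example-passphrase-not-real');
const upload = cameraEncrypt(demo.publicKeyDer, Buffer.from('constructed frame bytes'));
console.log(phoneDecrypt('example-passphrase-not-real', demo.cloudBackup, upload).toString());
```

A party holding only the cloud backup and the uploaded clip, without the passphrase, gets an authentication failure from `open()` rather than the private key.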
So long as the implementation in the software matches the whitepaper specification and footage is not escrowed in any other way, we have high hopes for the encryption scheme Ring has devised. It may be close to a best-practice implementation of this kind of technology.
What it Means for Privacy
Ring’s relationship to law enforcement has long been a concern for EFF. Ring now has over a thousand partnerships with police departments across the country that allow law enforcement to request, with a single click, footage from Ring users. When police are investigating a crime, they can click and drag on a map in the police portal and automatically generate a request email for footage from every Ring user within that designated area.
Without end-to-end encryption, what happens when Ring users refuse to share that footage has been a major concern. Even if a user refuses to share their footage, police can still bring a warrant to Amazon to obtain it. That means users’ video and audio could end up contributing to investigations they wish they had not facilitated—like immigration cases or enabling police spying on protests—even without the users knowing this had happened.
This access is made possible because Ring footage is stored by Amazon on Amazon servers. The end-to-end encryption model described in Ring’s whitepaper should cut off this access. If your footage on Amazon’s servers is encrypted and only your phone has the keys, then police would have to bring a warrant directly to you for your footage, rather than going behind your back and having Amazon share the video. Contrary to what law enforcement officials may claim, therefore, end-to-end encryption will not put these videos completely off limits from their investigations.
One question that remains unanswered is whether Ring’s encryption will block the ability for other companies to transmit live-streamed footage from Ring cameras to police. In November 2020, local media reported that Jackson, Mississippi would start a pilot program with the help of a company called PILEUM/Fusus that would allow police to live stream footage from the security cameras of consenting participants. Although camera registries and shared access to security cameras are not novel, what was particularly troubling about this was the insistence that this program would allow people with networked home security devices, including Ring cameras, to also transmit their live footage straight to the local police surveillance centers.
Ring reached out to a number of organizations, including EFF, to reaffirm that they are in no way involved with this pilot program. Fusus technology reportedly works by installing a “Fusus core” on your local network, which can supposedly find and transmit any live footage on your network, including Ring cameras.
These changes to Ring raise the question of whether turning on Ring’s new end-to-end encryption feature will undermine Fusus’s ability to transmit footage. It’s unclear why anyone would consent to participating in a similar pilot program and installing a Fusus core, and then undermine that decision by opting into Ring encryption. But this scenario still leaves us wondering what current and future schemes by law enforcement to get Ring footage will undermine the use of end-to-end encryption.
It may seem like EFF expends a lot of effort fighting against Ring and other Internet connected home security devices—but we do it for good reason. Police departments that could not legally build and use a large-scale government surveillance network are using Ring cameras as a loophole to avoid public input and accountability. Consumers’ choice to buy a camera cannot and should not be a way to launder mass surveillance and streamline digital racial profiling.
In the wake of investigative reporting and public advocacy, Ring has made a number of concessions. They’ve beefed up security measures, jettisoned undisclosed third party trackers, and even allowed people to opt out of receiving police requests for footage. These were all good steps, but they all did nothing to prevent police from bringing a warrant to Amazon in order to use your footage as evidence without your permission or even direct knowledge. One of Ring’s security and privacy soft spots has always been that it stores your footage for you. With end-to-end encryption enabled, a safeguard against blanket requests for footage from the cloud is introduced. It means that users have the ability to decide when and if to share their footage, in a way Amazon or Ring cannot easily circumvent. It also means that law enforcement requests for footage have to go directly to the camera owner, just as they did before the advent of cloud storage.
We hope Ring takes the step to make this feature the default. With these safeguards in place, we can now move on to other concerns, like more federal regulation, ending consent searches so that police would be required to get a warrant any time they want your footage, preventing local police from sharing your footage with other agencies for unrelated reasons, and finding safeguards that prevent the technology from being used as a pipeline for sending racially biased “suspicions” straight to the police.