As far as I know, the only home surveillance products that use E2EE are ones that support HomeKit Secure Video.
Maybe... just maybe... technology is not really what should be the core issue here? But we should perhaps look at our policies and legislation? Adding proper liability there will make technology come by itself. The magic of free market doesn't seem to be working here.
The cultural conceit of 'disruptors' is that society has made everything complicated and therefore society is 'ripe for disruption' which if you read between the lines means 'stupid'. Lack of respect means lack of care. Lack of care leads to injury (theirs, and/or ours).
You are right. It's not the tech. It's the arrogance.
From my knothole, legislation comes for things that aren't policing themselves adequately. I think what we are discovering is that there are a lot of domains where the old guard were self-policing to a degree, and the newcomers have absolutely no reverence for anything.
I expect it won't be long before you'll see industries taking a hard look at their internal culture, and then engaging in regulatory capture to keep out the disruptors.
You can create penalties, punishments, hire security guards to watch the door. But the most efficient and effective way is just a lock.
The main, and usually only, real reason for the lock on the door is to serve as a physical symbol which establishes a particular legal status of the property behind the doors, with associated consequences for unlawful entry. The legal apparatus - penalties, punishments - is what deters crime. Lock is an XML tag made of matter.
(The additional, secondary role of a lock is being a trivial inconvenience. Not enough to deter a thief determined to rob your place, but enough for a thief determined to rob a place to skip yours and pick a different one.)
All accesses to customers' data should require multiple people not by policy but by mandatory access controls.
The fact that employees could hack their employer is true and not meaningful.
The number willing to commit felonies is less than the number willing to risk termination.
What systems are out there for requiring consensus for access? I know about K of N protocols for hardware cryptography, but I'm fuzzy on such systems for, say, admin functionality or data retrieval. Are they all in-house at this point?
I've found over and over again in my work that it's much easier to spout rhetoric about process change when I have provided tools to facilitate those changes. Maybe it's time for us to collaborate on some tooling in this space.
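An added example, not part of the thread: a minimal sketch of the k-of-n approval gate asked about above, enforced in the data path rather than by policy, and failing closed. The approver names, keys, resource path and ticket id are constructed, and HMAC with per-approver secrets stands in for the per-person signatures (for example from hardware tokens) a real deployment would use.

```python
import hashlib
import hmac
import json

# Constructed approver secrets (assumption). A real system would verify
# per-person asymmetric signatures instead of holding shared secrets.
APPROVER_KEYS = {
    "alice": b"constructed-key-alice",
    "bob": b"constructed-key-bob",
    "carol": b"constructed-key-carol",
    "dave": b"constructed-key-dave",
}
QUORUM = 2  # distinct approvers required, not counting the requester


def canonical(request: dict) -> bytes:
    """Stable byte encoding so every approver signs the same request."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def approve(approver: str, request: dict) -> dict:
    """Run by an approver: bind their identity to this exact request."""
    tag = hmac.new(APPROVER_KEYS[approver], canonical(request), hashlib.sha256)
    return {"approver": approver, "tag": tag.hexdigest()}


def authorize(request: dict, approvals: list, audit_log: list) -> bool:
    """Gate in front of the data: grant only when QUORUM distinct, valid
    approvals from people other than the requester cover this request."""
    valid = set()
    if request.get("ticket"):  # no ticket reference, no access
        for a in approvals:
            name = a.get("approver")
            key = APPROVER_KEYS.get(name)
            if key is None or name == request["requester"]:
                continue  # unknown approver, or self-approval
            expected = hmac.new(key, canonical(request), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, a.get("tag", "")):
                valid.add(name)  # a set, so duplicates count once
    granted = len(valid) >= QUORUM
    # Every decision is logged, including denials.
    audit_log.append(
        {"request": request, "approvers": sorted(valid), "granted": granted}
    )
    return granted


if __name__ == "__main__":
    log = []
    req = {
        "requester": "alice",
        "resource": "camera/1234/clip/42",  # constructed resource id
        "ticket": "TICKET-0001",            # constructed ticket id
    }
    print(authorize(req, [approve("bob", req)], log))                        # one approver
    print(authorize(req, [approve("bob", req), approve("carol", req)], log)) # quorum met
    other = dict(req, resource="camera/9999/clip/1")
    # Approvals are bound to the request, so they cannot be replayed elsewhere.
    print(authorize(other, [approve("bob", req), approve("carol", req)], log))
```

Because the approvals cover the canonical request, changing the resource, requester or ticket invalidates them, and the gate denies by default when anything is missing.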
There are also locks on e.g. cell doors in prisons. Those are pretty essential to the function of the cell, and tend to survive anything prisoners might try to do to them.
There are also locks (specifically, interlocks) on e.g. dam spillways, or on the airlocks on submarines. (For these, the "key" is a button somewhere else that's not necessarily itself secured, but it is still very crucial that they keep things out when that button has not been pushed.) They hold up pretty well—even against malicious infiltrators—mostly because they fail closed and have no UI components mechanically linked to the locking mechanism.
I think the gp is not 'absolutely not true'.. I have a fair amount of hobby interest experience dealing with petty thieves / criminals for the past couple decades; studying them locally and through polls and news articles... stories about locked up thieves admitting they will generally skip houses that have big dogs and security systems for example.
Certainly there are certain types of people to take into consideration from what you are mentioning, and petty criminals vary from locale to locale in significant ways sometimes. From what I understand places like frisco often have car hoppers busting out windows of cars on a regular basis, however in my area they generally only check for doors to be locked or unlocked when choosing to rummage through a car. A portion of the criminals around here will make an exception and bust a window if they see a purse or briefcase, but generally move on to the next without making too much noise, for example.
In most neighborhoods seeing someone crouched down playing with a door lock would attract attention and likely calls to the police. Kicking in a door would also create an amount of noise that brings attention the average criminal does not want to deal with.
Sure if a delivery person has seen you have a box of gold and sapphires next to the door (or notice your vintage guitar collection hanging on the walls while trick or treating) - they may target you with a door kick / other means of juice that is worth the squeeze..
but most of the thieves in my area will skip the locked houses and move to the next softer target. (often ringing the doorbell to see if anyone is home first)
I don't think most petty thieves are willing to learn lock-picking, even though it's easier to learn today than it was 20 years ago.. The added time it takes is not really worth it. (for most in most situations)
It's easier to find a neighbor that has a window air conditioner that can be pushed in with ease (at least around here, this technique in Minnesota may not be used as often)
The only place I can think of in regards to "establishes a particular legal status of the property behind the doors, with associated consequences for unlawful entry." would be Kennesaw, Ga - every person who lives there has a gun - there, the legal status of kicking in a locked door and its associated consequences are proportionally different than most apartments in NY.
Some of the street thugs know that robbing with tools (that can be labeled burglary tools) carries an extra charge, just like robbing with a loaded gun is different time for the crime of stealing using threat of other force..
I do agree that certain situations / threats make "The additional, secondary role of a lock is being a trivial inconvenience. Not enough to deter a thief determined to rob your place, but enough for a thief determined to rob a place to skip yours and pick a different one." true - but that does not make the above statement absolutely not true.
I think you are both right.
> In most neighborhoods seeing someone crouched down playing with a door lock would attract attention and likely calls to the police.
Not if that someone is wearing a hi-vis safety vest (perhaps with "Cory & Trevor Locksmith Company" or something similar written on it).
My point is that the effectiveness of locks primarily comes from laws and economics, not from their physical properties.
The point I think you were trying to make is that it's mathematically possible to create a cryptographic lock that's inviolable. This is a different way of thinking.
I agree strongly - it's one thing to have a process or rule on what to do, and another to build a system that forces the processes and rules to be followed.
(I say inviolable, but I'm aware you can typically defeat a cryptographic lock by taking a crowbar to the physical locks watched by your Ring doorbell and subsequently using the crowbar on the person whose mind holds the key to said lock...but that's not the lock's fault.)
To destructure the analogy and give a concrete example, if I'm dying of allergic shock I don't want my doctor unable to access my medical history because somebody in the process can't remember how to "break glass" on the encryption on my medical records, even if there's a procedure to do so. I want my records in plain text format and as readable as possible.
All that said, I get your point, but I'm not sure how it applies to this discussion anyway.
- If you normally keep the door locked, unlocking it with the thumb turn is what you do every time anyway
- In cases where there are many people expected to use doors that they're unfamiliar with, it's typically even simpler to exit (panic bar on business fire exits, automatically-unlocking deadbolt on hotel doors, etc)
It's weird, now that I think about it. I was just some kid they hired as a temp. We've never really known who's looking at our private data.
Am I wrong about this?
E2E Encryption is usually referenced in messaging applications where the ends are understood to be the two communicating parties, while in this scenario it's a little more nebulous.
Facebook, if I recall correctly, at one point seemed to be trying to redefine the term to be "encrypted on its way to us and then back out again", which IMO is nothing short of propagandizing to confuse people, I assume to foil demand for real E2E encrypted products and gain unearned trust.
I just wish I could read the source code to make sure theory and practice are reasonably congruent.
But as soon as a camera came out that supported this I finally got one (flat out refused to get one before... even though I wanted to get one).
It feels pretty good knowing it's stored encrypted in my iCloud and all of the processing happens on my devices (HomePod and Apple TV).
I can always just revert to using an SD card instead of sending my data over to them on the other hand. I am okay with this so far though, they delete videos after 15 days anyway.
I'm also waiting for the outdoor / weather resistant Wyze cams that are set to come out this year, so I can put them facing the front door from the front part of my porch. I hope to have it trigger a Wyze lightbulb, though I'm not sure if they're that smart or if they need the sensor instead.
Matter of fact, I have a window next to the Ring where I have a Wyze cam looking outside, but the IR doesn't work through the window, so I'm just waiting for the outside Wyze cams to be a thing. Once I get those I might repurpose some of the regular Wyze cams to do time lapse videos of the weather from upstairs. Florida has interesting weather.
That's a good idea, I had not thought about that, adding an IR bulb outside. I'm thinking of getting Wyze bulbs for outside though, I'm sick of coming home to complete darkness, just bought the home and there's no smart lights outside yet.
I do need to worry about weather mainly because I do live in Florida, and hurricanes do come through now and then. I will be sure to mount it securely though.
Unless you intend for someone else to oversee your surveillance operation, your footage shouldn't leave your premises unless encrypted, using keys which don't leave your possession. You enter them out-of-band on the device on which you wish to watch remotely.
Is there some implied benefit to not encrypting end-to-end or are they just being lazy and using nothing more than TLS because security isn't really the goal?
But that cannot work with a cloud-based Motion Detection feature (arguably the second most important feature of Ring doorbell cameras, after the doorbell functionality). The Motion Detection is done server side so the server has to be able to see unencrypted video. Maybe if there was a lot more powerful (and programmable) hardware on the camera side you could do it there.
You wouldn't need anything much more powerful than a Pi4B to do that part for a couple of cams, but I guess this keeps the cost down for a security-unconscious public.
I can't think of a legitimate reason for 1 employee at Ring to have the capability of viewing customer videos.
1. Law enforcement requests? Blind-forward what the warrant asks for.
2. Verifying service is functioning? Canary devices utilizing the normal application workflow. Login to your canary account and make sure the video is working.
3. Customer asks you to review something? Just say you can't. The world will be happier.
For example, you have a customer support phone number, and you want your call centre workers to be able to see exactly what the user sees, and help the user do anything the user can do through the website. After all, if you're keeping your support costs down, the website should be able to do 99% of what users call support for already.
So you give your call centre workers a 'log in as customer' option. And you justify to yourself that there's access logging, and staff are under strict orders. Maybe it's before you've released any indoor cameras, and it's not like people are putting doorbells in their showers.
Sure, it'd be a sensible extra feature if log-in-as-customer was a special mode that didn't show videos. But is that really a minimum viable product? We'll put that on the backlog to attend to later.
Et voilà, your call centre workers can watch customer videos.
There are some agents/admins with override abilities but the overrides are logged and reason (with ticket number) is required to create the override.
This creates a new problem of managing keys, of course, but that's been solved many times now in other parts of the industry.
However, worse, features that use AI to detect movement/people/etc can't be implemented without access to the underlying video stream. The only remotely viable way would be via homomorphic encryption, which has serious limitations still.
It's far easier to do what they did, and just limit root access to a very small number of trusted people.
The "decryption key" can be a password-like object rather than an AES key, though that does require some security, and browsers are, if not quite ready to decrypt a stream and then render it as a video file, getting pretty close to that.
However, any client provided to the user by the video company itself, web or app, has the risk of exfiltrating the key back up to the video company, and I don't think the market will support a video company where you have the inconvenience of being required to get a third-party client to use it.
"However, worse, features that use AI to detect movement/people/etc can't be implemented without access to the underlying video stream."
The hardware to do this locally isn't that expensive, but again, the market would have a hard time standing for it, because this is inevitably going to be more expensive than the competition.
Wyze cams do "edge detection" AI in-camera, and those cameras are only $20-25. It seems to work pretty well to me. Although, the company that developed the AI is pulling out of the contract with Wyze. Nonetheless, it shows that it can be done cheap.
Either carry it with them or enter a passphrase (for use with a key derivation function; I guess/hope that Ring requires some passphrase to view video via their website anyway). That's a rather common problem.
As for "AI", depending on what you mean by that, it can be implemented in the device itself (unless it's something particularly fancy, requiring more resources than viable to dedicate there).
It's indeed easier and slightly more convenient to not care about security, but that's also a general/common case.
But yeah, I imagine you'd have a passphrase/key that can be found on a new device, perhaps via a QR code, and then signing into a new client device would require you have access to the old device to approve it/allow the private keys to transfer between the two, etc.
Google makes billions from doing this, if we wanted Google to not be able to do this at all, we would have to pay them the same money (more!) collectively to incentivise them to do that instead. And I don't see any movement to take that into account and be willing to do it.
I don't know much about Ring, but I would be amazed if there was no plan or dream in their business model for things like "face recognition to let your friends in", or "tracking suspicious people around your neighbourhood" as a police contractor, or "selling info to FedEx about what their drivers are up to as seen from the customer side", or "selling data to real estate sites about which roads are busiest or quietest", or anything else they can gather.
Saying "my data, my property!" is a principle I can support, but without facing up to this, Ring's answer is very likely to be "we're secure don't worry about a thing .. behind you! a three headed monkey!".
Ring's biggest product is their doorbell and I'd be willing to bet that a big chunk of their customer base isn't that concerned if somebody accesses their doorbell video. I'm not sure I'd care...
Pretty soon Ring will shift to working primarily with security and insurance companies who will bundle this into their own service offerings. The end customer will never even know what gets recorded, where it's stored or who has access.
It would really suck if someone could watch my front door. Like, they might know when my package arrives?
Or what if someone checked my naked footage?
I really don't care. Should I care?
I've always thought that was a bit of a strawman. In the case of my front door, I really wouldn't mind even if it were livestreamed for the whole world to watch. I agree that "I have nothing to hide" is generally a poor argument, but I think when it's more specific it can be a valid statement, e.g. "I have nothing to hide when it comes to things that go on outside my front door". I can't recall in my entire life a single event outside my front door that I would care about other people being able to watch. Can I imagine a scenario where I might want privacy at my front door? Sure. Maybe my friend becomes a fugitive and comes to me looking for help. Maybe I become a CIA informant and they come to secretly meet with me. But in the few situations I can think of where I would actually care about total privacy around my front door, I'd hope I would have the prescience to pop out the batteries in advance. I legitimately cannot think of a single case in which I might care that someone is watching my front entryway.
Of course, I don't feel the same way about other camera positions. But I think I'm a pretty security-conscious guy (my in-home security cameras are airgapped and streamed to a local server) and I have a Ring on my front door and have no qualms about it.
As a result, I'm extremely cautious about purchasing IoT products. I haven't given up smart devices entirely, but I avoid the ones that require an account to sign in or rely heavily on cloud services. Smart cameras are particularly tricky since they reveal so much about you, particularly combined with machine learning and face identification.
This is the best IoT advice I can give anyone. I've had at least a dozen "smart" lightbulbs orphaned by two different companies. One went out of business, the other just decided not to support them anymore.
The amazing thing is with the first group of bulbs, the IoT company actually pushed out a software update bricking the controller box before it went out of business. This was a box that could have functioned forever because there were several tinkerers who had reverse-engineered the protocol and seemed close to releasing open source integrations.
Naturally, there was no notice. The only way I found out was when the bulbs wouldn't respond anymore and I went to the company's web site where there was a notice.
You know what doesn't always work? Smart light bulbs.
You know what always works? Dumb light bulbs.
I do like my smart lights, but for a good chunk of them I'm buying the ones where the brain is integrated into the switch and the switch defaults to being a dumb switch when it can't find the cloud connection.
Keep your camera footage local or demand end to end encryption.
Street-facing doorbell cameras on public sidewalks are in my opinion the worse problem. Pedestrians didn't opt-in. Operators of these cameras (both the buyer and the vendor) should be subject to the same legal obligations as other data collectors.
Disclaimer: This is not an invitation to do such a thing. Be mindful of laws in your jurisdiction and ethics of this.
GDPR is on your side here as well. I had to consent to the surveillance cameras when I joined my local gym.
Also at our workplace we had to consent to being taped by the main entry surveillance cameras and the company is not allowed to view the footage, like for performance reviews :), unless a theft or crime has occurred.
Either put up a visual barrier or move.
This sort of thing is why I consider products like Ring to be terrible and highly antisocial. I would avoid even going into a neighborhood that had many of these installed, let alone live in one.
Also, am I the only one who thinks that the prevalence of these devices in a neighborhood is a very strong indicator that the neighborhood is sketchy -- either it has a lot of crime, or it has a lot of very paranoid people?
Saying people are paranoid for having cameras is ridiculous, people also have security systems. It's a deterrent and doesn't necessarily mean high crime. If you live in Major City like I have my whole life, it's just a fact of life that you're going to want stuff like this.
If it's just you with a local server, then I only have to worry about you. If it's going to someone else's server, then I have to worry about them as well. And in the case of Ring specifically, that someone else is Amazon -- which is even more concerning.
> shouldn't people have the right to set up surveillance on their own house for protection and deterrence?
Sure, I never said otherwise. I have a surveillance system myself (on my own local servers), but I take great pains to ensure that no cameras are capturing anything that isn't my property.
> It's a deterrent and doesn't necessarily mean high crime.
I never said that it automatically means a high crime area. It's just highly suggestive of it. If it's a low crime area, far fewer people would feel the need for this sort of thing.
> if you live in Major City like I have my whole life, it's just a fact of life that you're going to want stuff like this.
No, it's not. I've lived in a number of major cities, and have never felt the need to point cameras at my neighbor's houses or the street.
> At the core of Ring, and guiding every action we take, is respect for the privacy and security of our neighbors
> Nobody can view your video recordings unless you allow it
Sounds pretty straightforward.
Send Ring's legal dept a letter telling them you don't allow it (email@example.com, then certified mail when they ignore you the first time).
Also any opinion about their recent fiasco with telemetry?
My plan is to run cable for PoE cameras soon. Will have 24/7 recording, but accessible only locally.
There are other solutions out there, like using a Raspberry Pi Zero with some OSS. The caveat here is that it requires a greater time investment from the consumer.
Which is absolute nonsense if this is their data protection policy. They'll only ever catch maybe 5% of the people doing it. This is also likely meant to hide the fact that their Ring security is extremely porous and they may want to keep it like that because that may also be how law enforcement gets access to those videos right now. Changing this may mean disrupting the police's access to them for a while.
Combine this with all the security issues AWS buckets have had, along with employees also accessing Alexa recordings, and it's almost starting to look like Amazon doesn't care all that much about securing your data...
I wouldn’t be so confident about that. I’ve worked with a few large organisations where customer service staff needed to have access to sensitive customer data, and they usually had pretty good systems for detecting improper access to data, and would monitor it quite actively. I have no idea what monitoring systems Amazon has in place, but they could easily be doing quite a good job of it.
Siri is apparently activated at every mention of the word "si" and specifically even more during bedroom conversations.
What's next, people installing microphones in their home that stream audio to Google or Amazon?