Dennis Desmond: Ring Doorbell Security Concerns

Show Notes

Interview with Dennis Desmond, Lecturer in Cyber-intelligence and Cyber-crime at the University of the Sunshine Coast – by Allan Boyd RTRFM

INTRO: Every day, more of us are installing smart doorbells. These devices promise safety and convenience. And may even find your lost pet. 
But cyber-experts warn these A.I. incorporated tools are quietly creating a vast surveillance network, one that’s not controlled by governments, but by massive tech companies.

How safe are we? On The Record’s Allan Boyd had a chat with a cyber-security expert

Source: https://theconversation.com/amazons-ring-wanted-to-track-your-pets-it-revealed-the-future-of-surveillance-276020

Transcript

SPEAKER_00 0:01

Do you have a ring doorbell? Recently, Amazon's ring doorbell camera company advertised a new feature called search party. If there's a lost pet in your area, local ring cameras scan your footage for animals that match the description. If there's a sighting, the owner can be notified, essentially turning neighborhood cameras into a wonderful pet tracking network. But critics say this masks the normalization of mass surveillance and that a system designed to track pets will also attract people. Indeed, Ring already has a facial recognition feature where users can catalogue the faces of people who often visit their homes. And then there are potential partnerships with Flock Safety, a maker of AI-powered surveillance cameras that share footage with law enforcement or Clearview AI, which provides facial recognition software to law enforcement, matching faces against the database of billions of scraped online images. So what happens when intelligence collection moves into corporate hands? And what does it mean for privacy, accountability, and the way our communities are monitored to discuss this and the concept of intelligence as a service? I'm joined by Dr. Dennis Desmond, lecturer in cyber intelligence and cybercrime investigations at the University of the Sunshine Coast. Welcome, Dennis. Hey, good morning. How are you? I am good. So could you just break down briefly or simplify how Rings Search Party feature would work and could this also track people?

SPEAKER_01 1:28

Sure. So the the big breakthrough patent over the last several years has been what's called object recognition. And what this means is based on shape, color, configuration, or movement, that an object can be extracted from a video feed. Now, this is incredibly important with the integration of AI, they literally could recognize the shape, color, movement of a specific animal, in this case a dog, and then basically crowdsource, which is gather the information from several ring cameras throughout a neighborhood or a community and look for specifically that dog based on its object recognition software. Now that means that if a dog ran away, supposedly the different ring cameras could be leveraged to identify its movement patterns and where it's been sighted and try to match that object that the original uh owner has identified.

SPEAKER_00 2:22

It's a pretty uh but I mean it sounds like a good service. So it could be great if if you lost a dog or a cat or something like that. That's a great way to find it.

SPEAKER_01 2:29

Absolutely. And historically, the companies have used this to track vehicles. For instance, bank robbers get into a red sedan. That red sedan is then tracked through various cameras throughout a city, and they can then track the movements of that vehicle. And this can be used pretty much for any object, large object that a camera might capture. So this is a pretty important technology development that's been uh around now for a few years.

SPEAKER_00 2:54

I suppose the growth of these things happened after or during COVID, where we get lots of things started to get delivered to our homes and to deter port piracy and things like that. These cameras were lots of people bought them, including myself.

SPEAKER_01 3:07

Yeah, absolutely. Absolutely. And I mean, these things, I mean, you know, I'm a wildlife carer, and as an example, we have several cameras set up around our property to track where we do releases and to see if we get the uh the possums or whatever are returning to feed stations so we can kind of track their movements, track their health, track how they move over a period of hours during the day and night. So there is a useful application for these kinds of technologies.

SPEAKER_00 3:35

These things are everywhere. The uh smart doorbells and neighborhood cameras are everywhere. What's happening now, though, that people should why should we be concerned about this?

SPEAKER_01 3:43

One of the biggest concerns, and this is part of the Internet of Things development in the technology field, is who's collecting the data, who has access to the data, where's the data stored, and do you have full control over whether or not that data is accessed, shared, or used commercially, or even by law enforcement or intelligence services? And that I think is the biggest concern when we start talking about Internet of Things devices collecting information about individuals. And it's not just faces, it's not just movement, your voice, it's behaviors. And when that data is linked with other aspects of your lifestyle, a pretty detailed and complex map of your life really exists, which is available for law enforcement or intelligence to get a hold of, or worse case, hackers than even to intercept if the data is stored on servers.

SPEAKER_00 4:39

I can see the obvious problems here, but many people say, Look, I've got nothing to hide. How do you respond to that?

SPEAKER_01 4:45

Well, you know, there's that that idea that if you have nothing to hide and you want to share everything about you, uh, your behavioral lifestyle may be analyzed and used for a lot of things for which you had not intended. For instance, if you go to a beverage store, that might impact uh your ability to get a driver's license. It might impact your ability to get health insurance, if you're seeing purchase tobacco products, if you're seeing speeding, any of those things, when aggregated with other data, could be used to your detriment. And we don't know specifically to what extent that information is being used. The other problem is misidentification. We've seen cameras used for uh seatbelt and phone holding when individuals have been wrongly accused of not having their seatbelts on or not holding a phone. That can also lead to obviously fines, points on your license, but also can adversely affect your insurance or your ability to just conduct day-to-day routine activities. How the data is used or misused is the greatest concern. It's not about being honest, it's not about being forthright, it's about how that data is actually used, which may include something as innocuous as targeted marketing, or may include something more nefarious as to how you are actually managed by government and private companies.

SPEAKER_00 6:06

Yeah, so if if you were tracked buying alcohol and you're not supposed to have any alcohol for all smoking, and your insurance company would stop insuring you for that kind of thing, I suppose.

SPEAKER_01 6:15

Absolutely. And there are indications that health insurance companies and providers have great interest in behavioral information about their subscribers and about their policy holders. And again, that is of great concern.

SPEAKER_00 6:28

Yeah, it's all that data is just sitting there ripe for the uh for the hacking or something.

SPEAKER_01 6:32

It is, and that's one of the concerns, as we've seen with you know several of the major banks, with major organizations, telecoms, that just because you do everything right, if somebody else, a third party, is holding your data and they make a mistake or they compromise that information, you're the one ultimately who pays, either through scams, fraud, identity theft, or uh damage to your credit score or other livelihoods.

SPEAKER_00 6:57

Uh in your article in the conversation, you use the term intelligence as a service. Now we we often hear the term of uh software as a service and that kind of thing. But what does intelligence as a service mean in plain language and why should everybody care about that?

SPEAKER_01 7:10

Well, originally, the you know, government agencies were the primarily the uh intelligence collectors. They were the ones that processed and analyzed it and then produced products for internal consumption and for consumption by law enforcement and intelligence and defense agencies. Well, over the years, the infrastructure became very expensive. Technology development was largely in the hands with the Silicon Valley crew and other entrepreneurs, and they started seeing value in developing advanced technologies which could collect all kinds of intelligence. Well, small to medium businesses and even government agencies recognized that it was cheaper for them to lease the capability rather than it was internally or organically to develop it on their own. Imagine installing a network of cameras to track vehicle license plates. Well, yes, the government theoretically could do that if they were within the confines of their constitutional controls or privacy laws, but it was much easier just to contract out for a company who not only invested in development of that product, but also could deploy them at a much cheaper rate than a government entity could. So we started to see basically companies uh soliciting for different kinds of intelligence collection and then incorporating that intelligence product into their day-to-day activities. And that really became intelligence as a service. It's a leased capability. And obviously, there are some benefits to the government to lease those capabilities because they're under such tight controls about collecting on their own citizens. If they outsource it, they can circumvent a lot of those controls.

SPEAKER_00 8:49

With governments having access to uh private company data that's been collected instead of building their own surveillance systems, does that create new privacy risks and legal gray areas?

SPEAKER_01 8:59

It absolutely does. We just saw that Palantir just completed a contract with the Australian government as an example. Now, they don't necessarily provide intelligence, but they do provide database access and a lot of different feeds, which allows an analyst to actually look at data across a broad spectrum of ingested data sources. What that allows then is for that analyst to target specific individuals. And they may have inadvertent or peripheral collection, which may not be intended, but they didn't collect the data, so they were not necessarily under the same constraints. They may go through what's called a minimization process where they can eliminate non-targeted individuals. But as we've seen historically, that doesn't always work. Just because you associate with someone who may be a money launderer or maybe a criminal, even if you're not aware, you will get caught in part of that network of analysis, social network analysis, where you've had contacts with that individual that can then damage your reputation or potentially lead to you being interviewed or searched for information about that individual.

SPEAKER_00 10:10

So a guilty by association.

SPEAKER_01 10:12

Absolutely. And you know, Palantir, Clearview AI, analyst notebook, recorded future, there are such powerful intelligence products that their mass amount of data that they have access to and their ability, especially now with the integration of AI, to look for non-obvious relationships really creates a huge potential intelligence targeting database for law enforcement and intelligence to use.

SPEAKER_00 10:38

It is amazing. I don't think people really understand how much data companies uh already hold about our movements and behavior.

SPEAKER_01 10:45

Well, it's funny because I hear from a lot of folks how they're very concerned about what the government knows about them. The reality is it's not the government. No, it's all these private companies, what we call data aggregators, who buy up utility information, uh, mortgage information, vehicle information, educational data, anything that is a public record that they can then aggregate and then merge together into an entire profile is a really useful piece of information for an intelligence agency or law enforcement to use to their benefit.

SPEAKER_00 11:19

Little line surveillance capitalism for that.

SPEAKER_01 11:22

Absolutely. And because you know, our data has value. And every time we do anything, we buy a TV show or a movie online, we go to see a movie, we buy something, we go to dinner, all of that data has value to private companies for marketing a targeted advertisement, but also as a behavioral analysis on who we are, what we do, where we go, why we are there, things of that nature.

SPEAKER_00 11:48

Yeah, and how much money we spent. Yeah, everything. Um so if this trend continues as we say this surveillance as a service, what safeguards should be in place here to protect our privacy and democratic oversight?

SPEAKER_01 12:00

Well, I my personal belief is that the private companies who are collecting this data need to be held to the same rigorous and controlled standards that the governments are. The privacy act should apply. There should be the ability of individuals whose data has been collected to opt out, to have that data removed, uh, similar to the right to be forgotten that we've seen in Europe and the general GDPR uh statutes about privacy and control of data. We should have the right not to have someone else benefit or profit from the data that we create and inadvertently share.

SPEAKER_00 12:36

So, what advice do you give the normal person who might have a ring camera or in life in general as a cybersecurity expert? What do you recommend? What should we do?

SPEAKER_01 12:45

You know, first thing is be aware. Um, you don't necessarily have to give away information just because someone asks for it. Uh, you have the right to purchase products without giving away your phone number, without giving away personal details. You have the right to understand fully how they're using your data, what data they're collecting, where it's stored, how it's stored, and for how long. And you should also understand that you have the right to opt out of collection, to have your data removed if you find out that individuals have been collecting your information either with or without your permission. I also advise people to avoid identity theft or fraud is to put credit bans on so that your your credit cannot be stolen, and to monitor very carefully any purchases that you make, monitor phone calls, monitor any information that you give out on social media as well. You don't necessarily have to be completely honest and truthful about your biographical details that you put out on social media because that's the kind of information that when associated with your images, when associated with other things that you do, such as purchase history, that can be used to your detriment.

SPEAKER_00 13:59

The one thing that I try not to do, but I end up doing it all the time, is uh clicking the little button that says, Do you want 10% off? And so all I have to do is supply my email and then I'm good. But then I get this annoying uh level of newsletters every year. Exactly. But exactly also my data is collected somewhere and used somewhere for something else.

SPEAKER_01 14:15

Well, in that case, it's rarely it's really useful to have throwaway emails. Just take a temporary email that you can use for those what we call career spammers and give them that email that you can just throw away at any given time and then create a new one.