Senior Associate Matthew Evans writes on how the rapidly growing use of smart doorbells in UK homes may lead to potential breaches of data protection regulations.
Matthew’s article was published in Police Professional.
Amazon has a long history of innovation. Between 2019 and 2021, the world’s largest internet retailer secured 17 innovative patents for bio-metric surveillance capabilities, which are reported to include facial recognition, gait analysis, and possibly even smell signatures. These patents relate to Ring, the video doorbell business which Amazon acquired for one billion dollars in 2018.
As residential surveillance continues to proliferate, more than one in five UK households now have installed a smart, camera-enabled doorbell. But concerns are mounting over the collection, use, and privacy of the diverse data harvested by these devices with an increasing number of disputes between neighbours over smart doorbells ending up in court.
Ring’s mission is to reduce crime in neighbourhoods by creating what it labels as “a Ring of Security” around homes and communities with its suite of home security products. Centred on affordable home and neighbourhood security, the Ring door- bell camera and related products enable audio and visual footage of activity on users’ property to be collected.
Surveillance technologies can be interconnected, allowing information to be shared or linked easily. In this way, audio and visual footage can be stored by subscribers to Ring Project. Understandably, this gives residents peace of mind and a sense of security. But as is invariably the case with such technology, there is always the risk of mission creep or, as it should be known in tech circles, ‘permission creep’.
Having secured patents in the US for doorbell camera technology relating to the use of biometric surveillance capability for potential use in the Ring suite of products, Amazon stated that “patents filed or granted do not necessarily reflect products and services that are in development”. They key words here are “not necessarily’ – much more nuanced than a flat denial.
So, what about the patents’ potential capability to collect and analyse an individual’s biometric qualities: enabling facial recognition, gait analysis and, reportedly, smell signature? Amazon’s justification for deployment of this technology would rely upon users’ security and peace of mind.
But UK users face a risk of privacy breaches stemming from their collection of video footage. Meanwhile, improper usage of these devices in home security opens up a legal can of worms in relation to data privacy.
These users would have to be made aware that by processing such personal data, including special category data, they (not Amazon/Ring) may be breaching data protection regulation. Specifically, these would be breaches of The Data Protection Act 2018 and the UK General Data Protection Regulation (GDPR).
Central to determining whether a breach has occurred is how data is stored and handled after it has been collected. Ring only records and stores videos for Ring Protect subscribers. Videos can remain in their account for up to 180 days, although subscribers can adjust the storage period. After the storage period for their account expires, video recordings are automatically deleted.
In response to potential cyberattacks, Amazon and Ring have tightened up their data storage security over the past few years, which has in turn provided users with similar increased control. For example, video recordings in transit are secured and stored on secure Amazon Web Services (AWS) servers. Advanced Encryption Standard and Transport Layer Security is used to secure data between Ring devices and AWS.
Storage of this type of data is not usually a problem; the key issue is who can access it. Amazon/Ring now state that a user’s recordings
are only accessible in certain circumstances – for example, by the research and development department if prior consent has been given by the user.
For someone who believes that a neighbour may be using these systems to spy on them, there are potential remedies. The UK Information Commissioner’s Office (ICO) has issued guidance on the use of smart doorbells. Owners of such doorbells should try to position them away from their neighbours’ homes and gardens.
Inevitably, this can be difficult in practice. As was evident in the case of Fairhurst v Woodard, heard in October 2021, a user can be found to be in breach of data protection regulations and various torts, dependent on the circumstances of how the surveillance equipment operates. The judge ruled that security cameras and a Ring doorbell which were installed in a house in Oxfordshire “unjustifiably invaded” the privacy of a neighbour.
Buyers of surveillance technology need to be made aware of the risk. At the very least, multinational businesses such as Amazon/Ring should publish jurisdictional guidance on how to operate their products in order to avoid potential legal claims. In doing so, users should be made aware that data protection regulations can apply to the use of surveillance technology. Should Amazon proceed with the roll-out of the aforementioned ‘permission creep’ biometric functions, it will mean walking a legal tightrope.
If you believe that your neighbour is using their smart doorbell to record you, the ICO suggests that you take the following steps:
- Contact the person;
- Ask why they are using CCTV;
- Explain your concerns; and
- Ask to see what they are recording.
The ICO goes further, suggesting that you should follow government guidance if you have an ongoing dispute with your neighbour in relation to their smart doorbell. This guidance includes:
- Try to solve the problem informally by talking to them;
- If your neighbour is a tenant, you could contact their landlord;
- You could use a mediation service if raising the issue informally does not work; and
- Contact the police if your neighbour is breaking the law by being violent or harassing you.
A neighbour who has exhausted all of the above avenues may seek legal advice with a view to taking action through the courts. This would involve commencing proceedings in a similar manner to that found in Fairhurst v Woodard. But litigation is time-consuming, stressful and costly – if possible, it should be avoided.
Notably, Amazon has added end-to-end encryption in Ring. By restricting access to video and audio streams to specified devices and permitted users, this aims to keep personal data that has been captured secure against misuse by third parties.