On
Wednesday, December 4, eight-year-old Alyssa LeMay heard the sound of Tiny Tim
singing "Tiptoe Through the Tulips" coming from her bedroom upstairs
in her home in Mississippi. As she
walked into the room, the music stopped and she heard a voice say, "Hello
there." As she looked around the
room to see where the voice was coming from, it called her a racial slur which was
neither acceptable nor accurate, claimed that it was the voice of Santa Claus, and
told her to start misbehaving by, for example, breaking her TV.
Having
more sense than to listen to such temptations, she went downstairs and told her
father, "Someone's being weird upstairs." He discovered that a Ring security camera
that the family had bought during a Black Friday after-Thanksgiving sale had
been taken over by someone who obviously wasn't supposed to be able to do
that.
The
LeMays eventually contacted the Washington Post, whose story on the episode was republished
widely. When the LeMays called Ring to
complain, they were told basically that the breach was their fault. Ring determined that the bad actor had
obtained the LeMay's username and password from another site and used them to
hack into Alyssa's bedroom. Ring
castigated the LeMays for not using the two-step authorization method that Ring
recommends. In a statement published on
Ring's website, the company said "we have investigated this incident and have no
evidence of an unauthorized intrusion or compromise of Ring’s systems or
network."
Let's step back a moment
and parse that statement. What Ring
means by unauthorized, and what the LeMays mean by unauthorized, appear to be
two different things. Only an authority,
an entity or person capable of authorizing someone, can really authorize an intrusion
or compromise. For that matter, saying
"unauthorized intrusion" is like saying "impermissible
burglary." I'm not aware of any
kind of burglary that is permissible, or an intrusion that is
authorized. But the point is that the
LeMays were by any reasonable standard, the only people who are logically
empowered to authorize access to the camera, microphone, and speaker in their daughter
Alyssa's bedroom. They did not authorize
the criminal who gained access to the Ring device, and therefore, by this
reasonable, common-sense definition of "authorized," there was
unauthorized access.
Now look at it from Ring's
point of view, which by implication is Amazon's point of view, as Amazon owns
Ring. Think like a software lawyer for a
minute. When we sell a product to a
consumer, we have to make sure that the consumer has enough information to
avoid problems with the product. We as
lawyers observe the legal fiction that every one of our customers always reads all
the fine print and boilerplate that comes with all our products, including the
stuff about installing two-step verification for passwords, using strong
passwords, and so on. If we actually
made the product so that it wouldn't work unless the user really took all these
complicated measures, very few people except computer nerds and lawyers would
buy it, so we make it so it will work even if you leave your username as
"1234" and your password as "password." But if the user is so negligent, stupid,
(fill in your favorite lawyerly pejorative adjective here) as to not take the
recommended precautions, well, too bad.
We've done our lawyerly job, and if anything goes wrong it's on the
consumer's head. To us, "unauthorized"
means that somebody hacked into our system and was able to access a
device that even the most computer-savvy consumer installed with all the
security bells and whistles. And that
didn't happen here, so we are blameless.
Legally speaking.
There is a progression in the safety and
security of innovative technologies that often follows a well-known
pattern. At first, a new technology
requires the users to learn lots of detailed precautions that must be followed
to avoid injury or other types of harm. But
as the technology becomes more widespread and lesser-trained people use it, the
harms that can come from uneducated users sometimes happen more often, so often
that the very existence and continued use of the technology is threatened. Only then will the technology's designers
step back and ask themselves, "How can we make this really foolproof, so
that someone who knows next to nothing about it can nevertheless use it
safely?" At that point, engineers
begin to design safety into the technology itself. It may cost a little more, but the
improvement in safety when used by untrained personnel is usually worth it.
This pattern happened with railroading, it
happened with automobiles, and in some ways it's happened with computer and
information technology. But not nearly
enough, as Alyssa's story shows. In
consumer electronics, where ease of use and cheapness are two paramount
requirements, security often becomes an afterthought. A non-technically-trained user who simply
wants to be able to check on his or her daughter with a camera should not be
expected to do anything that isn't strictly necessary to set up the
system. The two-step verification
security precaution obviously wasn't necessary for the camera to work, so the
LeMays didn't do it. And by reusing
passwords—an unfortunate but understandable practice in these days of seventeen
gazillion passwords that all our devices and services demand of us—they created
a situation in which some hacker stole their credentials and used them to
access the Ring device in Alyssa's room.
Ring wants their consumers to be safe people—people
who don't reuse passwords and who read enough of the fine print in the online instructions
to go the extra mile and install extra, though non-necessary, security
precautions. But people, by and large,
want safe systems—systems that simply will not work unless they are set up with
sufficient security to begin with. And
history shows that the systems and technologies that survive beyond a highly
trained niche market are usually safe systems—systems that anybody off the
street can get running with a minimum of effort without running the risk of
endangering himself, herself, or one's family members.
Sources: The Austin American-Statesman carried
the Washington Post's article "Camera in child's room hacked, 8-year-old
harassed" on pp. E3-E4 of their Dec. 15, 2019 edition. The statement from Ring concerning this incident
can be found at https://blog.ring.com/2019/12/12/rings-services-have-not-been-compromised-heres-what-you-need-to-know/.
No comments:
Post a Comment