Ring says your indoor camera has encryption, but it's turned off by default. If you turn it on, many important features stop working — like being able to tell the difference between a person and a pet, sharing video with family members, or viewing your camera on an Echo Show. Most people will never turn it on, which means Amazon can access your home video on their servers. Ring says police can't directly access your camera footage. But Amazon has already handed over indoor camera recordings to police without asking homeowners at least 11 times. They promised to stop, then quietly started sharing video again through different companies. Your bedroom camera footage could be shared with police without you ever knowing.
What they claim: Ring Indoor Cam is marketed as a simple home security camera for monitoring your home.
What we found: The Ring app (com.ringapp v3.99.1) requests 39 permissions including: ACCESS_BACKGROUND_LOCATION (tracking location even when app closed), READ_CONTACTS and WRITE_CONTACTS (access to entire contact list), READ_PHONE_STATE (phone identity and call status), CAMERA (phone camera access beyond the Ring device), RECORD_AUDIO, NFC, BLUETOOTH_PRIVILEGED, and CHANGE_WIFI_STATE. A security camera app should not need to read/write contacts or track background location.
What they claim: Ring markets the Indoor Cam 2nd Gen as giving users control over their home security with features like a physical privacy cover.
What we found: The device has NO local storage option and NO local API. All video is processed through Amazon cloud infrastructure (api.ring.com, fw.ring.com, es.ring.com, ps.ring.com, nw.ring.com, oauth.ring.com, app.ring.com, account.ring.com, ring.amazon.dev, app-gw.ring.com). The camera cannot function without an Amazon account and internet connection. The physical privacy cover only blocks the lens — it does not prevent the microphone from recording or the device from communicating with Amazon servers.
What they claim: Ring positions the Indoor Cam as a security device to protect families and homes.
What we found: Ring's Familiar Faces facial recognition feature (announced December 2025 rollout) scans visitors' faces without their consent. Amazon confirmed Ring's privacy protections apply only to device owners, not members of the public or household guests captured on camera. Combined with ACCESS_BACKGROUND_LOCATION permission and contact list access (READ_CONTACTS, WRITE_CONTACTS), the Indoor Cam creates a comprehensive surveillance profile of everyone in the home — not just intruders.
What they claim: Ring's privacy notice shifts legal responsibility for surveillance to users, stating 'You are solely responsible for ensuring that you comply with applicable law.'
What we found: Ring actively designs features that create surveillance capability (24/7 recording, cloud storage, law enforcement partnerships, facial recognition) and markets them as safety features, while disclaiming all legal responsibility for how that surveillance data is used. The FTC found Ring itself failed to comply with basic security requirements, yet the privacy notice puts the legal burden entirely on consumers who buy an indoor camera for their home.
What they claim: Ring markets the 2nd Gen Indoor Cam's physical privacy cover as giving users meaningful control over when they are recorded.
What we found: The privacy cover slides over the camera lens and microphone. However, the device remains connected to Amazon cloud infrastructure even with the cover closed — maintaining network connections to api.ring.com and other endpoints. Ring's privacy notice does not clarify what data (motion sensor, ambient audio, device telemetry, network information) continues to be transmitted when the cover is closed. The FTC settlement required Ring to delete improperly retained data, suggesting historical overcollection.
What they claim: Ring's privacy notice states it does not provide law enforcement agencies with 'direct access' to customer video and that users control their recordings.
What we found: Amazon admitted sharing Ring footage with police without owner consent at least 11 times in 2022 using an 'emergency request' process. After announcing in January 2024 it would stop police requests via the Neighbors app, Ring quietly reintroduced video sharing in July 2025 through partnerships with Axon (law enforcement tech) and Flock Safety (license plate readers). Indoor Cam footage from bedrooms and living rooms is subject to the same sharing mechanisms.
What they claim: Ring's privacy page claims the company protects customer privacy and implements appropriate security safeguards for video data.
What we found: FTC charged Ring LLC (2023-05-31) with giving employees and hundreds of Ukraine-based contractors unrestricted access to customer video feeds — including bedrooms, bathrooms, and cameras labelled 'Spy Cam'. One employee viewed thousands of videos from at least 81 female users over months. $5.8M settlement. The Indoor Cam specifically captures the most private domestic spaces.
What they claim: Ring's privacy notice describes limited data collection necessary for device operation.
What we found: EFF investigation (2020-01-27) found the Ring app sends customer PII to four analytics/marketing companies: Facebook (app open events, device actions), AppsFlyer (device sensor data — magnetometer, gyroscope, accelerometer), MixPanel (full names, email addresses, device info, Bluetooth status, number of Ring locations), and Google. Exodus Privacy confirms 2 trackers (Bugsnag, Google Firebase Analytics) embedded in the app. This undisclosed data sharing contradicts Ring's stated privacy practices.
What they claim: Ring Indoor Cam 2nd Gen is marketed as an affordable, simple security camera suitable for any room in the home.
What we found: The device operates on 2.4GHz Wi-Fi only (802.11 b/g/n) with no 5GHz support, using BLE for setup. It connects to 10+ Amazon cloud endpoints. Despite being positioned inside private domestic spaces (bedrooms, nurseries, living rooms), it has the same cloud-dependent architecture and law enforcement data sharing as Ring's outdoor products. There is no technical distinction in how indoor footage from private spaces is handled compared to outdoor footage of public areas.
What they claim: Ring markets end-to-end encryption (E2EE) as a key privacy feature of the Indoor Cam 2nd Gen, suggesting strong privacy protection for in-home video.
What we found: E2EE is NOT enabled by default. Enabling it disables person detection, Alexa Greetings, shared accounts, 24/7 recording, pre-roll video, video sharing, and Echo Show viewing. This creates a deliberate trade-off where users must sacrifice core functionality for privacy, ensuring most users leave encryption disabled and Amazon retains server-side access to video from inside people's homes.
What they claim: Ring device firmware should implement robust security to protect video streams from inside people's homes.
What we found: Mozilla/Cure53 penetration test (2022) found Ring devices vulnerable to Wi-Fi deauthentication attacks. Attackers can disconnect the camera from Wi-Fi using freely available tools, taking it offline so their activities go unrecorded. After reconnection, users receive no alert about the attack. Amazon was notified and waited 90+ days with no fix. CVE-2019-9483: Ring devices sent Wi-Fi credentials in plaintext during setup. CVE-2022-25809: Ring app exposed personal data and camera recordings via stolen authentication cookies.
What they claim: The Ring app requires BLUETOOTH_PRIVILEGED permission, which is a system-level permission normally reserved for pre-installed apps.
What we found: The Ring Indoor Cam 2nd Gen uses BLE only for initial device setup pairing. BLUETOOTH_PRIVILEGED grants elevated Bluetooth access beyond what is needed for BLE setup — it allows silently pairing with devices without user confirmation. Combined with CHANGE_WIFI_STATE and CHANGE_NETWORK_STATE, the app has the capability to modify network settings and Bluetooth connections without explicit user approval for each action.