Arlo
Support

MarkLeSage42 · ‎2018-10-21

Hi there, Mark here.

Background and disclaimer: I currently work on GDPR regulation for my clients.

With all the recent data breaches and misuses of private information, I would need to know how Arlo/Netgear ensures that video footage stored in the cloud (likely Amazon S3 - US zone) is not improperly accessed by either support staff or third parties. That question can be extended to all the data (metadata) also stored in the magical "cloud".

I just learned that foreign governments groomed Twitter employees to spy on citizens abroad ... and attempt to kidnap/jail them later on (this is not fake news). If you remember, a couple years ago, a Google engineer was fired for stalking users conversations on Hangouts/Chats and later on stalking them *physically*. Just a couple months ago GoDaddy leaked large amounts of private, sensitive data due to poor Amazon S3 bucket configuration... and I could go on for hours like this 🙂

So my point is, beyond encrypting data in transit with good old SSL like any other decent service out there, how do you guys prevent data from being accessed by someone ELSE than the user/account owner?

I'm more specifically looking at protection of videos at rest, privileged/temporary access management, encryption key management, auditing, etc. What makes you different than others?

I believe Arlo/Netgear, having already a vast experience on the security subject as a company, should have something pertinent to say... since we're looking at security systems here 🙂

Thanks!

JamesC · ‎2018-10-22

MarkLeSage42,

Take a look here for our GDPR and privacy information: GDPR and Privacy

JamesC

MarkLeSage42 · ‎2018-10-23

Hi James,

Thanks for your quick reply! I reviewed this document (legalese is not easy to digest for most people!) and also reviewed your updated privacy policy, but everything sounds very vague. I dont understand how you protect our data. In fact the 2 documents look more like a declaration of intent than a description of the security controls in place to actually prevent misuses and abuses of your products containing private, sensitive information.

Paragraph 9 states "We maintain administrative, technical and physical safeguards to protect Personal Information against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Information in our possession."

This is a typical boilerplate legal clause, and pretty much every major (bigger) company that has suffered a serious breach had the same. So I think the question remains unanswered: in simple technical terms, how do you ensure that the same admin privilege abuse that happened at Twitter or Google in the past does not happen with our sensitive footage? How do you make sure that when you get breached footage of your customers cannot be accessed?

We agree that protecting account passwords is nowhere near the state of the art of security 🙂 Since Arlo is marketed as a security system I would like to understand how it is secure.

Maybe you periodically execute third party security verifications (penetration tests, vulnerability scans)? Maybe you have implemented an industry-standard security framework such as ISO 27001?

I'm sure you already have controls in place, but current documentation fails to describe it, so we're ... in the dark. Not great for a security solution.

Mark

JamesC · ‎2018-10-23

MarkLeSage42,

If you'd like more information on this, please reach out here for more info: privacy.policy@arlo.com

JamesC

Who's accessing my Arlo footage in the cloud?

Arlo
Support

Arlo App
for Support

Who's accessing my Arlo footage in the cloud?

Arlo Support

Arlo App for Support

Arlo
Support

Arlo App
for Support