Ring, the smart home device startup Amazon acquired for $1 billion in March 2018, reportedly has a security problem: Some of its employees were given unfettered access to footage from customers’ security cameras.

The Intercept, citing an anonymous source, today reported that beginning in 2016, Ring provided its Ukraine-based research and development division — Ring Labs — access to a folder on Amazon’s S3 cloud storage service containing every video recorded by every Ring camera around the world. Moreover, it says that team members were provided a database linking each video to corresponding Ring customers.

Downloading the files wouldn’t have required more than a few clicks, the publication notes — they weren’t encrypted, reportedly because Ring leadership believed it would be too costly and would rule out future revenue opportunities.

News of Ring’s lax security practices emerged late last year, but The Intercept’s report pulls back the curtain on specific lapses. It comes roughly three months after it was revealed that IBM secretly collaborated with the New York City Police Department to develop a camera system that could search for people by skin color and gender, and six months after the American Civil Liberties Union found that Amazon helped law enforcement in Florida and Oregon to test its facial detection services.

Ring Labs staff was tasked with manually tagging and labeling objects to build databases that could be used to improve Ring’s computer vision algorithms. A second source told The Intercept that recorded videos came from both in-home and exterior Ring cameras, and that some of the frames employees annotated showed “people kissing, firing guns, and stealing.”

Ring’s privacy terms of service and privacy policy make no mention of manual video labeling, noting only that owners “may choose to use additional functionality in … Ring product[s] that, through video data from your device, can recognize facial characteristics of familiar visitors.”

The reported reason for the annotation was to make more robust Ring’s object detection and facial recognition software. According to a recent report in The Information, its cameras’ Neighbors feature, which Ring advertises as a distributed surveillance platform that can detect attempted burglaries and distinguish between familiar and unfamiliar people, frequently reports false positives.

Additionally, The Intercept says, Ring liberally provided U.S.-based executives and engineers access to its support video portal, allowing them to view live footage from cameras “regardless of whether they needed access to … do their jobs.” With no more than an email address, these employees could pull up feeds from any customer.

The Intercept’s source claims that they never witnessed Ring staff abusing the feature, but recalled occasions when engineers “‘[teased] each other about who they brought home'” after dates.

According to The Intercept, Ring reigned in access to live and recorded video footage following its acquisition by Amazon. But sources told the publication that staffers in Ukraine sometimes work around the restrictions.

In a statement provided to VentureBeat, a Ring spokeperson denied that employees had ever been provided employees access to live streams of Ring devices. Here’s Ring’s response in full:

“We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring video recordings. These recordings are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes. Ring employees do not have access to livestreams from Ring products.

We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.”

Updated at 8:10 p.m. Pacific: Added a statement from a Ring spokesperson.