Ring's app caught spying on users, sharing data with third-parties
Amazon's Ring for Android app is loaded with third-party trackers harvesting a "plethora" of customer data, a new investigation claims -- and an Amazon engineer for the product wants it completely shut down.
The Electronic Frontier Foundation has discovered that third-party tracking software within the Ring doorbell app is sending customer data to four analytics and marketing companies, including Facebook, Google, MixPanel and AppsFlyer. That data includes personally identifiable information such as names and private IP addresses.
Facebook, for example, is alerted when users open the Ring app, as well as when they perform certain device actions. Mobile analytics company AppsFlyer is sent a similar mix of data, but also receives information collected from a device's sensors including its gyroscope and magnetometer. The information sent to MixPanel, another data analytics firm, includes a user's full name, email address, device data and app settings.
While Ring also sends data to Google's Crashalytics service, the EFF wasn't able to determine the extent of the sharing in the report published on Tuesday.
The EFF points out that even small bits of user data can be combined by tracking firms to create a larger picture of a user's digital habits. That "fingerprint" could allow third-party companies to surveil what users are doing across various apps and devices.
Importantly, the nonprofit group claims that this tracking is taking place without a user's knowledge, consent or ability to disable it.
The data collected is sent over encrypted HTTPS and is delivered in a way that eludes analysis, the EFF said. The investigation's methodology included observing that data flow via man-in-the-middle techniques, a tactic often used by hackers to intercept internet traffic.
Since the EFF investigation focused on Ring's Android app, it isn't clear whether the iOS version has similar privacy risks. Apple's App Store Review Guidelines do include provisions that protect users from many data collection practices, however.
In light of the potential for abuse and other privacy risks, at least one Amazon engineer is calling for the smart doorbell company to be shut down.
"The deployment of connected home security cameras that allow footage to be queried centrally are simply not compatible with a free society. The privacy issues are not fixable with regulation and there is no balance that can be struck," said Max Eliaser in a Medium post. "Ring should be shut down immediately and not brought back."
In 2019, The Intercept reported that both engineers and executives at Ring had "highly privileged access" to live feeds from customer cameras. And earlier this month, Ring fired four employees who had allegedly abused that access to spy on customers.
Privacy advocates have also raised concerns about Ring's links to law enforcement, as well as the potential implementation of facial recognition in a platform already beset by surveillance and privacy controversies.
"Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing," Ring said. "Ring ensures that service providers' use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes."
The Electronic Frontier Foundation has discovered that third-party tracking software within the Ring doorbell app is sending customer data to four analytics and marketing companies, including Facebook, Google, MixPanel and AppsFlyer. That data includes personally identifiable information such as names and private IP addresses.
Facebook, for example, is alerted when users open the Ring app, as well as when they perform certain device actions. Mobile analytics company AppsFlyer is sent a similar mix of data, but also receives information collected from a device's sensors including its gyroscope and magnetometer. The information sent to MixPanel, another data analytics firm, includes a user's full name, email address, device data and app settings.
While Ring also sends data to Google's Crashalytics service, the EFF wasn't able to determine the extent of the sharing in the report published on Tuesday.
The EFF points out that even small bits of user data can be combined by tracking firms to create a larger picture of a user's digital habits. That "fingerprint" could allow third-party companies to surveil what users are doing across various apps and devices.
Importantly, the nonprofit group claims that this tracking is taking place without a user's knowledge, consent or ability to disable it.
The data collected is sent over encrypted HTTPS and is delivered in a way that eludes analysis, the EFF said. The investigation's methodology included observing that data flow via man-in-the-middle techniques, a tactic often used by hackers to intercept internet traffic.
Since the EFF investigation focused on Ring's Android app, it isn't clear whether the iOS version has similar privacy risks. Apple's App Store Review Guidelines do include provisions that protect users from many data collection practices, however.
In light of the potential for abuse and other privacy risks, at least one Amazon engineer is calling for the smart doorbell company to be shut down.
"The deployment of connected home security cameras that allow footage to be queried centrally are simply not compatible with a free society. The privacy issues are not fixable with regulation and there is no balance that can be struck," said Max Eliaser in a Medium post. "Ring should be shut down immediately and not brought back."
Repeat offender
This isn't the first time Ring has been in the spotlight for alleged privacy blunders.In 2019, The Intercept reported that both engineers and executives at Ring had "highly privileged access" to live feeds from customer cameras. And earlier this month, Ring fired four employees who had allegedly abused that access to spy on customers.
Privacy advocates have also raised concerns about Ring's links to law enforcement, as well as the potential implementation of facial recognition in a platform already beset by surveillance and privacy controversies.
Ring's response
Following publication of this story, a Ring spokesperson reached out to AppleInsider"Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing," Ring said. "Ring ensures that service providers' use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes."
Comments
Although in all fairness (if that can be applied), it was the app and not the device. Even though I would assume the app has access to the devices.
I've since moved to Nest, and yes I'm 100% confident that all personal data remains firmly under Google control and is not shared.
BTW the sharing with Google would not appear to be anything beyond the typical Firebase crash reports. meant for discovering app stability issues and identifying problems that lead to an app crash. Developers here would be familiar with what is shared with Google Crashlytics but I doubt there is any personal data involved.
https://firebase.google.com/products/crashlytics
Regarding Facebook I don't know what service they would be providing Ring so why anything would be sent their way is a mystery. Perhaps Facebook pays for marketing data from Ring? Dunno.
Makes you wonder what other data Amazon collects. Many of Amazons tablets are in the hands of kids, and the browser sends everything through an Amazon proxy server...
At a certain point, people are responsible for their own decisions and if people choose to continue to use shady products, then they obviously don't care about their privacy, and I don't care about their privacy either.
As for sandboxing that's long been part of Android security. It's not a unique iOS thing.
This is my solution. It's a bit more expensive up front, built out of solid metal, with a great lens and lots of features, by one of the early leaders in IP cameras, is infinitely configurable and works with MY server.
https://www.axis.com/en-au/products/axis-a8105-e