Ring's app caught spying on users, sharing data with third-parties

Posted in General Discussion, edited January 2020
Amazon's Ring for Android app is loaded with third-party trackers harvesting a "plethora" of customer data, a new investigation claims -- and an Amazon engineer for the product wants it completely shut down.




The Electronic Frontier Foundation has discovered that third-party tracking software within the Ring doorbell app is sending customer data to four analytics and marketing companies, including Facebook, Google, MixPanel and AppsFlyer. That data includes personally identifiable information such as names and private IP addresses.

Facebook, for example, is alerted when users open the Ring app, as well as when they perform certain device actions. Mobile analytics company AppsFlyer is sent a similar mix of data, but also receives information collected from a device's sensors including its gyroscope and magnetometer. The information sent to MixPanel, another data analytics firm, includes a user's full name, email address, device data and app settings.

While Ring also sends data to Google's Crashlytics service, the EFF wasn't able to determine the extent of the sharing in the report published on Tuesday.

The EFF points out that even small bits of user data can be combined by tracking firms to create a larger picture of a user's digital habits. That "fingerprint" could allow third-party companies to surveil what users are doing across various apps and devices.

Importantly, the nonprofit group claims that this tracking is taking place without a user's knowledge, consent or ability to disable it.

The data collected is sent over encrypted HTTPS and is delivered in a way that eludes analysis, the EFF said. The investigation's methodology included observing that data flow via man-in-the-middle techniques, a tactic often used by hackers to intercept internet traffic.

Since the EFF investigation focused on Ring's Android app, it isn't clear whether the iOS version has similar privacy risks. Apple's App Store Review Guidelines do include provisions that protect users from many data collection practices, however.

In light of the potential for abuse and other privacy risks, at least one Amazon engineer is calling for the smart doorbell company to be shut down.

"The deployment of connected home security cameras that allow footage to be queried centrally are simply not compatible with a free society. The privacy issues are not fixable with regulation and there is no balance that can be struck," said Max Eliaser in a Medium post. "Ring should be shut down immediately and not brought back."

Repeat offender

This isn't the first time Ring has been in the spotlight for alleged privacy blunders.

In 2019, The Intercept reported that both engineers and executives at Ring had "highly privileged access" to live feeds from customer cameras. And earlier this month, Ring fired four employees who had allegedly abused that access to spy on customers.

Privacy advocates have also raised concerns about Ring's links to law enforcement, as well as the potential implementation of facial recognition in a platform already beset by surveillance and privacy controversies.

Ring's response

Following publication of this story, a Ring spokesperson reached out to AppleInsider.

"Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing," Ring said. "Ring ensures that service providers' use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes."

Comments

  • Reply 1 of 29
    Yikes, here we go again. My parents have these and admin them on Android phones. Tried to get me some for Xmas, I took a hard pass, specifically for this reason. 
    I do want some security cams for my home, but won’t install until I do enough research to put together a proper closed circuit system that doesn’t rely on 3rd party cloud monitoring. 
    These are our homes we’re talking about, I don’t get how people just turn their privacy over so easily. I guess the convenience outweighs the risk?
    edited January 2020
  • Reply 2 of 29
    And this is why I laughed when I saw Ring’s new commercial for smart home security systems, fire alarms, leak detectors, etc. This company/brand cannot be trusted to protect the consumer, no way am I allowing them into my house with more products. 
  • Reply 3 of 29
    mjtomlin Posts: 2,573 member
    Just wait until we start getting these kind of reports on Echo and other Alexa enabled devices.

    Although in all fairness (if that can be applied), it was the app and not the device. Even though I would assume the app has access to the devices.
    edited January 2020
  • Reply 4 of 29
    JinTech Posts: 923 member
    Is it time for Apple to get into this market just so we can have safe and secure doorbell cameras?
  • Reply 5 of 29
    Today’s news: “Ring spying on users” headline. Checks calendar: Yes, it’s Tuesday. Ok headline, see you again next week.
  • Reply 6 of 29
    mike1 Posts: 3,024 member
    Just for clarity, it sounds like the iOS app doesn't allow this type of data to be shared. True?
  • Reply 7 of 29
    Mike Wuerthele Posts: 6,516 administrator
    mike1 said:
    Just for clarity, it sounds like the iOS app doesn't allow this type of data to be shared. True?
    Unclear. We're trying to find out.
  • Reply 8 of 29
    gatorguy Posts: 23,424 member
    I dumped Ring some time back for precisely the reason that they shared video and other personally-connected information with 3rd parties. That's been known for months. The EFF has since determined more specifics on the data sharing.

    I've since moved to Nest, and yes I'm 100% confident that all personal data remains firmly under Google control and is not shared. 
    BTW the sharing with Google would not appear to be anything beyond the typical Firebase crash reports, meant for discovering app stability issues and identifying problems that lead to an app crash. Developers here would be familiar with what is shared with Google Crashlytics but I doubt there is any personal data involved.
    https://firebase.google.com/products/crashlytics

    Regarding Facebook I don't know what service they would be providing Ring so why anything would be sent their way is a mystery. Perhaps Facebook pays for marketing data from Ring? Dunno. 
    edited January 2020
  • Reply 9 of 29
    mystigo Posts: 151 member
    My company obsesses over privacy issues. We do annual code audits, we do regular mandatory individual and group training, we consider it at every step of the development process. How is it people at these companies just don't seem to care? Not even slightly. The only effort they make is to encrypt the data they should not be taking in the first place. That could be interpreted as an attempt to hide what they are doing. It probably isn't, but it does seem like a possibility.
  • Reply 10 of 29
    Yikes, here we go again. My parents have these and admin them on Android phones. Tried to get me some for Xmas, I took a hard pass, specifically for this reason. 
    I do want some security cams for my home, but won’t install until I do enough research to put together a proper closed circuit system that doesn’t rely on 3rd party cloud monitoring. 
    These are our homes we’re talking about, I don’t get how people just turn their privacy over so easily. I guess the convenience outweighs the risk?
    1 Word - FaceCrook!
  • Reply 11 of 29
    gatorguy Posts: 23,424 member
    mike1 said:
    Just for clarity, it sounds like the iOS app doesn't allow this type of data to be shared. True?
    Unclear. We're trying to find out.
    I would pretty much guarantee that some app data is being shared with Google Crashlytics also. It's for the app stability.
  • Reply 12 of 29
    It’s not a blunder, it’s a feature.

    Makes you wonder what other data Amazon collects. Many of Amazon’s tablets are in the hands of kids, and the browser sends everything through an Amazon proxy server...
  • Reply 13 of 29
    apple ][ Posts: 9,233 member
    That's hilarious. :D

    At a certain point, people are responsible for their own decisions and if people choose to continue to use shady products, then they obviously don't care about their privacy, and I don't care about their privacy either.
  • Reply 14 of 29
    M68000 Posts: 486 member
    apple ][ said:
    That's hilarious. :D

    At a certain point, people are responsible for their own decisions and if people choose to continue to use shady products, then they obviously don't care about their privacy, and I don't care about their privacy either.
    Not sure it’s hilarious if the buyer has no idea this is going on. What would be hilarious is the company making the product gets shut down or pays a huge settlement in damages.
  • Reply 15 of 29
    ktappe Posts: 808 member
    mike1 said:
    Just for clarity, it sounds like the iOS app doesn't allow this type of data to be shared. True?
    Unclear. We're trying to find out.
    Apple doesn't allow this type of data to be accessed without user knowledge. Personal user data, contacts, locations, etc. are all sandboxed by Apple so even if a bad app like this leaks thru their review process, it still can't sneakily get the info that it could on an Android.
  • Reply 16 of 29
    mystigo said:
    My company obsesses over privacy issues. We do annual code audits, we do regular mandatory individual and group training, we consider it at every step of the development process. How is it people at these companies just don't seem to care? Not even slightly. The only effort they make is to encrypt the data they should not be taking in the first place. That could be interpreted as an attempt to hide what they are doing. It probably isn't, but it does seem like a possibility.
    It’s this way by design. I don’t think this is overlooked by any means. Wall Street has made Data an extremely valuable commodity, it’s here to stay that’s for sure. 
  • Reply 17 of 29
    gatorguy Posts: 23,424 member
    ktappe said:
    mike1 said:
    Just for clarity, it sounds like the iOS app doesn't allow this type of data to be shared. True?
    Unclear. We're trying to find out.
    Apple doesn't allow this type of data to be accessed without user knowledge. 
    Neither does Android 10. 

    As for sandboxing that's long been part of Android security. It's not a unique iOS thing. 
    edited January 2020
  • Reply 18 of 29
    What else is new. 

    The public’s sentiment has significantly shifted on this issue. Attention to privacy is why Apple has the valuation that it does. 
  • Reply 19 of 29
    prokip Posts: 172 member
    Tried August, but was not going to pay a regular rent check to some company to keep my private video data on their servers.  I will certainly not trust Google (are you kidding me) Amazon or anyone else with my private info.

    This is my solution.  It's a bit more expensive up front, built out of solid metal, with a great lens and lots of features, by one of the early leaders in IP cameras, is infinitely configurable and works with MY server.

    https://www.axis.com/en-au/products/axis-a8105-e
  • Reply 20 of 29
    dewme Posts: 4,401 member
    This is very troubling and disappointing. Ring has the potential to be a very low cost and effective alternative to the long established home security companies like ADT who have been milking their customers with cable TV like abandon, to the tune of 10X higher yearly costs versus Ring. There’s no logical nor business reason why Amazon should allow their Ring investment to fail when they have the vast Amazon human and capital resources and massive connected infrastructure at their disposal. Amazon could make Ring the best in class and crush the competition without breaking a sweat. 

    The types of privacy breaches being alleged against Ring/Amazon in this story are totally amateurish and chickenshit level embarrassments that are totally unbecoming of an industry leader like Amazon. If Jeff Bezos can’t keep his whole ship tidy and held to the high standards expected from a company that customers entrust with their personal and home security he should put someone else in charge and step aside. Based on recent events Jeff Bezos must completely understand the negative impacts that privacy violations have on someone’s sense of self determination and wellbeing. So why is he allowing one of his subsidiaries to engage in activities that may subject his so-called “valued customers” to the same kind of embarrassment and personal violation that he has suffered from? 

    Not cool from any perspective. Amazon needs to get its act together on this immediately. 
