Ring, the home security company owned by Amazon, promises to watch the world around you and keep your property safe. But the doorbell app is also surveilling its users, sending personally identifiable information out to third-party vendors, according to a new report from the Electronic Frontier Foundation (EFF), the San Francisco civil liberties nonprofit.
Bill Budington, the senior staff technologist who wrote the report, tested the Ring for Android version 3.21.1 app and found it was sharing data such as users private IP addresses, full names, email address, information about whether bluetooth is enabled and even sensor data from the device being used to access the app.
Budington identified four main companies receiving this information, including Branch, which calls itself a “deep linking” platform (meaning it takes people to specific web pages or products). Facebook also received information such as a person's time zone and was alerted when the app was opened. AppsFlyer, a big data firm, received information such as when users engage with the Neighbors section of the app, as well as what marketplace the app you installed is from and when it was first launched. Mixpanel, a business analytics company that tracks user engagement with apps, received the most identifiable data including the number of locations where a user has Ring devices installed, and user names and emails.
Analytics companies take these discrete forms of data and combine them with other internet user data to create a cohesive picture of device usage.
"This increases the risk of exposure, since Ring hasn't vetted for the security of these trackers," says Budington. "It also means that unaccountable marketers have access to customer data, and can follow their actions around as they use their mobile devices. It was revealed that a few Ring employees were fired for directly spying on customers and, again, these trackers, whose business model is to follow users, are not subject to the same level of scrutiny."
This is the most recent in a long line of revelations involving Ring. For example, it partnered with more 400 police departments in sharing device images, accidentally exposed the data of more than 3,000 users including login details and names of Ring devices (which are often labeled with terms like “bedroom”), and created neighborhood-wide panopticons in which neighbors are surveilling neighbors and paying for the privilege to do so.
Decentralization may provide one option when it come to alternative models that are less exploitative of user data.
"It's possible to envision a privacy-centric marketing technique that allows users to have targeted ads without a big, centralized database of users information," says Budington. "The Brave browser has experimented with providing these ads via a locally stored database so that you own that data and can clear it when you like. One thing we can be sure of is that the tracking industry isn't interested in these solutions so long as [it] can make big money out of slurping up as much data as [it] can."
UPDATE (Jan. 31, 16:21 UTC): This post has been updated to include comments from the author of the report.
UPDATE (Jan. 31, 18:5 UTC): This post has been updated to specify the IP addresses shared were private IP addresses.