Amazon's Ring line of home surveillance products has come under intense scrutiny in recent months following a seemingly endless litany of worrying revelations about Ring's police partnerships, account security, vulnerabilities, employee snooping, and sharing of extremely detailed location data. Now, we have a new report to add to the pile: it seems the app users use to manage and control a Ring camera is sending all kinds of personal data around as well.
The Electronic Frontier Foundation took a deep dive into the Android version of the Ring app, which it determined to be "packed with third-party trackers sending out a plethora of customers' personally identifiable information." Moreover, the EFF adds, this data sharing happens "without meaningful user notification or consent and, in most cases, no way to mitigate the damage done."
The personal data sent by Ring seems to go to four main recipients, the EFF found: Branch, AppsFlyer, MixPanel, and Facebook. Those recipients presumably combine data they gather from the Ring app with data they collect from other sources—either information they collect in-house or buy/trade from other third parties—to build a fleshed-out digital doppelgänger profile for any given user.
Each of those four platforms receives a slightly different mix of user data. Facebook finds out when the app is opened and "upon device actions such as app deactivation after screen lock due to inactivity." Facebook also gets your time zone, device model, language preferences, and screen resolution tied to a unique identifier. The EFF notes that this data goes to Facebook regardless of whether the user has a Facebook account, and it adds that the user identifier persists even when you reset your advertiser ID in your OS.
Branch likewise gets several unique identifiers relating to user identity and device fingerprint, along with other device data points such as IP address, phone model, screen resolution, and DPI. Branch describes itself as an "industry-leading mobile measurement and deep linking platform" that exists to tie as much cross-platform data as possible together into single user profiles for marketers.
The other two services get more detailed information. AppsFlyer, which likewise offers an array of deep linking, mobile, and cross-platform analytics services, also receives a unique identifier as well as information about your wireless carrier. AppsFlyer also receives information about all your phone's onboard sensors, including the magnetometer, gyroscope, and accelerometer, and the sensors' calibration settings. It also gathers data about when Ring was installed and launched, what app you used to install Ring from, and whether AppsFlyer came pre-installed on your device, as often happens with low-end Android phones.
MixPanel—which provides, you guessed it, user-behavior analytics and data—gets the most personal information out of the whole set, the EFF found. That firm gathers users' names and full email addresses in addition to device information, device Bluetooth information, and app settings including information about how many locations the user has Ring devices in.
Keeping it quiet
At this point in the 21st century, it seems sadly predictable that any device you use or account you maintain is in some way tracking you and trading your data. However, the EFF notes that, of these four services, only MixPanel is on the list of third-party services Ring says it works with. The other three services on that list are Google Analytics, HotJar, and Optimizely.
The data harvested from a Ring user's phone is at least sent encrypted. That's good inasmuch as personal data isn't just flying through the ether to be grabbed by anyone, but the encryption also makes it harder for security researchers to figure out what kind of information is being transmitted.
The data collection is most troubling as part of a pattern of behavior by Ring, the EFF notes. The company kept the scope of its police partnerships under wraps until August, at which point reports from several media outlets tipped the company's hand. That's when Ring admitted to 405 such arrangements. A look at the list today reveals that the number has more than doubled in the past six months and now stands at 845 partnerships. The terms of those agreements are also somewhat murky and generally kept out of the public eye.
Congress has been demanding answers from Ring in relation to user privacy. Meanwhile, the company is facing a lawsuit (PDF) from several users following a wave of device hijackings. The plaintiffs, who seek class-action status for their suit, allege that the company has failed to provide sufficient security measures for its users and has blamed those users for their own misfortune.