Ring, the Amazon.com-owned maker of high-tech doorbells and home security cameras, markets itself as protection from the world outside users' homes. But its app collects data from users' phones and shares that information with multiple third-party trackers, according to a report by the Electronic Frontier Foundation.
The information includes users' full names, e-mail addresses, IP addresses, mobile network carriers and data about sensors installed in the phone, according to the civil liberties group, whose work focuses on privacy and other digital rights.
The EFF said it parsed web traffic on Ring's app for Android devices and found that the company distributes customer data mainly to four analytics and marketing firms: Facebook, Branch, AppsFlyer and Mixpanel. Google-owned Crashlytics also receives data from Ring, according to the report.
"Customers should really look hard and see, 'Is this something that I trust? This surveillance device that can be used to surveil my neighbors is actually surveilling me now,'" said William Budington, a security engineer and technologist at the EFF.
Ring said in a statement that it allows third parties to use the data only for "appropriate purposes."
But only one of the third-party companies the EFF identified, Mixpanel, is named in Ring's list of third-party analytics services. AppsFlyer, a mobile marketing analytics company, collects information on user actions within the Ring app and on calibration settings and sensors installed on the device.
"Just having the information on what sensors your phone has is quite in-depth," Budington said. "It's concerning because of the level of detail and insight into your device's characteristics. A tracking company can stitch together and create a fingerprint of your device - a cohesive whole about what your device looks like."
It doesn't take much to fingerprint a device, said Eric Goldman, a Santa Clara University School of Law professor who codirects the school's High Tech Law Institute. "For example, if you can see all the apps on a person's device, that alone might be unique to everyone else in the universe. We have all probably configured our apps differently."
Bringing together some of the data Ring provides could show, hypothetically, that you opened a game, or that you joined a Wi-Fi hotspot in your home, Budington said. The more information collected, the better a company can put together a picture of what you're doing in your digital life.
"Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing," said a Ring employee.
"Ring ensures that service providers' use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes."
Ring said it uses Mixpanel to target messaging within the app when it launches new features. Generally the company may collect and disclose personal information - such as when users interact with the app or their Ring devices - to third-party services in order to track the performance of various features.
Goldman said it's unclear why Branch or Facebook would need information from Ring to help with analytics or targeting ads.
Branch spokesman Alex Austin said the company provides a service that fixes mobile links that take users to the correct page. "To perform this service for Ring and many others, we must process some data from within the app but take extreme care when handling it," he said.
Per the company's user data policy, Branch collects device data like advertising identifiers, IP addresses, and cookies.
Other companies named in EFF's report did not immediately respond to requests for comment.
Last month a hacker accessed a Ring camera in an eight-year-old girl's room in Mississippi and used it to harass her. A couple in Texas woke up to a hacker saying via their Ring camera that they would "get terminated" unless they paid a 50-bitcoin (HK$3.6 million) ransom.
Ring has said that these incidents are in "no way related to a breach or compromise of security" and noted that malicious actors can obtain account credentials (especially when people reuse usernames and passwords) from external, non-Ring services.
A Motherboard report last month detailed some lax security practices by Ring, such as allowing multiple logins from various locations and IP addresses without informing the owners, making it easy for hackers to turn the cameras against its customers.
In mid-December, the log-in credentials of more than 3,600 Ring account holders were reportedly breached. The company says those breaches were not a result of flaws in its own system, telling lawmakers in early January that it fired workers in recent years for improperly accessing users' video data.
According to the Verge, the company said that it would add a new privacy dashboard to its mobile apps that will let users manage their connected devices, third-party services, and police requests to access video from their devices.
At least one Amazon worker has said the company should shut down Ring, arguing that the privacy concerns are "not compatible with a free society."
"The privacy issues are not fixable with regulation and there is no balance that can be struck," software development engineer Max Eliaser wrote. "Ring should be shut down immediately and not brought back." His comment was part of a slew of employee criticism of Amazon.
Los Angeles Times (TNS)