Ring, the Amazon.com Inc.-owned maker of high-tech doorbells and home security cameras, markets itself as protection from the world outside users’ homes. But its app collects data from users’ phones and shares that information with multiple third-party trackers, a report by the Electronic Frontier Foundation revealed this week.
The information includes users’ full names, email addresses, IP addresses, mobile network carriers and data about sensors installed in the phone, according to the civil liberties group, whose work focuses on privacy and other digital rights.
The EFF said it parsed web traffic on Ring’s app for Android devices and found that the company distributes customer data mainly to four analytics and marketing firms: Facebook, Branch, AppsFlyer and Mixpanel. Google-owned Crashlytics also receives data from Ring, according to the report.
“Customers should really look hard and see, ‘Is this something that I trust? This surveillance device that can be used to surveil my neighbors is actually surveilling me now,’” said William Budington, a security engineer and technologist at the EFF.
Ring said in a statement that it allows third parties to use the data only for “appropriate purposes.”
But only one of the third-party companies the EFF identified, Mixpanel, is named in Ring’s list of third-party analytics services.
AppsFlyer, a mobile marketing analytics company, collects information on user actions within the Ring app and on calibration settings and sensors installed on the device.
“Just having the information on what sensors your phone has is quite in-depth,” the EFF’s Budington said. “It’s concerning because of the level of detail and insight into your device’s characteristics. A tracking company can stitch together and create a fingerprint of your device — a cohesive whole about what your device looks like.”
It doesn’t take much to fingerprint a device, said Eric Goldman, a Santa Clara University School of Law professor who co-directs the school’s High Tech Law Institute.
“For example, if you can see all the apps on a person’s device, that alone might be unique to everyone else in the universe,” Goldman said. “We have all probably configured our apps differently.”
Bringing together some of the data Ring provides could show, hypothetically, that you opened a game, or that you joined a Wi-Fi hotspot in your home, Budington said. The more information collected, the better a company can put together a picture of what you’re doing in your digital life.
“Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing,” a Ring spokesperson said in a statement. “Ring ensures that service providers’ use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes.”
Ring said it uses Mixpanel to target messaging within the app when it launches new features. Generally, the company may collect and disclose personal information — such as when users interact with the app or their Ring devices — to third-party services in order to track the performance of various features, the company said.
Goldman said it’s unclear why Branch or Facebook would need information from Ring to help with analytics or targeting ads.
Branch spokesperson Alex Austin said the company provides a service that fixes mobile links that take users to the correct page. “To perform this service for Ring and many others, we must process some data from within the app but take extreme care when handling it,” Austin said in an email. Per the company’s user data policy, Branch collects device data like advertising identifiers, IP address, and cookies but does not collect or store information such as names, emails or physical addresses.
Other companies named in EFF’s report did not immediately respond to requests for comment.
The new California Consumer Privacy Act, which the state will start enforcing in July, could help regulate this type of activity by Ring, Goldman said. Depending on how the state attorney general’s office interprets the law, it could force the company to disclose more about the third parties that piggyback off its data.
The state law “is going to change the ecosystem. I’m not sure how much, but it’s clear changes are coming,” Goldman said.
Amazon acquired Ring in 2018, and the doorbell camera company has faced considerable scrutiny and criticism in recent months for privacy issues around its agreements with law enforcement agencies and around hacks and breaches that compromised Ring owners’ video feeds.
Last month a hacker accessed a Ring camera in an 8-year-old girl’s room in Mississippi and used it to harass her. A couple in Texas woke up to a hacker saying via their Ring camera that they would “get terminated” unless they paid a 50-bitcoin ransom. Ring has previously said that these incidents are in “no way related to a breach or compromise of Ring’s security” and noted that malicious actors can obtain account credentials (especially when people re-use usernames and passwords) from external, non-Ring services.
A Motherboard report last month detailed some lax security practices by Ring, such as allowing multiple logins from various locations and IP addresses without informing the owners, making it easy for hackers to turn the company’s cameras against its customers.
Sen. Edward J. Markey (D-Mass.) harshly criticized the company in November for making deals with law enforcement agencies that could expose customers and their neighbors to “invasive or even discriminatory information-gathering practices” by police. Amazon’s top hardware executive has said that he’s proud of the program and that partnerships with police departments are good for neighborhoods.
In mid-December, the log-in credentials of more than 3,600 Ring account holders were reportedly breached. The company says those breaches were not a result of flaws in its own system. The incidents and others have fueled lawsuits, including a class-action suit filed in December in federal court in Los Angeles.
Ring told lawmakers in early January that it fired workers in recent years for improperly accessing users’ video data. According to the Verge, the company said that it would add a new privacy dashboard to its mobile apps that will let users manage their connected devices, third-party services, and police requests to access video from their devices.
At least one Amazon worker has said the company should shut down Ring entirely, arguing that the privacy concerns are “not compatible with a free society.”
“The privacy issues are not fixable with regulation and there is no balance that can be struck,” software development engineer Max Eliaser wrote. “Ring should be shut down immediately and not brought back.” His comment was part of a slew of employee criticism of Amazon, published Sunday in defiance of company rules restricting when workers can speak out.