EFF: Ring App Sends Your Personal Data to Third-Parties

Amazon-owned Ring has been more apt to brush aside privacy concerns than other smart home companies. It has defended controversial initiatives like its cooperation with police by claiming that it only wants to make communities safer. It’s going to be harder to deflect the latest troubling chapter in the Ring saga, though. The Electronic Frontier Foundation (EFF) says it has completed an exhaustive analysis of Ring’s Android app, and the company appears to be sharing a great deal of private user data with third-parties. 

Ring rose to prominence on the strength of its video doorbells,SEEAMAZON_ET_135 See Amazon ET commerce which were far and away the best devices of their kind for years. Privacy advocates have kept a close eye on Ring ever since it admitted human employees previously had unfettered access to wide swaths of user video. Ring’s laissez-faire attitude manifested again when it began working with police to promote Ring products and encourage users to provide video to investigators in its Neighbors app. 

To use Ring’s admittedly excellent cameras, you need to install the app on a mobile device. The EFF had to poke and prod the app to learn its secrets, but it finally managed to observe the https data the app sends as you use it. The EFF says Ring’s app beams personally identifiable information to four different companies: Facebook, branch.io, Mixpanel, and AppsFlyer. Not only are some of these firms getting an unreasonable amount of data, but they’re also not all listed on Ring’s privacy disclosures. 

Almost every app has trackers of some sort that evaluate how people use them, but the EFF says Ring’s use of trackers is out of step with other smart home companies. Through Facebook’s Graph API, the app sends data like when you open the app, your time zone, device model, and a unique identifier. Branch gets your IP address, device model, and a few unique identifiers. AppsFlyer seems mostly focused on tracking when and how you installed the Ring app, which isn’t excessively personal. However, it also gets the current state of sensors on your phone like the accelerometer and gyroscope. 

An example of data sent to MixPanel.

The EFF cites the tracker from analytics firm MixPanel as the most troubling. This company gets your email, full name, device model, Bluetooth status, and even the number of Ring devices attached to your account and where they are. User experience metrics are an important part of mobile development, but there’s no reason a third-party needs this kind of data. 

We’ve reached out to Ring for comment, but the company has not replied at this time. We will update with a statement when and if we have one.

Update: Ring has provided a response, which you can see below. It boils down to, “trust us.”

Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing. Ring ensures that service providers’ use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes.

Now read:

  • PCMag’s Best Video Doorbells for 2020
  • Hackers Openly Peddle Tools to Hack Ring Cameras
  • Report: Ring Cameras Leak Location Details in Neighbors App