The Android app used to control Ring video doorbells is packed with third-party trackers which send personal information about the user to analytics and marketing companies, including Facebook.
That is the claim of the Electronic Frontier Foundation (EFF), which described in a report this week how the Ring app sends data including the user's name, private IP address and mobile network carrier, plus data from sensors inside Ring devices, to marketing firms including Facebook.
These firms, EFF says, also include Branch, MixPanel and AppsFlyer. Facebook, via its Graph API, is alerted when the Ring app is opened. When this happens, the Ring user's time zone, smartphone model, language preferences, screen resolution and unique identifier are sent to Facebook, even if the person doesn't have a Facebook account.
MixPanel, which describes itself as a user behavior analytics company, receives the most data from Ring customers. This includes their full name, email address, their smartphone model and the version of Android it is running, whether Bluetooth is switched on, and the number of Ring devices they have installed in their home. As EFF points out, MixPanel is mentioned as a third-party service on Ring's website, but what data it collects is not.
None of the other companies EFF found to receive data from Ring customers are mentioned on Ring's list of third-party services.
The data sent to these companies is described as personally identifiable information, or PII.
A Ring spokesperson said in a statement emailed to GearBrain: "Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing. Ring ensures that service providers' use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes."
While sending such data to analytics companies isn't unusual, EFF says: "The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user's device. This cohesive whole represents a fingerprint that follows the user as they interact with other apps and use their device, in essence providing trackers the ability to spy on what a user is doing in their digital lives and when they are doing it."
This collection of personal data takes place "without meaningful user notification or consent," EFF says, adding that, in most cases, there is "no way to mitigate the damage done."
[Image: The Amazon-owned company positions itself as a home security firm. Credit: Ring]
It might not be unusual for an internet-connected device to share such data with marketing firms, but when the device is sold as something to boost the security of your home, there is potential for violating customer trust. Customers of Amazon-owned Ring buy its products to increase the security of their home and in a bid to increase their privacy, but while a doorbell with a camera helps them keep an eye on their property, it also helps Ring's marketing and analytics partners keep a closer eye on largely unwitting customers.
EFF adds: "All traffic we observed on the [Ring] app was being sent using encrypted HTTPS. What's more, the encrypted information was delivered in a way that eludes analysis, making it more difficult (but not impossible) for security researchers to learn of and report these serious privacy breaches."
This news comes just a month after Ring was criticized for its response to multiple reports of users' security cameras and video doorbells being hijacked and viewed by strangers over the internet. In one case, a stranger spoke to an eight-year-old child through a Ring security camera.
The company responded by suggesting its customers use better passwords. Instead of making it compulsory for customers to enable two-factor authentication, which would prevent such hijacking, Ring put the blame at its customers' feet. The company said in a blog post: "Unfortunately, when people reuse the same username and password on multiple services, it's possible for bad actors to gain access to many accounts."
Ring's lack of basic safeguards is a concern. It is possible for multiple people in multiple countries to log into one Ring account and view the cameras together, without the app becoming suspicious or asking for everyone to confirm they are the account holder.
Logging into a Ring account and viewing a camera from a foreign country, using a phone or tablet which has never been used by that account before, also fails to raise any alarms. Logging into other web services like this, from the likes of Google and Apple, prompts a security check or contacts the account holder to check it's them.
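The kind of check described in the last two paragraphs can be sketched as follows. This is an added example, not Ring's code or anything from the EFF report; the field names, the one-hour session window and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

SESSION_TTL = 3600  # assumption: a session counts as live for one hour after last activity

@dataclass
class Login:
    account: str
    device_id: str
    country: str
    ts: int  # seconds since an arbitrary epoch

@dataclass
class AccountState:
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    live: dict = field(default_factory=dict)  # device_id -> (country, last_seen)

def assess(state, login):
    """Return the reasons this login should trigger a step-up check (empty list = allow)."""
    if not state.devices:  # first login on the account: nothing to compare against
        return []
    reasons = []
    if login.device_id not in state.devices:
        reasons.append("new_device")
    if login.country not in state.countries:
        reasons.append("new_country")
    # Countries of other devices that are still signed in on this account.
    others = {c for d, (c, seen) in state.live.items()
              if d != login.device_id and login.ts - seen < SESSION_TTL}
    if others and login.country not in others:
        reasons.append("concurrent_other_country")
    return reasons

def process(events):
    """Run events in order; only logins that pass are learned as trusted."""
    accounts, results = {}, []
    for ev in events:
        state = accounts.setdefault(ev.account, AccountState())
        reasons = assess(state, ev)
        if not reasons:
            state.devices.add(ev.device_id)
            state.countries.add(ev.country)
            state.live[ev.device_id] = (ev.country, ev.ts)
        results.append(reasons)
    return results

# Constructed sample events (not real Ring data).
SAMPLE = [
    Login("alice", "phone-1", "US", 0),
    Login("alice", "phone-1", "US", 600),
    Login("alice", "tablet-9", "DE", 900),
    Login("alice", "laptop-2", "US", 1000),
]
```

A non-empty result is where a service would ask for a second factor or notify the account holder before granting access to the cameras.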