The Electronic Frontier Foundation (EFF) has discovered that Ring’s Android doorbell camera app is being used to surveil customers.
According to the EFF, the Ring Android app is “packed with third-party trackers sending out a plethora of customers’ personally identifiable information (PII). Four main analytics and marketing companies were discovered to be receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers.”
Specifically, the data is shared with Branch, AppsFlyer, MixPanel and Google’s Crashalytics. EFF’s investigation was able to uncover what data was being sent to each entity.
Branch is a “deep linking” platform that receives several unique identifiers, “as well as your device’s local IP address, model, screen resolution, and DPI.”
AppsFlyer is “a big data company focused on the mobile platform,” and receives information that includes unique identifiers, when Ring was installed, interactions with the “Neighbors” section and more. Even worse, AppsFlyer “receives the sensors installed on your device (on our test device, this included the magnetometer, gyroscope, and accelerometer) and current calibration settings.”
MixPanel receives the most information, including “users’ full names, email addresses, device information such as OS version and model, whether bluetooth is enabled, and app settings such as the number of locations a user has Ring devices installed in.”
It’s unknown what data is sent to Crashalytics, although it’s likely that’s the most benign of the data-sharing partnerships.
The worst part is that, while all of these companies are listed in Ring’s third-party services list, the amount of data collection is not. As a result, there is no way for a customer to know how much data is being collected or what is being done with it, let alone have the option to opt out of it.
Ring has been in the news recently for several high-profile security issues, including its cameras being hacked and a VICE investigation revealing an abysmal lack of basic security features. While both of these can be chalked up to errors or incompetence, this latest discovery is deeply disturbing because it speaks to how Ring is designed to function—namely as a way for the company to profit off of surveilling its own customers.