The Electronic Frontier Foundation (EFF) has published the results of an investigation into the Android version of the Ring app which reportedly includes a plethora of trackers sending out customer data to third parties.
On Monday, the digital rights group said Ring for Android version 3.21.1 is "packed" with third-party trackers that collect customers' personally identifiable information (PII) including names, private IP addresses, mobile network carriers, persistent identifiers (PIDs) -- long-lasting references to digital objects -- as well as sensor data.
According to the report, this information, which together establishes a solid picture of a device and its user, was sent to four main analytics and marketing companies: Branch, MixPanel, AppsFlyer, and Facebook.
"The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user's device," the EFF says. "This cohesive whole represents a fingerprint that follows the user as they interact with other apps and use their device, in essence providing trackers the ability to spy on what a user is doing in their digital lives and when they are doing it."
Facebook is apparently notified via its Graph API when the Ring application is opened, and again when actions such as the app being deactivated due to inactivity occur, whether or not the user has a Facebook account.
The EFF says that time zones, device models, language preferences, screen resolution, and unique identifiers are also sent to the company.
Branch receives unique device identifiers alongside local IP addresses, device models, screen resolutions and DPI, whereas AppsFlyer is granted mobile carrier data, user action information, and unique identifiers, as well as sensor data.
MixPanel, however, reportedly receives the most information "by far," including names, email addresses, device models and operating systems, whether or not Bluetooth is enabled, and Ring app settings.
The EFF added that Google-owned crash logging system Crashlytics is also a data recipient, though the extent of what it receives is unknown.
While user data is sent over encrypted HTTPS, which protects it from network eavesdroppers but not from the recipients themselves, the organization says that this information, even if only used for marketing purposes, is being collected and sent without "meaningful" user notification or consent.
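The EFF's point that individually unremarkable attributes (time zone, device model, language, screen resolution) combine into a near-unique fingerprint is easy to demonstrate numerically. The following is an added example, not code from the EFF report or from Ring or any of the SDK vendors named above; the eight devices and their attribute values are constructed for illustration. It measures, for a chosen set of attributes, how many devices share each combination (the anonymity set), the Shannon entropy of the resulting distribution in bits, and what fraction of devices are singled out uniquely.

```python
import math
from collections import Counter

# Constructed sample population: eight hypothetical Android devices carrying
# the kinds of low-entropy attributes the report says the trackers receive.
# The values below are made up for illustration, not taken from any dataset.
DEVICES = [
    {"tz": "UTC-5", "model": "Pixel 3",   "lang": "en-US", "res": "1080x2160"},
    {"tz": "UTC-5", "model": "Pixel 3",   "lang": "en-US", "res": "1080x2160"},
    {"tz": "UTC-5", "model": "Galaxy S9", "lang": "en-US", "res": "1440x2960"},
    {"tz": "UTC-8", "model": "Pixel 3",   "lang": "en-US", "res": "1080x2160"},
    {"tz": "UTC-8", "model": "Galaxy S9", "lang": "es-US", "res": "1440x2960"},
    {"tz": "UTC+1", "model": "Galaxy S9", "lang": "de-DE", "res": "1440x2960"},
    {"tz": "UTC+1", "model": "Pixel 3",   "lang": "de-DE", "res": "1080x2160"},
    {"tz": "UTC-5", "model": "Galaxy S9", "lang": "es-US", "res": "1440x2960"},
]


def fingerprints(records, keys):
    """Count how many records share each combination of the chosen attributes.

    Each key of the returned Counter is one fingerprint (a tuple of attribute
    values); its value is the size of that fingerprint's anonymity set.
    """
    return Counter(tuple(rec[k] for k in keys) for rec in records)


def entropy_bits(records, keys):
    """Shannon entropy of the fingerprint distribution, in bits.

    log2(len(records)) is the ceiling: reached only when every device is unique.
    """
    n = len(records)
    counts = fingerprints(records, keys)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def unique_fraction(records, keys):
    """Fraction of records whose fingerprint is shared with no other record."""
    counts = fingerprints(records, keys)
    singletons = sum(1 for c in counts.values() if c == 1)
    return singletons / len(records)


def report(records, attribute_sets):
    """Summarise entropy and uniqueness for each candidate attribute set."""
    return [
        (keys, entropy_bits(records, keys), unique_fraction(records, keys))
        for keys in attribute_sets
    ]


if __name__ == "__main__":
    candidates = [
        ("tz",),
        ("model",),
        ("tz", "model"),
        ("tz", "model", "lang", "res"),
    ]
    print(f"max entropy for {len(DEVICES)} devices: {math.log2(len(DEVICES)):.2f} bits")
    for keys, bits, uniq in report(DEVICES, candidates):
        print(f"{'+'.join(keys):<22} {bits:.2f} bits  unique: {uniq:.0%}")
```

With this population no single attribute identifies anyone (time zone alone carries 1.5 bits and singles out nobody), but the four attributes together carry 2.75 of a possible 3 bits and isolate six of the eight devices. Adding a persistent identifier such as an advertising ID, which the report says is also transmitted, would make every record unique, and the identifier then lets the same fingerprint be recognised across other apps that embed the same SDK.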
"Ring claims to prioritize the security and privacy of its customers, yet time and again we've seen these claims not only fall short but harm the customers and community members who engage with Ring's surveillance system," the digital rights group added. "This goes a step beyond that, by simply delivering sensitive data to third parties not accountable to Ring or bound by the trust placed in the customer-vendor relationship."
Earlier this month, Amazon said that four Ring employees had been fired over the past four years for improperly accessing customers' video feeds from Ring devices.
Update 17.56 GMT: A Branch spokesperson told ZDNet:
"Branch provides a service that gives users better experiences by fixing the links in mobile. Branch makes it so that when you click a link, it opens the app and takes you to the correct page. It's an essential part of the ecosystem, and not something that app companies can build on their own.
To perform this service for Ring and many others, we must process some data from within the app but take extreme care when handling it. Beyond supporting government regulations to ensure the user's right to control over their data, we take a strong internal policy stance as well. Here's a summary of our policy with respect to user data:
1. We don't collect any more information than we need to perform our service -- what we collect is limited to device data like advertising identifiers, IP addresses, and cookies. We do not collect or store information such as names, lat/lon, email addresses, physical addresses, or SSNs. At any rate, the personal data we do collect is then pseudonymized and purged from raw logs after 7 days.
2. The data is only used to perform our linking and analytics services for Ring and we would never sell or license user data to anyone else.
3. We've invested substantially in industry-leading security protocols to ensure safekeeping, such as SOC2 and ISO27001."
ZDNet has reached out to Ring and companies mentioned in the report for comment and will update when we hear back.
Previous and related coverage
- CES 2020: Ring will add privacy and security Control Center to mobile app this month, adds new hardware to its lineup
- Amazon fixes Ring Video Doorbell wi-fi security vulnerability
- Hackers keep dumping Ring credentials online 'for the giggles'