Amazon’s smart doorbell company Ring has found itself at the centre of yet another user privacy scandal.
A report published by the Electronic Frontier Foundation (EFF) claims that Ring's Android app is sending an excessive amount of personally identifiable data to third parties.
EFF's report suggests that the app sends personal data to four trackers: Facebook's Graph API, analytics firms Mixpanel and AppsFlyer, and "deep linking" platform Branch.
The most concerning part of the allegations is that the EFF claims Ring is sending the data without explicit consent from users. In some jurisdictions, this is likely a breach of privacy laws such as the EU's GDPR.
Information sent to the trackers reportedly includes names, IP addresses, device identifiers, timezones, language preferences, and even certain actions performed via the app.
Here’s an example of some data the EFF found Ring’s Android app sending to Facebook:
According to Ring, “like many companies, Ring uses third-party service providers to evaluate the use of our mobile app” and the company “ensures that service providers’ use of the data provided is contractually limited to appropriate purposes.”
Of course, the concern here is that the third parties aren’t truly accountable to Ring and such trackers can build a much bigger profile of an individual using even small bits of data.
“The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user’s device,” the EFF notes in their report.
Ever since Ring was acquired by Amazon, it has naturally come under increased scrutiny with regard to user privacy and security.
One of the most recent concerns surrounded a controversial partnership with 300 police forces across the US for a feature called Neighbors. Because the Neighbors app allows people to be flagged as suspicious, privacy campaigners are concerned it may lead to increased racial profiling or more surveillance of innocent individuals.
A report published by Mozilla last September highlighted Ring’s weak privacy measures. Only nine of 76 devices failed Mozilla’s test, and four of them were Ring’s (essentially the company’s whole product line). The main reasons for Ring’s products failing Mozilla’s tests were poor encryption policies and vulnerability management.
Also last year, a couple’s Ring doorbell was hacked and the perpetrator demanded 50 Bitcoins (worth ~$400,000) as a ransom – issuing a death threat if they did not comply. A report from Motherboard found software available for as little as $6 to compromise Ring doorbells.
Ring was often cited as an example of how the smart home can modernise things which have been left relatively unchanged for decades. Hopefully, Ring will begin setting a better example of user privacy and security practices for the IoT industry.