Amazon-owned connected doorbell app Ring contains trackers sending personally identifiable information to third parties, including Facebook and Google, according to a new investigation.
The study, from the Electronic Frontier Foundation (EFF) found that the the Ring Doorbell app (Ring for Android v3.21.1) sends data to five major analytics and marketing companies. This data includes full names, IP addresses, sensor data from the doorbells and “persistent identifiers”.
The five companies identified as receiving information were:
- Facebook, via its Graph API - each user's time zone, device model and screen resolution and a unique identifier
- Branch, which describes itself as a deep-linking platform - a number of unique identifiers, as well as each user's IP address, device model and screen resolution
- AppsFlyer, a big data company - a range of information, including sensor data related to the magnetometer, gyroscope and accelerometer on users' phones
- MixPanel - the most information, including users' full names, email addresses, device information and app settings
- Google-owned Crashalytics - an amount of customer data "yet to be determined"
Out of these, only MixPanel is mentioned in Ring's privacy notice, along with Google Analytics, HotJar and Optimizely.
The investigation by EFF tested Ring for Android, version 3.21.1.
Amazon bought Ring in 2018 and sells a range of home security cameras as well as doorbells.
Ring is best known for its connected doorbell, which features an HD camera, motion sensor, microphone, speaker and other sensors, integrated with an app to let users view real-time video and communicate with visitors from anywhere in the world.
It has been criticised for partnering with at least 200 law-enforcement agencies to carry out surveillance via its devices.
“The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user’s device,” wrote EFF security researcher Bill Budington. The EFF asserts that this all occurs without meaningful notification or consent, with the third parties either never mentioned or mentioned only briefly on an internal page, which users are unlikely to check.
Facebook is alerted when the Ring app is opened and when other device actions occur, with other information sent to the social media company including time zone, device, language preferences, screen resolution and a unique identifier. AppsFlyer, a big data company, is sent information including data from the Ring Doorbell sensors (its magnetometer, gyroscope and accelerometer), while MixPanel is sent users’ full names, email addresses, device information and app settings.
“Ring claims to prioritise the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system. This goes a step beyond that, by simply delivering sensitive data to third parties not accountable to Ring or bound by the trust placed in the customer-vendor relationship,” Budington wrote.
Privacy advocates and lawmakers have raised concerns about Ring’s ability to function as a surveillance tool, particularly due to its partnership with more than 600 law enforcement agencies, a characterisation Amazon has rejected.
In a statement, Ring told technology blog Gizmodo: "Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimise the customer experience and evaluate the effectiveness of our marketing."