Amazon-owned Ring, a maker of home security cameras, has a number of third-party trackers on its Android app, which allows it to share users’ personally identifiable information (PII) to companies such as Facebook, and Google-owned Crashlytics, an investigation done by advocacy group Electronic Frontier Foundation (EFF) found out. Three trackers that were found to be sharing information with third-parties are not even mentioned in Ring’s privacy policy EFF said, and added that the list of trackers was last updated a year and eight months ago. EFF did not clarify if Ring was selling users’ data to all these companies. 

“Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system…This data is given to parties either only mentioned briefly, buried on an internal page users are unlikely to ever see, or not listed at all.” — EFF 

“The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user’s device,” EFF noted. This tracks users’ interactions with other apps, and worryingly, happens without notifying them, or soliciting explicit consent from them. “Even when this information is not misused and employed for precisely its stated purpose (in most cases marketing), this can lead to a whole host of social ills,” the organisation said.

Information being shared included users’ names, email addresses: Ring tested version 3.21.1 of Ring’s Android app, and found out that personal identifiers of users was being transmitted to: branch.io, mixpanel.com, appsflyer.com and facebook.com.

  • In Facebook’s case, the app was found sharing information including users’ time zone, device model, language preferences, screen resolution  and unique identifier, with Facebook, even if users don’t have a Facebook account. This transmission was happening via Facebook’s Graph AI.
  • Branch, which offers a “mobile deep linking software kit” was receiving information such as a unique identifier, IP address, device model and screen resolution.
  • Big data company, AppsFlyer was given information such as users’ interaction with the “Neighbours” section of the app, mobile carrier, first installation and launch dates of the Ring app, a number of unique identifiers, and if AppsFlyer came preloaded on a device.
    • EFF pointed out that the last bit of information was presumably to gauge whether AppsFlyer tracking was included as bloatware on a low-end Android device, since low-end phone manufacturers often sell customers’ data to offset the cost of manufacturing. This “disproportionately” affects low-income earners, EFF highlighted.
    • AppsFlyer was also receiving information on the sensors fitted to a phone.
  • MixPanel, a business analytics service company was receiving users’ full names, email addresses, device information, status of bluetooth, and the locations at which a user has installed Ring’s cameras.
    • EFF pointed out that while Mixpanel is listed on Ring’s list of third party services, no information is provided about the kinds of data that Ring shares with the business.
  • Google-owned Crashlytics, a software development company, was also found to be receiving information, although EFF is yet to determine the exact extent of data sharing with Crashlytics.

EFF said that all the information was being shared using encrypted HTTPS, and was delivered in a way that “eludes analysis,” which makes it difficult for security researchers to learn and report these “serious privacy breaches”.

Privacy concerns have been raised against Ring several times: Amazon had purchased Ring in 2018 for a billion dollars, and had revealed, in November 2019, of its plans of adding a facial recognition system to Ring’s doorbell cameras. Last year, Senator Ed Markey had questioned Ring’s partnership with the police and said that it raised serious privacy and civil liberties concerns.

  • Following that, more than 30 digital rights and civil liberties organisations had demanded that local, state, and federal officials end partnerships between Ring and over 400 law enforcement agencies in the US, claiming that these partnerships a serious threat to civil rights and liberties, especially for black and brown communities already targeted and surveilled by law enforcement.

Avast was found selling users’ data: Yesterday, it was reported that anti-virus company Avast has been selling users’ data to companies such as Google, Microsoft, IBM, Home Depot, sometimes for millions of dollars. The information being sold included users’ Google searches, Google Maps location searches, activity on companies’ LinkedIn pages, YouTube video visits and data on people visiting porn websites.