Updated Smart-home biz Ring sends its users’ personal app data to a range of analytics and marketing companies, according to an analysis carried out by the Electronic Frontier Foundation (EFF).
Already under fire for giving the cops access to footage from its ubiquitous video doorbells, the Amazon-owned manufacturer is also apparently selling information including user email addresses and app settings to third parties who package and sell them to others.
As usual, Facebook and Google are in the thick of it. Facebook is “alerted when the app is opened and upon device actions such as app deactivation after screen lock due to inactivity,” according to the EFF. The antisocial network also learns your time zone, device model, language preferences, screen resolution, and gets a unique identifier that enables it to connect and track the data down to your individual phone.
Those details can be used to give a unique fingerprint for your device and, combined with other data from other apps on your phone – especially if you have the Facebook app installed – enable the company to build a comprehensive, constantly updated profile of what you are doing and where you are at any given time. Which it then compiles and sells.
Likewise Google: “Ring also sends information to the Google-owned crash logging service Crashalytics,” the EFF’s analysis discovered, although it notes that “the exact extent of data sharing with this service is yet to be determined.”
The analysis was carried out on the Android version of the Ring app, with the report’s author, Bill Budington, telling The Reg that “because of the relatively open platform that Android provides, it makes it much easier to test these things than on iOS.” The EFF doesn’t currently plan on investigating the company’s iPhone/iOS app.
Other third parties receiving data from the Ring app include Branch – which receives a range of unique identifiers that can connect you to your phone and other data derived from other apps.
Another partner is AppsFlyer, a data company that also accesses the controversial “Neighbors” section of Ring’s app, which the police use to gain access to footage from people’s cameras. AppsFlyer learns the mobile operator of all users, a range of unique identifiers and details about the app, such as when it was installed and whether the company is already tracking the phone.
One stalker shop gets the most data, however, including full user name, email address, app and phone settings, device information and a host of other information – that company, MixPanel, offers to “analyze user behavior across your sites and apps” to companies that pay it “from $89 per month.”
It’s worth noting that the EFF had to go to some trouble to find out what data the Ring app was sharing with third parties. All the data was encrypted in transit – which is good – but the EFF noted that “the encrypted information was delivered in a way that eludes analysis.”
The app uses certificate pinning – meaning that it checks the certificate presented by a remote server against one it has been built to expect, rather than relying on the list of root certificates within Android itself. Again, this could be seen as good additional security but it also has the effect of hindering eavesdropping and hiding what information is being sent from the app and where it is being sent – although it is possible to see where those certificates are held: Facebook, MixPanel etc.
The researchers managed to crack that approach by injecting code that forced the app to trust a certificate provided by the mitmproxy analysis software they were using – at which point they were able to see what types of information were being shared and to whom.
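Once traffic is readable, the audit step is an inventory of which data categories reach which third-party host. The sketch below is an added example, not the EFF's tooling or code from this article; the host names, JSON keys and values are constructed, and the key-name heuristics are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

FIRST_PARTY = "vendor.example"  # assumption: the app vendor's own domain
KEY_RULES = [  # assumed key-name heuristics for data categories the article lists
    ("email", r"e-?mail"),
    ("user name", r"(first|last|full)_?name"),
    ("device identifier", r"(device|advertising|android)_?id"),
    ("time zone", r"time_?zone"),
    ("mobile operator", r"carrier|operator"),
]
EMAIL_VALUE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
FLOWS = [  # constructed (url, request body) pairs standing in for decrypted flows
    ("https://api.vendor.example/session", '{"email": "j@mail.example"}'),
    ("https://t.analytics-a.example/track",
     '{"props": {"contact": "j@mail.example", "first_name": "J", "time_zone": "UTC"}}'),
    ("https://sdk.attrib-b.example/install", '{"carrier": "ExampleTel", "advertising_id": "x-0"}'),
    ("https://sdk.attrib-b.example/ping", "not json"),
]

def walk(node, key=""):  # yield (innermost key, leaf value) for every JSON leaf
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk(v, k)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item, key)
    else:
        yield key, node

def classify(key, value):
    found = {label for label, rx in KEY_RULES if re.search(rx, key, re.I)}
    if isinstance(value, str) and EMAIL_VALUE.fullmatch(value):
        found.add("email")  # catches addresses sent under an opaque key name
    return found

def inventory(flows):  # map each third-party host to the data categories it received
    report = {}
    for url, raw in flows:
        host = urlsplit(url).hostname or ""
        if host == FIRST_PARTY or host.endswith("." + FIRST_PARTY):
            continue
        try:
            body = json.loads(raw)
        except ValueError:
            continue  # non-JSON bodies need their own decoder
        for key, value in walk(body):
            report.setdefault(host, set()).update(classify(key, value))
    return {host: sorted(cats) for host, cats in report.items() if cats}
```

Calling `inventory(FLOWS)` skips the first-party request and the undecodable body, and reports the email address even though it travels under the key `contact`.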
Ring does not make it clear to its users that this information is being shared with third parties nor who those companies are. It also doesn’t allow them to opt out of the data collection. In other words, it’s another black mark against the company whose customers pay it for the hardware and software that they install in their homes. Ring's response to criticism – a privacy dashboard – has been decried as a "total joke."
“Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system,” the EFF concluded, noting that the app was “delivering sensitive data to third parties not accountable to Ring or bound by the trust placed in the customer-vendor relationship.”
We have asked Ring and MixPanel for comment on the EFF’s findings and will update this article if they get back to us. It is also worth noting that in a post this week in which more than 350 Amazon employees actively criticized the company’s policies in response to it suggesting it would punish any employees that did so, one engineer took a very dim view of Ring.
“The deployment of connected home security cameras that allow footage to be queried centrally are simply not compatible with a free society. The privacy issues are not fixable with regulation and there is no balance that can be struck. Ring should be shut down immediately and not brought back,” he wrote. ®
Updated to add
A spokesperson for Ring has been in touch to say: "Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimise the customer experience, and evaluate the effectiveness of our marketing.
"Ring ensures that service providers’ use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf, and not for other purposes."