Ring's app caught spying on users, sharing data with third-parties

The Electronic Frontier Foundation has discovered that third-party tracking software within the Ring doorbell app is sending customer data to four analytics and marketing companies, including Facebook, Google, MixPanel and AppsFlyer. That data includes personally identifiable information such as names and private IP addresses.

Facebook, for example, is alerted when users open the Ring app, as well as when they perform certain device actions. Mobile analytics company AppsFlyer is sent a similar mix of data, but also receives information collected from a device's sensors including its gyroscope and magnetometer. The information sent to MixPanel, another data analytics firm, includes a user's full name, email address, device data and app settings.

While Ring also sends data to Google's Crashalytics service, the EFF wasn't able to determine the extent of the sharing in the report published on Tuesday.

The EFF points out that even small bits of user data can be combined by tracking firms to create a larger picture of a user's digital habits. That "fingerprint" could allow third-party companies to surveil what users are doing across various apps and devices.

Importantly, the nonprofit group claims that this tracking is taking place without a user's knowledge, consent or ability to disable it.

The data collected is sent over encrypted HTTPS and is delivered in a way that eludes analysis, the EFF said. The investigation's methodology included observing that data flow via man-in-the-middle techniques, a tactic often used by hackers to intercept internet traffic.

Since the EFF investigation focused on Ring's Android app, it isn't clear whether the iOS version has similar privacy risks. Apple's App Store Review Guidelines do include provisions that protect users from many data collection practices, however.

In light of the potential for abuse and other privacy risks, at least one Amazon engineer is calling for the smart doorbell company to be shut down.

"The deployment of connected home security cameras that allow footage to be queried centrally are simply not compatible with a free society. The privacy issues are not fixable with regulation and there is no balance that can be struck," said Max Eliaser in a Medium post. "Ring should be shut down immediately and not brought back."

Repeat offender

This isn't the first time Ring has been in the spotlight for alleged privacy blunders.

In 2019, The Intercept reported that both engineers and executives at Ring had "highly privileged access" to live feeds from customer cameras. And earlier this month, Ring fired four employees who had allegedly abused that access to spy on customers.

Privacy advocates have also raised concerns about Ring's links to law enforcement, as well as the potential implementation of facial recognition in a platform already beset by surveillance and privacy controversies.

Ring's response

Following publication of this story, a Ring spokesperson reached out to AppleInsider

"Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing," Ring said. "Ring ensures that service providers' use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes."