Ring Doorbell Android App leaks personal information to third parties

WillyW

The EFF has confirmed that the Ring Doorbell leaks privacy information of its customers:

 

Quote

An investigation by EFF of the Ring doorbell app for Android found it to be packed with third-party trackers sending out a plethora of customers’ personally identifiable information (PII). Four main analytics and marketing companies were discovered to be receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers.

 

Quote

All this takes place without meaningful user notification or consent and, in most cases, no way to mitigate the damage done. Even when this information is not misused and employed for precisely its stated purpose (in most cases marketing), this can lead to a whole host of social ills.

 

Which means that a device that is supposed to keep you secure is in some ways making your life insecure as you do not have control over what happens to the data that is collected on your phone.

 

Quote

Ring made changes to its security regimen and ensured that new customers enabled two-factor authentication to further lockdown accounts. But now, Ring is under fire again with respect to its Android app. According to the Electronic Frontier Foundation (EFF), the Android version of Ring's app is filled with third-party trackers that are leaking customer data.

 

The list of companies that it gives the data to does not have the best record for privacy:

Quote

In this case, Ring’s data leaking is even more egregious than Avast's privacy nightmare that we told you about yesterday. The EFF found that Ring, which is owned by Amazon, is transmitting customer data to four primary firms: AppsFlyer, MixPanel, Branch, and Facebook

 

Facebook on that list alone would give me pause to them getting data.

 

The real issue is that you can, by having an app on your phone, de-anonymize the data that is supposed to be anonymized. The recent NYT article showed how this is done and this is a concern, especially for people with legitimate security concerns (politicians, celebrities, or anyone with kids, etc.), so having a 'security device' (and the app that controls it) leak information to companies that, well, helped put the orange faced baby in the office with the nuclear football is, um, quite concerning and doesn't really live up to the industry that Ring is playing in. If you want cameras on your doorbell you should probably look elsewhere for your gadget.

 

The original source is the EFF:

https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers

 

Hot Hardware does an easier-to-read summary here:

https://hothardware.com/news/eff-busts-ring-doorbell-app-for-leaking-private-customer-data-to-third-party-firms

Link to comment

I have a ring doorbell.

 

Kinda wondering what info it could actually give away that would bother me.

Link to comment

Said this many times, if someone is dumb enough to buy smart junk they deserve it....

Link to comment

10 hours ago, RonnieOP said:

I have a ring doorbell.

 

Kinda wondering what info it could actually give away that would bother me.

When you get home/leave? There may be a pattern that can be used to make a profile.

Not sure why you would ring your own doorbell though... 

Link to comment

12 minutes ago, WereCat said:

Not sure why you would ring your own doorbell though

Motion activation. It will just turn on and start recording simply by walking past it. Or if a squirrel or bird goes by it.

 

But that begs the question: Who is obtaining this info that wants to break into your house?

Link to comment

Hmm... I wonder if my Nest thermometer will start advertising low-cost homes in Oregon, Washington, or Colorado... ?

 

Also, this is not OK. Data profiling needs to be controlled before it gets out of hand and we have a dystopian "mega city" problem. 

Link to comment

10 hours ago, WereCat said:

When you get home/leave? There may be a pattern that can be used to make a profile.

Not sure why you would ring your own doorbell though... 

I mean that info, I don't really care who knows that info.

Depending on the day I leave anywhere between 4:30 and 6:30am and get home anywhere between 4 and 10pm.

If they wanna waste their time profiling that then go for it lol.

Link to comment

10 minutes ago, RonnieOP said:

I mean that info, I don't really care who knows that info.

Depending on the day I leave anywhere between 4:30 and 6:30am and get home anywhere between 4 and 10pm.

If they wanna waste their time profiling that then go for it lol.

I mean, the info in itself isn't that useful but combined with the rest of things that are tracked about you via phone, browser, etc... it may be significant.

Link to comment

17 minutes ago, WereCat said:

I mean, the info in itself isn't that useful but combined with the rest of things that are tracked about you via phone, browser, etc... it may be significant.

That's kinda what I was getting at.

The info my doorbell has on me is meaningless imo.

The data my phone and its apps collect are worrisome though.

Of course I just have the doorbell. Not the security cameras.

Link to comment

The deployment of connected home security cameras that allow footage to be queried centrally are simply not compatible with a free society. The privacy issues are not fixable with regulation and there is no balance that can be struck. Ring should be shut down immediately and not brought back

 

This is a direct quote from an Amazon employee.

 

https://thenextweb.com/artificial-intelligence/2020/01/28/amazon-engineer-ring-should-be-shut-down-immediately-and-not-brought-back/

 

Link to comment

On 1/29/2020 at 4:44 AM, WillyW said:
Quote

"Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system."

It's all bad right now

Link to comment

18 hours ago, jagdtigger said:

Said this many times, if someone is dumb enough to buy smart junk they deserve it....

 

18 hours ago, WereCat said:

When you get home/leave? There may be a pattern that can be used to make a profile.

Not sure why you would ring your own doorbell though... 

 

On 1/28/2020 at 10:28 AM, RonnieOP said:

I have a ring doorbell.

 

Kinda wondering what info it could actually give away that would bother me.

To all above, kinda need to RTFA: the EFF article is stating the information they share with 3rd parties is device information such as BOSD data (browser, OS, device), sensor data (gyroscope, accelerometer), and network data (e.g. carrier type, IP address) among other things that can be used to build a profile and identify you (e.g. even email addresses). It's not about them peeping into your Ring cameras, watching you leave your home, watching your dog poopy in the yard, watching the mailman drop off a box, etc.

 

Basically, this tracker scandal has very little to do with the Ring doorbells and cameras themselves, this is about the mobile app sharing data about your device (e.g. Android/iPhone device) and how/when/where you use your devices. This sort of sharing happens with just about ANY app on your smart phones, tablets, computers, etc., but to varying degrees of severity. Just by virtue of having one (an android/iOS device, tablet, etc.) at all: you're being tracked. Install an app? Now they're tracking you too. Simply browsing a website? You're still being tracked.

 

To be clear, I'm not downplaying that this is among the more egregious tracking revealed to date. I just want to set the record straight that this is about a mobile app sharing device data and user telemetry, not about 3rd party corporations surreptitiously gaining access to your Ring doorbells or security camera feeds.

Link to comment

54 minutes ago, SPARTAN VI said:

 

 

To all above, kinda need to RTFA: the EFF article is stating the information they share with 3rd parties is device information such as BOSD data (browser, OS, device), sensor data (gyroscope, accelerometer), and network data (e.g. carrier type, IP address) among other things that can be used to build a profile and identify you (e.g. even email addresses). It's not about them peeping into your Ring cameras, watching you leave your home, watching your dog poopy in the yard, watching the mailman drop off a box, etc.

 

Basically, this tracker scandal has very little to do with the Ring doorbells and cameras themselves, this is about the mobile app sharing data about your device (e.g. Android/iPhone device) and how/when/where you use your devices. This sort of sharing happens with just about ANY app on your smart phones, tablets, computers, etc., but to varying degrees of severity. Just by virtue of having one (an android/iOS device, tablet, etc.) at all: you're being tracked. Install an app? Now they're tracking you too. Simply browsing a website? You're still being tracked.

 

To be clear, I'm not downplaying that this is among the more egregious tracking revealed to date. I just want to set the record straight that this is about a mobile app sharing device data and user telemetry, not about 3rd party corporations surreptitiously gaining access to your Ring doorbells or security camera feeds.

Ok, thanks for explaining that.

In that case... I don't care to be honest. Like you said, our phones are already doing all that. And the government already has literally everything about me and my DNA on file.

So I've given up on my privacy in that sense. There's not much they can do with that info to harm me that I can see.

Link to comment

18 hours ago, SPARTAN VI said:

 Just by virtue of having one (an android/iOS device, tablet, etc.) at all: you're being tracked.

(I'm talking about strictly Android phones.)

Nope, pretty much false. Having Play Services installed is what you want to write. As long as you use an AOSP ROM without it, it won't track you.

18 hours ago, SPARTAN VI said:

Simply browsing a website? You're still being tracked.

Again, can be prevented. (Pretty easily with all the addons out there)

 

 

But with these so-called "smart" devices you can't do much. They won't work without contacting their server and we all know how non-existent their security is.....

Link to comment

@jagdtigger For sure, there are ways to obscure your Internet footprint. My point is that this is about installing an app on your device that's sharing data with 3rd parties, most likely unbeknownst to the user. It's not about the smart doorbells/cameras, the "smart junk" as you called it. It's the apps we choose to install and what those companies do with whatever telemetry they harvest. "if someone is dumb enough to trust corporations/apps/etc with their data, they deserve it..." would be more appropriate. 

Link to comment

On 1/28/2020 at 1:28 PM, RonnieOP said:

Kinda wondering what info it could actually give away that would bother me.

 

On 1/29/2020 at 6:47 PM, RonnieOP said:

In that case... I don't care to be honest. Like you said, our phones are already doing all that. And the government already has literally everything about me and my DNA on file.

So I've given up on my privacy in that sense. There's not much they can do with that info to harm me that I can see.

 

In court it has been shown that an IP address does not equal a person. With this data and the network discovery on Ring you could have a complete list of every device on your network from the Ring's installation along with times, and depending on the device what they were doing. How much of your modem/router's local network communication with your PC is encrypted? With this it would be simple to prove in a court of law you are the guy who downloaded "fishermans wife and fishermans wife two the retentacling" and then sue you for it even if you used a VPN because they are inside your network.

Lately many of these groups that go after people have been going after the uploaders not the downloaders because it is very difficult to prove who downloaded/viewed X from X IP address, but if they have a spy inside your network it is easy.

Remember, just because you think you have done nothing wrong doesn't mean there is not someone somewhere that disagrees, and if everything you do is tracked, that someone can go after you. Same logic as the classic "say nothing" law advice.

And unrelated to quote:

You don't *accidentally* send all this data from every single one of your devices to Facebook. Ring does not deserve any benefit of doubt here and neither does Facebook. If you find the mafia disposing of corpses you don't assume they stumbled upon the corpses and had nothing to do with their deaths. One of the groups being sent the data is the Ring app, which we know is intentional; is there any reason to think it is not all intentional?
