The US-based digital rights group the Electronic Frontier Foundation (EFF) has found that Amazon-owned Ring doorbell app is “packed” with third-party tracking, sending out a plethora of customers’ personally identifiable information.
An investigation of the Ring doorbell app for Android discovered that four main analytics and marketing companies – including Facebook and Google — were receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers.
“Not only does Ring mismanage consumer data, but it also intentionally hands over that data to trackers and data miners,” the EFF said in a release late Tuesday.
“Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system,” said the non-profit group.
In a statement to Gizmodo, the Amazon-owned home security and smart home company said it limited the amount of data it shared.
“Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimise the customer experience and evaluate the effectiveness of our marketing,” the company said.
In November 2019, Amazon rolled out a security patch for its Ring Video Doorbell Pro after Bitdefender security researchers found that it was exposing Wi-Fi network credentials, thus, allowing nearby attackers to intercept them and compromise the household network.
Security researchers from Bitdefender said the Amazon-owned doorbell was sending owners’ Wi-Fi passwords in cleartext as the doorbell joins the local network, thus, allowing nearby hackers to intercept the Wi-Fi password and gain access to the network to launch larger attacks or conduct surveillance.
The EFF said that Ring has exhibited a pattern of behaviour that attempts to mitigate exposure to criticism and scrutiny while benefiting from the wide array of customer data available to them.
“Our testing, using Ring for Android version 3.21.1, revealed PII (personally identifiable information) delivery to branch.io, mixpanel.com, appsflyer.com and facebook.com. Ring also sends information to the Google-owned crash logging service Crashalytics. The exact extent of data sharing with this service is yet to be determined,” said the group.
The group has in the past alerted about the mismanagement of user information which has led to data breaches.
“This goes a step beyond that, by simply delivering sensitive data to third parties not accountable to Ring or bound by the trust placed in the customer-vendor relationship, it added.
Amazon bought Ring in 2018 that sells a range of home security cameras as well as doorbells.
In December last year, parents of an eight-year-old girl in the US were left stunned when a hacker accessed a Ring video camera installed in their daughter’s room and taunted her.
In the video, the hacker can be heard taunting the eight-year-old several times as she is seen clueless as where the voice is coming from.