The Ring Doorbell App reportedly sends a lot of data to third-party trackers
Making your home smarter will nearly always compromise on privacy in some ways, no matter how mundane that product may be. A smart home assistant such as the Google Home or Amazon Echo will undoubtedly be an aid in any home in some ways; but for many, the privacy trade-offs simply aren’t worth it. But that’s to be expected from a device that’s so integrated into your home with an always-polling microphone. But can privacy concerns crop up for a more mundane household object, such as a doorbell? As it turns out, the official app for Ring Doorbells has a lot of third-party trackers, according to a report by the Electronic Frontier Foundation.
The EFF found that the Ring app for Android was sending a lot of data in bits and pieces to four different analytic and marketing companies. The data includes names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data from paying customers. While none of this information can be paired individually to a singular user, the overall data creates a unique fingerprint for a device that can be combined and used to track a given user. Personally-Identifying Information was found to be sent to branch.io, mixpanel.com, appsflyer.com, and facebook.com.
When the Ring Doorbell app is opened, even if the user does not have a linked Facebook account on-device, Facebook receives data when you open and close the Ring app and under certain device conditions such as locking due to device inactivity. Also received by Facebook is data on time zone, device model, language preferences, screen resolution, and a unique identifier.
Branch (self-described as a “deep-linking” platform), meanwhile, receives unique identifiers along with the device’s local IP, model, screen resolution, and DPI. AppsFlyer also gets information such as in-app actions like visiting the “Neighbours” section of the app, and other data such as mobile carrier, data related to Ring app’s first installation and subsequent launches, unique identifiers, and whether AppsFlyer tracking came pre-installed. Companies can pre-install bloatware in order to offset some production costs of a smartphone, thus resulting in a lower price for the consumer at the cost of privacy. AppsFlyer even gets more in-depth sensor data such as magnetometer, gyroscope, and accelerometer.
However, MixPanel gets the most information by far. Users’ full names, email addresses, device information such as OS version and model, whether Bluetooth is enabled, and app settings such as the number of locations a user has Ring devices installed in, are all collected and reported to MixPanel. MixPanel also gets a mention in Ring’s list of third-party services, but Facebook, Branch, and AppsFlyer do not.
As you can see, a lot of data is being sent to third parties, and the extent of the data being shared is not disclosed by Ring. The data was collected via intercepting traffic sent from a device with the Ring Doorbell application installed. AFWall+ was used to block all other apps on the device from communicating with the internet, to remove any unnecessary noise. The app was found to be trying very hard to elude analysis, but the team at the EFF was eventually able to bypass its safeguards regardless.