
Amazon's Ring: One spyware app to rule them all, says EFF

Richi Jennings, Industry analyst and editor, RJAssociates

Ring, the video doorbell company owned by Amazon, is under fire yet again this week. This time, it stands accused of silently sending customers’ PII to third-party data companies, including Google and Facebook.

As if that weren’t bad enough, there’s no informed consent. And none of the data companies is named in the privacy policy, bar one. And Amazon does it “in a way that eludes analysis.”

The EFF tested the Android app, but the iOS app is probably the same (but it’s harder to test, because—well, because Apple). In this week’s Security Blogwatch, we hit Uninstall.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: pre-net life.


Jeff’s precioussss

What’s the craic? Suhauna Hussain reports—Ring app shares your personal data with Facebook and others:

Ring … markets itself as protection from the world outside users’ homes. But … EFF said it parsed web traffic … and found that the company distributes customer data mainly to … Facebook, Branch, AppsFlyer … Mixpanel [and] Google.

The information includes users’ full names, email addresses, IP addresses, mobile network carriers and data about sensors installed in the phone, according to the civil liberties group. … But only one of the third-party companies the EFF identified, Mixpanel, is named in … Ring’s privacy policy.

The new California Consumer Privacy Act, which the state will start enforcing in July, could help regulate this type of activity. … It could force the company to disclose more about the third parties that piggyback off its data.

And Ionut Ilascu adds—Ring Android App Sent Sensitive User Data to 3rd Party Trackers:

The EFF was able to intercept the traffic flowing from the Ring app and view the egress data. … The app was feeding personally identifiable information (PII) … to third-party trackers.

A Ring spokesperson [said]: … "Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing. Ring ensures that service providers’ use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes."

Who found it? Bill Budington speaks for the EFF team—Ring Doorbell App Packed with Third-Party Trackers:

The danger in sending even small bits of information is that … companies are able to combine these bits together to form a unique picture of the user’s device. This cohesive whole represents a fingerprint that follows the user … in essence providing trackers the ability to spy on what a user is doing in their digital lives and when.

All this takes place without meaningful user notification or consent and, in most cases, no way to mitigate the damage done. Even when this information is not misused and employed for precisely its stated purpose … this can lead to a whole host of social ills.

Ring has exhibited a pattern of behavior that attempts to mitigate exposure to criticism and scrutiny while benefiting from the wide array of customer data available to them. It has been able to do so by leveraging an image of the secure home, while profiting from a surveillance network which facilitates police departments’ unprecedented access into the private lives of citizens.

Not only does Ring mismanage consumer data, but it also intentionally hands over that data to trackers and data miners. [And is] delivered in a way that eludes analysis, making it more difficult … for security researchers to learn of and report these serious privacy breaches.

Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm … customers and community members. … This goes a step beyond that, by simply delivering [PII] to third parties not accountable to Ring or bound by the trust placed in the customer-vendor relationship.

Time to block a bunch of domains? Think again, thinks geekfly:

Out of curiosity, I used NoRoot Firewall on my Android device to implement filters for the sites mentioned. … The app stops working completely.

I thought perhaps there may be some quasi-legitimate use for Facebook (e.g. authentication), so I unblocked just graph.facebook.com. Still broken. So it would seem that either I whore-out my personal information for an app/device that I also pay for, or find a different doorbell camera.

SRSLY? John Gruber reaches for a tasty, high-protein snack: [You’re fired—Ed.]

This is sort of nuts. Isn’t a doorbell camera the sort of product that obviously demands more attention to privacy from the company that makes it? Third-party trackers are a privacy scourge in any app, but a doorbell camera seems like one of the last apps that should contain them.

Seems like every week there are new disturbing disclosures about Ring. Were these egregious security, privacy, and law enforcement issues part of the company culture before Amazon bought them? … And why does Amazon, of all companies, need third-party trackers at all?

Well, quite. stormcrash is amazed:

It's amazing how all the fear about voice assistants spying on you turns out to have just been misdirected. Instead it's the doorbell that's spying on you.

The recent scandals and shenanigans coming out of Ring have been the biggest destroyer of my goodwill and trust of anything smart devices coming into my home beyond the two Echos I currently have hooked up.

And hermi calls it “Karmic justice”:

Instead of spying on their neighbours, Ring users are getting spied on. That's overall still bad, but I can't help but feel Schadenfreude about this.

Wait. Pause. Dare Obasanjo—@Carnage4Life—has harsh words for the EFF:

Practically every mobile app uses analytics packages for user telemetry and conversion tracking of app install ads they run on ad networks. EFF framing this as a Ring specific privacy is misleading and just jumping on the Ring negative press bandwagon.

A bandwagon, you say? Here’s Amazon software development engineer Max Eliaser:

The deployment of connected home security cameras that allow footage to be queried centrally are simply not compatible with a free society. The privacy issues are not fixable with regulation and there is no balance that can be struck.
 
Ring should be shut down immediately and not brought back.

Meanwhile, UshirouJoJo demonstrates an expression:

An app made by a surveillance company shares a bunch of data? This is my shocked face.

The moral of the story?

You trust your analytics partners, but should you? And why would your customers trust them?


And finally

What was life like before the internet?


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Nicole (cc:by)
