The Electronic Frontier Foundation (EFF) has published the results of an investigation into the Android version of the Ring app which reportedly includes a plethora of trackers sending out customer data to third parties.
On Monday, the digital rights group said Ring for Android version 3.21.1 is “packed” with third-party trackers that collect customers’ personally identifiable information (PII) including names, private IP addresses, mobile network carriers, persistent identifiers (PIDs) — long-lasting references to digital objects — as well as sensor data.
According to the report, this information, which together establishes a solid picture of a device and its user, has been sent to four main analytics and marketing companies. The PII collected is sent to Branch, MixPanel, AppsFlyer, and Facebook.
“The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user’s device,” the EFF says. “This cohesive whole represents a fingerprint that follows the user as they interact with other apps and use their device, in essence providing trackers the ability to spy on what a user is doing in their digital lives and when they are doing it.”
Facebook apparently receives an alert via the Graph API when the Ring application is opened, as well as when actions including app deactivation due to inactivity occur, whether or not the user is also present on the social network.
The EFF says that time zones, device models, language preferences, screen resolution, and unique identifiers are also sent to the company.
Branch receives unique device identifiers alongside local IP addresses, device models, screen resolutions and DPI, whereas AppsFlyer is granted mobile carrier data, user action information, and unique identifiers, as well as sensor data.
MixPanel, however, reportedly receives the most information “by far,” including names, email addresses, device models and operating systems, whether or not Bluetooth is enabled, and Ring app settings.
The EFF added that Google-owned crash logging system Crashlytics is also a data recipient, but the extent of the data it receives is unknown.
While user data is sent via encrypted HTTPS, the organization says that this information, even if only used for marketing purposes, is being collected and sent without “meaningful” user notification or consent.
“Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short but harm the customers and community members who engage with Ring’s surveillance system,” the digital rights group added. “This goes a step beyond that, by simply delivering sensitive data to third parties not accountable to Ring or bound by the trust placed in the customer-vendor relationship.”
Earlier this month, Amazon said that four employees from Ring were fired for improperly accessing customer video feeds, generated from their products, over the past four years.
ZDNet has reached out to Ring and companies mentioned in the report for comment and will update when we hear back.