Amazon’s Ring Doorbell App isn’t quite as private as might be expected and actually hands out user data to several third-parties without consent. That’s based on a recent investigation conducted by Electronic Frontier Foundation (EFF).
Among the largest of the receiving parties is Facebook. EFF found data was being shared with the social media giant not only without permission. The Ring Doorbell App didn’t even take into account whether or not users have a Facebook account. That’s worrying with consideration for how poorly Facebook has treated its own users’ information within the past year.
Facebook isn’t the only third-party to receive data from the Ring Doorbell App either. Amazon’s security products wing has also inadvertently been sharing data with Google. That’s via the crash logging service Crashalytics, which is owned by the search giant.
Finally, three other data aggregate companies — Branch, MixPanel, and AppsFlyer — have also been receiving an inordinate amount of data from Amazon’s Ring Doorbell App.
What user data is the Ring Doorbell App passing out?
EFF says that the concern with the spread of even small pieces of information is that data companies and analytics can easily be used to form a unique picture of a user’s device and the user. Without meaningful user consent and knowledge, home and business owners are summarily left unknowingly open to risks associated with that as a result.
Based on the information discovered by EFF, the bigger story here may be just how much data is being parceled out. Namely, the companies may not need to perform much by way of analytics to build that picture here.
Starting with Facebook, EFF discovered that Facebook’s Graph API is at use in Amazon’s Ring Doorbell App. That’s alerted when the app is open and when device actions are implemented. The information collected includes time zone, language preferences, and screen resolution. But it also includes device identifier information such as model and a unique device identifier.
For ‘deep linking’ platform Branch, unique identifiers are also recorded and sent. But local IP address, model, screen resolution, and DPI are received by the company as well.
AppsFlyer takes things a step further again, tacking on information from device sensors. That includes readouts from the magnetometer, gyroscope, and accelerometer as well as calibration settings.
Worst of all is the data being sent to MixPanel. Not only does MixPanel receive the number of locations a user has Ring devices installed, which could potentially be used to scout a location for theft. The company also collects device OS version and model, Bluetooth and other app settings, and highly-personal identifiable data. For instance, EFF says MixPanel receives users’ full names and email addresses.
Amazon has dropped the ball here on transparency too
Making matters worse for Amazon, Ring only mentions one of the trackers that are found within its Doorbell App. To its credit, that’s the MixPanel tracker which collects the most data. But the tracker is only briefly mentioned in its list of third-party services. The online retail and warehouse giant does not elaborate on what’s being collected or how it’s used.
This isn’t the first time that Amazon has dropped the ball with its Alexa-driven smart home products either. But in those other instances, such as the recent issue surrounding Wi-Fi credentials, the breach of trust was accidental. The breach in question was also fixed quickly.
The company has yet to respond to reports about the data collecting habits of its smart doorbell application. And, in this instance, the collections appear to have been far more deliberate.