Amazon’s Ring is under fire yet again after security experts discovered that the Android app is sending customer information to third parties.
The names, private IP addresses, mobile network carriers, persistent identifiers and sensor data were discovered in the exchange with Facebook and Google, among others.
The report also found that some Ring users whose identity was shared with Facebook do not have an account with the social media network.
The findings were uncovered by the Electronic Frontier Foundation (EFF), a non-profit organizations that defends civil liberties in the digital world, which noted the information was encrypted in a way that it would go undetected by security researchers.
Ring’s Android app was found to be ‘packed’ with third-party tracking, which it uses to send customers’ personally identifiable information to Facebook, Google and other third-parties
While examining Ring’s updated Android app, the organization discovered four unlisted trackers lurking in the shadows that were sending user data back and forth to websites including branch.io, mixpanel.com, appsflyer.com and facebook.com.
Ring also sends information to the Google-owned crash logging service.
‘All traffic we observed on the app was being sent using encrypted HTTPS,’ EFF shared in the report.
‘What’s more, the encrypted information was delivered in a way that eludes analysis, making it more difficult (but not impossible) for security researchers to learn of and report these serious privacy breaches.’
‘The service providers that administer these services use automated technologies to collect data (such as email and IP addresses) to evaluate use of our websites and mobile apps,’ it reads.
However, the company behind the device also notes that it will identify which third-party services specifically are used by the company.
While examining Ring’s updated Android app, the organization discovered four unlisted trackers lurking in the shadows that were sending user data back and forth to websites including branch.io, mixpanel.com, appsflyer.com and facebook.com. Ring also sends information to the Google-owned crash logging service
Out of the companies being fed data only MixPanel is mentioned in Ring’s privacy notice, along with Google Analytics, HotJar and Optimizely. – but does not include Facebook.
‘The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user’s device,’ EFF said.
According to Gizmodo, a ring spokesperson said ‘that Ring takes steps to ensure its service providers’ use of customer data is ‘contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes’.
However, EFF is not sold on these claims.
‘Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system,’ it wrote in the report.
‘As we’ve mentioned, this includes information about your device and carrier, unique identifiers that allow these companies to track you across apps, real-time interaction data with the app, and information about your home network.’
‘In the case of MixPanel, it even includes your name and email address. This data is given to parties either only mentioned briefly, buried on an internal page users are unlikely to ever see, or not listed at all.’
Ring and Amazon found themselves in hot water in December when they were hit with a lawsuit, accusing them of failing to protect their customers from hackers.
The complaint, filed in US District Court for the Central District of California on Thursday, claims that Ring and Jeff Bezos’ Amazon, which bought the company last year, were negligent by not putting in place ‘robust’ security measures.
According to the lawsuit, first reported by TMZ, there have been at least six other instances involving Ring security systems getting hacked across the US in recent years.
WHAT IS RING AND WHY DID AMAZON BUY IT?
Amazon acquired home security startup Ring for a reported £700 million ($1 billion).
The home security startup sells doorbells that capture video and audio.
Clips can be streamed on smartphones and other devices, while the doorbell even allows homeowners to remotely chat to those standing at their door.
Ring sells doorbells (left) that capture video and audio. Clips can be streamed on smartphones and other devices, while the doorbell even allows homeowners to remotely chat to those standing at their door
Ring promotes its gadgets as a way to catch package thieves, a nuisance that Amazon has been looking to remedy.
Amazon late last year unveiled its own smart lock and camera combination called Amazon Key in a move into home security.
Key is designed to provide a secure and trackable way for packages to be delivered inside homes when people aren’t there.
Amazon has bought home security startup Ring for a reported £700 million ($1 billion)
Ring’s doorbell could work well with Amazon Key, which lets delivery personnel put packages inside a home to avoid theft or, in the case of fresh food, spoiling.
California-based Ring first caught the spotlight with a failed quest for funding about five years ago on reality television show Shark Tank.
Ring went on to win backing from the likes of billionaire Richard Branson and Amazon’s Alexa Fund.