Ring Sends Private Data to Third-Party Companies

The Ring doorbell company and its smart devices are in hot water once more after digital rights advocacy group Electronic Frontier Foundation (EFF) discovered that the Android application shares user data with several third-party services, including Facebook and Google.

Companies that build hardware and operate it through apps are expected to get back some telemetry from their customers, but this is usually done with the consent, or is at least mentioned in the EULA agreements. From what the EFF revealed, most of the data sent to third-party organizations is private, and the EULA does not cover its sharing.

EFF investigated the traffic from the Android version of the Ring doorbell app and found that it was sending private data to a number of services, including Facebook and Google. It doesn’t matter whether the user has a Facebook account. The information sent to Facebook includes time zone, device model, language preferences, screen resolution, and a unique identifier.

Other partners that receive data include deep-linking platform Branch (local IP address, mode, screen resolution, DPI, and more) and AppsFlyer (data from interactions with the Ring app and with the AppsFlyer tracking system, if it’s already on the device).

MixPanel, a business analytics service company, gets the bulk of the data, which includes the user’s full name, email address, OS version, Bluetooth state, and various Ring data. This is the only company that appears on the list of third-party services.

“Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system,” reads the EFF statement. “In the past, we’ve illuminated the mismanagement of user information which has led to data breaches, and the attempt to place the blame for such blunders at the customers’ feet.”

Recently, Bitdefender identified a vulnerability in Ring, which was later patched, that allowed an attacker to intercept the Wi-Fi password of the smart doorbell user.