Ring, the Inc.-owned maker of high-tech doorbells and home security cameras, markets itself as protection from the world outside users’ homes. But its app collects data from users’ phones and shares that information with multiple third-party trackers, according to a report by the Electronic Frontier Foundation.

The information includes users’ full names, email addresses, IP addresses, mobile network carriers and data about sensors installed in the phone, according to the civil liberties group, whose work focuses on privacy and other digital rights.

The EFF said it parsed web traffic on Ring’s app for Android devices and found that the company distributes customer data mainly to four analytics and marketing firms: Facebook, Branch, AppsFlyer and Mixpanel. Google-owned Crashlytics also receives data from Ring, according to the report.

“Customers should really look hard and see, ‘Is this something that I trust? This surveillance device that can be used to surveil my neighbors is actually surveilling me now,’” said William Budington, a security engineer and technologist at the EFF.

Ring said in a statement that it allows third parties to use the data only for “appropriate purposes.”

But only one of the third-party companies the EFF identified, Mixpanel, is named in Ring’s list of third-party analytics services.

AppsFlyer, a mobile marketing analytics company, collects information on user actions within the Ring app and on calibration settings and sensors installed on the device.

“Just having the information on what sensors your phone has is quite in-depth,” Budington said. “It’s concerning because of the level of detail and insight into your device’s characteristics. A tracking company can stitch together and create a fingerprint of your device — a cohesive whole about what your device looks like.”

It doesn’t take much to fingerprint a device, said Eric Goldman, a Santa Clara University School of Law professor who co-directs the school’s High Tech Law Institute.

“For example, if you can see all the apps on a person’s device, that alone might be unique to everyone else in the universe,” Goldman said. “We have all probably configured our apps differently.”

Bringing together some of the data Ring provides could show, hypothetically, that you opened a gameor joined a Wi-Fi hotspot in your home, Budington said. The more information collected, the better a company can put together a picture of what you’re doing in your digital life.

“Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing,” a Ring spokesperson said in a statement. “Ring ensures that service providers’ use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes.”

Ring said it uses MixPanel to target messaging within the app when it launches new features. Generally the company may collect and disclose personal information — such as when users interact with the app or their Ring devices — to third-party services in order to track the performance of various features, the company said.

Budington noted that Ring may not necessarily be in violation of its own privacy policy. But he said Ring’s privacy policy is too broad and vague, and it’s concerning that even the company’s list of third-party services is not accurate.

Goldman said it’s unclear why Branch or Facebook would need information from Ring to help with analytics or targeting ads.

Branch spokesperson Alex Austin said the company provides a service that fixes mobile links that take users to the correct page. “To perform this service for Ring and many others, we must process some data from within the app but take extreme care when handling it,” Austin said in an email. Per the company’s user data policy, Branch collects device data like advertising identifiers, IP address and cookies but does not collect or store information such as names, emails or physical addresses.

Other companies named in EFF’s report did not respond to requests for comment.

The new California Consumer Privacy Act, which the state will start enforcing in July, could help regulate this type of activity by Ring, Goldman said. Depending on how the state attorney general’s office interprets the law, it could force the company to disclose more about the third parties that piggyback off its data.

Read or Share this story: