No, that’s not a typo. Following the debate around Ring security after a user’s account was “hacked”, Ring is in the media again for an unfavourable reason. The report released by the EFF outlines details of Ring sending user data to not just one, but multiple third parties. If this were an issue from six months ago it might be easier to overlook, but the issue is present in the current version of the Ring app in the Play Store.

There is something of an ass-covering clause in Ring’s privacy notice – yes, I read it AFTER this came to light – under “information sharing”:

We do not sell or otherwise share personal information about you except as described in this Privacy Notice. We may share your personal information with (1) our affiliates and subsidiaries and (2) our service providers who perform services on our behalf, such as marketing, customer service, order fulfilment and data analytics and storage.

We do not authorize our service providers to use or disclose your personal information except as necessary to perform services on our behalf or comply with legal requirements.

We also may share personal information with our business partners (1) with whom we jointly offer products and services; (2) to the extent you use Ring+ to connect to third-party products or services, and (3) for payment processing and fraud prevention purposes.

We also may disclose personal information about you (1) if we are required to do so by law or legal process (such as a court order or subpoena); (2) to establish, exercise or defend our legal rights; (3) when we believe disclosure is necessary or appropriate to prevent physical or other harm or financial loss; (4) in connection with an investigation of suspected or actual illegal activity; or (5) otherwise with your consent.

Those last three words, “with your consent”, are the bone of contention for a lot of users around this particular issue. Consent was not given, and users are having their information shared with third parties they are not at all involved with, nor want to be.

The report outlines who is receiving information, what information they get and, somewhat disturbingly, when. In some cases this is granular enough to cover the moment you open the app and the moment you close it.

Our testing, using Ring for Android version 3.21.1, revealed PII delivery to branch.io, mixpanel.com, appsflyer.com and facebook.com.

Facebook, via its Graph API, is alerted when the app is opened and upon device actions such as app deactivation after screen lock due to inactivity.

Of the four parties the EFF identified, Mixpanel is the only one listed on Ring’s third-party services page, which is grossly out of date: it shows a last update of 22nd May 2018 and does not list Branch, AppsFlyer or Facebook at all. The services listed are:

  • Google Analytics
  • Mixpanel
  • Hotjar
  • Optimizely

It’s a depressing hit of reality when your personal data is shared without consent, but when it comes from a company which recently hit the PR trail to assure users their data is safe, and whose own privacy standards say exactly that, it’s a very bad look.

What information went where?

There are five destinations to which the current version of the Ring app sends your data.

Crashlytics – a crash logging service owned by Google

While any external data logging and sharing can be used for evil, I choose to believe that Ring is trying to do the right thing here. Crashlytics is a real-time crash data capture service offered by Google that, used correctly, can be hugely beneficial to the user experience by surfacing bugs much faster than conventional user reporting pathways.

That being said, crash reporting typically captures a lot of information about the user, their device and general usage patterns. Potentially location data as well, but that would be an unusual thing for a crash reporter to capture.

Facebook

Who else would head the list of getting your data without you consenting to it? Facebook has rapidly developed a reputation for private data mining over the last year. As with other issues in the past, they receive your data whether or not you are a Facebook user. The other data they receive includes:

  • Your timezone
  • Device details such as model, screen resolution and a unique ID
  • Language preference

Branch

Branch is essentially a company you can pay to get access to users who are likely to want your products. They achieve this through data mining and acquisition, which lets them offer a “deep linking” pathway where they know they’re displaying to the right people. In Branch’s own words:

Branch handles all the complexity so that your links work across every platform and channel. Our strong link matching guarantees that your users are delivered exactly where you want them.

Branch gets a pile of information too, including:

  • Device information – model, screen resolution and DPI
  • Unique identifiers for your device, including: device_fingerprint_id, hardware_id, identity_id

The next two are where I’m particularly bothered by the amount of information being shared without explicit consent.

It’s not okay for the data above to be handed to third parties either, but much of it is usage data about the app rather than personally identifiable data. The following two companies get data that can specifically identify individual users, and that is really not okay.

AppsFlyer

The data that AppsFlyer gets from the Ring app is quite specific to an individual user and their daily habits:

  • App launch and interactions inside the app
  • When you installed Ring, via what pathway, and your first launch info
  • Your mobile carrier
  • Whether AppsFlyer is already installed on the phone – it comes preinstalled on some low-end devices, a potential cost-saving pathway for manufacturers who sell your data
  • Sensor data from your phone – accelerometer, gyroscope, magnetometer and calibration

Mixpanel

It’s already been mentioned that Mixpanel is the only one of these parties listed as a third party that Ring works with. So technically, you have consented to them having some analytical data about you and your usage patterns.

But the amount of information they receive is beyond what many consider appropriate for this setting, and it is collected without consent being sought. This includes users’ full names, email addresses and some pretty detailed data about your device. The data captured includes device model and OS version, whether your Bluetooth is enabled and the number of locations you have devices installed at.
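If you want to check this sort of thing for yourself rather than take a report’s word for it, the method is the same one the EFF used: route the phone through an intercepting proxy (mitmproxy or similar), capture the app’s outbound requests, and then compare where they go and what they carry against what the vendor actually discloses. The script below is an added example written for this post, not tooling from the EFF report or from Ring. The flow records in it are constructed by hand to look like what a proxy would show you; the hosts, keys and values are illustrative and are not real captures from the Ring app. The mapping of the four disclosed products to hostnames, the first-party hostname `api.example-vendor.com` and the list of “PII-looking” keys are all assumptions you would adjust for the app you are auditing.

```python
"""
Audit captured app traffic against a vendor's disclosed third-party list.

Added example for this post. SAMPLE_FLOWS is CONSTRUCTED test data in the
shape an intercepting proxy would give you (request URL + decoded JSON body);
nothing here is a real capture from the Ring app.
"""
import json
from urllib.parse import urlparse

# Hosts for the four products on the vendor's third-party services page.
# Assumption: the product -> domain mapping is ours, not the vendor's.
DISCLOSED_HOSTS = {
    "google-analytics.com": "Google Analytics",
    "mixpanel.com": "Mixpanel",
    "hotjar.com": "Hotjar",
    "optimizely.com": "Optimizely",
}

# Body keys we treat as identifying a person or a specific device.
# Assumption: extend this for the app under test.
PII_KEYS = {
    "email", "full_name", "name", "device_fingerprint_id", "hardware_id",
    "identity_id", "android_id", "advertising_id", "advertiser_id", "carrier",
}

FIRST_PARTY = "api.example-vendor.com"  # assumed vendor API host

# Constructed sample flows: (request URL, decoded JSON body).
SAMPLE_FLOWS = [
    ("https://api.example-vendor.com/v1/session",
     {"email": "u@example.com", "token": "abc"}),            # first party, ignored
    ("https://api2.branch.io/v1/open",
     {"device_fingerprint_id": "f1", "hardware_id": "h1",
      "identity_id": "i1", "model": "Pixel 3"}),
    ("https://api.mixpanel.com/track",
     {"event": "app_open",
      "properties": {"$email": "u@example.com", "$name": "Jane Doe",
                     "bluetooth_enabled": True}}),
    ("https://graph.facebook.com/v2.9/activities",
     {"event": "MOBILE_APP_INSTALL", "advertiser_id": "ad-1",
      "extinfo": ["a2", "Pixel 3", "1080x2160"]}),
    ("https://t.appsflyer.com/api/v4/androidevent",
     {"carrier": "ExampleMobile", "installDate": "2020-01-01",
      "sensors": {"accelerometer": [0.1, 0.2, 9.8]}}),
    ("https://settings.crashlytics.com/spi/v2/platforms/android/apps/x",
     {"os_version": "10", "model": "Pixel 3"}),
]


def registered_domain(host: str) -> str:
    """Collapse a hostname to its registrable domain (naive last-two-labels
    rule). A production tool should use the Public Suffix List so that e.g.
    example.co.uk is handled; the shortcut is fine for the hosts used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_pii_keys(obj, found=None):
    """Walk a decoded JSON body and collect keys that look like PII or device
    identifiers. Mixpanel-style reserved properties carry a leading '$'
    ($email, $name), so that prefix is stripped before comparison."""
    if found is None:
        found = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            norm = key.lstrip("$").lower()
            if norm in PII_KEYS:
                found.add(norm)
            find_pii_keys(value, found)
    elif isinstance(obj, list):
        for item in obj:
            find_pii_keys(item, found)
    return found


def audit(flows, first_party=FIRST_PARTY, disclosed=DISCLOSED_HOSTS):
    """Return {domain: {disclosed, pii_keys, requests}} for every third-party
    destination seen in the flows. First-party traffic is skipped."""
    report = {}
    for url, body in flows:
        domain = registered_domain(urlparse(url).hostname or "")
        if domain == registered_domain(first_party):
            continue
        entry = report.setdefault(domain, {"disclosed": domain in disclosed,
                                           "pii_keys": set(), "requests": 0})
        entry["requests"] += 1
        entry["pii_keys"] |= find_pii_keys(body)
    for entry in report.values():
        entry["pii_keys"] = sorted(entry["pii_keys"])
    return report


def undisclosed_recipients(report):
    """Third-party domains that receive traffic but are not on the disclosed list."""
    return sorted(d for d, e in report.items() if not e["disclosed"])


if __name__ == "__main__":
    rep = audit(SAMPLE_FLOWS)
    print(json.dumps(rep, indent=2))
    print("Undisclosed recipients:", undisclosed_recipients(rep))
```

Run against a real capture, the useful output is the second line: every domain that gets traffic and is not on the vendor’s own list is exactly the kind of gap the EFF report describes, and the `pii_keys` column tells you whether that gap is merely embarrassing or actually identifies the user.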

TechHive has received a statement from Ring about the emerging situation:

Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing. Ring ensures that service providers’ use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes.

While this does solidify the stance from the privacy statement to some degree, particularly considering the parties involved, it still raises the question of why this wasn’t far clearer, including up-to-date information, in the documentation they provide online.

Do you think Ring has crossed the line by sending this amount of personal data to third parties, or do you expect that your data is being moved around by companies like this?

Source: EFF.
Source 2: Techhive.
3 Comments
Deej

I wonder if OAIC would be interested in this. I wonder if this would qualify as a reportable data breach. I think I’ll give it a go.

AdamM

Unfortunately, these days it seems that if you choose to use an online service of almost any kind you need to assume your data is being shared or sold on without your knowledge, regardless of what organisations put in their privacy policies. The only way to prevent it is to not use those services.

Jamie S

Yep, if all this information is correct and they have been sharing my data, especially with Facebook, then I don’t think I’ll be purchasing any more Ring products and may end up offloading the ones I already have.