Ring Doorbell App Packed With Third-Party Trackers (eff.org) 150

Ring isn't just a product that allows users to surveil their neighbors. The company also uses it to surveil its customers. An investigation by EFF of the Ring doorbell app for Android found it to be packed with third-party trackers sending out a plethora of customers' personally identifiable information (PII). From the report, shared by reader AmiMoJo: Four main analytics and marketing companies were discovered to be receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers. The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user's device. This cohesive whole represents a fingerprint that follows the user as they interact with other apps and use their device, in essence providing trackers the ability to spy on what a user is doing in their digital lives and when they are doing it.

All this takes place without meaningful user notification or consent and, in most cases, no way to mitigate the damage done. Even when this information is not misused and employed for precisely its stated purpose (in most cases marketing), this can lead to a whole host of social ills. Ring has exhibited a pattern of behavior that attempts to mitigate exposure to criticism and scrutiny while benefiting from the wide array of customer data available to them. It has been able to do so by leveraging an image of the secure home, while profiting from a surveillance network which facilitates police departments' unprecedented access into the private lives of citizens, as we have previously covered. For consumers, this image has cultivated a sense of trust in Ring that should be shaken by the reality of how the app functions: not only does Ring mismanage consumer data, but it also intentionally hands over that data to trackers and data miners.
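
The fingerprinting effect the summary describes, as an added example that is not part of the EFF report or the Slashdot post: it measures how many devices become unique once individually common attributes are combined, and which attribute an app would have to withhold to undo that. The eight device records and the attribute names (`carrier`, `private_ip`, `sensor_bias`) are constructed for illustration.

```python
from collections import Counter
from itertools import combinations
from math import log2

# Constructed sample: eight devices as a single tracker SDK might see them.
# Values are illustrative only; "sensor_bias" stands in for coarse sensor data.
DEVICES = [
    {"carrier": "CarrierA", "private_ip": "192.168.1.2", "sensor_bias": "low"},
    {"carrier": "CarrierA", "private_ip": "192.168.1.2", "sensor_bias": "high"},
    {"carrier": "CarrierA", "private_ip": "192.168.1.3", "sensor_bias": "low"},
    {"carrier": "CarrierA", "private_ip": "192.168.1.3", "sensor_bias": "high"},
    {"carrier": "CarrierB", "private_ip": "192.168.1.2", "sensor_bias": "low"},
    {"carrier": "CarrierB", "private_ip": "192.168.1.2", "sensor_bias": "high"},
    {"carrier": "CarrierB", "private_ip": "192.168.1.3", "sensor_bias": "low"},
    {"carrier": "CarrierB", "private_ip": "192.168.1.3", "sensor_bias": "low"},
]
ATTRS = ("carrier", "private_ip", "sensor_bias")


def anonymity_sets(records, attrs):
    """Count how many devices share each combination of the given attributes."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def unique_fraction(records, attrs):
    """Fraction of devices whose attribute combination is shared with nobody."""
    sets = anonymity_sets(records, attrs)
    return sum(1 for n in sets.values() if n == 1) / len(records)


def entropy_bits(records, attrs):
    """Shannon entropy (bits) of the fingerprint built from these attributes."""
    total = len(records)
    return -sum((n / total) * log2(n / total)
                for n in anonymity_sets(records, attrs).values())


def survey(records, attrs):
    """One row per non-empty attribute subset:
    (subset, unique fraction, smallest anonymity set, entropy in bits)."""
    rows = []
    for size in range(1, len(attrs) + 1):
        for subset in combinations(attrs, size):
            sets = anonymity_sets(records, subset)
            rows.append((subset,
                         unique_fraction(records, subset),
                         min(sets.values()),
                         entropy_bits(records, subset)))
    return rows


def attribute_to_withhold(records, attrs):
    """Data-minimisation view: the single attribute whose removal leaves
    the fewest uniquely identifiable devices."""
    def remaining_uniqueness(dropped):
        kept = tuple(a for a in attrs if a != dropped)
        return unique_fraction(records, kept)
    return min(attrs, key=remaining_uniqueness)


if __name__ == "__main__":
    for subset, frac, smallest, bits in survey(DEVICES, ATTRS):
        print(f"{'+'.join(subset):35} unique={frac:.2f} "
              f"min_set={smallest} entropy={bits:.2f} bits")
    print("withhold first:", attribute_to_withhold(DEVICES, ATTRS))
```

In this sample no single attribute identifies anyone and carrier plus private IP still leaves every device in a group of two, yet all three together single out six of the eight devices.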

  • Quite the irony (Score:5, Insightful)

    by Anonymouse 2 ( 6383096 ) on Tuesday January 28, 2020 @10:26AM (#59664310)
    That we, the consumer, are paying to lose our privacy. It used to be we got free stuff in exchange for losing privacy. Talk about a race to the bottom.
    • Of course it's full of trackers. Why wouldn't it be?
      • Re:Quite the irony (Score:4, Insightful)

        by 110010001000 ( 697113 ) on Tuesday January 28, 2020 @10:52AM (#59664408) Homepage Journal

        The only thing shocking is when people bring it up. This very website has seven trackers embedded on it.

      • by spun ( 1352 )

        It shouldn't be because, in general, we don't want our personal information used by unknown third parties. We, the people have the ability to pass laws to restrict behaviors we don't want, as long as those restrictions do not infringe constitutional rights. Restricting access to information about us does not violate any rights, so we should enact laws restricting what is done with said information.

        • by bobby ( 109046 )

          Absolutely agree. In fact, we can amend the Constitution if needed, albeit difficult to do.

          Trouble is: we have laws, but people, especially corporations, ignore and violate them. From where I sit, law enforcement is overwhelmed and just prosecutes a few seemingly random cases.

          Plus, this stuff can be difficult to investigate, gather evidence, and present in court.

          Plus, the penalties are too lenient- too often "civil" only, meaning not criminal / jail-time.

          Europe seems to be significantly ahead of us in pri

          • by spun ( 1352 )

            We just need to elect politicians who are not a part of the corrupt establishment. Which just means we need to pay attention. They have lived in their bubble so long, the establishment types can't even fake being a normal person convincingly.

            • by bobby ( 109046 )

              We just need to elect politicians who are not a part of the corrupt establishment.

              What? You're trying to break the system? /s

              Seriously, I don't think there are any such politicians to be found. I think politics has devolved to the point where only inherently corrupt people run for office. And my bigger (cynical) fear is that the system corrupts anyone who gets in, even if they were mostly not corrupt before getting in.

              Sigh. Sorry, I'm sure there are enough good people out there, but getting them to run for office may never happen. Maybe we need to nominate people whether they like it

        • by HiThere ( 15173 )

          Actually, "we the people" can only pass laws in states that have the initiative process, and those usually come with significant restrictions. (And that's *good*. Even with those restrictions in place some really stupid initiatives get passed.)

          If you mean we have the option to vote for whichever pre-bribed candidate we choose, well, that's correct, but it's a far different statement.

          • by spun ( 1352 )

            Take a look at the history of, oh say worker safety laws in the US and tell me we can't get laws passed. Because I will laugh in your face. We, the people, get laws passed when we want to. We even get the constitution amended when we fight for it. Remember, there was a time when women could not vote.

            Don't you dare try to compare us to tyrannies around the globe, or imply that our process is completely corrupt. It has problems, but they are fixable and will be fixed. Anyone who opines otherwise does not h

        • It shouldn't be because, in general, we don't want our personal information used by unknown third parties. We, the people have the ability to pass laws to restrict behaviors we don't want, as long as those restrictions do not infringe constitutional rights. Restricting access to information about us does not violate any rights, so we should enact laws restricting what is done with said information.

          TLDR; "I don't want cuts on my face, but darn it why can't I stab my face with this knife repeatedly and not bleed?! Somebody protect me!"

      • Of course it's full of trackers. Why wouldn't it be?

        From a new book/film from the ghosts of Arthur C. Clarke and Stanley Kubrick, "2020: An App-Space Odyssey":

        David Bowman's grandson Jake is walking down a quiet, lonely street in Houston, TX on his way to Mission Control, busily tapping on his smartphone and staring fervently at its screen, not realizing he had walked into the street against the light. Moments before being struck by a bread truck, he exclaimed, "The thing's hollow -- it goes on forever -- and -- oh my God! -- it's full of trackers!"

    • That we, the consumer, are paying to lose our privacy.

      Speak for yourself. Use the word "I."

      This is slashdot. "We" don't treat ourselves that way here. We run our own cameras, on our own cloud.

  • by JustAnotherOldGuy ( 4145623 ) on Tuesday January 28, 2020 @10:36AM (#59664338) Journal

    Sounds like it's time for Pi-Hole [pi-hole.net].

    "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole, intended for use on a private network."

    Although I have to wonder if those dickheads at Ring would allow your Ring doorbell to function if they weren't able to suck up your sweet, sweet data.

    • by bobby ( 109046 )

      Thank you! I had not heard of Pi-Hole before, but I've envisioned it.

      Have you deployed it? It looks like it only runs on a small set of Linux distros... all 64-bit. A quick glance looks like it's just some python and shell scripts? If so, shouldn't it run on most any 32 or 64 bit Linux distro? What am I missing...

      • I've not deployed it myself (not yet, anyway).

        When Adblock stops doing the job, then I'll probably look into it. I think it'll run on almost any distro.

        From what I gather it takes a bit of tweaking to get everything working properly. And, as someone else mentioned, it can/will break some sites, but once it's configured it's supposed to work very well.

    • I actually just set mine up over the weekend. I recommend the OISD blocklist: https://www.reddit.com/r/oisd_... [reddit.com]
    • by AmiMoJo ( 196126 ) on Tuesday January 28, 2020 @12:48PM (#59664902) Homepage Journal

      But this is an app on your phone, so even if you block those services on your home wifi as soon as you leave the house it will just upload all the cached data over the cellular network.

      Also if you do block all the servers then the app won't work for viewing the doorbell anyway so it's useless.

      What you really want is a Raspberry Pi based CCTV system.

      • But this is an app on your phone

        Mmmm, I don't think so, this is a hardware device that goes between your WAN and the router (usually).

        • by AmiMoJo ( 196126 )

          No, I mean the Ring app is what is exfiltrating the data and a PiHole won't be very effective at stopping it.

    • Seeing as how this is an Android app problem, wouldn't AdAway [adaway.org] be more convenient?
    • That might not help at all.

      You see, these are Appers. They're busy apping. It isn't the doorbell itself that is stalking them, that thing is only stalking their neighbors. It is their jeejah that is stalking them. Their jeejah is on the public network. And it is full of apps.

      Don't put apps on your jeejah. And turn off push notifications already.

    • by imidan ( 559239 )
      I set up Pi-Hole on a Pi that I bought for the purpose last summer. It's been great; it just sits on the network, blocking DNS requests for ads, malware, and other junk. I was a little worried at first that it would impact the speed of legitimate requests, but I don't notice any difference.
  • but a few lengths of wire, a transformer, and way too much work on my part could see me have a Skybell instead. I wonder if they're as skeevy.

    I chose ring for the convenience - battery power, mounted through existing peephole in the door.. I may have to reexamine my choice.

    • by sremick ( 91371 )

      I have a Skybell so I'm curious as well as to whether they send off personal data.

      I chose Skybell over Ring due to the wider operating temperature range, and the 7 days of free video retention without having to pay money for a subscription. Plus I like rooting for the little man since competition is a good thing for consumers.

        • You will never know because the source is closed and the behavior of the device can change at the corporation's whim.

        • Ring is closed and these fellas found it. Failed arg.

          • Correct. Both Skybell and Ring are closed. You will never know what it is doing. What these people "found" are what the app developers didn't bother to hide.

            • by bobby ( 109046 )

              Correct. Both Skybell and Ring are closed. You will never know what it is doing.

              A packet sniffer should reveal much- at least the IP addresses that encrypted stuff is being sent to.

              • Makes no difference. If someone wants to hide what they are doing they will just send it to their IPs. The point is if you run closed code you don't know what is going on.

      • Skybell integrates with my existing alarm, so that was my 1st choice.. when I saw it was 24-vdc only I went the other route.

        Had they had something as slick as the Ring peephole, I would've gone with them in a heartbeat.

      • Unless you built it yourself, it spies on you.
      • by Pascoea ( 968200 )

        and the 7 days of free video retention without having to pay money for a subscription.

        (emphasis mine) Nothing is free. You are paying something for this free service. Likely paying in the same way that ring pays for its "free" service, siphoning off every piece of personal data they can get away with.

    • Check out DoorBird [doorbird.com]. They provide a ready to go cloud service, but if you want you can firewall that sucker and use a SIP client through your own PBX, integrate with an existing smart home system, and/or pull a live feed through an RTSP stream. You'll have to run a wire for it though.
    • by MobyDisk ( 75490 )

      but a few lengths of wire, a transformer, and way too much work on my part could see me have a Skybell instead...I chose ring for the convenience - battery power, mounted through existing peephole in the door..

      I'm confused. How do you charge the battery? A relative of mine has one and they connected it to their existing doorbell transformer. The idea of bringing in my doorbell to recharge it periodically just seems absurd to me. I don't have to take down my smoke detectors or my microwave or my router to recharge them.

      The idea of not having a doorbell transformer also seems odd to me since I've never seen a house without one. Is this a new construction thing? How are people doing doorbells without it?

      • On the Peephole ring, the battery's on the inside side of the door. Change it from inside the house. This one cannot accept hard wired power.

        On the regular ring, the battery's on the outside. You have to go out to change it. This one (I think) can accept power.

        The difference is, the Pro (it's really small, like the Peephole) uses pixel detection, not IR.

        The biggest bone to pick I have -- besides leaking our data -- is that the IR rings are dismal at capturing motion coming to or headed out the lens.

        The

      • If you're capable of building it yourself you could also easily build a wireless inductive charging power bank. With some magnets, you just touch the charger to the device, it sticks and charges, when the light turns green, pull it off and plug it in somewhere.

  • by DavenH ( 1065780 ) on Tuesday January 28, 2020 @10:39AM (#59664348)
    Cannot there be a certification program that confirms that no personal data is being distributed? Some trusted agency that can hook up wireshark and prove nothing untoward is escaping, over long time periods? Ideally, an international non-partisan body, but I'd take anything without direct interests in monetizing data. If a device has to respond to internet signals (i.e. a command from a phone), is the amount of information exchanged in proportion to the need, or is it padded with telemetry data snuck in?

    Privacy policies clearly aren't worth the bytes they're printed on. They will all say whatever sounds most placating. We greatly value customer privacy yadda yadda.

    I don't know of anybody under the age of 65 that trusts smart devices, and why should they? Employees at the big techs confirm listening to the recordings from smart assistants. Orvibo (manufactures smart devices) leaves ElasticSearch port listening for connections, exposing all collected data. This Ring stuff. LG, Samsung, and Vizio caught spying with smart TVs. At this point, the rule should be guilty until proven innocent.

    • Re: (Score:3, Interesting)

      by OrangeTide ( 124937 )

      We should start regulating the sale of anything that has a network connection. It'll stunt the IoT market, but the technology would benefit long term from tapping the brakes a bit. Making money through hard work and ingenuity instead of grifting advertisers with our mostly useless personal information.

      • And here is the endgame: "Regulation of the sale of anything that has a network connection." This is EXACTLY what corporations want. Seriously, what is wrong with you people?

      • by DavenH ( 1065780 )
        I agree that long term it would be a boon to the IoT market. Trust is a required feature for most people, and it's simply unavailable at the moment. When people have evidence they can trust a smart device, I think a substantially greater market would be opened.
      • So far as I'm concerned 'stunting the IoT market' would be a good thing for our species and for Earth in general anyway, it'll cut down on all the e-waste this crap is generating.
        ..and now, some nudnik will chime in with how many industrial uses there are for 'IoT', blah blah blah
        I'm ONLY talking about CONSUMER 'IoT' crap, 99% of which IS NOTHING BUT CRAP. Get rid of it.
    • Cannot there be a certification program that confirms that no personal data is being distributed? Some trusted agency that can hook up wireshark and prove nothing untoward is escaping, over long time periods?

      Probably not. Such oversight bodies are almost always dominated by the people they're supposed to be overseeing, because those people care so much more about shaping the oversight to their own ends than anybody else does.

    • Write to your EU representative (if you don't have one, get a friend in the EU to do it). The EU loves making stuff like that into law, and considering that companies hardly want to produce one item for the EU and another one for other markets, you should at the very least be able to flash EU firmware into your appliance to get what you want.

    • by eth1 ( 94901 )

      Cannot there be a certification program that confirms that no personal data is being distributed? Some trusted agency that can hook up wireshark and prove nothing untoward is escaping, over long time periods?

      I guess you could, but it would be a mess. Version 1 of the firmware has certification X, Version 2 didn't get certified, Version 3 has certification Y, and the most recent 5 releases haven't had time to have been looked at yet.

      Unless we can also have regulation along with it that requires the certification before release, or something.

    • by AmiMoJo ( 196126 )

      You can't really prove it isn't leaking data by looking at packets.

      All you see are some encrypted packets being sent to the Ring servers. Can't tell what's in them, or what Ring does with that data once they have it.

      The best option is regulation. I actually wonder if European Ring customers are spied on like this because if so it seems to be a fairly clear cut GDPR violation of the kind that attracts the maximum fine. Since Ring is owned by Google that could be billions of Euros.

      • Since Ring is owned by Google that could be billions of Euros.

        Ring is owned by Amazon, not Google.

        • by AmiMoJo ( 196126 )

          Yeah, my mistake. Still potentially billions though.

          • Yeah, my mistake. Still potentially billions though.

            My point was that Google doesn't share data with third parties, so it couldn't have been a Google device.

            • by AmiMoJo ( 196126 )

              This is true, but usually gets you modded down for stating it. Let's see if you get targeted.

  • One way to avoid this crap is to use a separate, non-IoT* camera to send alerts.

    I use Blue Iris with a cheap dedicated cam that just watches the front door, completely separate from the RCA video doorbell. When the cam 'sees' something it sends me a text with an image. The doorbell is superfluous (but nice to have as a backup).

    And no, I don't trust that the RCA doorbell is any more secure OR less intrusive than a Ring doorbell. I just don't like the Ring garbage.

    -
    *IoT = Internet of Targets

    • by DogDude ( 805747 )
      What happens at your house that you need so much surveillance at your front door? Is your house a nuclear missile launch site or something?
      • by Pascoea ( 968200 )
        My neighbor had someone gain entry to their house, and I live in a nice neighborhood. That alone is a good enough reason to have a camera up. If that's not a concern, maybe they just like catching porch pirates?
      • What happens at your house that you need so much surveillance at your front door?

        If you had ever had your home broken into, you wouldn't be asking this question.

        I also receive a lot of packages and it's nice to get a notification when that happens, but that's really more of a convenience thing and not a security thing.

      • Where I'm at it's a weekly thing to get 2 or 3 clips of miscreants tugging on car doorhandles. Sometimes they get lucky and hit an unlocked car and clean it out in plain view of a Ring (or other) camera.

        But you forget the other function of a Ring is as a two-way intercom. It's scratchy AM-radio quality, but it is just the thing to tell travelling salespeople to go beat it. Don't need a new roof, don't need new windows, don't want to hear about the Church of Whatever, and especially not interested in bein

  • I'm wondering what the firmware looked like pre-Amazon take over of Ring.
    • Wonder as much as you want. It is closed source so you never know what it is doing and it can change daily.

      • by Hydrian ( 183536 )
        I was more interested if the application was corrupt at the start or if it was Amazon's influence that corrupted the application.
        • How many people you're spying on is the business argument for the sale.

          You perceive "corruption" where it is actually the intended, well known business intent.

          Stop wondering.

  • by nitehawk214 ( 222219 ) on Tuesday January 28, 2020 @10:49AM (#59664400)

    This is why "If you are not the customer... you are the product." is junk. Even when you do pay for the product, if a company can squeeze some extra cash out of you by selling your data, they will.

    The only way companies will learn is by making it illegal and jail time for executives. Fines won't do it, as that is the shareholder's money, not the executives. They will still get paid in real cash with real golden parachutes, not seemingly worthless stock options.

  • THIS is why ANYBODY with ANY brains at ALL keeps these insidious devices OUT of their homes.. If I recall correctly, in George Orwell's "how-to" on surveillance and other topics, the state provided the surveillance equipment. In our reality, the corporations entice the sheep to spend their hard-earned money on the surveillance equipment. Guess the corporations are one-up on George Orwell....

    • And yet you are being tracked right now on this very website. It has seven trackers on it. But please continue your rant if it makes you feel better.

      • We made the decision to visit slashdot, but we did not decide to be tracked by facebook, google and whoever else those trackers belong to.

        • Well too bad, because slashdot decided you should be tracked by facebook, google and whoever else. You should get rid of your computer since it is an insidious device (or stop visiting tracking sites).

  • Frankly, IOT devices have gotten so out of hand that government intervention seems to be the only solution. Europe has the GDPR, which is at least a start. The rest of the world has nothing, afaik.

    - It should be illegal to sell devices that share information with third parties without customer opt in. Devices must provide full functionality if the user does not opt in to data sharing.

    - The company must not collect unnecessary data for itself; only data required for the correct functioning of the device and

  • of an Intelligently Designed Internet Of Things Solution that is bought by its acronym.

    Like most of them, come to think of it...

  • And consign it to Hell
    {and Amazon along with it}

  • From IoT proponents to discovering it was a bad idea. Again, I was ahead of the game.
  • Someone had to say it, may as well be me.
    In their futile quest for 'security' people are putting themselves into a cage.
    Anyone want to bet on if and when they'll wake up and realize how stupid they're being?
