The Electronic Frontier Foundation (EFF) on Monday announced that its research into the Ring app’s Android version identified several embedded third-party trackers sucking up “a plethora” of personal information.
Three of the trackers aren’t included in Ring’s privacy notice—a list last updated a year and eight months ago.
The civil liberties group, whose work focuses on privacy and other digital rights, said it had observed Ring for Android’s activity using tools for inspecting web traffic. EFF researchers found it was delivering users’ personal information to four marketing and analytics firms, including Facebook.
In Facebook’s case, Ring hands over data whether its customers have Facebook accounts or not, the EFF said.
The list, last updated in May 2018, does not include Facebook and other trackers currently in use.
“Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing,” a Ring spokesperson told Gizmodo.
According to EFF’s research, Ring for Android version 3.21.1 delivers a range of personal information to the following sites: branch.io, mixpanel.com, appsflyer.com and facebook.com.
Gizmodo also inspected Ring’s web traffic can confirm the EFF’s findings.
“The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user’s device,” EFF said. Privacy researchers refer to this as a digital “fingerprint,” which marketing companies use to paint a complete portrait of a person’s likes and activities.
A Ring spokesperson said that Ring takes steps to ensure its service providers’ use of customer data is “contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes.”
In the case of business analytics service MixPanel—the only tracker identified by EFF listed among Ring’s third-party services—Ring provides access to users’ names, email addresses, and device information, such OS version and model, EFF said.
Ring told Gizmodo that MixPanel is used to target messaging within the app when new features become available, including security-related settings. Other trackers help the company identify which in-app features are performing the best, it said.
Ring was purchased by Amazon in the summer of 2018. The company markets a line of home security products, including the popular Ring Doorbell, which uses Amazon Web Services (AWS) servers to store footage.
Privacy advocates have scrutinized Ring heavily over the past year, largely due to its quickly expanding local law enforcement partnerships, the terms of which appear often to restrain public officials from speaking freely about the services Ring provides.
Gizmodo reported last year, for example, that Ring had edited the written statements of police officials. In some cases, Ring’s intervened to omit the word “surveillance” from quotes attributed to senior police officials, warning them that use of the term could elicit “privacy concerns” among consumers.
“Ring claims to prioritize the security and privacy of its customers,” EFF Senior Staff Technologist William Budington said in a statement, “yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system.”
Updated, 11pm: Article was updated to reflect Ring data collected by Gizmodo confirmed EFF’s findings.