Ring App packed with third-party trackers and data shared with analytics firms

Privacy group accuses Amazon's Ring security doorbell app of sharing data with analytics firms, including Facebook

Amazon's Ring has been accused of invading users' privacy by including various third-party trackers in its doorbell app, which send users' confidential information to marketing firms.

That's according to privacy pressure group Electronic Frontier Foundation (EEF), following a thorough analysis of Ring's Android app.

They found the Ring app to be "sending out a plethora of customers' personally identifiable information (PII)" to four main data analytics and marketing firms - Mixpanel, AppsFlyer, Branch and Facebook.

The data collected by third-party data trackers includes user names and email addresses; device and mobile carrier information; data on user interactions with the app; identifiers that enable marketing firms to track users across various apps, and more.

"The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user's device," the EEF said.

"This cohesive whole represents a fingerprint that follows the user as they interact with other apps and use their device, in essence providing trackers the ability to spy on what a user is doing in their digital lives and when they are doing it. All this takes place without meaningful user notification or consent and, in most cases, no way to mitigate the damage done."

Facebook, for example, receives an alert whenever a user opens the Ring app or carries out certain device actions, or when the app is deactivated after screen lock. The company receives a variety of information, such as user's device model, time zone, unique identifier, screen resolution, and language preferences. The social media giant continues to receive information even if users don't have an account on Facebook or reset OS-level advertiser ID.

Mobile analytics firm AppsFlyer receives a similar mix of data, although it is also sent information collected from a device's sensors. In its investigation, EFF found the Ring app sending out data from the device's gyroscope, magnetometer, and the accelerometer.

The data sent to MixPanel includes user's name, email address, device information and app settings. MixPanel is the only company mentioned in Ring's list of third party services.

Branch, which calls itself a "deep linking" platform, gets various unique identifiers (hardware_id, identity_id, device_fingerprint_id) as well as device's model, local IP address, and screen resolution.

EEF also found Ring to be sending information to the Google-owned crash logging service Crashalytics, although it is yet to determine the extent of Ring's data sharing with Crashalytics.

EFF said all the data they monitored in the investigation was sent using encrypted HTTPS. Moreover, it was being delivered in a way to escape analysis, thereby making it difficult for security researchers to report serious privacy breaches.