back to article Ding-dong. Who's there? Any marketing outfit willing to pay: Not content with giving cops access to doorbell cams, Ring also touts personal info

Smart-home biz Ring sends its users’ personal app data to a range of analytics and marketing companies, according to an analysis carried out by the Electronic Frontier Foundation (EFF). Already under fire for giving the cops access to footage from its ubiquitous video doorbells, the Amazon-owned manufacturer is also apparently …

  1. IGotOut

    GDPR?

    How is this even remotely compliant?

    1. Chris G Silver badge

      Re: GDPR?

      Trouble is, it needs some complaints made to the EDPS so that they can take action.

      Trouble is that most of the idiots who buy this stuff can only see out through their navels.

    2. Timmy B Silver badge

      Re: GDPR?

      As the GDPR says that you must be given the option to opt out without any detrimental effects then I cannot see that it is.

      I have started the ball rolling on a GDPR complaint.

    3. Charlie Clark Silver badge

      Re: GDPR?

      It isn't. But perhaps more of a problem for Amazon is that it is also against the new Californian rules which could lead to those class action suit.

    4. EnviableOne Silver badge

      Re: GDPR?

      short answer is it isn't:

      The problem is Amazon EU HQ is in Luxembourg and the CNPD (ICO for Luxembourg) is only 8 people and they would be lead on GDPR enforcement....

      the CCPA falls over as they are based in Seattle WA, not Silicon Valley

      1. GreggS

        Re: GDPR?

        Yes, but RING's EMEA HQ is in the Netherlands.

        1. natatron

          Re: GDPR?

          Article 77 of GDPR - the data subject can choose which supervisory authority they lodge the complaint with...

          Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

  2. Ambivalous Crowboard

    So... what now?

    I have a camera. It appears as though my data has been unlawfully shared. I don't think I consented to this... Now I'm aware of it, I don't like it, anyway.

    So, what can a layperson such as myself do to get my money back for my device as I uninstall it from my premises? Where's the breach of contract I can cite?

    1. Danny 14 Silver badge

      Re: So... what now?

      GDPR should do. When they refuse shop em to ICO.

    2. Snake Silver badge

      Re: So... what now?

      I have some of their cameras as well, and an unanswered question is if this tracking was added after Amazon bought the company or was it integral to the app from the very beginning.

      I have a suspicion it is the former, also incidentally explaining the added connectivity delays now seen in the app since Amazon took over. It used to be that clicking on an alert got you very rapid connection to a live feed, but ever since Amazon has been involved the alert connectivity delay has gotten worse and worse, many times refusing to connect from the alert at all.

      If this snooping is correct, can we start a class-action lawsuit for violation of trust and unlawful data collection?

      1. doublelayer Silver badge

        Re: So... what now?

        The ability for you to combat this will depend a lot on where you are. European residents have access to GDPR and California residents to CCPA, and they can report these violations. However, that doesn't necessarily mean the various authorities will do something about the problem. It's worth doing if you live in one of those areas, but you will probably have to have owned and activated such a camera to do so. Unfortunately, in many other areas, the laws around when a company can gather information and sell it without informing you are much looser, and this does nothing for you if you've been filmed by someone else's camera. Depending on the violations that can be easily proven, it may be possible to involve biometrics protection laws, but I'm guessing they had a EULA that included legal protections for them somewhere on page six.

      2. Dan 55 Silver badge

        Re: So... what now?

        I have some of their cameras as well, and an unanswered question is if this tracking was added after Amazon bought the company or was it integral to the app from the very beginning.

        The Exodus reports for the app go back to July 2018 and the trackers built into the app have not changed from then to now. Amazon bought Ring in February 2018 so it looks like it's a pre-Amazon thing, but there's no definitive proof.

      3. rmason Silver badge

        Re: So... what now?

        It'll be the former. More specifically that will be what attracted amazon in the first place.

        See also the purchase of fitbit, roomba et al by various parties.

        They don't care about the hoover/step counting watch/doorbell. they wanted all that yummy data.

  3. razorfishsl

    They are just liars and the sooner people stop using & trusting these companies the better.

  4. NanoMeter

    Who in the world wide world can you trust?

    No one, really.

    1. This post has been deleted by its author

  5. Winkypop Silver badge
    Thumb Down

    I file this under "IOT"

    I avoid all IOT tech.

    Sounds creepy BTW.

    1. big_D Silver badge
      Black Helicopters

      Re: I file this under "IOT"

      Yes, such products are consigned to my IoT bin - Internet of Trash(bin).

  6. Anonymous Coward
    Anonymous Coward

    Your ID and the IoT

    IDIoT

    1. Highinthemountains

      Re: Your ID and the IoT

      A first cousin of the id10t error

  7. Timmy B Silver badge

    Sadly this will become the norm...

    Just as the majority of people have a lot of their shopping tracked through loyalty cards and the like we'll all end up with information like this shared all over the place. Now, I don't really mind, to a point. That point being there is no reason at all to send information that can identify me as a person. I don't care if they know that someone with x device had it fail on y version of software on z device. But they should keep that information to themselves. I also don't care if they pass to their marketing team very abstract data such as "only 10% of x device users have also purchased such and such add-on" so email those that allow it some ads for the addons.

    This all seems reasonable. But where is crosses that line is having information that identifies me when they don't need it and not giving me the option to opt out of the kind of example I've listed above.

    It does make me consider creating my own options - blocking some of them at device level as my own enforced consent manager.

    1. fidodogbreath Silver badge

      Re: Sadly this will become the norm...

      This became the norm a long time ago...

  8. Anonymous Coward
    Anonymous Coward

    robbers

    Seems like, should I want to rob homes, I need a Ring subscription. Amazing.

  9. mmonroe

    I guess Trumop hasn't any comment on this - it's OK when a US company spies on the UK but not OK if we install Chinese made telecom equipment, which probably doesn't spy on us.

  10. Mr Dogshit
    FAIL

    One Ring to rule them all, One Ring to find them,

    One Ring to bring them all and in the darkness bind them.

  11. Moldskred

    Why are we focusing on the collection of personal information?

    Wouldn't it be more effective to attack this issue at the back-end where the information is being sold and made use of? Wouldn't calling for regulation and transparency on the _sale and purchase_ be a better starting point than trying to control and regulate what data companies collect? If Facebook, Google and other actors had to divulge what personal information the sold to whom and for what purpose I think we would start to see companies be a lot less interested in participating in this marketplace.

    1. Whitter

      Re: Why are we focusing on the collection of personal information?

      Or "as well"?

    2. SImon Hobson Silver badge

      Re: Why are we focusing on the collection of personal information?

      Already covered by GDPR.

      Under GDPR, whoever is collecting any PII (in this case, Ring) is required to tell you before they collect any of it :

      What they are going to collect

      What it will be used for

      Who else will be allowed access to it

      How long they will keep it

      If it isn't PII that they require for a "legitimate need" (such as needing your address in order to post your order to you, or keeping details for 7 years in case the tax man asks to audit their books, etc) then they MUST ask for your informed and freely given consent. "Informed" means that they have laid it out in terms you can reasonably be expected to understand, made it easily accessible (ie not buried in the 6 point footnotes to page 57 of an EULA), and you must have the option of just saying no.

      If the make use of the item or service dependent on your consent, then any consent is not freely given. If they pre-tick the consent box then that's not consent - it is required to be affirmative, ie you agree to it, rather than having failed to opt out. If they don't tell you what they are supposed to, then you can't give informed consent.

      And if they use PII for any purpose whatsoever other than what you agreed to, or were informed about in the case of "legitimate interest", then that's a breach as well.

      So yes, the collection and dissemination of the information described in the article is absolutely illegal under EU law. It needs enough "users" to make complaints that the various bodies can't ignore those complaints. You can complain to the information protection department/organisation in teh country where the offender is based - or another useful feature of GDPR, to your own (ie in the UK, to the ICO) who will take care of liaising with their colleagues in the appropriate country.

  12. Captain Hogwash

    Just wondering...

    Is the Ring really anything much more than a SIP videophone mounted outside your front door? Seems reasonably straightforward to implement without involving Team Slurp.

    1. Michael Wojcik Silver badge

      Re: Just wondering...

      But less profitable.

  13. Anonymous South African Coward Silver badge

    /points and laughs at IoT owners

  14. Nick

    My rule of thumb...

    ...for working out how much of mydata is likely to be slurped:

    (Purchase price of "traditional" solution) - (purchase price of "alternative" system) = (value of my data to be re-sold)

    For Ring home security I reckon: £400 - £200 = £200

    So that's £200 of my data that Ring will have to sell to hit their target. Same goes for contract phones etc.

  15. This post has been deleted by its author

  16. Raithmir

    Overblown?

    Are people naive enough to think Ring are the only connected camera maker (or any other app maker for that matter) using analytics? Is this any more concerning than accepting cookies on a web page? Solution - Something like Pi-Hole?

    The "Police accessing cameras" was nothing more than looking at videos in the neighbourhood app that people have publicly shared. Solution - Don't share what you're not happy for everyone to see.

    The hackers accessing cameras seems to have been down to people using the same weak passwords for everything and other site user databases getting compromised. Solution - Enable 2 factor auth and don't use the same password on everything.

    Ring aren't entirely blameless in any of this of course, but everyone else seems to be sitting happily in the shadows at the moment while Ring takes all the fire.

    1. Jellied Eel Silver badge

      Re: Overblown?

      Solution - Enable 2 factor auth and don't use the same password on everything.

      Often 2FA is part of the problem, not the solution. Why would I want to share/link my mobile phone to an account, and risk that data being sold or lost in an account database hack/leak?

      1. Raithmir

        Re: Overblown?

        True, I would prefer a time based one time password option for my 2-factor auth. Plenty of open source OTP implementations.

  17. imanidiot Silver badge
    Stop

    Just no.

    Ring was already on my "No, just, no.." list. It's now on my "oh HELL no!" list.

  18. BebopWeBop Silver badge
    Devil

    Ring - in principle a useful device. In practice, however, it is not just that the devil is in the detail, the Devil has written the details.

  19. Mystic Megabyte Silver badge
    Big Brother

    Sony Bravia TVs

    Two days ago I was asked to help setup a friend's new smart TV. As I don't own a TV I may not be the best person for this sort of advice. The TV was connected via wifi and I searched for a browser. As the TV had inbuilt Chromecast I was expecting to find the Chrome browser. All I found was something called Vewd.

    I read the EULA which had to be accepted before it would work. It said something like this: "We will install Vewd and also some third party software, we accept no liability for this software". It did not say what this software was but I'm guessing that it's spyware. I declined their kind offer.

    Then when I tried to pair my phone it wanted access to my my contacts and browsing history. Feck that! <goes back to my cave>

  20. MiguelC Silver badge

    "The researchers managed to crack that approach by injecting code that forced the app to trust a certificate provided by the mitmproxy analysis software they were using – at which point they were able to see what types of information were being shared and to whom."

    If white hat researchers can do it, what's stopping black hats from doing the same?

    1. imanidiot Silver badge

      I'm assuming that's a rhetorical question?

  21. The Central Scrutinizer

    And the stupid truck just keeps rolling down moron street.

  22. rskurat

    malgorithm

    perfect: right under Kieren's byline, a Ring ad

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020