
Ring Doorbell App Packed with Third-Party Trackers - panarky
https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-party-trackers
======
code4tee
Other product companies take note: the tide is turning on all this “tracking”
nonsense. Clean up your house now or find yourself shamed into submission
later.

Consumers increasingly don’t care that “the lawyers said it was OK because
it’s on page 73 subsection C line 4 of the use agreement for the product.”
Privacy is the new black.

~~~
zionic
Honestly what we need is an Equifax-style hack at the NSA/Facebook/Google to
absolutely shock people into reality about privacy.

Imagine being able to type in anyone's name and see their entire search
history for the last 10 years. It would be total chaos. We'd have a
constitutional amendment enforcing digital privacy within a few months.

~~~
jason0597
I'm already thinking of doing any "sensitive" searches (i.e. stuff I would
rather Google not know, e.g. my mental health state) on Google through
Chrome's incognito mode, but then I think about it more and I realise that if
I do a search on incognito mode, the browser probably knows and marks it as an
extra special search and hence becomes even more "sensitive" (and reports back
to Google)

~~~
kdtsh
If you’re worried about Google knowing, you shouldn’t use Google’s browser.
While they might not mark searches like that, we don’t know what Chrome does
when we tell it to search for something we’re sensitive about.

~~~
buckminster
If you’re worried about Google knowing, you shouldn’t use Google’s search
engine!

------
sliken
For those that want to avoid such silliness, Reolink sells relatively cheap
cameras. Rated for outdoors, power over ethernet, $50-$60 per camera, and
includes a microphone.

They can easily be connected to ZoneMinder, or any software that can take a
rtsp:// URL. Even handles motion detection for specific areas of camera, so
you can include the driveway but exclude the sidewalk. You can have it email
or upload videos... without access to any Reolink related cloud.

So you could easily put them in production with zero network access and let
something you control notify you with images or video clips for any activity.

There are numerous cheap products, but the Reolink seems to be one of the better
ones that play well with others and doesn't require any WAN network access.

Ubiquiti and Axis also have some very nice products, but generally are more
expensive.

~~~
Jsharm
Having thrown countless hours into zoneminder I had to give up. It's just too
buggy. Does anyone have any other alternatives they've got to work? Open
Source or otherwise

~~~
sliken
Try shinobi or motioneye if you want open source.

There's quite a few solutions in this space: free, freemium, and commercial.

~~~
shifto
I don't recommend Shinobi after using it for a few months. It's far from
finished, can't do most basic stuff and the interface is horrible.

------
kingosticks
Are many Ring units sold outside of the US? I see them advertised as a way to
combat this "porch pirate" thing. But to me, as someone living in the UK, the
idea of a delivery person leaving a package on my doorstep for someone to
steal is mad. If I'm not in I expect another delivery attempt or for the
package to be taken to the secure local* depot where I can pick it up. If they
decide to leave it outside my door and it gets stolen, I fully expect (and
will get) another one delivered at no cost to me, other than the time penalty.
Why is this even a thing? Is this a new thing that Amazon created with their
delivery strategy and now you also get to buy the solution from them?!

And if it's just a security camera watching my property/car, then a dumb one
sounds fine and cheaper. Not to mention it'll actually look like a security
camera which is arguably more valuable as a deterrent.

* rarely that local.

~~~
tw04
So do you just always have someone at home? Or do your packages always go to
the secure local depot?

Neither is really a great option in the US because:

Most families have both adults working.

Other than a handful of cities, people are so spread out that having enough
secure depots in the right locations would be astronomically expensive.

~~~
viceroyalbean
In Sweden most packages are delivered to third party businesses that sign
agreements with the delivery companies. Places like gas stations, convenience
stores and grocery stores.

Nowadays there are companies that offer evening time home delivery so that you
can always be there.

~~~
Noos
We have this here in the USA too. UPS has what's called "access points" where
things can be delivered, or are dropped off if they can't get you. Some
packages are signature required, so if no signing, it gets sent there.
Convenience stores, etc.

It's just mostly people aren't used to doing that and are hard to change.
People often just send packages to work or a friend's house instead. With
access points, they can and will return a package to sender beyond a certain
time.

~~~
JohnFen
> People often just send packages to work or a friend's house instead.

I'd say that about half of the packages that get delivered where I work are
for individuals getting their personal stuff.

------
snowwolf
I wonder why Ring is being specifically called out for this practice. This
combination of “trackers” are very common in the app ecosystem as they perform
much the same analytics functions used on the web ecosystem (e.g. Branch
offers ad campaign attribution - did this user sign up from an ad campaign and
which one so I can work out ad ROI). I’d hazard a guess that analysis of the
apps on your phone (Android and iOS) would result in well over 50% of them
using some combination of these services.

What’s more interesting is that it could be argued these fall under the intent
of the EU cookie directive (even though in a lot of cases they don’t actually
use cookies). The only app I have seen asking for cookie like consent is
Airbnb (who use all of these same services and more)

~~~
arexxbifs
I think several companies are routinely called out for nefarious privacy
invasions. Ring is extra interesting because of the hypocrisy in claiming
they're in the home security business, while actually gathering and selling
information that can be directly counter-productive in that effort (such as
when a customer is likely to be home or not).

~~~
snowwolf
The thing is they aren’t actually selling that data. All the services
mentioned are paid services that Ring are paying to use. And ironically they
sprang up to fill a need because Google and Apple made it almost impossible to
do app install attribution to protect people’s privacy. So we now get more
invasive tracking to work around that.

~~~
blaser-waffle
> The thing is they aren’t actually selling that data.

Says who, the company itself? Why install trackers if you're not going to use
them?

~~~
snowwolf
They aren’t trackers in that respect. Read up on the companies in question.
They basically provide analytics to mobile apps so they can better understand
their customers to allow them to improve the experience of the app.

It’s the equivalent of Google Analytics.

Now how those companies then use the data they collect as part of providing
analytics is another question (and why lots of people prefer to block Google
Analytics for example)

~~~
JohnFen
OK, not technically trackers, but certainly spyware.

~~~
WWLink
Bingo! Spyware. Let's call it what it really is.

------
bdcravens
So how many developers here use Google Analytics, Intercom, Segment, error
logging like BugSnag or Sentry, etc?

Wait until the BBC finds out how many of us are giving Amazon user data. (I
mean, it's s3 and RDS, but that clarification would be overly pedantic)

~~~
Nextgrid
The difference is that Amazon isn’t an advertising company and has little
incentive going through user data on their systems. In addition, the data
isn’t in a standardised format so they would have to spend considerable
efforts parsing the data first.

Facebook and Google on the other hand make their money from stalking people
and developers are giving them data in a nice standardised format.

~~~
bdcravens
> Facebook and Google on the other hand make their money from stalking people
> and developers

Yet React and Angular are quite popular

~~~
Nextgrid
I fail to see the correlation. You can be an asshole on one side and still
make a great product on the other side.

------
surround
I could show this article to my neighbor who owns a Ring doorbell and he
wouldn’t care. Nobody I know seems to care about digital privacy. And it’s not
just people who are less technically knowledgeable, either. A friend of mine
who has worked in computer sciences his entire life doesn’t care about
privacy. A different friend, who already has a raspberry-pi connected to his
home network, refused to install pi-hole (pi-hole.net) because, in his words,
“I don’t really care.” Nobody cares.

------
andrewxhill
For those interested in alternatives, check out this project to build an open,
privacy-preserving home AI/ML platform
[https://www.kickstarter.com/projects/aikea5/aikea-your-priva...](https://www.kickstarter.com/projects/aikea5/aikea-your-private-camera-at-home)

~~~
BubRoss
What does 'home AI' even mean? Most people just want a video camera with a
webserver on their doorbell.

~~~
jacquesm
Quite likely many people don't even want the webserver.

~~~
ta999999171
webservers can be local, homes.

~~~
Jamwinner
Still just another useless attack surface.

~~~
ta999999171
Put it on its own subnet.

------
ActorNightly
There is a big difference between saying Ring Doorbell leaks user data, and
Ring App leaks user data.

Even though BBC purposefully puts the wrong thing in the title for clicks, I
would hope that HN users would pay more attention to detail.

In other news, smartphones spy on you.

~~~
supercanuck
This is pedantic. The Ring Doorbell doesn't function without the App.

~~~
_jal
"No, you see? It is the remote control that explodes when you push the button.
Not the TV! That's entirely different!"

------
boboguitar
The user data for Google is just crashlytics. Saved a few people a click.

~~~
reaperducer
_The user data for Google is just crashlytics_

Is there an opt-out? Or, more importantly, was there an explicit opt-in?

Data from crashes on my device is still my data, not Google's. Google can pop
up an alert telling me things went pear-shaped, and then _ask_ to send it back
to the devs for analysis.

~~~
izacus
Every single app on your phone will use such a service (Android or iOS).

You're not wrong about ownership of data. But highlighting Ring and Google in
this manner is some seriously biased and dishonest reporting.

~~~
7777fps
Well maybe Ring shouldn't have bundled so many third party trackers.

If it really were just crash reporting, this would have probably gone
unreported on.

~~~
UweSchmidt
Worth noting that "crash reporting" is very much worth reporting on and paying
attention to, as transmitting a lot of sensitive data in crash reports could
be beneficial to fixing bugs (but obviously not beneficial to the individual's
rights).

~~~
bradly
Crash reporting can be important, but there isn't a requirement to use an
advertising company to facilitate it.

~~~
avree
This sort of pedantic hand-wringing is tiring. Google sells many things, one
of which is advertising. Firebase Crashlytics may be free, but it's made
available by Google in the hopes that developers pay for Firebase's full suite
of paid offerings—it's not to populate additional user data to their ad or
search algorithms.

~~~
bradly
> it's not to populate additional user data to their ad or search algorithms.

How do you know this?

Is it "pedantic hand-wringing" to not want my DNA analyzed by an advertising
company as well?

------
MR4D
Should be retitled “ _Android_ Ring Doorbell App...” because there is no
mention of iOS or iPhone anywhere in the article.

Still sucks, but to iPhone users, this just validates their Apple purchase
even more.

~~~
dangus
Do you have some kind of source that would indicate that phone apps on iOS
cannot possibly have any sort of 3rd party trackers?

No claims in the article were made regarding the iOS version of the app, so I
don't know why we should jump to the conclusion that the iOS version doesn't
track what you do and report to 3rd parties.

It looks like the iOS app was not included in the test at all, so no
conclusion can be assumed.

~~~
MR4D
I agree. But the titling is wrong because it only addresses Android.

Likewise, if the reverse were true, and it only dealt with iPhone, then it
should say iPhone in the headline because it didn’t address Android.

This isn’t a preference argument for one phone or the other - it’s about
clarity of what the article is about.

------
5cott0
Half a dozen ad trackers, a/b testing frameworks, & analytics libraries have
been the standard in mobile apps for years.

Growth at all costs.

~~~
rooam-dev
How should someone grow a product without a/b testing and/or metrics?

~~~
5cott0
Did I say you could? Just pointing out the standard because I’m somewhat
surprised this is news to anyone here.

A growth at all costs mindset in many cases leads to redundant and
irresponsible overuse.

------
aembleton
Loads of Android apps do this. If you are running Android >=9 then you can
block the trackers by changing your DNS settings to use one from
[https://nextdns.io/](https://nextdns.io/)

Instructions on changing DNS settings
[https://joyofandroid.com/how-to-change-dns-on-android/](https://joyofandroid.com/how-to-change-dns-on-android/)

------
dpkonofa
Does this only apply to the Android version? Wouldn't the iOS version need
permission to collect things like bluetooth info?

------
sys_64738
Don't install any apps on your Android telephone.

~~~
jrepinc
Or better, but still not perfect advice: Do not install any closed-source app
on your telephone/computer of any brand.

~~~
ta999999171
www.f-droid.org

------
prodigyboi
The article references Crashlytics and MixPanel as third party services where
the data is sent. Aren’t those just tools for error logging and usage
measurement? Not sure about the others though.

------
habosa
I work at Google (on Firebase) but I am asking this question as a regular
mobile developer.

What do people on HN find acceptable in the apps they use? As a developer I
want some basic analytics and crash reporting so I'm not just stumbling in the
dark but I would hate for my users to say that I'm tracking them
involuntarily. Is there a way to strike a balance that seems fair? Are there
particular services people trust?

~~~
woutr_be
I think it all depends on what you use that data for. I have no problem with a
developer tracking me throughout the app, as long as they use the data to
improve their app. The same goes for crash reporting.

But as soon as that data is sold, or used to somehow push sales or content,
then it becomes a problem for me.

------
ogre_codes
It's frustrating that Amazon is trying too hard to win the prize for being the
creepiest tech giant. I generally like Amazon and much of my online shopping
is through them, but this makes me more inclined to try alternatives.

I've already mostly dropped Facebook and Google, it'll be harder for me to
wean myself off of Amazon.

------
bogomipz
Wow what a great irony - a device that's designed to help you surveil your
own property is being used to surveil the people that bought the device and by
extension put their trust in it and the company.

It's one thing to have a business model where it's understood that a service
is free in exchange for user data but what we are seeing increasingly is this
greed where it's not enough to sell a good or service for cash because that
would be leaving money on the table. These companies seem to have an
expectation and entitlement that your data is part of the business model
despite not disclosing that to their customers.

------
bozoUser
How does Ring compare with Nest in terms of the privacy issues noted in the
article?

------
notsureifgood
This may be a workaround for the app for those who are more technical. Since I
have NextCloud Server set up, I added a custom script on the server to auto-
download all my ring MP4s from the Ring Server every 15 mins. Also:

- creates GIF for faster viewing through the nextcloud app.
- updates info for current status of the ring devices.

[https://gist.github.com/parvez/f8375438070fa3b0572013efbe72c...](https://gist.github.com/parvez/f8375438070fa3b0572013efbe72c03d)

It could be enhanced to support SIP for live viewing.

------
0x7B
Has anyone contacted Ring and asked them to enumerate all the third party
services they send data to, why they do it and how to opt out?

I’m a long time Ring customer and this is completely unacceptable.

~~~
nocturnial
If you are an EU citizen, you can ask the company for that data yourself and
if they don't reply, file a complaint with the privacy commission of your country.

The various privacy commissions (PC) in the EU are actually talking to each
other. The privacy invading companies are testing whether or not they can
force their case to be decided only in the jurisdiction of the PC in Ireland.
(legally, this is just nonsense... )

I've seen many try this tactic and it has always failed. I'm guessing they are
using this as a delay tactic to prevent it being decided by the courts.

------
chiefalchemist
Is there any legal precedent for a retailer being held accountable for the
products they sell? Enough to sway decision making at the C-Level? Perhaps
we're one Home Depot or one Lowe's away from "Sorry. We're not going to sell
these type of products." A massive return of unsold product could crush a
young company. If CVS can stop selling cigarettes, perhaps others might follow
but in a different way.

------
classified
This rampant surveillance economy will continue to fester until it bites some
influential people where it really hurts. Until then nobody will be safe.

~~~
chopin
There will be safeguards for influential people but not for us.

------
bogomipz
The privacy horror aside is there a possibility that this data sharing could
possibly be used to subvert the security of the owner's home that Ring is
protecting? Could patterns be inferred such as a home owner's work schedule,
when they are on vacation, that they might be using a device with outdated
firmware etc? Or is that too far fetched?

------
tasssko
Can you wipe the ring firmware and repurpose it?

------
mirimir
This is truly ironic. In that Amazon is using FUD about crime to expose people
to potentially criminal exploitation.

------
amriksohata
Makes you wonder why Facebook needs that data? To link who comes home to FB
location and people's profiles? I'm sure they pay them for this but then you
read what happened after the NSA leak in recent times where the NSA had put
intentional backdoors in with companies

------
bborud
I hope they do Audible next. I'd really like to know whether or not the
extreme sluggishness of the app is due to what I suspect: badly designed
activity tracking that is implemented by developers who don't know how to do this
asynchronously.

------
panpanna
I would love to see some financial documents leaked from these companies.

Let's say Apple pre installs Google+ on all its phones. Then I want to know
how much Apple got paid for this, i.e. how many cents is a user's privacy worth
to them. And how much money did Google make by using this data, i.e. how much
was the data really worth.

Because until we have such data, companies can always hide behind phrases such
as "... share with partners ... to provide relevant services" and all that
nonsense.

~~~
Joeri
Does that really matter? Let’s say they get a hundred dollars per service,
does that make it better or worse, or maybe it doesn’t change anything?

Having said that, I’ve always wondered the same for TV ads. Let’s say I wanted
the option to pay extra to never see ads, how much would that be? Why doesn’t
the market give me that option?

------
sneak
Nanoleaf light panels also phone home (to Nanoleaf) constantly, from the
hardware itself.

------
Havoc
Time to set up a vpn pi hole combo on a VPS. This is getting ridiculous

------
ddggdd
Does anyone know if xprivacylua and adaway can protect me from this kind of
bad behavior?

------
sjmulder
A blatant violation of European privacy law. I hope an ICO picks this up (I've
filed a notice with mine).

~~~
TeeWEE
Most apps that you have installed track information, ip, carrier etc. It's
called analytics. It's naive to think this app does it for evil purposes.

Note: Maybe all apps shouldn't be tracking this. But this is currently how
analytics in apps work.

~~~
sjmulder
That everyone does it is hardly a justification. And companies have no divine
right to analytics, especially not when it concerns PII and paying customers.

------
axelonet
This all is a side effect of the paranoia built by the corporations. Why
would you even want to look at the door when you are 1000's of miles away from
your home. I understand pet and baby monitors but this information being on
the web for anyone is just bonkers. We are in an age where Technology is
advancing at a pace where we don't understand what we need to do with IoT
devices.

~~~
Johnny555
Aside from the obvious use of monitoring my door while I'm away, it's also
useful for knowing when a package is delivered unexpectedly when I'm away from
home so I can ask a friend or family member to pick it up so it's not sitting
on my front porch for a week or two.

~~~
ta999999171
> package is delivered unexpectedly

I...huh? How?

Are you a darknet dropshipper? (Nothing wrong with that, just can't imagine
what carrier doesn't give you a tracking number that you can get alerts on
delivery/check status of.)

~~~
scarejunba
All those Chinese products with free shipping were like that. They'd show up
one day randomly. Also, I buy most of my stuff online so there's always
something in flight. Books, toothpaste, whatever.

~~~
systemtest
I use 17track for that. It's an app that I drop all my AliExpress/Amazon/eBay
tracking codes in and I will get a push notification that the package has been
delivered. Don't need a camera monitoring my neighbour's front door for that.

~~~
sliken
Heh, so never had a friend or family ship you something?

~~~
JohnFen
Not without them telling me in advance, no.

------
esseeayen
There goes the argument "if you're not paying for the product then you are the
product" because ring and associated services aren't cheap.

~~~
ardy42
> There goes the argument "if you're not paying for the product then you are
> the product" because ring and associated services aren't cheap.

Not really. If you aren't paying for the product, then you _certainly_ are the
product. If you are paying for the product, then you _may_ still be the
product, but you also _may_ not. It all boils down in that case to how
trustworthy and greedy the vendor is.

~~~
Barrin92
I think the OP's point is that the latter is so common nowadays that it makes
more sense to not give the benefit of the doubt and assume that paying for
something gives you privacy and makes vendors less data-hungry, and I think
that's probably becoming good advice.

------
sillysaurusx
Little story for you.

When I made the GPT-2 Chess notebook (sigh... do I link to it and risk seeming
like I'm plugging my stuff, or let people google for it? Whatever:
[https://colab.research.google.com/drive/12hlppt1f2N0L9Orp8YC...](https://colab.research.google.com/drive/12hlppt1f2N0L9Orp8YCLgon6EF5V3vuR))
one of the first questions a reporter asked me was "How many people played
it?"

I had to be like "I have no idea. A few thousand at least, based on bandwidth
bills."

Then they started asking if I was tracking the games. "Nope. I don't like apps
that track data, so I didn't want to make one here."

And at the end of it, I was like... this is stupid. I should have tracked
clicks and tracked the games.

We should have a clear distinction between "user data" and "data that common
people might reasonably care about being tracked." The headlines are a strange
game of telephone. Every app tracks data. That's what most apps are for.

~~~
bmgxyz
> And at the end of it, I was like... this is stupid. I should have tracked
> clicks and tracked the games.

Why do you feel this way? I agree with your positions at the beginning ("I
don't like apps that track data, so I didn't want to make one here.") and the
end ("Every app tracks data. That's what most apps are for."), but I don't see
why that would cause you to want to have tracked games and interaction data on
your own project.

Perhaps if I'd ever built something that got popular I'd know the feeling
better.

~~~
sliken
Well generally I think anyone who creates something is interested in some
feedback on how well it's going.

A developer might react differently if 10 people used their software or
10,000. Or even if 10 people used the program 1000 times vs 10,000 people
using it once.

Not to mention that it's hard to iterate on something and make clear
improvements if you can't tell how the software is being used. Sure you can
read forums, tickets, issues, etc. But if your settings allow 1000 different
configurations and 99% of your users use one of 5 different configurations
that can be a very useful thing to know.

------
SlowRobotAhead
I had a ring for one week. After about 24hrs of ridiculous setup, constant
notifications when I left the house or anything happened inside the detection
zone even shadows, and realizing I didn’t coming home to look into a camera
that was constantly uploading to someone’s computer I’ll never be allowed to
access - I put that POS back in the box and returned it.

Nice idea in theory, exploitive data mine in practice. I hate it.

~~~
ActorNightly
Ring doesn't upload data unless you pay for a cloud storage account.

You could argue that the doorbell transmits the video/audio over the internet,
but that transport is encrypted to the Ring app, and it's deleted off of AWS
after it's viewed on the App.

If you really want privacy, you should also return your cellphone and go back
to using a flip phone.

~~~
mojuba
> If you really want privacy, you should also return your cellphone and go
> back to using a flip phone.

Or how about an iPhone with minimal or no 3rd party apps?

Which is practically impossible unfortunately because in order to operate in the
modern world you need at least a few 3rd party messenger apps, your bank's app
and maybe a few more. Theoretically, however, I can have a phone free from
social platforms and 3rd party analytics platforms like MixPanel or AppsFlyer,
with regard to whom I have absolute zero trust.

~~~
JadeNB
> Which is practically impossible unfortunately because in order to operate in
> the modern world you need at least a few 3rd party messenger apps, your
> bank's app and maybe a few more.

I think that this may be true for _convenient_ operation, but not for
operating period. I have none of these apps on my phone and, in fact, don't
regularly use my phone for anything but receiving calls and listening to
audiobooks. (Oh, and alarms, and probably some other stuff I'm forgetting; but
not otherwise for interacting with the outside world.)

~~~
mojuba
I've tried that. All things aside, in business if there's even one important
person you deal with (your investor?) you will have to install at least one of
the messengers they use. It's a question of the balance of power. And you'd
likely end up having more than one VIP in your contact list anyway, unless you
live a totally isolated life.

~~~
JadeNB
That's a good point—in academia, we're a lot more tolerant of technologically
backwards folk like me.

