This week, the Electronic Frontier Foundation (EFF) shared the results of its investigation into smart doorbell maker Ring. “Ring isn’t just a product that allows users to surveil their neighbors,” the report reads. “The company also uses it to surveil its customers.” Ring for Android covertly sends personally identifiable information of its customers to third parties, including AppsFlyer, Branch, Facebook, and MixPanel.
Great, here we go again.
Except this time, it’s different. Amazon acquired Ring in February 2018, and it seems like there has been a new Ring scandal every month since. (I ran out of words for links so here are a few more.) An Amazon engineer this week even called for Ring’s shutdown.
This latest scandal isn’t unique to Amazon’s Ring, though. There is a lesson here for every company with an app. Ring is an easy punching bag given all its questionable practices. But next time it could be your company. Whether you consider yourself “a tech company” or not, chances are your app or website is collecting data on your users. You might be using some of the data, your partners might be using some of the data, or a third party you’re not even aware of might be capturing all the data. Regardless, an audit may be overdue.
Nothing makes this clearer than Ring’s response to the EFF’s report. In short, the statement boils down to “this is no big deal.”
“Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimize the customer experience, and evaluate the effectiveness of our marketing,” a Ring spokesperson told VentureBeat. “Ring ensures that service providers’ use of the data provided is contractually limited to appropriate purposes such as performing these services on our behalf and not for other purposes.”
It’s true that Ring’s privacy notice states that “We do not authorize our service providers to use or disclose your personal information except as necessary to perform services on our behalf or comply with legal requirements. We also may share personal information with our business partners (1) with whom we jointly offer products and services; (2) to the extent you use Ring+ to connect to third-party products or services; and (3) for payment processing and fraud prevention purposes.”
In other words, Ring and its partners are collecting personal information to make the app better. And they essentially claim that it’s fine, because this is standard practice and the partners promise not to do anything with it.
Clean up your apps
Come on. Have we learned nothing from the Cambridge Analytica debacle? Agreements and contracts only go so far. They won’t stop parties with vested interests from collecting personal data and using it for their own purposes.
We’re already seeing a backlash on the web to this laissez-faire attitude. The ad blockers were just the start — now even browser makers are cracking down on trackers, fingerprinting, and everything in between. The same is happening with apps.
The “standard practice” excuse and “business as usual” approach are not going to cut it for much longer. Users are going to uninstall apps that get caught pilfering their data en masse. And for those that don’t, Apple and Google will step in to restrict what apps can do — in fact, they’ve already started.
If your company wants to avoid a rude awakening, my advice is to start with reading up on GDPR and CCPA. But if you really care about your users, start even simpler. The only way to avoid your customers’ data getting into the wrong hands is to not collect it in the first place. Go through and make sure you need every single little data point. Then anonymize the ones you need and remove the rest. That might seem like a lot of work, but it’s peanuts compared to dealing with being the next data privacy scandal.
ProBeat is a column in which Emil rants about whatever crosses him that week.