GDPR?
How is this even remotely compliant?
Smart-home biz Ring sends its users’ personal app data to a range of analytics and marketing companies, according to an analysis carried out by the Electronic Frontier Foundation (EFF). Already under fire for giving the cops access to footage from its ubiquitous video doorbells, the Amazon-owned manufacturer is also apparently …
Article 77 of GDPR - the data subject can choose which supervisory authority they lodge the complaint with...
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.
I have a camera. It appears as though my data has been unlawfully shared. I don't think I consented to this... Now I'm aware of it, I don't like it, anyway.
So, what can a layperson such as myself do to get my money back for my device as I uninstall it from my premises? Where's the breach of contract I can cite?
I have some of their cameras as well, and an unanswered question is if this tracking was added after Amazon bought the company or was it integral to the app from the very beginning.
I have a suspicion it is the former, also incidentally explaining the added connectivity delays now seen in the app since Amazon took over. It used to be that clicking on an alert got you very rapid connection to a live feed, but ever since Amazon has been involved the alert connectivity delay has gotten worse and worse, many times refusing to connect from the alert at all.
If this snooping is correct, can we start a class-action lawsuit for violation of trust and unlawful data collection?
The ability for you to combat this will depend a lot on where you are. European residents have access to GDPR and California residents to CCPA, and they can report these violations. However, that doesn't necessarily mean the various authorities will do something about the problem. It's worth doing if you live in one of those areas, but you will probably have to have owned and activated such a camera to do so. Unfortunately, in many other areas, the laws around when a company can gather information and sell it without informing you are much looser, and this does nothing for you if you've been filmed by someone else's camera. Depending on the violations that can be easily proven, it may be possible to involve biometrics protection laws, but I'm guessing they had a EULA that included legal protections for them somewhere on page six.
I have some of their cameras as well, and an unanswered question is if this tracking was added after Amazon bought the company or was it integral to the app from the very beginning.
The Exodus reports for the app go back to July 2018 and the trackers built into the app have not changed from then to now. Amazon bought Ring in February 2018 so it looks like it's a pre-Amazon thing, but there's no definitive proof.
Just as the majority of people have a lot of their shopping tracked through loyalty cards and the like we'll all end up with information like this shared all over the place. Now, I don't really mind, to a point. That point being there is no reason at all to send information that can identify me as a person. I don't care if they know that someone with x device had it fail on y version of software on z device. But they should keep that information to themselves. I also don't care if they pass to their marketing team very abstract data such as "only 10% of x device users have also purchased such and such add-on" so email those that allow it some ads for the addons.
This all seems reasonable. But where it crosses that line is having information that identifies me when they don't need it and not giving me the option to opt out of the kind of example I've listed above.
It does make me consider creating my own options - blocking some of them at device level as my own enforced consent manager.
Wouldn't it be more effective to attack this issue at the back-end where the information is being sold and made use of? Wouldn't calling for regulation and transparency on the _sale and purchase_ be a better starting point than trying to control and regulate what data companies collect? If Facebook, Google and other actors had to divulge what personal information they sold to whom and for what purpose I think we would start to see companies be a lot less interested in participating in this marketplace.
Already covered by GDPR.
Under GDPR, whoever is collecting any PII (in this case, Ring) is required to tell you before they collect any of it:
What they are going to collect
What it will be used for
Who else will be allowed access to it
How long they will keep it
If it isn't PII that they require for a "legitimate need" (such as needing your address in order to post your order to you, or keeping details for 7 years in case the tax man asks to audit their books, etc) then they MUST ask for your informed and freely given consent. "Informed" means that they have laid it out in terms you can reasonably be expected to understand, made it easily accessible (ie not buried in the 6 point footnotes to page 57 of an EULA), and you must have the option of just saying no.
If they make use of the item or service dependent on your consent, then any consent is not freely given. If they pre-tick the consent box then that's not consent - it is required to be affirmative, ie you agree to it, rather than having failed to opt out. If they don't tell you what they are supposed to, then you can't give informed consent.
And if they use PII for any purpose whatsoever other than what you agreed to, or were informed about in the case of "legitimate interest", then that's a breach as well.
So yes, the collection and dissemination of the information described in the article is absolutely illegal under EU law. It needs enough "users" to make complaints that the various bodies can't ignore those complaints. You can complain to the information protection department/organisation in the country where the offender is based - or another useful feature of GDPR, to your own (ie in the UK, to the ICO) who will take care of liaising with their colleagues in the appropriate country.
...for working out how much of my data is likely to be slurped:
(Purchase price of "traditional" solution) - (purchase price of "alternative" system) = (value of my data to be re-sold)
For Ring home security I reckon: £400 - £200 = £200
So that's £200 of my data that Ring will have to sell to hit their target. Same goes for contract phones etc.
Are people naive enough to think Ring are the only connected camera maker (or any other app maker for that matter) using analytics? Is this any more concerning than accepting cookies on a web page? Solution - Something like Pi-Hole?
The "Police accessing cameras" was nothing more than looking at videos in the neighbourhood app that people have publicly shared. Solution - Don't share what you're not happy for everyone to see.
The hackers accessing cameras seems to have been down to people using the same weak passwords for everything and other site user databases getting compromised. Solution - Enable 2 factor auth and don't use the same password on everything.
Ring aren't entirely blameless in any of this of course, but everyone else seems to be sitting happily in the shadows at the moment while Ring takes all the fire.
Two days ago I was asked to help set up a friend's new smart TV. As I don't own a TV I may not be the best person for this sort of advice. The TV was connected via wifi and I searched for a browser. As the TV had inbuilt Chromecast I was expecting to find the Chrome browser. All I found was something called Vewd.
I read the EULA which had to be accepted before it would work. It said something like this: "We will install Vewd and also some third party software, we accept no liability for this software". It did not say what this software was but I'm guessing that it's spyware. I declined their kind offer.
Then when I tried to pair my phone it wanted access to my contacts and browsing history. Feck that! <goes back to my cave>
"The researchers managed to crack that approach by injecting code that forced the app to trust a certificate provided by the mitmproxy analysis software they were using – at which point they were able to see what types of information were being shared and to whom."
If white hat researchers can do it, what's stopping black hats from doing the same?