Wyze App is Tracking you

Soccerman · April 7, 2022, 6:16pm

So I joined the DuckDuckGo App Tracking Protection beta, and I learned some frightening things. The Wyze app was top of the list for tracking app attempts at collecting your information. That isn’t the scary part. The scary part is the sub apps are attempting to collect info 100’s of times a week and they are collecting info like your name, your unique identifier, your GPS coordinates, and 15 other identification fields. I attached pics of the findings for those that are interested.

carverofchoice · April 7, 2022, 7:48pm

I was aware of most of these since I read the privacy policy, and Wyze employees have also discussed these in various threads in the past. We were reassured that Wyze doesn’t sell our personal data and their responses to the questions being asked in the past were pretty reasonable IMO. Wyze has been pretty straightforward with it as far as I saw. Here are some selections of interest from the privacy policy:

Sales of Personal Data: Wyze does not sell your personal information. We do allow third parties to collect certain device identifiers and internet and electronic network activity via our Services for advertising purposes. Please see the “Advertising and Analytics Services Provided by Others” section above for more details.

We allow others to provide analytics services and serve advertisements for us across the web and in mobile applications. These entities may use cookies, web beacons, device identifiers and other technologies to collect information about your use of the Services and other websites and applications, including your IP address, web browser, mobile network information, pages viewed, time spent on pages or in apps, links clicked, and conversion information. This information may be used by Wyze and others to, among other things, analyze and track data, determine the popularity of certain content, deliver advertising and content targeted to your interests on our Services and other websites and online services, and better understand your online activity. For more information about interest-based ads, or to opt out of having your web browsing information used for behavioral advertising purposes, please visit www.aboutads.info/choices in the United States or www.youradchoices.ca in Canada.

Location Information: We derive the approximate location of your computer or mobile device from your IP address. When you use our mobile app, we also collect information about the precise location of your mobile device in accordance with the permission process established by your mobile device.

If you initially consent to our collection of precise location from our mobile app, you should be able to subsequently stop this collection by changing the preferences on your mobile device. If you do so, our mobile applications, or certain features, may no longer function properly. You may also stop our collection of this information by deleting our app from your mobile device.

(ie: we are allowed to change settings to not have our location tracked, we’ll just lose location-based rules and some functionality like I like to use for a lot of my automations…but we absolutely can restrict that info if we want)

Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject browser cookies. Please note that if you choose to remove or reject cookies, this could affect the availability and functionality of our Services.

Website and Mobile App Log and Usage Information: When you use our websites and mobile apps, we collect log and usage information, including the type of browser you use, app version, access times, pages viewed or features selected, IP address, and the page you visited before navigating to our websites.

(basically the same thing 99% of domains do when we visit them…)

Computer or Mobile Device Information: We collect information about the computer or mobile device you use to access our websites and mobile apps, including the hardware model, operating system and version, unique device identifiers, and mobile network information.

(Same as 99% of all domains)

Information Collected by Cookies and Similar Tracking Technologies: We use different technologies to collect information, including cookies and web beacons. Cookies are small data files stored on your hard drive or in device memory that help us improve our Services and your experience, see which areas and features of our Services are popular, and count visits. Web beacons (also known as “pixel tags” or “clear GIFs”) are electronic images that may be used in our Services or emails and help deliver cookies, count visits, and understand usage and campaign effectiveness.

And many other things. They have been pretty upfront about what they collect, and a lot of those things are not uncommon with competitor companies offering IOT devices and services. On phones, some permissions are totally lumped together with others. As an example, I recall that if someone wants to allow Bluetooth permissions to an app, the phone requires that you also give the app location permissions even if they don’t use or care about location for any reason. Android does this to ensure the user knows their location may leak when they use Bluetooth. So in many cases, privacy apps would say an app is collecting their location when in fact it is not, but it is indicating that this information COULD be collected because it was given the permission to do so by giving it bluetooth permissions. So sometimes it gets tricky between what an app actually does vs what we gave it permissions to be able to do.

What is important [to me] is that they have a policy that they are not selling our personal data to others to do whatever they want with it, but some of it is needed for certain functionality. For example, I like being able to have rules based on my location, so I want them to track my location, and I give them those permissions so I can have that extra functionality…but I can also disable that permission if I want. I can also hide my IP address by using a VPN if I want. There are a number of things that could be done if one is concerned. I, personally, am just not concerned as they don’t seem to be doing anything unreasonable that isn’t also being done on the same level or often being done worse by their competitors.

Regardless, the above screenshots are really interesting. I am tempted to try to download and use that new DuckDuckGo app. I appreciate you sharing, that is pretty cool to see everything it can tell us about each app!

EDIT UPDATE:

I downloaded the DDG app and got approved for the App Tracking Protection Beta so I could check it out and learn more about it. Just to clarify, they basically have a list of known tracking companies and block them specifically. For example as it relates to the Wyze app, if you disable location permissions to the Wyze app, the Wyze app will not track your location at all, BUT the DDG beta will still say that GPS and location are items commonly tracked by Braze or Segment-io in some apps. That does not mean your GPS location is necessarily actually being tracked, and in fact it is definitely not being tracked if you have disabled the permission to that app in your settings. Some trackers are contracted with a company to only collect specific information based on their particular agreement with the company. So while a tracker in question may collect GPS coordinates for a particular client app, it may not be part of the contract nor even possible to do through another client app they contract with. The list of all the things a tracker is known to collect in some cases does not mean all that information is infact being tracked and logged from you in this particular case. DDG just lists every known possibility so that you can make informed decisions, including possibly changing or verifying your permission settings to a particular app. Basically, the DDG app tells us that Wyze has contracts with Braze and Segment-io (which they already disclosed to us in past posts, including what they use them for), but DDG does not tell us exactly what is actually being tracked with each logged attempt, just what the companies have ever tracked for other contracted parties. If you disabled the location permission, then they aren’t tracking your location because they don’t have access to it. If you did give it the location permission to track GPS for automations to execute based on whether you’re home or away, it also doesn’t mean that those third parties are necessarily trying to log that every time DDG shows a ping attempt for something related to the Wyze app, nor exactly what counts as a “tracking Attempt.”

See my post below for More details on what Wyze disclosed they use these 3rd party companies for. I HIGHLY recommend reading the explanation for what Wyze has these companies actually doing:

Also here is a more recent quote from Wyze employees that R.Good pulled from the discord server:

R.Good:

This was a direct response from a Wyze associate (Community Manager) in the thread,

"Tracking is a really broad term and I don’t like how this app makes people super nervous about things that are common and not harmful to you in any way. in this case, duckduckgo is blocking segment. io. we use this to understand how you use the app and interact with different screens, and to know when there’s a spike in errors and stuff like that. to be clear, wyze doesn’t and will never sell your data, so this is just blocking our ability to get wyze-specific info about how your use the app that is aggregated to educate our UX, app, and design teams

segment basically is for stuff like - “this app update that changed the design was bad because 30% less people than normal visited this screen that they need” - “this app update caused 20% more people to get this error screen” - “the microSD button is only tapped by 30% of our users, but the area dedicated to it is massive. maybe we should change the design”

FullOfBeans · April 7, 2022, 8:08pm

Customers give permission for Wyze to store and share their information in certain ways, but history shows there’s no guarantees that it’s secure and trustworthy.

Soccerman · April 7, 2022, 10:17pm

You’re joking, right? 1st, you are 100% naive or just stupid, if you think this information isn’t going beyond Wyze. 2nd, I gave you actual proof that your GPS coordinates are being tracked 200+ times in a week through the Wyzw app. Why on earth would that information be necessary to wyze, especially at that frequency??? 3rd, the sub apps that are collecting the data aren’t even going to Wyze, they are most likely going to the source that provides the sub app, and Wyze is getting paid for that data.

I get you are a forum maven, so you are drowning in the Wyze coolaid, but use some common sense for just a few minutes.

FullOfBeans · April 7, 2022, 10:20pm

Hey, man. Pick apart the content of a post to your heart’s content, but don’t attack the poster.

I mean, based on Wyze’s own history of data leaks and outrageously poor communication and response to the Bitdefender report and it’s customers, I am more prone to distrust than trust anything Wyze says in its slick marketing platitudes or performance claims.

But you’ll accomplish more by debating on the basis of facts rather than personal character assassination, which is also against the forum Community Guidelines and can get a person banned. Just sayin’.

Some people are set in their opinions for various reasons. We aren’t gonna change that by calling them “stupid”.

Soccerman · April 7, 2022, 10:52pm

Point taken. I should have just stuck with 100% naive, which is probably more accurate.

And to the point of debating the facts, I know I agreed to let Wyze use some of my personal information, but the difference here is these sub apps embedded within the Wyze app that are collecting the information and most likely sending it directly to sources outside of Wyze. So I guess wyze isn’t actually collecting and selling my data. What Wyze is selling is access to my data so OTHERS CAN COLLECT and USE or SELL it.

Hopefully you can see the difference I am pointing out.

peepeep · April 7, 2022, 10:55pm

Grain o’ salt, but it’s possible that the high number of attempts per tracker are due to repeated attempts because initial attempt is blocked. Maybe check w/ DDG.

https://www.reddit.com/r/duckduckgo/

R.Good · April 7, 2022, 11:01pm

This was brought up on the Wyze discord server recently.

This was a direct response from a Wyze associate (Community Manager) in the thread,

"Tracking is a really broad term and I don’t like how this app makes people super nervous about things that are common and not harmful to you in any way. in this case, duckduckgo is blocking segment. io. we use this to understand how you use the app and interact with different screens, and to know when there’s a spike in errors and stuff like that. to be clear, wyze doesn’t and will never sell your data, so this is just blocking our ability to get wyze-specific info about how your use the app that is aggregated to educate our UX, app, and design teams

segment basically is for stuff like - “this app update that changed the design was bad because 30% less people than normal visited this screen that they need” - “this app update caused 20% more people to get this error screen” - “the microSD button is only tapped by 30% of our users, but the area dedicated to it is massive. maybe we should change the design”

carverofchoice · April 7, 2022, 11:05pm

Here’s an older thread that interested people can review as well, which includes direct responses from Wyze in a bit more detail about those contracted 3rd party companies:

Key responses include the following:

Wyze app data collection

Hey All, @WyzeGwendolyn hunted me down and diligently made sure I got back to all of you here. I am not saying that to downplay the importance of responding here or of downplaying the importance of letting you know what information we collect. I only added that to let you know that Gwen is awesome.

Ok, to the question posed by @Daniel_SA. We are working on implementing both Segment and Braze . They are still not fully implemented, but we do have their basic SDKs inside of our apps starting with release 2.10 and 2.11. So, what do these collect? Let me start by giving a little context on each of these tools.

Segment
Segment is a customer data platform (CDP) and is intended to be a single place where we can unify the data that we collect. One of the reasons we chose to use a platform to unify the data that we collect is because it helps manage data privacy. It can control what platforms get what data and easily let us report the data that we collect to our customers as well as quickly remove data from ALL sources.

Braze
Braze is a customer engagement tool. We chose Braze because it allows us to send all messages from a single platform (email, push messages, in-app messages, etc.) rather than have data spread across multiple tools (like most companies). The data that goes into Braze is managed by Segment. Again, Segment allows us to control what data gets sent in as well as allowing us to quickly pull what we have collected and delete data upon customer request (delete ALL data across multiple sources).

What data do Braze and Segment collect?
Segment and Braze collect usage data from the apps. Currently, they track which screens a Wyze user visits and select actions a user takes within the Wyze app. An example of a select action would be “Turns on Auto-unlock in the Wyze app.” These were all things that we were already tracking and able to see. In addition to app usage tracking, Braze is able to see how a customer engages with any messages that are sent. We are able to see what messages a user received, open rates on messages, if a user closed a message, or if the users chose to visit an additional page after viewing the message, etc.

All message engagement data is tracked by pretty much every platform that sends messages. Our prior email service provider before Braze would do the same.

It is important for us to have this in a single platform because 1) it is actually safer than having duplicate data spread across multiple sources, and 2) it allows us to do things such as set frequency caps on how often a user gets messages and only send messages to those that need them (i.e., don’t send messages about Wyze Sense outages to users that don’t have Wyze Sense products).

These apps DO NOT store or even have access to credit card or password information. We do not intend them to ever do that. We do send in customer email addresses, first and last names (for those that have ordered with Wyze.com), order IDs and shipment tracking numbers. At this time we do not send in phone numbers or addresses.

This data collection and usage is covered in our privacy statement here:
https://wyze.com/privacy-statement

I get it that statements such as these are often overlooked. We tried to make our privacy statement user friendly and readable. The sections that best apply to apps such as Segment and Braze are the “COLLECTION OF INFORMATION,” USE OF INFORMATION," and “SHARING OF INFORMATION” sections.

I hope this helps answer your questions. I am open to feedback on how to communicate this to our users? Should we highlight it in our next privacy statement update? Should we post here in the forum? Should we announce it over social? Thoughts?

Hopefully some of that information is helpful to those interested. Apparently, you can have all your data from Segment suppressed (not just from Wyze, but others too).

FullOfBeans · April 7, 2022, 11:06pm

iOS’s privacy settings allows me to pull up app privacy reports. In addition to hundreds of named domains I don’t like, such as doubleclick and facebook, the Wyze app has also had 385 exchanges with “unnamed domains” in the span of a couple of weeks.

This person asks a pertinent question:

FullOfBeans · April 7, 2022, 11:11pm

Personally, I would prefer Wyze focus it’s energy and attention more on making its firmware and software updates less bug infested in order to STOP BREAKING THE EQUIPMENT WE OWN than examining which app screens I view the most.

Why do their explanations always sound like a steaming pile of manure?

peepeep · April 7, 2022, 11:12pm

Maybe you’ve got some stuck in your ears?

FullOfBeans · April 7, 2022, 11:15pm

I have been listening to you on occasion.

FullOfBeans · April 7, 2022, 11:22pm

I suppose, once the products they sell are out if Wyze’s door, there’s no money to be made in supporting them. It becomes less of a priority.

As with Facebook and everywhere else, “If you’re not paying for a product, you are the product.”

peepeep · April 7, 2022, 11:23pm

Beyond annoying. Pretend transparency. Bitter pacifier.

(not you @carverofchoice , the reality you relay.)

FullOfBeans · April 7, 2022, 11:26pm

The privacy report I’m looking at is specifically pertaining to the Wyze App’s communication with its own and other domains. Permissions are a totally different thing.

I have bluetooth enabled for the Wyze app but I’ve had the location permission set to “Never” from the start.

peepeep · April 7, 2022, 11:27pm

A distinction without a difference for average people using the technology?

FullOfBeans · April 7, 2022, 11:29pm

Maybe in meaning but not in function.

peepeep · April 7, 2022, 11:35pm

The average person can’t meaningfully set the settings. Hell, most exceptional people can’t either - with any certainty they’ve achieved what they aim to.

FullOfBeans · April 7, 2022, 11:38pm

Welp, point taken on @carverofchoice’s comments. So I just turned off blue tooth permission for the Wyze app as well.