So I joined the DuckDuckGo App Tracking Protection beta, and I learned some frightening things. The Wyze app was top of the list for tracking app attempts at collecting your information. That isn’t the scary part. The scary part is the sub apps are attempting to collect info 100’s of times a week and they are collecting info like your name, your unique identifier, your GPS coordinates, and 15 other identification fields. I attached pics of the findings for those that are interested.
Sales of Personal Data: Wyze does not sell your personal information. We do allow third parties to collect certain device identifiers and internet and electronic network activity via our Services for advertising purposes. Please see the “Advertising and Analytics Services Provided by Others” section above for more details.
Location Information: We derive the approximate location of your computer or mobile device from your IP address. When you use our mobile app, we also collect information about the precise location of your mobile device in accordance with the permission process established by your mobile device.
If you initially consent to our collection of precise location from our mobile app, you should be able to subsequently stop this collection by changing the preferences on your mobile device. If you do so, our mobile applications, or certain features, may no longer function properly. You may also stop our collection of this information by deleting our app from your mobile device.
(ie: we are allowed to change settings to not have our location tracked, we’ll just lose location-based rules and some functionality like I like to use for a lot of my automations…but we absolutely can restrict that info if we want)
Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject browser cookies. Please note that if you choose to remove or reject cookies, this could affect the availability and functionality of our Services.
Website and Mobile App Log and Usage Information: When you use our websites and mobile apps, we collect log and usage information, including the type of browser you use, app version, access times, pages viewed or features selected, IP address, and the page you visited before navigating to our websites.
(basically the same thing 99% of domains do when we visit them…)
Computer or Mobile Device Information: We collect information about the computer or mobile device you use to access our websites and mobile apps, including the hardware model, operating system and version, unique device identifiers, and mobile network information.
(Same as 99% of all domains)
Information Collected by Cookies and Similar Tracking Technologies: We use different technologies to collect information, including cookies and web beacons. Cookies are small data files stored on your hard drive or in device memory that help us improve our Services and your experience, see which areas and features of our Services are popular, and count visits. Web beacons (also known as “pixel tags” or “clear GIFs”) are electronic images that may be used in our Services or emails and help deliver cookies, count visits, and understand usage and campaign effectiveness.
And many other things. They have been pretty upfront about what they collect, and a lot of those things are not uncommon with competitor companies offering IOT devices and services. On phones, some permissions are totally lumped together with others. As an example, I recall that if someone wants to allow Bluetooth permissions to an app, the phone requires that you also give the app location permissions even if they don’t use or care about location for any reason. Android does this to ensure the user knows their location may leak when they use Bluetooth. So in many cases, privacy apps would say an app is collecting their location when in fact it is not, but it is indicating that this information COULD be collected because it was given the permission to do so by giving it bluetooth permissions. So sometimes it gets tricky between what an app actually does vs what we gave it permissions to be able to do.
What is important [to me] is that they have a policy that they are not selling our personal data to others to do whatever they want with it, but some of it is needed for certain functionality. For example, I like being able to have rules based on my location, so I want them to track my location, and I give them those permissions so I can have that extra functionality…but I can also disable that permission if I want. I can also hide my IP address by using a VPN if I want. There are a number of things that could be done if one is concerned. I, personally, am just not concerned as they don’t seem to be doing anything unreasonable that isn’t also being done on the same level or often being done worse by their competitors.
Regardless, the above screenshots are really interesting. I am tempted to try to download and use that new DuckDuckGo app. I appreciate you sharing, that is pretty cool to see everything it can tell us about each app!
I downloaded the DDG app and got approved for the App Tracking Protection Beta so I could check it out and learn more about it. Just to clarify, they basically have a list of known tracking companies and block them specifically. For example as it relates to the Wyze app, if you disable location permissions to the Wyze app, the Wyze app will not track your location at all, BUT the DDG beta will still say that GPS and location are items commonly tracked by Braze or Segment-io in some apps. That does not mean your GPS location is necessarily actually being tracked, and in fact it is definitely not being tracked if you have disabled the permission to that app in your settings. Some trackers are contracted with a company to only collect specific information based on their particular agreement with the company. So while a tracker in question may collect GPS coordinates for a particular client app, it may not be part of the contract nor even possible to do through another client app they contract with. The list of all the things a tracker is known to collect in some cases does not mean all that information is infact being tracked and logged from you in this particular case. DDG just lists every known possibility so that you can make informed decisions, including possibly changing or verifying your permission settings to a particular app. Basically, the DDG app tells us that Wyze has contracts with Braze and Segment-io (which they already disclosed to us in past posts, including what they use them for), but DDG does not tell us exactly what is actually being tracked with each logged attempt, just what the companies have ever tracked for other contracted parties. If you disabled the location permission, then they aren’t tracking your location because they don’t have access to it. If you did give it the location permission to track GPS for automations to execute based on whether you’re home or away, it also doesn’t mean that those third parties are necessarily trying to log that every time DDG shows a ping attempt for something related to the Wyze app, nor exactly what counts as a “tracking Attempt.”
See my post below for More details on what Wyze disclosed they use these 3rd party companies for. I HIGHLY recommend reading the explanation for what Wyze has these companies actually doing:
Customers give permission for Wyze to store and share their information in certain ways, but history shows there’s no guarantees that it’s secure and trustworthy.
You’re joking, right? 1st, you are 100% naive or just stupid, if you think this information isn’t going beyond Wyze. 2nd, I gave you actual proof that your GPS coordinates are being tracked 200+ times in a week through the Wyzw app. Why on earth would that information be necessary to wyze, especially at that frequency??? 3rd, the sub apps that are collecting the data aren’t even going to Wyze, they are most likely going to the source that provides the sub app, and Wyze is getting paid for that data.
I get you are a forum maven, so you are drowning in the Wyze coolaid, but use some common sense for just a few minutes.
Hey, man. Pick apart the content of a post to your heart’s content, but don’t attack the poster.
I mean, based on Wyze’s own history of data leaks and outrageously poor communication and response to the Bitdefender report and it’s customers, I am more prone to distrust than trust anything Wyze says in its slick marketing platitudes or performance claims.
But you’ll accomplish more by debating on the basis of facts rather than personal character assassination, which is also against the forum Community Guidelines and can get a person banned. Just sayin’.
Some people are set in their opinions for various reasons. We aren’t gonna change that by calling them “stupid”.
Point taken. I should have just stuck with 100% naive, which is probably more accurate.
And to the point of debating the facts, I know I agreed to let Wyze use some of my personal information, but the difference here is these sub apps embedded within the Wyze app that are collecting the information and most likely sending it directly to sources outside of Wyze. So I guess wyze isn’t actually collecting and selling my data. What Wyze is selling is access to my data so OTHERS CAN COLLECT and USE or SELL it.
Hopefully you can see the difference I am pointing out.
Grain o’ salt, but it’s possible that the high number of attempts per tracker are due to repeated attempts because initial attempt is blocked. Maybe check w/ DDG.
This was brought up on the Wyze discord server recently.
This was a direct response from a Wyze associate (Community Manager) in the thread,
"Tracking is a really broad term and I don’t like how this app makes people super nervous about things that are common and not harmful to you in any way. in this case, duckduckgo is blocking segment. io. we use this to understand how you use the app and interact with different screens, and to know when there’s a spike in errors and stuff like that. to be clear, wyze doesn’t and will never sell your data, so this is just blocking our ability to get wyze-specific info about how your use the app that is aggregated to educate our UX, app, and design teams
segment basically is for stuff like - “this app update that changed the design was bad because 30% less people than normal visited this screen that they need” - “this app update caused 20% more people to get this error screen” - “the microSD button is only tapped by 30% of our users, but the area dedicated to it is massive. maybe we should change the design”
Here’s an older thread that interested people can review as well, which includes direct responses from Wyze in a bit more detail about those contracted 3rd party companies:
Key responses include the following:
Hopefully some of that information is helpful to those interested. Apparently, you can have all your data from Segment suppressed (not just from Wyze, but others too).
iOS’s privacy settings allows me to pull up app privacy reports. In addition to hundreds of named domains I don’t like, such as doubleclick and facebook, the Wyze app has also had 385 exchanges with “unnamed domains” in the span of a couple of weeks.
This person asks a pertinent question:
Personally, I would prefer Wyze focus it’s energy and attention more on making its firmware and software updates less bug infested in order to STOP BREAKING THE EQUIPMENT WE OWN than examining which app screens I view the most.
Why do their explanations always sound like a steaming pile of manure?
Maybe you’ve got some stuck in your ears?
I have been listening to you on occasion.
I suppose, once the products they sell are out if Wyze’s door, there’s no money to be made in supporting them. It becomes less of a priority.
As with Facebook and everywhere else, “If you’re not paying for a product, you are the product.”
Beyond annoying. Pretend transparency. Bitter pacifier.
(not you @carverofchoice , the reality you relay.)
The privacy report I’m looking at is specifically pertaining to the Wyze App’s communication with its own and other domains. Permissions are a totally different thing.
I have bluetooth enabled for the Wyze app but I’ve had the location permission set to “Never” from the start.
A distinction without a difference for average people using the technology?
Maybe in meaning but not in function.
The average person can’t meaningfully set the settings. Hell, most exceptional people can’t either - with any certainty they’ve achieved what they aim to.
Welp, point taken on @carverofchoice’s comments. So I just turned off blue tooth permission for the Wyze app as well.