wyze app vs data.flurry.com vs customer privacy

I was working on some projects yesterday and while I was taking a break thinking, I decided to tinker with my wyzecams.

When I was using the Wyze app I noticed that a pattern of connections to a host data.flurry.com would occur at the same time. When I looked inside the connection at what it was sending, I was rather surprised and disappointed at the same time.

Here is what I saw that the Wyze app is handing data.flurry.com even before I log in through the Wyze app into the Wyze service.

  • bnd.ver - "bind" or DNS information
  • memory.used.active.start
  • device.os.version
  • device.arch
  • scr.height - screen
  • scr.width
  • device.model
  • com.hualai.WyzeCam
  • default.timezone
  • boot.time
  • memory.used.inactive.start
  • memory.used.wired.start
  • memory.total
  • disk.size.total
  • dbg - usually means "debug"
  • cpu.load.start
  • device.locale - where you are
  • disk.size.used
  • memory.used.inactive.end
  • memory.used.wired.end
  • device.locale
  • cpu.load.end
  • memory.used.active.end
more....

Given that the software needs to know this internally so it can make best use of the local computing resources, it makes sense that the software would be able to reach this information. What does not make sense is that the Wyze app is supplying this to https://data.flurry.com.

By the way, my privacy settings are such that I am not sharing iPhone analytics with Apple or anyone else as noted in the photo.

So why are these data points being exfil’d from my iPhone?

 

Ref:

  • https://flurry.com

“to improve app based upon usage information”… then it is ok to take my information without my knowledge or consent?

 

When the “Share iPhone & Watch Analytics” is toggled on, we see this:

and it shows a link “About App Analytics and Privacy”… as well as showing that the “Share with App Developers” is turned off. Again, my data, my choice, my privacy.

The “About App Analytics and Privacy” shows this:

“At Apple, we believe privacy is a fundamental human right.” as do I.

So what kind of phone do you have? How much did you pay for it? Where did you buy it? Couldn’t you afford a better phone? How did you pay for it? Credit card? What is the interest rate on that credit card? That high? How come you could not get a better rate? (bad credit? can’t hold a job, not smart enough?). Where do you go with the phone? Why do you use it so much while you are at work when it is your personal phone? What are you doing on that phone at 2am that takes up so much bandwidth and processor? None of my business? I couldn’t agree more…

So when we get “Free” service or a “free” phone, some people understand that there is no such thing as free… others are too naïve to understand. Regardless, it does not make it “Ok” to steal my data (a la Facebook). And then when we pay for something, any possible excuse for violating our privacy is completely off the table.

So Wyze wants to improve the product performance and wants to know what kind of phone I have and what kind of processor and what kind of memory and how much of the memory and process are available to the system when Wyze is running and this is a good justification to take the data without my consent, and expressly against my wishes?

When it is time to improve the microphone, will it be OK for Wyze to listen in on our cameras, just to sample the audio to make sure it is up to standard? And the video, the glare we see in the night vision when it is pointed out a window… to help fix that, is it ok for Wyze to sample the video our cameras are capturing to get better night vision… and for better image tracking perhaps? Many cameras are inside pointing out a window which causes reflection… maybe the video they get from my camera will help them figure out how to reflection-cancel the video? What about the camera I have mounted pointing out my bedroom window at the backyard? Room audio? Window reflection?

Oh but that’s violating our privacy? Really? It is only for product improvement and marketing…

There is a very simple line that must not be crossed here… it’s not about what kind of data is being collected via the Wyze camera system without the user’s permission, it is that there is any data being collected without permission. The line in the sand is “permission” and taking something of mine without my permission is stealing.

 

And did you know that even if you put a memory card in the camera to “keep your video private”, the video is being stored on a Wyze server anyway? I wonder where it goes from there and who all has access to it?

#ectogammat

1 Like

I have asked the Wyze reps to look at this thread. Hopefully you will get a response from one of them soon.

Dis gonna be good! Hell, it’s good already…

Btw, the more the sellers know about me, the fewer ads for tampons get I…(Yoda voice).

Not a robot am I…

Hi, thanks for raising this question and bringing this to our attention. We completely understand your concern.

We use Flurry (a mobile analytic service owned by Yahoo Inc.) to collect some non-PII app data for product improvements. For example, we collect connection success/failure rates and error codes to validate changes to our firmware so that we can improve our connection rates over time.

I understand your concern and we will be reviewing our privacy policy to make it more clear for you and our other users. In the meantime, if you have any other questions or would like to discuss this further, please send us an email at support@wyzecam.com.

We appreciate any feedback you have on how we can improve in this area, and will forward it directly to the team working on it.

Thanks again, Elana (Co-Founder of Wyze)

Thank you for your reply.

I would humbly suggest that “no means no” and it would be appropriate to conform to the wishes of the customer as indicated in the Analytics section of the Privacy settings under the Settings app.

I would also suggest that a full disclosure of what information is being extracted would be appropriate. This would include the untagged binary in the data block (sections of the snapshot that are redacted).

All indications suggest the bytes north of 0x039D include:

  • Application identifier (com.hualai.wyzecam)
  • Application version
  • Device type (what)
  • Device version
  • GPS Coordinates (where)
  • Local IP address (identifies the device's location in a corporate organization)
  • MAC Address (unique identifier for the network interface which thus uniquely identifies the iPhone)
  • OS locale
  • OS type
  • OS version
  • Radio type (Wifi or 3G)
  • Screen resolution and orientation
  • Time zone/location
  • Unique identifier (which maps back to the wyzecam.com user account to produce the "who")

While the information does not contain PII, it does not need to be "identifying" to be "personal" or "invasive".

You have a great equation for beating the other camera players … if your equation for inexpensive product does not include selling user’s personal information. If selling user’s data through flurry.com collection is part of your profit model… the derivative may be tangential to success.

As a friendly note, your app identifier domain looks to be invalid. It is using com.hualai yet the com.hualai domain is for sale:

 

1 Like

Thanks for these suggestions. I have shared them with the team working on this. Feel free to reach out any time through support@wyzecam.com to continue the conversation, and I will let you know as we make updates on our end. These things take a little bit of time, but do know that this is a priority for us and we are working on it.

Thanks again,
Elana

I’d rather have this conversation remain on here vice email (if OP agrees). That way everybody is in the loop of what’s going on and what’s being done.

2 Likes

well as long as it is a yahoo company, i know my data is perfectly safe.

 

what is the worst that could happen ?

 

You might want to check out https://pi-hole.net/

By default it blocks all calls to flurry.com and various other advertising, tracking, and telemetry sites that websites and apps report back to.

I’m a satisfied customer. It’s free. And no device in my home network has seen an ad for months.

BTW, flurry.com is not the only api that Wyze calls that is on the blacklist.

1 Like
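To check from the DNS resolver's log which devices on the network are querying flurry.com, and whether those queries were blocked or went upstream, a short log summary can help. This is an added example, not part of the thread or of Pi-hole: the sample lines are constructed in dnsmasq query-log style, and the "gravity blocked" wording, client addresses and upstream address are assumptions that may differ on a given install.

```python
import re
from collections import defaultdict

# Constructed sample in dnsmasq query-log style; addresses and times are made up.
SAMPLE_LOG = """\
Mar  3 09:14:01 dnsmasq[811]: query[A] data.flurry.com from 192.168.1.23
Mar  3 09:14:01 dnsmasq[811]: gravity blocked data.flurry.com is 0.0.0.0
Mar  3 09:14:05 dnsmasq[811]: query[A] example.org from 192.168.1.23
Mar  3 09:14:05 dnsmasq[811]: forwarded example.org to 192.0.2.53
Mar  3 09:15:10 dnsmasq[811]: query[A] data.flurry.com from 192.168.1.40
Mar  3 09:15:10 dnsmasq[811]: forwarded data.flurry.com to 192.0.2.53
Mar  3 09:15:10 dnsmasq[811]: reply data.flurry.com is 203.0.113.7
Mar  3 09:16:00 dnsmasq[811]: query[A] notflurry.com from 192.168.1.40
"""

WATCHLIST = ("flurry.com",)  # domain suffixes to flag (the host named in the thread)
QUERY = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
OUTCOME = re.compile(r": (?:gravity )?(blocked|forwarded) (\S+) ")

def watched(domain):
    """True for a watched domain or any subdomain; 'notflurry.com' must not match."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in WATCHLIST)

def summarize(log_text):
    """Per (client, domain): number of queries and how they were answered."""
    stats = defaultdict(lambda: {"queries": 0, "blocked": 0, "forwarded": 0})
    last_client = {}  # outcome lines carry no client, so credit the latest querier
    for line in log_text.splitlines():
        m = QUERY.search(line)
        if m:
            _, domain, client = m.groups()
            if watched(domain):
                stats[(client, domain)]["queries"] += 1
                last_client[domain] = client
            continue
        m = OUTCOME.search(line)
        if m and m.group(2) in last_client:
            stats[(last_client[m.group(2)], m.group(2))][m.group(1)] += 1
    return dict(stats)

def leaking_clients(log_text):
    """Clients whose watched queries were forwarded upstream instead of blocked."""
    return sorted({c for (c, _), s in summarize(log_text).items() if s["forwarded"]})

if __name__ == "__main__":
    for key, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(key, counts)
    print("reached upstream:", leaking_clients(SAMPLE_LOG))
```

A client listed by `leaking_clients` is resolving the telemetry host through a path the blocklist does not cover, which is the case worth investigating.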

I agree. After buying 20+ cameras I expect honesty in direct questions.

And did you know that even if you put a memory card in the camera to “keep your video private”, the video is being stored on a Wyze server anyway? I wonder where it goes from there and who all has access to it?

How do you claim this to be true? Can I disconnect my sdcard, and still view those videos through the Wyze app?

Hi Elana,
@williamc claimed this:
And did you know that even if you put a memory card in the camera to “keep your video private”, the video is being stored on a Wyze server anyway? I wonder where it goes from there and who all has access to it?

Apart from the data that he mentions going to flurry.com, I am more concerned about my actual videos getting saved to the cloud even if they are stored on the sdcard.

Would you comment on his claim?
Thanks.

How is that not identifying? I’m giving these as gifts and this concerns me. Especially for those of us choosing not to send analytic data on our phones.

Cloud alert videos (12 second clips) are stored on an AWS server. See this for more info about its security:

https://support.wyzecam.com/hc/en-us/articles/360009314072-Security-Privacy-

SD Card video is not uploaded to a server. So only if you have motion/sound alerts turned on is any video being uploaded to a server.

Ok. So when I use the playback feature to view videos on the sdcard remotely, do I make a p2p connection with the camera, which sends the stream to the Wyze app directly? Or does the camera first upload it to the Wyze / AWS server, which in turn streams it to the Wyze app?

Just verified mine is off (“Never”) in the app also, but is it the iOS app or the camera that’s giving up data? Or both? Don’t routers report location to devices? The stuff that is bought and sold on the dark web is scary and consolidating data to actually identify people is the goal of way too many people.

The location permission is optional for now for Wyze App. You can deny the permission request. In our upcoming V2.0 app we don’t request the location permission. In the future if we implement Geofencing we will need the permission for those enabling the feature. Thanks!

2 Likes

You can test this by disabling your modem on your local network but leaving your wifi router active. You will still be able to view the live stream and playback from the SD card. This confirms that the connection is P2P.

Note that you must be logged into the app before disconnecting the modem, as this step does require outside internet access.

1 Like