I am NOT talking about Wyze collecting and selling my information.
What I AM making the point about is that it’s clear to me that wyze is selling access to my data through its app so that OTHER companies can collect and sell it. That’s what these sub programs are specifically designed to do, that are embedded in the Wyze app.
This way, Wyze can still say they aren’t selling the data they collect. They probably aren’t.
But our data is still getting collected and sold by these other companies who’s apps are embedded in the Wyze app.
Perhaps the distinction is escaping me because I don’t know how to determine if or what other apps are embedded in the Wyze app. I won’t ask you to explain it, but can you please point me to any references that can show me how that works?
Yeah, so in looking at my other apps that DuckDuckGo is blocking, the Wyze app has by far more blocked accesses than any of the other protected apps. The fact that the one sub app, “segment.io” buried in the Wyze app may have lots of attempts because it’s being blocked is kinda irrelevant when compared to what it’s collecting, like your GPS coordinates, unique identifier, etc.
Keep in mind, this data isn’t going to Wyze, it’s going to where segment.io wants to send it, and neither I nor you have any say in that happening unless you get a root firewall and manually block the IPs, or you get on DuckDuckGo’s beta like I did. Even if you block a few permissions, the list of 20 fields it’s collecting is still identifying you and tracking you through data you can’t remove access to.
Please go access the DuckDuckGo App Tracking Protection beta information. They have faqs that explain the embedded tracking apps they are blocking. I provided screenshots of the specific apps that were detected, but I’m attaching one of them again, just so you’ll see it.
Both of the apps embedded within the Wyze app, Segment.io and Braze, collect your unique identifier, GPS coordinates, zip code, etc. The apps are designed to collect your information, but they don’t send the info to Wyze. They send the data where they want to send it.
So, if I have a privacy concern about the information Wyze is collecting and not selling, or allowing subs to collect and sell, I have only one logical decision to make rather than blather on about it…
…it’s my understanding that most of the idle apps installed on your device have permission to collect info and phone it home to the dev.
Not used for months or years. Permitted to mine your life.
One guy here who claimed to be in the business said, essentially, don’t uninstall your idle apps to avoid it, that data collection is the model that funds independent development!
Having judiciously chosen for privacy the apps I’ve installed, I was curious to see what DDG had to say about the extent of 3rd party tracking. I was encouraged to find that there was virtually no indication of it if an app wasn’t active.
But as I said, how many may be collecting and sending straight to the dev is still a mystery.
I looked for DDG’s App Tracking Protection and found it’s only for Android. I use iOS. But I do have a stack of retired Android devices and hope to experiment. Thanks.
A wildcard is app parts running in the background to serve notifications. I don’t have a lot of these outside of Wyze’s (which are reported as tracked by DDG.)
BTW, I have sympathy for the ‘don’t-screw-the-independent-developer’ and ‘we’re-tracking-to-improve-app-performance-which-you’re-always-complaining-about’ arguments.
I guess I just chafe at this:
Also, I was a little hostile to this gent (both now and in the past) for which I apologize…
For what it’s worth, here is the privacy policy for segment.io, specifically as it pertains to their customers (Wyze) and their end users (you) and how their data is used. It explicitly states that your data will not be sold to 3rd parties.
As for Braze, their publicly posted privacy policy is specifically about their use of their customers’ data (Wyze’s data) and it explicitly says that there are separate end user privacy policies for each customer. So unless Wyze has made that privacy policy available, we don’t know what’s in it. That said, I’ve been a software engineer for 20 years and this type of API development and mobile integration is my bread and butter. Segment.io and Braze aren’t much to worry about. GDPR and CPPA have changed the game and transparency is now the road of least resistance.
I’m far more concerned about Wyze’s fumbled response to that camera vulnerability than any analytics SDKs they implement. That said, from an infosec standpoint, a company that has one large breach in their past is far more likely to be taking security seriously today than a company that claims to have a clean record (which is usually a company that simply hasn’t noticed their own vulnerabilities). I still have my wyze cams in the yard, even with my disproportionate paranoia.
If you don’t need location based rules, turn of the location permission. If you want to block analytics services with DuckDuckGo, by all means do. Want to throw your Wyze cams in the trash? Go for it. No one should do anything that makes them feel unsafe. I’m not too concerned about the analytics myself.
Given the verbiage and that the list in every screen shot in this thread for braze/whatever is the same number of items, I’m guessing that it’s not saying “Braze attempted to collect this info”, but rather is saying “Braze attempted to collect info. It is known to collect info such as…”
It could have just pinged for your advert id 17 times.
Likewise, if you have (android) location permissions set, then (unless something is wrong with android rather than wyze/braze/whatever) your location isn’t being sent anywhere even if it did ask for it.
Honestly, though, I’m sticking with the idea that duckduckgo is telling you what that company/API/whatever is known to collect; not necessarily what it’s attempting to.
As to why Braze/Wyze/Segment/whatever needs to know your GPS coordinates and therefore may be running something that is known to ping for it- many, many people use the location-based triggers/rules available in the wyze app. Location-based triggers are awwwwwesome, though admittedly I try to limit my global/“always” location permissions to google since they’re gonna know anyway. But still. Having walkway/hall/kitchen/driveway lights come on whenever you arrive home after dark is something everyone should have.
@peepeep I have no firsthand knowledge of Wyze’s actual efforts. Only that in general, companies who store PII and have a very public security issue will take steps. I would be willing to make the statement that users who purchase Wyze products a year from now will enjoy a more secure experience than those of us with data currently in the system, but that isn’t even worth saying as even the barest minimum effort from Wyze would make that technically true. “Safer than before” isn’t the same as “safe”.
LastPass had a large breach or two and they are still one of the most reputable and secure options for consumer password management. Whether to use a password manager is a decision on the same level as whether to trust a company after they’ve had a breach. There is more than just the obvious to consider. Storing all your passwords in one place seems like a bad idea, but if you are using it correctly (generating unique, secure passwords for each individual service) then you are removing a lot of the risk of having to keep track of 50 different passwords on your own (reusing passwords, maybe writing them down to remember, saving them to your browser, etc). The end result is that using a password manager generally yields a net positive effect despite what may seem on it’s face like a security risk. Likewise, trusting a company that has had their eyes open to security in a very real way and is taking steps to mitigate risk for their users and themselves can have a net positive effect over trusting a service that claims to have no security flaws (no such service exists).
But, as everything, it’s situational. I don’t advocate giving any organization the benefit of a doubt where your privacy is concerned.
But if you look at the explanation provided by the Forum maven, he explains that the Segment io is only collecting and sending how I use the app screens, NOT enabling location based functionality.
My whole reason for starting this thread was because I don’t believe the reasons given for using segment.io. And none of the response explains why they are using an app specifically designed to grab information from your device that Wyze doesn’t need and shouldn’t have.
I spent 40 years in IT, most of that time managing application development. When you have a backend server that’s already configured to interact with both the cameras and the application on your device, it’s literally just a few lines of code per screen to collect how users are using each screen, and a periodic upload of data.
Most of the fields segment io has access to, you CAN’T limit access to. Some data you might be able to limit like GPS. And why is Segment io attempting to access data 500+ times in a week, which is at least 15 times more than I access the app. Yes it could be retrying because it was blocked, but that’s still 70+ times a day.
So IMO either the explanation from Wyze is incomplete or it’s just bogus.
