Wednesday, February 12th 2020
Wacom Graphics Tablets Dial Home with Info on Every Application You Run: Investigation
Wacom is a brand graphics artists swear by, thanks to its near monopoly over the pen-digitizer tablet market. These are input devices that convert pen strokes on a surface into high-precision 2D coordinates on the screen. Software engineer Robert Heaton discovered that the driver for Wacom tablets leaks the name of every application you open, sending it to Google Analytics on Wacom's behalf.
Heaton first used Wireshark to watch the driver's DNS lookups and saw it resolving Google Analytics hostnames. The payload itself was sent over TLS, which protects it from eavesdroppers on the network but not from the owner of the machine: he set up a local intercepting proxy with Burp Suite and had the driver accept the proxy's TLS certificate (in Burp's standard workflow, by installing its CA certificate as trusted on the machine), which let him decrypt and read the payload. It turned out that the driver reports every application its users open, not only the applications of interest to Wacom. The company's EULA does not seek even implicit consent to collect this data, which presents a serious privacy problem. Heaton's illustration: a Wacom employee could, say, learn that Valve is working on "Half-Life 3" by querying the collected data for executable names that look like "Half Life 3". Find a fascinating technical rundown of Heaton's discovery on his blog.
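The first step Heaton describes, spotting a driver that phones home by watching its DNS lookups, can be automated rather than eyeballed in Wireshark. The script below is an added example written for this page, not code from the article or from Heaton's post. It parses raw DNS query packets in wire format (RFC 1035, including name compression pointers) and flags lookups for a watchlist of analytics hostnames; the watchlist and the sample packets are constructed for the example and are assumptions, not traffic captured from a Wacom driver.

```python
"""Added example (not from the original article or Heaton's post).

Flags DNS queries for analytics/telemetry hostnames, the same signal Heaton
used in Wireshark to notice the Wacom driver talking to Google Analytics.
The packets below are constructed by hand for this example; the watchlist
is an assumption and should be tuned to your own environment.
"""
from __future__ import annotations

import struct

# Assumed watchlist: hostnames whose lookup by a hardware driver is suspicious.
WATCHLIST = (
    "google-analytics.com",
    "www.google-analytics.com",
    "ssl.google-analytics.com",
)


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query in wire format (used to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii") for part in qname.split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_qname(packet: bytes, offset: int) -> tuple[str, int]:
    """Decode a DNS name at offset; follows compression pointers (RFC 1035 4.1.4).

    Returns (name, offset of the first byte after the name as it appears in
    the packet). Raises ValueError on truncated or looping input.
    """
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if offset + 1 >= len(packet):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # name ends after the pointer in the question
            jumped = True
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            offset = pointer
            continue
        if length == 0:  # root label terminates the name
            offset += 1
            break
        if length > 63:
            raise ValueError("label too long")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii", errors="replace"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def query_names(packet: bytes) -> list[str]:
    """Return the lower-cased names in the question section of a DNS message."""
    if len(packet) < 12:
        raise ValueError("short header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    names = []
    offset = 12
    for _ in range(qdcount):
        name, offset = parse_qname(packet, offset)
        offset += 4  # skip QTYPE and QCLASS
        names.append(name.lower())
    return names


def is_watched(name: str) -> bool:
    """True if name equals, or is a subdomain of, a watchlist entry."""
    return any(name == w or name.endswith("." + w) for w in WATCHLIST)


def flag_telemetry(packets: list[bytes]) -> list[str]:
    """Return watched names found in the given DNS queries, in order, de-duplicated."""
    seen: list[str] = []
    for pkt in packets:
        try:
            names = query_names(pkt)
        except ValueError:
            continue  # malformed packet: skip rather than crash on untrusted bytes
        for n in names:
            if is_watched(n) and n not in seen:
                seen.append(n)
    return seen


# Constructed sample traffic: one ordinary lookup, two analytics lookups, one junk packet.
SAMPLE_PACKETS = [
    build_dns_query("time.windows.com"),
    build_dns_query("www.google-analytics.com"),
    build_dns_query("ssl.google-analytics.com"),
    b"\x00" * 5,  # malformed, should be skipped
]

if __name__ == "__main__":
    for name in flag_telemetry(SAMPLE_PACKETS):
        print("telemetry lookup:", name)
```

On a real host you would feed `flag_telemetry` the UDP payloads of port-53 packets from a capture or a sniffing socket; the suffix match in `is_watched` deliberately requires a dot boundary so that a look-alike such as `evil-google-analytics.com` is not reported. DNS is only the tip-off, though: a driver that hard-codes an IP address or uses DNS over HTTPS will not show up here, which is why the next step is still an intercepting proxy.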
24 Comments on Wacom Graphics Tablets Dial Home with Info on Every Application You Run: Investigation
Complaining is not needed; it is not just about HL3, they could be nailed to the cross within the EU now. Kinda foreign companies don't grasp the amount of penalties GDPR implies: fines up to €20 million or 4% of annual global revenue, whichever is higher...
Data theft is a real problem and concern; only the EU has cleaned the shed and given us properly defined rights.
If you own a Wacom device, you have grounds to sue them and ask for the compensation yourself!
And you can disable it at any time:
Also, for EU members the IP is anonymised: So, it's more a situation of blindly clicking "Accept".
Here's the complete EULA, pretty short and easy to understand:
This was the exact reason I stopped using their products when I did graphic design many moons ago; why it is just now becoming a headline I don't know, as it was a well-known & proven fact way back then....
As with most things nowadays, when in doubt, just R.T.F.M. :D
This is a fine example that we should be using 2 EULAs, essentially, one for general purposes and one for privacy. The way most EULAs are now is more or less blackmail. You purchase a program for big big bucks and if you disagree with the EULA (any part of it really) you are usually stuck with the program without recourse. There is no political solution any time soon, so we are all FK'd until we take things into our own hands like this guy basically did.
Setting up and using a proxy server to intercept this data, like this guy did, is for advanced users. I wonder if a Windows firewall rule can do the same thing: block access. My guess is not, not if you want the program to check for updates from within itself.
And yes, that's all outlined in their EULA, and yes, some of it you can opt out of and delete info in Google's privacy options, but what many people miss is that according to the EU's GDPR there are things which require you to send the company you wish to not make use of your information an e-mail specifically stating so.
But seeing that nobody realizes I don't think even mega companies get more than a handful of such e-mails. And people will think the online buttons are all you need to use.
It's perhaps a bit curious why the GDPR has that bit in it. But to be fair, it's always mentioned in the EULA's ('always' might not include Wacom? :).
For me an additional issue is that to 'opt out' often requires you to have an account in the first place, and to opt out of all stuff via e-mail requires you to identify yourself to the companies of course; else they can't tell who opted out, but that in itself gives them a lot of info.
It's an epidemic. Yes. Just block google analytics in this case. That won't always save you.
I'll have to see if it's there, and if it is that's pretty nasty.
Then again, Google repeatedly tried to guilt you into re-enabling their call-home stuff in their Android apps.
Never had an app actually nag me for going in to turn off connecting to an assistant app until I started using Google's SMS/MMS messaging app on my phone. I have caught it resetting the data scraping options before too.
I really believe these things should be 100% opt in. Not default in and force you to opt out, often made difficult to opt out as well.
1) it's only a matter of time before they get caught
2) if the fines are small, companies will choose the fines instead of ceasing the mischievous activities
3) people are dumb enough to continue trusting bad companies
In the EU, you do own your data; it's just that the penny hasn't dropped for everyone yet. I can go out to anyone holding my personal details and demand they tell me how and where they use it. And they must have a direct, verifiable use for the specific service I asked for. If not, shoot to kill... The fines aren't small. And they will repeat for every offense. And people aren't dumb, there is just too much info to keep track of. So we want, and need, regulation to do it for us. Simple.
The US and many other countries can learn from 'us' here. We're the beacon of progress when it comes to data ownership in the world right now. It's just a matter of time. It was even your THIRD post on TPU. *gasp*
You think businesses should go around ignoring a market with 500+ million customers because you think it's 'insanity' that people (and thus consumers) have rights. Got it.
Seriously, blocking is a legit strategy though. The insanity more comes from running an online site that collects user data by nature than anything else. It gets legally complicated fast. More correctly, he's saying his personal business will.
I, as a private citizen, do not have the legal or financial resources to combat lawsuits regarding the GDPR which is the crux of the issue and I don't want to expose myself to that legal mess. This literally makes it so I can't write software of certain types because I would be legally bound to comply, which I'll never do without the aid of a business or LLC. That's wrong.
Edit: This has actually happened to me. I was writing software for gathering WCG statistics from willing individuals (since it required getting a token that only a user can provide, and changes with a password reset,) and suddenly I'm in a position of either signing a legal document legally binding me to the GDPR because IBM itself is in compliance or giving up on the project altogether. In the end, I let the project die and the GDPR is to blame (and to some degree, IBM as well.)
GDPR defines personal data in Art. 4 (1). Personal data are any information which are related to an identified or identifiable natural person. There is also a definition of sensitive personal data, these data include genetic, biometric and health data, as well as personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership. Considering the fact that you launched a certain application while using the Wacom Tablet Driver as personal data or sensitive personal data seems a bit of a stretch to me. But then again, I'm not an expert.
GDPR is neither draconian nor complicated to understand. It does what every country should do, really... protect citizens from abusive entities. If you ask me, it's insufficiently restrictive.
The punishment and rules are also geared towards large corporations and not private individuals.
But yeah obviously IBM is a large commercial org ... who should be curtailed by some basic rules IMHO. 'October 2015, following a court decision by the Court of Justice of the European Union, the safe harbor agreement between the EU and US was declared invalid on the grounds that the US was not supplying an equally adequate level of protection against surveillance for data being transferred there.'
Unfortunately they replaced it with the exact same thing renamed.. but that's goddamn politicians for you.
But anyway, it's not called 'safe harbor' when dealing with the EU.