Etcher secretly spies on the user without consent.

[sneak]

Reopening #2057 - the issue is still valid.

• Etcher version: 1.5.63
• Operating system and architecture: darwin x64

Wikipedia defines spyware as:

Spyware is a software that aims to gather information about a person or organization, sometimes without their knowledge, and send such information to another entity without the consumer's consent.

Required Elements

1. is software ✅ etcher is software
2. gather information about a person ✅ information: that the user is launching etcher
3. without their knowledge ✅ no indication is displayed at any time that this is happening
4. send information to another entity ✅ information is transmitted to LAN, ISP, interchange points, and hundreds of others
5. without consent ✅ no consent is asked for or given (and indeed, none exists)

Etcher has done precisely this for some time.

This silent tracking includes IP address and timestamp information, which is more than sufficient to identify a user (and perhaps even their physical location) to the other people who gain access to this data, such as analytics providers, network hosts, interchange points, ISPs, and intelligence services (hi Ed!).

Upon opening Etcher for the first time, the following connections are attempted:

At no point am I prompted for consent, or provided the ability or UI to opt out. This happens silently, regardless of user intent or consent. Only after balena has been contacted by the software does the main application window open:

Then, the user could attempt to disable the settings, but by then their IP address (and physical location) has by this time already been transmitted to the manufacturer, likely against their consent and wishes.

This issue is not about the GDPR, or the legality of this collection, simply the very practical issue that the software phones home and leaks the user's IP address to the developers and hundreds of others without consent or even notification. At no point does the user have the ability to disable this on first launch. By simply phoning home, thousands of other people have gained access to the piece of information that a given user is using this software.

At present, that makes this application fit the definition of spyware.

Remember: humans have an inalienable right to privacy. By leaking users' personal data (even if you do not save it, or don't receive it yourself - by causing it to be sent out of their computer at all) you have infringed upon their human rights.

Do not abuse the human rights of your users. Ask the user for consent before transmitting any data out of their computer.

[ukd1]

Looks like there were some updates shipped to try stop this a while back;

• https://github.com/balena-io/etcher/blob/a155811678bfaac5439a301bf8e74d1d8b86b0b1/CHANGELOG.md#v121---2017-12-06

but that it's probably this line doing the request -

etcher/lib/gui/app/modules/analytics.js

Line 30 in a155811

const configUrl = settings.get('configUrl') || 'https://balena.io/etcher/static/config.json'

-that's causing your alert.

That url returns;

{
  "version": 1,
  "analytics": {
    "mixpanel": {
      "HTTP_PROTOCOL": "https",
      "api_host": "api.balena-cloud.com/mixpanel",
      "probability": 0.1
    }
  },
  "autoUpdates": {
    "checkForUpdatesTimer": 300000,
    "autoUpdaterConfig": {
      "autoDownload": false
    }
  }
}

This should probably not be requested, as it doesn't look like it's needed?

[sneak]

The line you quoted does not make a network request, it just sets a constant.

Regardless, any request the application makes to the manufacturer automatically upon open serves as telemetry, regardless of how it was intended to be used. Telemetry requires consent, otherwise it is unethical spying.

[sneak]

Comparing an unethically-produced, dangerous app to another unethically-produced, dangerous app does not make either one good or safe.

The issue is not for people like you who block it, obviously - you are not affected by it. You are an outlier.

The issue is for the thousands and thousands of people who are silently being spied on without their knowledge and without their consent.

[thundron]

As you may or may not know, all data Etcher gathers is anonymous which doesn't violate any "user" or "person" data (as in, there's nothing in our analytics that points to you specifically)
We had a discussion for opt-in vs. opt-out a while ago, but we still don't see enough reasons for us to switch over to opt-in, even more so since if it's really an issue, you can disable the analytics in the settings and the only calls you'll see will be for external content that is better placed outside of the application (i.e. the featured project)

[sneak]

As you may or may not know, all data Etcher gathers is anonymous which doesn't violate any "user" or "person" data (as in, there's nothing in our analytics that points to you specifically)

This is a false statement. The data Etcher transmits from my machine includes my IP address, which uniquely identifies me. It also identifies my location. IP addresses are not anonymous. Causing any transmission that includes a source IP address cannot be anonymous.

Additionally, it transmits data out of my machine without my consent, leaking to thousands of people that I just opened Etcher, with no way to opt out of this data leakage. It amounts to telemetry, regardless of your intention for the functionality.

[TricolorHen061]

Looks like it's time to move to UNetBootin...

[lurch]

@sneak Out of curiosity, how did you download Etcher in the first place without "leaking your IP address and physical location to thousands of people" ??

[sneak]

I don’t use Etcher (funny because it seems I will likely soon be forking it); I know how to use dd. Anyone who wishes, however, can download Etcher using Tor and it will not disclose their ip/location/identity to the manufacturer.

[jordanius]

@sneak You could always just run Tor on your router, and then ditto for any phone-home telemetry by any program. Problem solved.

Incidentally, I wonder why you're trying to pick on this one application when, to the best of my knowledge, at least one out of four Mac apps "phones home" with similar telemetry. Of course you're going to say that just because others are doing it too doesn't make it ok, but in any case, it seems you really have your work cut out for you, and had better get to writing all of the services promoting all of those other apps too. Or, actually, on second thought, please don't. Most people aren't really bothered by this sort of telemetry. For those who are, like you, there's always the route of installing Tor directly on your router and having all outgoing connections that you make from any app anonymized. So just solve your own problem, and quit bothering other people who couldn't care less about this "invasion of their privacy" (or if they did care, they probably already thought of the Tor-router thing and solved their own problem themselves, unlike you).

[pinchies]

"most people aren't really bothered" -> Citation needed. AFAIK, most people aren't aware. If that were true, and most people really weren't bothered, then why not ask before transmitting?
GDPR set the standard to be expected.

[sneak]

It is unethical to assume consent.

[rradar]

Easy nowadays. Don't use software which comes bundled with adware and spyware (namely balena etcher).

You can have a 'clean' version of etcher which is called usbimager, does things right, respects your privacy and comes in a executable package of 250kb 🎉

[sneak]

usbimager's UI is super confusing, especially for new users who just want the 1-2-3 of "select image, select disk, hit flash". There's a reason people recommend Etcher. The correct answer is to fork this free software, rename it, remove the spyware, and re-release it.

[neildmd]

Etcher used to be a great program, now that balena has taken over the size of the software has doubled and now it's tracking us & phoning home without our consent. Someone please fork this and remove the remote calls. Seems most popular, open source software tends to end up this way lately. It goes against the whole spirit of the open source community.

[shideneyu]

Popups started to come up BECAUSE of this dumpy software. That's why I hate Windows. Thank you, Belena, for installing all of those adware on my friend's machine.

[thundron]

@shideneyu Etcher doesn't install any adware and will never do. Either your friend installed some bloatware coming from another website/application, downloaded from a highly untrusted source or has something else on his PC that is causing trouble.
Either way, Etcher isn't the issue and is definitely not spying on anyone's PC.
There is an option in the settings that disables the anonymous data collection (which means there's nothing related to you but only how the application is working, errors and the likes) - as such, there's no need to continue the conversation any further.