Etcher secretly spies on the user without consent. #2977

Closed
sneak opened this issue Nov 26, 2019 · 8 comments
@sneak commented Nov 26, 2019

Reopening #2057 - the issue is still valid.

  • Etcher version: 1.5.63
  • Operating system and architecture: darwin x64

Wikipedia defines spyware as:

> Spyware is a software that aims to gather information about a person or organization, sometimes without their knowledge, and send such information to another entity without the consumer's consent.

Required Elements

  1. "is software": etcher is software
  2. "gather information about a person": information: that the user is launching etcher
  3. "without their knowledge": no indication is displayed at any time that this is happening
  4. "send information to another entity": information is transmitted to LAN, ISP, interchange points, and hundreds of others
  5. "without consent": no consent is asked for or given (and indeed, none exists)

Etcher has done precisely this for some time.

This silent tracking includes IP address and timestamp information, which is more than sufficient to identify a user (and perhaps even their physical location) to the other people who gain access to this data, such as analytics providers, network hosts, interchange points, ISPs, and intelligence services (hi Ed!).

Upon opening Etcher for the first time, the following connections are attempted:

[Screenshot: Screen Shot 2019-11-26 at 09 51 53]

[Screenshot: Screen Shot 2019-11-26 at 09 52 01]

At no point am I prompted for consent, or provided the ability or UI to opt out. This happens silently, regardless of user intent or consent. Only after balena has been contacted by the software does the main application window open:

[Screenshot: Screen Shot 2019-11-26 at 09 52 04]

Then, the user could attempt to disable the settings, but by then their IP address (and physical location) has already been transmitted to the manufacturer, likely against their consent and wishes.

This issue is not about the GDPR, or the legality of this collection, simply the very practical issue that the software phones home and leaks the user's IP address to the developers and hundreds of others without consent or even notification. At no point does the user have the ability to disable this on first launch. By simply phoning home, thousands of other people have gained access to the piece of information that a given user is using this software.

At present, that makes this application fit the definition of spyware.

Remember: humans have an inalienable right to privacy. By leaking users' personal data (even if you do not save it, or don't receive it yourself - by causing it to be sent out of their computer at all) you have infringed upon their human rights.

Do not abuse the human rights of your users. Ask the user for consent before transmitting any data out of their computer.

@sneak changed the title from "Etcher spies on the user without consent." to "Etcher secretly spies on the user without consent." Nov 26, 2019

@ukd1 commented Nov 27, 2019

Looks like there were some updates shipped to try to stop this a while back;

but that it's probably this line doing the request -

const configUrl = settings.get('configUrl') || 'https://balena.io/etcher/static/config.json'

- that's causing your alert.

That URL returns:

{
  "version": 1,
  "analytics": {
    "mixpanel": {
      "HTTP_PROTOCOL": "https",
      "api_host": "api.balena-cloud.com/mixpanel",
      "probability": 0.1
    }
  },
  "autoUpdates": {
    "checkForUpdatesTimer": 300000,
    "autoUpdaterConfig": {
      "autoDownload": false
    }
  }
}

This should probably not be requested, as it doesn't look like it's needed?

@sneak (Author) commented Nov 27, 2019

The line you quoted does not make a network request, it just sets a constant.

Regardless, any request the application makes to the manufacturer automatically upon open serves as telemetry, regardless of how it was intended to be used. Telemetry requires consent, otherwise it is unethical spying.
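
The consent gate argued for in this thread, as an added example (not Etcher's code and not posted by any participant): no request leaves the machine at launch unless consent is explicitly stored, and a bundled copy of the config is used otherwise. `networkConsent`, `startupRequests`, `loadConfig` and the injected `fetchImpl` are hypothetical names; `configUrl` and the JSON document are taken from the comment above.

```javascript
// Added illustration. Hypothetical names: networkConsent, startupRequests,
// loadConfig, fetchImpl. `settings` is anything with a Map-like get().

// Bundled copy of the remote document quoted in the thread, so the
// application can start without contacting any server.
const BUNDLED_CONFIG = {
  version: 1,
  analytics: { mixpanel: { HTTP_PROTOCOL: 'https', api_host: 'api.balena-cloud.com/mixpanel', probability: 0.1 } },
  autoUpdates: { checkForUpdatesTimer: 300000, autoUpdaterConfig: { autoDownload: false } },
};
const DEFAULT_CONFIG_URL = 'https://balena.io/etcher/static/config.json';

// Consent is tri-state: undefined (never asked), false (declined), true (granted).
// A fresh install is "undefined", so only an explicit true permits traffic.
function networkAllowed(settings) {
  return settings.get('networkConsent') === true;
}

// URLs the application may contact at launch, given the stored settings.
function startupRequests(settings) {
  if (!networkAllowed(settings)) return [];
  return [settings.get('configUrl') || DEFAULT_CONFIG_URL];
}

// Defining configUrl sends nothing; the request happens only at fetchImpl().
// Without consent that call is never reached and analytics is switched off.
async function loadConfig(settings, fetchImpl) {
  const [url] = startupRequests(settings);
  if (url === undefined) {
    return { ...BUNDLED_CONFIG, analytics: null, source: 'bundled' };
  }
  try {
    const res = await fetchImpl(url);
    if (!res.ok) throw new Error(`HTTP ${res.status}`);
    return { ...(await res.json()), source: 'remote' };
  } catch (err) {
    // Network failure after consent: fall back to the bundled copy.
    return { ...BUNDLED_CONFIG, source: 'bundled' };
  }
}
```

In the application, `fetchImpl` would be the platform's `fetch`, and the consent prompt would write `networkConsent` before `loadConfig` is called a second time.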

@sneak (Author) commented Nov 28, 2019

Comparing an unethically-produced, dangerous app to another unethically-produced, dangerous app does not make either one good or safe.

The issue is not for people like you who block it, obviously - you are not affected by it. You are an outlier.

The issue is for the thousands and thousands of people who are silently being spied on without their knowledge and without their consent.

@thundron (Contributor) commented Nov 28, 2019

As you may or may not know, all data Etcher gathers is anonymous which doesn't violate any "user" or "person" data (as in, there's nothing in our analytics that points to you specifically)
We had a discussion for opt-in vs. opt-out a while ago, but we still don't see enough reasons for us to switch over to opt-in, even more so since if it's really an issue, you can disable the analytics in the settings and the only calls you'll see will be for external content that is better placed outside of the application (i.e. the featured project)

@thundron closed this Nov 28, 2019

@sneak (Author) commented Nov 29, 2019

> As you may or may not know, all data Etcher gathers is anonymous which doesn't violate any "user" or "person" data (as in, there's nothing in our analytics that points to you specifically)

This is a false statement. The data Etcher transmits from my machine includes my IP address, which uniquely identifies me. It also identifies my location. IP addresses are not anonymous. Causing any transmission that includes a source IP address cannot be anonymous.

Additionally, it transmits data out of my machine without my consent, leaking to thousands of people that I just opened Etcher, with no way to opt out of this data leakage. It amounts to telemetry, regardless of your intention for the functionality.

@evanlandreneau commented Nov 29, 2019

Looks like it's time to move to UNetBootin...

@lurch (Contributor) commented Dec 2, 2019

@sneak Out of curiosity, how did you download Etcher in the first place without "leaking your IP address and physical location to thousands of people" ??

@sneak (Author) commented Dec 4, 2019

I don’t use Etcher (funny because it seems I will likely soon be forking it); I know how to use dd. Anyone who wishes, however, can download Etcher using Tor and it will not disclose their ip/location/identity to the manufacturer.
