
Unauthorized analytics are running on a fresh install #10595

Open
jake-tulip opened this issue Apr 11, 2019 · 12 comments
Labels
kind/telemetry Question about Mattermost telemetry

Comments

@jake-tulip

jake-tulip commented Apr 11, 2019

Summary

Hey guys, thanks so much for the hard work and effort you put into this open source project!

Mattermost server has enabled segment.io analytics by default on a fresh install. There was no indication that I could see that gives the user a warning or a choice. There is an opt-out feature post-installation, but it should be opt-in since it seems not obvious and not authorized. (Note I did not use the absolute latest version, so this may have changed in the latest.) The segment.io analytics go to a third party, and users don't know who has access to the data.

I've read: https://docs.mattermost.com/administration/telemetry.html but this doesn't necessarily help.

It collects (among other pieces of obfuscated information) IP address of the user, time of messages sent, and user agent. All 3 of those are something neither the admins nor the users consented to sending to a 3rd party website.

Steps to reproduce

Install mattermost. Notice in console / network tab that there are constant pings to segment.io without enabling such analytics or installing a plugin for all users without their permission or consent.

Mattermost Version: 5.6.1
Database Schema Version: 5.6.0
Database: mysql

Expected behaviour

For this feature to be opt-in or just not there.

Observed behaviour (that appears unintentional)

This feature seems to be opt-out / not obvious to the admin when installing MM.

Possible fixes

Make analytics an opt-in feature, not an opt-out feature.

@amyblais
Member

Hi @jake-tulip,

The documentation you shared outlines the reasons it's enabled and what data is collected.

This was forwarded to our product managers and they will take your feedback into consideration as we have plans to work on improving administrator on-boarding experience and our privacy policy.

Let us know any questions,

@amyblais
Member

Hi @jake-tulip,

I'll close this issue for now as there haven't been updates for a while.

Please re-open this issue if you have any further questions.

Thank you for the feedback,

@jake-tulip
Author

I'll close this issue for now as there haven't been updates for a while.

@amyblais do you know if this is an issue that is being considered by Mattermost Org at all, or is it abandoned as a possible change?

@amyblais
Member

Hi @jake-tulip,

Yes, this will be taken into consideration as we have plans to work on improving administrator on-boarding experience and our privacy policy.

I'll add some of our PMs to this thread if they have further details to add: @jasonblais @wiersgallak

@amyblais amyblais reopened this Apr 24, 2019
@amyblais amyblais added the Bug Report/Open Bug report/issue label Apr 30, 2019
@wiersgallak
Contributor

Thank you for your feedback on our telemetry opt-out processes @jake-tulip. All feedback is considered when making changes to the product. Even if we do not address it directly in the near term, it is used for making future decisions on how we improve this specific feature and design other features that may include a decision around opt-in vs. opt-out.

I also wanted to take the opportunity to clarify a few things.

  • We do not collect IP addresses of the user. An IP address of the server is collected for the Security Update Check feature. Server IP information is used to help us identify the environment of servers (private cloud, self-hosted, etc.), which helps us understand the conditions that may affect the performance and deployment of Mattermost.
  • We do not collect any information that could be used to identify individual users. The user information we do get is the GUID, with no ability to connect the GUID to any other data that would identify the user’s name or other personal information.
  • Additionally, our Privacy Policy, which is included at the initial installation login page, outlines more information on the Error and Diagnostics Reporting feature and how data is protected.

@jake-tulip
Author

jake-tulip commented May 1, 2019

Thanks for the response @wiersgallak

I think the core issue is that this is an opt-out feature which has tracking spyware enabled in a fresh installation. Data gets sent to an unauthorized third-party (Segment and Mattermost-org). The data leaves a user's browser through a tracking script, and the servers it reaches have access to the user's IP address, a GUID, timestamp of messages, and user-agent. This information is very sufficient in pinning down a "profile" of a user. I'm not sure that Mattermost falls under the definition of "free open source software".

I understand that Mattermost-org wants to have this tracking enabled by default to collect as much information about their users and activities as possible, but it seems not ideal that this is not obvious to first installers, it's opt-out (not opt-in), and the non-admin users don't have much of a choice.

@sneak

sneak commented Mar 17, 2020

Yeah, this is totally unacceptable. I had no idea this software was spying on my server.

This needs to be EXPLICIT opt-in. Proceeding as if you have consent when you've only assumed consent for spying is unethical.

Why even publish a Privacy Policy if I'm going to be forcibly opted-in to it without my ever having been able to read it and decide first, or even been made aware of its existence?

@sneak

sneak commented Mar 17, 2020

Turns out, as far as I can tell, the environment variables to change this setting (documented nowhere) are MM_LOGSETTINGS_ENABLEDIAGNOSTICS = "false" as well as MM_SERVICESETTINGS_ENABLESECURITYFIXALERT = "false". I haven't tested it.

You can also do the following in a Dockerfile:

FROM mattermost/mattermost-team-edition:latest
RUN sed -i 's#api.segment.io#xx.example.com#gI' /mattermost/bin/mattermost
RUN sed -i 's#securityupdatecheck.mattermost.com#xxxxxxxxxxxxxxxxxxxxxx.example.com#gI' /mattermost/bin/mattermost

That should give you a clean image that doesn't phone home.
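An administrator who wants to confirm, rather than assume, that the two switches named in the comment above are actually off can audit the effective configuration before starting the server. The script below is an added example and not Mattermost's own code; it assumes the config.json keys LogSettings.EnableDiagnostics and ServiceSettings.EnableSecurityFixAlert (the keys the MM_… environment variable names in the comment correspond to), that an environment variable takes precedence over config.json, and that a missing key means the switch is on, as the thread reports for a fresh install. The sample config and environment are constructed for the example.

```python
"""Audit the Mattermost telemetry switches named in the comment above.

Added example, not Mattermost's code. Assumptions: the config.json keys
LogSettings.EnableDiagnostics and ServiceSettings.EnableSecurityFixAlert
exist; an MM_<SECTION>_<KEY> environment variable overrides config.json;
a missing key defaults to enabled (the thread's fresh-install behaviour).
"""
import json
import os

# config.json (section, key) -> environment variable that overrides it
TELEMETRY_KEYS = {
    ("LogSettings", "EnableDiagnostics"): "MM_LOGSETTINGS_ENABLEDIAGNOSTICS",
    ("ServiceSettings", "EnableSecurityFixAlert"): "MM_SERVICESETTINGS_ENABLESECURITYFIXALERT",
}

# Constructed sample config.json fragment: both switches left on, as on a fresh install.
SAMPLE_CONFIG = {
    "LogSettings": {"EnableDiagnostics": True},
    "ServiceSettings": {"EnableSecurityFixAlert": True},
}

# Constructed sample environment: only one of the two switches overridden.
SAMPLE_ENV = {"MM_LOGSETTINGS_ENABLEDIAGNOSTICS": "false"}


def parse_bool(value):
    """Accept JSON booleans and the string forms an environment variable can carry."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def effective_settings(config, env):
    """Return {"Section.Key": (enabled, source)} for each telemetry switch."""
    result = {}
    for (section, key), env_name in TELEMETRY_KEYS.items():
        name = f"{section}.{key}"
        if env_name in env:
            # Environment wins over the file (assumed precedence).
            result[name] = (parse_bool(env[env_name]), "env:" + env_name)
        else:
            # Treat a missing key as enabled: the thread reports these are on by default.
            value = config.get(section, {}).get(key, True)
            result[name] = (parse_bool(value), "config.json")
    return result


def enabled_switches(config, env):
    """Names of telemetry switches still on after environment overrides are applied."""
    return sorted(name for name, (on, _) in effective_settings(config, env).items() if on)


def audit_config_file(path, env=None):
    """Load a real config.json and report; env defaults to the process environment."""
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    return enabled_switches(config, os.environ if env is None else env)


if __name__ == "__main__":
    for name, (on, source) in effective_settings(SAMPLE_CONFIG, SAMPLE_ENV).items():
        print(f"{name}: {'ENABLED' if on else 'disabled'} ({source})")
```

Run `audit_config_file("/path/to/config.json")` on a real deployment; an empty list means both switches are off under the stated assumptions. With the constructed sample, only ServiceSettings.EnableSecurityFixAlert is reported as still enabled, because only the diagnostics switch was overridden in the environment.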

@sneak

sneak commented Mar 17, 2020

From https://docs.mattermost.com/developer/manifesto.html :

  1. No surprises

Users should never run into anything unexpected with Mattermost.

Phoning home without consent is absolutely unexpected.

@working-name

#9466, #8066

Given above history, I think MatterMost is more comfortable continuing to collect analytics behind admin's backs. Awkward.

@amyblais amyblais added kind/telemetry Question about Mattermost telemetry and removed Bug Report/Open Bug report/issue labels Mar 11, 2022
@elandorr

The more you dig around the more shocking it gets. #9466
What kind of trash behavior is this? Fancy marketing, but all lies.

'MM Inc.' has been unethical for the majority of its existence. Another example: the persistent lying regarding data retention/maintenance options for the non-enterprise version. Instead of being honest and flat out declaring 'we are greedy, f*ck off', they wasted everyone's time. Various admins, incl. myself, bothered creating their own tools to achieve minimum usability (and GDPR compliance, if you care), but that's clearly not a sustainable option. Instead, we get new useless corpo buzzwords and bloat with every update. We want a simple, lightweight, reliable, and private messenger for Christ's sake, that was the whole point of leaving slack!
Leave it to the corpo bots to turn a simple messenger into greed galore. I'd started building an alternative for everyone, but no time to work on yet another side project. It's not that much work, if you have a team. The default MM is entirely unsustainable due to complete lack of maintenance options anyway, so you can even just take a dump on the weekend and do just about equal. Real scalability would be nice, and even that's trivial. One could even offer different algos depending on intended use, that's what I was going for. (I.e. for bigger scale ala 'telegram' channels no non-profit could afford to keep a gazillion sockets open on a low-end server, so you could instead do staggered polls etc.) But I digress. Point is, a chat is nothing new, very doable, and there would be next to 0 need for updates, if you simply do it right once, and don't have a constant need for buzz for profit. Keeping it to the point (i.e. a box to add text to multiple tables called channels) also means no constant forced updates for security bugs. It's pretty odd nobody else bothered to build that. The mobile/desktop apps aren't native either, they're just web. Slap it in a webview and be done in a minute. But I suppose the ones who aren't greedy don't have time, and the rest.. you know. It's really more a convenience thing. Many just use IRC with their own scripts.

If there were any other option I'd switch immediately. Rocketchat was extremely unstable and a black hole for server res last time I tried, though.

Has anyone bothered digging into the latest updates? Anything new we ought to be aware of?

I manually override their CSP now, as they whitelist a spy domain. ('rudderlabs', another one of those slapping the term 'privacy' around, while having the sole purpose of being invasive. No data collection is acceptable. Data collection that you weren't asked for first is even illegal!) But obviously, we have no control over the server side. Most of us will use their images, and who has time to set up a lab environment to sniff and audit every time?

The basic tenet of open source for many many years was that your software won't betray you. Otherwise, you might as well just stick with slack or google or whatever.

The 'desktop' apps try to connect all over the place too. On linux there is no reliable/lightweight afw as of today (opensnitch is getting there, but right now I found it's too fat and slow and more of a hack). On windows you can use at least simplewall to only whitelist your server, and deploy the config as xml. It hardly needs any res and has been reliable. Utilizing a network wide blacklist doesn't seem too helpful. Then you have to dig through the source to find what to blacklist again.

Given the constant addition of new bloat, it's not sustainable to audit the entire code every time and build the image yourself.

Fun fact: If you had simply been honest instead of playing these dumb games, and showed admins a small textbox occasionally with some human readable statistics like yaml, and asked nicely for permission, I bet most would send it. I've seen this concept before, and it's truly the common sense solution. Of course this only works if your intentions are pure. If you want to collect hundreds of datapoints no sane person will hit yes, as nobody can dedicate half a lifetime to auditing. Not to mention, the more datapoints, the more identifiable. Google does not even need any of your content to clearly track you in real life, and even your non-google using friends, just via brute force scale metadata.

And these absurd lies are so unbelievable. Either clinically brain damaged, or deliberately misleading. Check this one out for example:

From my end we desperately need more data to help us understand what Admins are doing (or not doing) in the first 24 hours to help us understand why 75% of servers don't last longer than 1 day.

How did people produce high quality software before everything turned perma-online? Oh what mystery!
(Serious answer: Just talking to humans helps. Most are very willing to give you direct answers, instead of useless marketable data, if they think you're genuine. Hell, people want to like MM so badly, they dedicate many hours of their lifetime to writing tools to make it acceptable.)

And all this for a chat! What most modern techies wrote for fun at some point!
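The comment above raises the practical problem of noticing phone-home traffic from an image you did not build yourself. One defender-side answer is to watch the egress proxy or firewall log of the Mattermost host for the endpoints this thread names and count what was allowed through. The script below is an added example, not Mattermost's code or anyone's from the thread; the key=value log format and the log lines are constructed, api.segment.io and securityupdatecheck.mattermost.com are the hosts quoted earlier in the thread, and the rudderlabs entry is a wildcard pattern because the comment names only the vendor, not a host.

```python
"""Flag outbound connections from a Mattermost host to the telemetry endpoints
named in this thread. Added example, not Mattermost's code. The egress-proxy
log format (space-separated key=value fields) and the lines are constructed.
"""
from fnmatch import fnmatch

TELEMETRY_HOST_PATTERNS = (
    "api.segment.io",                      # quoted in the thread
    "securityupdatecheck.mattermost.com",  # quoted in the thread
    "*.rudderlabs.com",                    # assumption: thread names only the vendor
)

# Constructed egress-proxy log: one line per outbound connection attempt.
SAMPLE_LOG = """\
ts=2023-02-01T10:00:01Z src=10.0.0.5 dst_host=api.segment.io dst_port=443 action=allow
ts=2023-02-01T10:00:02Z src=10.0.0.5 dst_host=mm.internal.example dst_port=443 action=allow
ts=2023-02-01T10:05:00Z src=10.0.0.5 dst_host=securityupdatecheck.mattermost.com dst_port=443 action=allow
ts=2023-02-01T10:30:00Z src=10.0.0.5 dst_host=api.segment.io dst_port=443 action=allow
ts=2023-02-01T10:31:00Z src=10.0.0.5 dst_host=evt.rudderlabs.com dst_port=443 action=deny
malformed line that the parser must skip
"""


def parse_line(line):
    """Split a key=value log line into a dict; None if it has no destination host."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields if "dst_host" in fields else None


def is_telemetry_host(host):
    """Case-insensitive match against the known telemetry endpoints."""
    host = host.lower().rstrip(".")
    return any(fnmatch(host, pattern) for pattern in TELEMETRY_HOST_PATTERNS)


def flag_telemetry_egress(log_text):
    """Return {host: {"allowed": n, "denied": m}} for every matching destination."""
    hits = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None or not is_telemetry_host(record["dst_host"]):
            continue
        entry = hits.setdefault(record["dst_host"], {"allowed": 0, "denied": 0})
        entry["allowed" if record.get("action") == "allow" else "denied"] += 1
    return hits


if __name__ == "__main__":
    for host, counts in sorted(flag_telemetry_egress(SAMPLE_LOG).items()):
        print(f"{host}: allowed={counts['allowed']} denied={counts['denied']}")
```

Any host with a non-zero "allowed" count is traffic that left the network despite whatever opt-out was applied, which is the case worth alerting on; a "denied" count only confirms that the egress rule is doing its job. Feed the function the text of a real proxy or firewall log with the same field names, or adapt parse_line to the format your gateway emits.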

@jordanafung

jordanafung commented Feb 1, 2023

Hi @elandorr

Thank you for your feedback and thoughts on this matter.
We appreciate and understand your concern about privacy and data collection and protection.
We take the security and privacy of our customers and users very seriously.
We aim for clarity, security, and ensuring our community and customers are successful.
As such, our team has updated our Telemetry documentation page for clarity and has formatted the page so that it is easier to see what is collected and how to turn off Telemetry in Self-Hosted systems.
If you have any feedback on this page, we are happy to hear from you.
We are also internally discussing ways that we can enable more transparency and be more explicit about how we handle and process any data we may collect.

As mentioned before, we understand your concerns, but we would like to remind you that we expect our community to abide by our CoC (Code of Conduct) and communicate and collaborate guided by our Community expectations.
Some of the language used in your post does not align with these guidelines, and we urge you to reconsider and edit your post to align with these values, specifically paying attention to the We are respectful section.
We appreciate you being part of the Mattermost community and are looking forward to hearing from you.

Feel free to reach out if you have any other questions, concerns, or feedback.
