Wacom tablets track every app you open (robertheaton.com)
I'd imagine simply turning off the "User Experience Program" opt-in is a flaky setting that probably gets reverted to "on" when you do updates etc.
A better option is to install LittleSnitch and block the traffic.
It doesn't at all surprise me that it's sneaking around.
This might be some cargo-cult level religion of mine, but if a driver package has a lot of flashy UI stuff (Wacom, Logitech, Creative), it's probably doing something suspect.
The more the apps look like key-gens, that's when you have to start wiresharkin'.
https://www.reddit.com/r/virtualreality/comments/ezln7j/face...
Until that happens, use a piHole.
It makes little real sense for Wacom, a manufacturer of tablets, to capture this amount of data, and doing so has a cost. But it makes heaps of sense for Google to do it since they can infer all sorts of stuff from the applications you install.
It also explains why this crap is so pervasive, why the privacy policy is so vague (Wacom may not even know the extent of the exfiltration - don’t ask don’t tell), and why the quality of the data collection is so good.
I mean I’m guessing there a google product called something like “Google Analytics for OSX Drivers” and google would want that in popular products.
These sort of back room deals and outreach programs are pretty common in general, but if I’m right, then Wacom, while certainly an accomplice, is not the root cause of this.
Burp suite is amazing and more people should use it. That is all.
They might be great, I don't know. But if something as non-standard as that is done, what other weird behavior does their software have?
It's worth learning though. I haven't found a better intercepting proxy, and the community edition is pretty powerful.
This is why a software firewall can be helpful. Since I use Windows I expect there are no alternative drivers.
You can use the tablets without drivers in a very restricted manner. I don't know how to solve this besides strong regulations. Big firewall to China?
Is this really what tech customers want?
> Activity controls no longer include the Device Information setting
But that doesn't mean they need to transmit that information off your computer.
Although I agree, this is likely relatively benign, it's most likely useful as a market research tool to see what applications they should prioritize support/testing for.
There is a pretty big difference between crash/error reporting vs constantly throwing data into Google Analytics.
I say: better to be incompatible instead.
[...]
> since Wacom’s privacy policy makes no mention of their intention to record the name of every application I open on my personal laptop, I’d argue that it doesn’t even give them the technical-fig-leaf-right to do so. In fact, I’d argue that even if someone had read and understood Wacom’s privacy policy, and had knowingly consented to a reasonable interpretation of the words inside it, that person would still not have agreed to allow Wacom to log and track the name of every application that they opened on their personal laptop.
The "document" is actually comprised of three documents. Lawyers call this "incorporation by reference." The link given by the author is therefore only a starting point. When we incorporate the other two^1 documents -- https://www.wacom.com/privacy and https://www.wacom.com/cookie-notice, this is not a "short" document.
1. Actually it is comprised of four documents if we include the external list of companies -- www.wacom.com/about-wacom/our-passion/our-company that are also beneficiaries of the terms of these policies. Unless the user reads all three documents, she has not reviewed the entire contents of the "policy".
"Wacom didn't say exactly what data they were going to send themselves."
Looking at the privacy policy, is there anything that could be in HTTP traffic from the tablet that would be outside the scope of what Wacom has stated they might collect?
Excerpts
3. Scope of this Privacy Policy
This privacy policy explains how we collect and use information that relates to you when you:
- use our other software and products; or
We refer to these uses and interactions as our "Services."
|------------------------------------------------------------+----------------------------------------+------------------------------------------------------------|
|Usage Information (e.g., indicators of engagement with our |(1) to improve our products and create |(a) with our service providers, including analytics |
|website or usage of Services, IP address, device identifier,|new products |providers, to help us deliver and improve the Services, and |
|etc.) | |to provide targeted advertising |
| |(2) to provide targeted advertising | |
| | |(b) our Affiliates |
| |(3) to better understand how our | |
| |customers' use our Services | |
| | | |
| |(4) for our internal accounting, | |
| |security, and operational purposes | |
| | | |
| |(5) for purposes required by law | |
|------------------------------------------------------------+----------------------------------------+------------------------------------------------------------|
Usage Information. We collect information about your interactions with our services. This includes or can relate to your personal information. This information enables us to, among other things, improve our Services and your experience, see which areas and features of our Services are popular and count visits, provide you targeted advertising based upon your interests and to analyze trends, administer our websites, track how you engage with our websites and other Services, learn about the systems, browsers, and apps you use to interact with our Services, gather demographic information about our user base as a whole. We also use analysis tools and methods to allow us to better understand how our customers use our Services. This includes how often the Services are used, the events that occur within the application, aggregated usage, performance data, any exceptions that occur within the software and the source from which the application was downloaded.
"Some of the events that Wacom were recording were arguably within their purview, such as "driver started" and "driver shutdown". I still don't want them to take this information because there's nothing in it for me, but their attempt to do so feels broadly justifiable."
Assuming Wacom respects resolv.conf as it does system-wide HTTP proxy settings, why not run localhost or LAN DNS server, either authoritative or recursive, that does not return a Google IP address for queries like www.google-analytics.com originating from the tablet IP address?
The "broadly justifiable" reasoning does not account for the possibility Wacom may collect the data and then fail to improve the product, service or "user experience". Wacom is making no promises of any user benefits arising from collection of data. Even if there were "something in it" for the author, he has no way to hold Wacom to this promise. They get his data and he may or may not get something in return.
I love how he MITM'd Wacom on his host machine. Slick!
Also this: "I dug around in the driver’s logfile and found the following snippet that confirmed my suspicions..."
Arms race time: this is an alert to shady developers to not put meaningful messages about data collection in their log files.
> even if someone had read and understood Wacom’s privacy policy, and had knowingly consented to a reasonable interpretation of the words inside it, that person would still not have agreed to allow Wacom to log and track the name of every application that they opened on their personal laptop.
I agree completely. Tracking every application one uses and reporting on that to third party Google is so contrary to their stated EULA that both a class action lawsuit, and prosecution in jurisdictions that protect privacy, are warranted.
If Wacom's users are starting to use a niche program outside of the Adobe suite, I'd like them to know about it so they can fully support it.
And it's not like I'm going to be using my Wacom tablet with very many programs. It's not like it can replace a mouse unless you are a crazy person...
Edit: While this post was meant to be tongue in cheek, it is possible and I'm not sure which is worse.
... that has per-application configuration settings that change how the tablet can be used. They aren't just wantonly collecting unrelated data. They have features tied to this.
I read the whole article to see if there was any mention of app-specific config. Doesn't come up once.
It makes it feel less nefarious, I guess. But I still don't want a C&C server knowing this much about me.
For me, I've used it to make the pen work like a touchpad stylus while normally working, but map to the screen corners when working in photoshop.
If, and only if, I had set up an app-specific config, then maybe Wacom would be vaguely justified in tracking when I open that specific app.
'wantonly collecting unrelated data' is exactly what they're doing.
Most companies aren't well-oiled, gigantic machines of user-data-manipulation. I'm sure there is a better way for Wacom to do things. I'm also pretty sure their staff are doing the best they can.
I'm fairly comfortable with data collection if the user opts in, but the current trend--dark patterns where you put out a blanket "we will collect stuff" disclaimer that lacks any specifics, while not making it clear what the consequences are of declining--is deeply troubling and, I hope, becomes illegal thanks to things like GDPR and CCPA.
I'm not sure what that has to do with a third party peripheral. You may be confusing a Wacom tablet for something like an iPad or Nexus 7?
EDIT: For others who may be confused, a Wacom tablet is used to provide a pen/stylus interface to a computer. It's an additional peripheral, similar to your keyboard or mouse, for your computer. It is not a standalone independent computing platform.
More broadly, we need to get away from this whole "but don't other people do the same thing?" dialogue when it comes to privacy. Yes, these issues are prevalent. That doesn't mean it's trivial---quite the opposite, in fact.
> How do I know that data doesn’t go back to Apple with “telemetry”?
By checking the privacy policy. Also, you can opt out of telemetry on iOS.
> Help Apple improve its products and services by allowing analytics of usage and data from your iPhone.
It’s enabled by default, but when you set up a new iPhone, it prompts you and gives you a button to turn it off (it’s not just buried in settings).
They do mostly make external pen input devices, with or without screens. Which people have been calling “drawing tablets” since loooong before “tablet computer” was a phrase anyone used outside of maybe science fiction.
GP must have confused with the currently better known use of tablet, which is a full-blown computer with touch screen and no keyboard.
[1] https://www.reddit.com/r/privacy/comments/8klf7a/razer_synap...
[2] https://www.techradar.com/news/razer-synapse-3-app-delivers-...
As a better example, suppose it were a game controller. Then the question "what games are people using this controller with?" seems quite reasonable. Filter to games only and anonymize the data and that would be fine.
But as far as I can tell, there are no equivalent Open Wacom drivers for Windows. People with more Windows knowledge than me: any thoughts on why? Is it just that someone using Windows probably doesn't care about Open drivers, so the demand isn't there? Or is there something about Windows that makes substituting drivers harder?
Wacom doesn't provide their own Linux drivers, but looking at the state of drivers around GPUs, printers, I vaguely suspect that somebody in Linux would be working on Open alternatives even if they did. I'm trying to think off the top of my head what Windows-compatible hardware has 3rd-party driver options. Maybe some printers?
These were made to reduce input latency to increase performance in a rhythm game called "osu!"
Never thought of using a tablet for it, but I am so going to try that!
Proprietary drivers on Linux are often crap, if they even exist at all.
It seems like forcing the all or nothing choice made a lot of OEMs open source their drivers or provide none, which led to the community making them.
So that puts a little damper on the whole "open source" thing. Of course it is also not effective at all, Stuxnet was famously signed by Realtek.
Not so with Nvidia GPUs. The open drivers are awful; the proprietary drivers are good.
(But IS the case with AMD GPUs, to the point where the proprietary driver seems to perform worse[0] and everyone pretends it doesn't even exist, which is upside down unintuitive coming from A.) Windows and B.) Nvidia.)
0: https://www.phoronix.com/scan.php?page=article&item=nvidia-a...
Add that to the complications that already arise from interfacing a 3D (touch sensitivity) precision input device with a computer and you end up with poor official driver support, and even worse community driver support
Even then, to me the drivers on Linux have been perpetually less buggy. On Windows I found myself needing to restart the usermode service and restart applications frequently, especially if the USB connection was unreliable. The Linux driver did not have similar issues.
For example, you’ll never have to follow this guide on Linux: https://www.deviantart.com/kiiroikat/art/How-to-Fix-Wacom-Dr...
I don’t recall having issues with the Mac drivers either.
The cynical side of me wonders how long it will be before prosecutors argue, with a straight face, that using evidence obtained from mass surveillance against people using Microsoft Windows is okay because Microsoft collects a massive amount of data so nobody should expect their files and activities to remain private; that there is or should be no expectation of privacy on such a system.
And then how long until warrant applications come in with supporting evidence that the subject of the warrant uses Linux and therefore their increased desire for privacy is prima facie evidence that they're doing something illegal.
It is certainly on Wacom for not providing better drivers to Linux, but neither is the FOSS solution a complete one.
This, perhaps not, but Linux distros track app usage, too: https://popcon.debian.org/
[0] http://www.linuxandubuntu.com/wp-content/uploads/2019/07/con...
Having worked on projects that did and did not have telemetrics, working without them feels absurd - it seems like you're just randomly fixing the side mirror on a car without any idea what's actually broken on it (independently of your overall testing posture).
Vendors tracking excessive information without proper disclosure destroy this information source for those developers that try to collect reasonable information (with consent, disclosure, in context, etc).
- open "Wacom Desktop Center"
- Top right (next to "Login") is "More" (click!)
- "Data Privacy Settings" (click!)
- "Participate In Wacom Experience Program" => on => off!
My setting was "On" - and I swear: whenever a program/website/installer asks I go "No thankx". So it must be dark UI patterns with evil defaults that this super-hidden thing was "on" for me. Shame on you, Wacom!
So you have to click "Disagree" and continue the install to have it on.
I guess I'll have to send a company-wide emailer along with the above instructions. Thank you very much for your writeup.
That said, yep, it seems lame they don’t disclose this tracking. I can understand why they’d want to know what apps their device pairs most often with, but tracking all app opens seems aggressive, but maybe it’s the only way to identify what app is open when the device is used.
(I work for an analytics company)
https://www.kali.org/downloads/
(Also make sure to check out Maltego, Metasploit Framework and Armitage.)
The trend over the last 10 years is to collect tons of data to improve the product. Some PMs and UXrs believe that they’ll get a magic insight from the data, and the skeptics do it anyways because it is another data point to have. For engineering, services like GA are cheap and easy to integrate.
Nobody has a bad intention. But, we are distracted by the next product release to see the long term consequences for the society.
The reality is that some data is useful, but most of it is BS. To measure adoption and engagement you can do a pilot and then deactivate data collection. Big app errors are reported soon after a release, and you don’t need to continue collecting that for a long time.
To improve the UX you can do research with less data points, and smaller groups. The irony: I wish to have data to prove it, my hypothesis is based on my experience. I got more actionable insights from qualitative research, self-reported metrics, or quantitative data focused in certain aspects (instead of collecting all just in case). Sometimes having nice reports based on tons of data is more useful as an argument for corporate politics rather than to improve the product, but users don’t need to pay the consequences of your company's stupidity (I’m looking at you MS telemetry ;-) )
There is a simple thing that we can do to change this trend. Ask yourself: What is the goal of collecting the data? What product hypothesis do you want to prove? Can you get insights from a small group? If you don’t know.... hold on your data collection desires.
I worked on a desktop product with this type of data collection. Usually what happens is that after a new release you may see new errors coming up, and then they start to repeat. The data collection becomes a burden, new reports of the same error type don’t give you more information.
It’s a good opportunity for a good UX, e.g point the user to the relevant support info to solve the problem.
For support cases you may be able to ask for diagnostics on demand. The app can collect it internally without sharing and send part of it when an exception occurs and the user accepts to send it.
I am guessing that the answer will be "they should test everything in house and tell users to complain via email when shit is broken"... but we all know that synthetic QA is never going to be as good as "ground truth", and that 99% of users will just silently be unhappy. So I wonder what the privacy balance is here.
I mean, crash logs, but yes -- defining question for our time
drivers shouldn't connect to the internet unless that's what they're for. crash logs should be managed by a third party thing that the user can configure
The problem then seems to be more about the false positives. If you use "Half Life 3 Test Build" that is useless info for wacom because it (presumably) doesn't care about pen input. Q: If the data were filtered to just art/graphics apps using the pen, would that still be problematic?
Yes. When thinking about data, you need to think about orthogonal uses. Can you imagine reasons why someone might subpoena data to determine whether Photoshop was being used on my home desktop machines at a particular time? They might not care that it was Photoshop at all.
What about aggregate data limited to art apps? For example if it only sends a monthly summary: used photoshop with a wacom tablet for 15 hours this month, illustrator for 3 hours this month?
Yes.
But essentially, coming from a 3rd world country where censorship was the norm before Internet came along, and seeing how TLS and DoH is giving similar states like China a headache, I have to say that I am extremely happy, but concerned.
I believe it is a regulatory problem. In essence, make collecting data punishable but personally (i.e. Person X signed on decision to collect data, person X gets jail time).
I know that's probably not even remotely possible because employees "operate on behalf of the company" but removing that shield will effectively eliminate this. The same way dumping stock at a company means the FTC/SEC/FBI will have your ass on a platter, personally.
By the way, my tablet works MUCH BETTER on Ubuntu and Mint than on Windows 10. Krita and MyPaint are cross platform so I might just do my art on a *nix box instead.
I'm currently doing all of my digital drawing on an old SP3 tablet running Manjaro, via Krita. The driver support is... acceptable, I guess. Krita has more than a few annoying edges, but shows a lot of potential so I've been sticking with it.
For a long time I've been considering springing for a dedicated setup with one of Wacom's larger devices, but I've held back because I need it to have completely solid Linux support and I can't figure out how to test that in advance. I'm always curious to get more info about what issues other people have seen.
I wish I could find a physical store where I could just bring in a laptop, plug it into the actual device, and draw for maybe an hour to figure out if there are any dealbreaking problems.
I'm using a Wacom Intuos pen & touch M graphics tablet, connected to a Thinkpad 430. Over the years I was using Debian Stable, MINT, and finally Ubuntu.
The experience is great. Like I mentioned, much better than windows. I only just started to use Krita (I prefer MyPaint, however I feel I should branch out). The work I do isn't special, just stupid doodles and cartoon type of stuff. The wacom I'm using is older, I think I bought it 5 years ago or so.
I don't really have much to add besides that. I remember WAYYY back in the day having to compile the driver myself for an older wacom (Ubuntu 6 or 7 era). It's practically plug and play now, however, I think there is some other apt-get stuff that I did once for some reason that I forget (eraser wasn't working?). If you are having issues maybe try another tablet. I think the one I have can be bought for $50 on ebay. Maybe try a 30 day return place like best buy and sorry to say try the latest ubuntu or mint for compatibility (have a dedicated art machine?)
Makes me think one should try declining these kinds of agreements to see what happens, before accepting. As someone who also has an "anti-privacy-policy-policy," I wonder how many of these kinds of things I've agreed to when it was unnecessary.
Might be different with the latest update, I haven’t bothered with that.
I can see an app like autohotkey could click the "no" button and automatically remove it, but could you (assuming it's not modal; which it probably is) tell Windows not to show it?
Does it only happen if the pen is touching the tablet, or does it happen all the time even if the pen isn't touching the tablet?
Because there's a huge difference between the 2. Normally you would keep your tablet plugged into a USB port but the pen isn't actively being used.
How was the day he got famous internally in Wacom, just because some XML that no one was meant to see..
> •Successfully activating insights to optimize value propositions, user experiences, and marketing
Well done & great work.
For years I've avoided the software packaged with hardware whenever possible, e.g. printer drivers (a few MB of actual driver at most, and a few hundred MB of useless bloatware all installed together); now I guess there's another reason to do that.
My other wacom, an older model, was awesome as a mouse replacement; but it took months to work in Linux and I don't feel too much inclined to repeat the experience.
It was a nice piece of hardware. It is a pity to hear that they are now tracking what users do with their computers. For me this is a no-way (It seems that I did the right thing dismissing the second model).
I'm not trying. In fact, I rejected that Wacom tablet exactly for that.
Some time ago when you unbox a product it was not uncommon to hear something like: "Sorry but as you are a Linux user we, the makers, will try to make your journey miserable not providing any support. Ha haa!. Maybe some volunteer working for free will fix this new model in six months. Maybe not".
Sorry maker but as you don't provide drivers for users like me, I will not use it. Bye. Have a good day.
They do not laugh so much today.
And you’re worried about their data handling policy?
A short and very incomplete list of the things a purchaser of a Wacom tablet is trusting to be true:
- That the tablet is safe to use - it will not fail in a way that exposes the user to electric shock hazards, sharp edges, dangerous chemicals, etc.
- that the EM emissions used to communicate between the pen and tablet don’t interfere with other systems in ways that could compromise safety
- that the device complies with usb standards and won’t damage electronics you interface it to
- that there are no hidden surveillance devices in the tablet or pen
- that, as an input device with access to your usb bus it doesn’t have the ability to be remotely induced to control your computer
Then you’re installing a piece of driver software, giving it sufficient permissions that it can read what application is currently running, and you are worried about it exfiltrating that information, rather than - say - the fact that as an input driver, again, it has complete control over your computer; it can record input - what if you use your Wacom to sign a pdf? Now it knows your signature. Or you tap out your banking password using an on screen keyboard. Who knows what else it can do - acting at the user input level presumably it can do anything you the user can do.
So sure, be concerned about what happens to the data it sends to Wacom, but if you don’t trust Wacom, your problems started much sooner than when you accepted the data sharing agreement.
But why are they sending this data to a server? My best guess is that this helps them focus on what software people are using. This allows them access to the popularity of graphic applications. They get to see what percentage of users use say Photoshop vs [Other program here] - so they know where to prioritize integrations and testing.
But I'm not sure how much "integrations" or work with third parties Wacom does - the drawing tablets are following an api standard after all. But maybe wacom does work directly with application devs, I don't really know.
I doubt they're doing this to try to track individual users - even if there are ways to do it. That said I really wish they approached this with a more friendly "Would you like to enable some basic Telemetry to improve Wacom products - Yes, No" instead of a very unfriendly user agreement where they try to force it.
Pretty much every site you visit puts PII in the title, which the browser dutifully includes in its title.
GSuite leaks my email address:
"Inbox - my.email@example.corp - Example Corp Mail - Mozilla Firefox"
Desktop apps are pretty much no different. Outlook leaks my email address, and subject lines of emails or meeting information:
"Inbox - my.email@example.corp - Outlook"
"EMBARGOED Friday 7th ::: Corp Revenue for 2019, +25% over expectations! - Message (HTML)"
"Meeting: Pre-Announcement, Dial-In +1 555 1234 ext 1234"
Visual Studio leaks filenames, repository information: "page.html - corp-project-repo - Visual Studio Code"
Pretty sure most office suite and Adobe apps will do something similar.
Heya - I could swear that wasn't there when I originally wrote the comment, but obviously it is there. Thanks for pointing that out. With that said, it doesn't change the substance of my comment too much - as I pointed out one can get a pretty solid unique identifier many ways, not limited to what I said above, you could even call out the presence of a permanently identifying header that Chrome gives some users[0].
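An added example, not part of any comment in this thread: a small audit of the window-title strings quoted a few comments up, showing which categories of PII a title-based collector would pick up and what pattern-based redaction still misses. The pattern list and function names are assumptions made for this illustration.

```python
import re
from collections import Counter

# Sample titles copied from the comment's own examples (illustrative values).
SAMPLE_TITLES = [
    "Inbox - my.email@example.corp - Example Corp Mail - Mozilla Firefox",
    "EMBARGOED Friday 7th ::: Corp Revenue for 2019, +25% over expectations! - Message (HTML)",
    "Meeting: Pre-Announcement, Dial-In +1 555 1234 ext 1234",
    "page.html - corp-project-repo - Visual Studio Code",
]

# Order matters: e-mail addresses are replaced first so their dotted parts
# are not later mistaken for file names. Patterns are deliberately simple.
PATTERNS = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("phone", re.compile(r"\+?\d[\d\s().-]{6,}\d")),
    ("filename", re.compile(
        r"\b[\w-]+(?:\.[\w-]+)*\.(?:html?|js|py|docx?|xlsx?|pdf|psd|txt|md)\b",
        re.IGNORECASE)),
]


def redact_title(title):
    """Replace each recognised PII pattern with a [category] placeholder.

    Returns (redacted_title, list_of_categories_found).
    """
    found = []
    for name, rx in PATTERNS:
        title, n = rx.subn(f"[{name}]", title)
        found.extend([name] * n)
    return title, found


def audit(titles):
    """Redact every title and summarise what was found.

    Returns (redacted_titles, counts_per_category, untouched_titles).
    untouched_titles are strings no pattern matched; they may still be
    sensitive (free-text subject lines, project names), which is the
    limit of pattern-based scrubbing.
    """
    counts = Counter()
    redacted, untouched = [], []
    for t in titles:
        r, found = redact_title(t)
        counts.update(found)
        redacted.append(r)
        if not found:
            untouched.append(t)
    return redacted, dict(counts), untouched


if __name__ == "__main__":
    redacted, counts, untouched = audit(SAMPLE_TITLES)
    for before, after in zip(SAMPLE_TITLES, redacted):
        print(f"{before!r}\n  -> {after!r}")
    print("categories found:", counts)
    print("passed through unredacted:", untouched)
```

The embargoed subject line passes through unchanged and the repository name survives in the editor title, so regex scrubbing alone does not make window titles safe to collect.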
You can catch slightly more aggressive malware by forcing all DNS traffic to your server at the network level but you’re now playing the role of malicious network operator. I would whitelist this to only devices you own.
(Also sad to say that GA is so big that a lot of websites/app rely on it)
Wow, that's weird. I don't remember ever seeing one site like that. Can you point one out? I mean, GA has been blocked at my places since 2015, and I don't remember anything ever was broken, on phone or desktop.
In some VMs / computers, I'd like to whitelist Internet domains instead of blacklisting, for security reasons.
Edit: Seems PiHole supports whitelisting: "Manage White And Black Lists" https://pi-hole.net/
Hosts files are literally the devil. They break so much shit. Hostnames sometimes change behavior (like an ad server that starts hosting a redirect script for legitimate clicks), kids who are "good with computers" set them up on relatives' computers over the holidays unmaintained, malware that uses them to block antivirus updates, etc.
If you want to block ads, fine. Use a content aware proxy or browser extension.
But there's some kind of etiquette you need to follow, if a company wishes to collect data:
- Be straightforward. Say what information you are collecting, at what time and what for.
- Tell me in what way this information will be stored and how will it be anonymized.
- Will the data be stored forever? And is there a way for me to request the data or its deletion?
- Don't collect data per default. Make it opt-in.
- Publicize the data in a suitable way. It may be useful to others.
Wacom simply ignored all of that human decency. How can you ever trust this company again?
I consider the nut of the problem to be informed consent. If you have user's informed consent to get the feedback, then there is no problem. If you don't, then the whole operation is unacceptable.
And no, mentioning it in the privacy policy or terms of use doesn't count as "informed consent".
It's not impossible at all, just in the current state of the industry there's a good reason we have vague agreements (also including good old-fashioned laziness, of course). It'd probably need to be developed ground up as an API with side effects, so when the code is compiled it spits out some details about how it's used.
Users are lazy and dumb, and the most ideological users are often the laziest and/or the dumbest, because they have an agenda. They will go out of their way not to give you the benefit of the doubt (”why was the font not 80pt? Clearly, you’re trying to hide something from users on high resolution screens!”)
It never ends.
> [having] an obligation to make their hardware work with any software the user might want to use.
They update drivers for 4 or 5 years then tell you to buy a new product if you expect it to work with current-gen software. Despite the fact that none of their tablets have had a substantial new feature in 20 years beyond the wireless connection kit, somehow a driver for a "Intuos Pro 4" cannot be used with a functionally-identical "Intuos Pro 3".
Some stuff is going to get through, but it should just be because you missed it. I'm sorry FOSS people; everyone is collecting way too much and I don't want to give Mozilla my data either. No, not even crash reports.
You’d think if keeping users happy was their primary goal, they might start by keeping their existing USB drivers compiled for the current macOS.
They don’t need me to email them to tell them it’s broken under current macOS. They’re the ones who told me!
Wow that last sentence really puts things into perspective. How can we reverse course and throw a wrench in the system? We are the makers, we should be able to wrestle back control and do it democratically and get politicians on our side to legislate this ad industry into the ground.
(And yes, I know ads enable a lot of free content on-line. But as countless problems like this show, it's a bad tradeoff.)
Sounds like a union? Also sounds like Galt's Gulch. Weird dovetail, there.
The kicker is that tech workers are in a FAR better position than the other groups that are pushing or considering a general strike. I suppose that makes the prospect more viable, but also more dangerous to the stability of the overall economy. I guess it's up to you if a shake-up now is worth stopping or forestalling the rising waters.
I refuse to work for companies I don't agree with, which hurts me financially. I will never work at a FAANG company, for example, or most of the other heavyweights that are functionally similar.
For things without a clearly superior alternative, I have a list of business opportunities. For example, smart devices are becoming popular, and they're horrendous for privacy. That means there's a market for devices that don't spy on you, and the open source options are inconvenient enough that a packaged deal is attractive, even if it could be DIY. For example, I think there's room for a Ring competitor that is E2E encrypted, provided the app is well designed and the device is unobtrusive. Privacy respecting services and devices are unlikely to take over the alternatives, but merely existing puts pressure on the major players to act better.
My plan is to deploy it and a VPN tunnel and give certain folks access to keep in touch. I’ll have instructions for self hosting and VPN key creation/sharing (Wireguard ftw)
There’s absolutely no reason to bother with cloud services. They’re nothing but big corp coopting our problem solving.
It always comes down to be gatekeeped but no one having the guts to gate keep a rich douche whose money to buy security goes away as soon as we do
> How can we reverse course and throw a wrench in the system?
We start by taking the guillotines down to Sand Hill Road.
The idea of using government to crush an industry is a bit totalitarian — if “the people” agree with you, they should be happy to pay you for your product. If they don’t agree, then there isn’t anything democratic about using a government to shut down an industry you don’t like — that’s not democracy, that’s fascism.
I love technology and computer science but tech is so screwed up in terms of ethics.
I wish we'd see more people coming together that care about this (like truly care, not the #Tethics of Silicon Valley) to make some open and private alternatives to all this toxicity. But it is super hard to make things change.
I'll work in that direction in my free time, but I feel so alone. HN seems the only place people care a bit about that. Around me at uni or at work, the level of ethics and care for privacy is so low, it's depressing. It's not only that "rich boss" telling its employees to exploit people's data, it's also engineers themselves being happy collabo of this because they make huge salary working for those companies.
They don't pay for the paystub data. The employers give it to them.
Although it's an invasion of privacy, to be sure, it actually does have some benefits for the employee.
In places outside San Fran, where people actually get conforming mortgages, having your data in The Work Number's database automates and cuts out the employment & income verification so that you don't have to track down records and submit manually and can potentially skip multiple must-connect phone calls between the lender and employer.
Inspiring examples that I use daily include Linux, git, and Bitwarden.
Legislation is the only effective course.
While the author presents the graphics tablet as a glorified mouse, tablets usually offer many more features. How those features interact with various applications is important, and they have to prioritize which applications they support. The data collection that the author describes may be viewed, internally, as part of that process.
Now I am not claiming that Wacom is doing the right thing, nor am I claiming that they are doing the right thing in the wrong way. Yet it is entirely possible that they feel justified in collecting that data for product development without having ulterior motives. Their failure may simply lie in the failure to recognize that many people are sensitive to data collection due to real, potential, or perceived abuses by other parties.
Wacom is a $500M company. They don’t get the benefit of the doubt.
I'm not a graphic artist, but I hate mouse cords and hate having to recharge mice or deal with batteries.
So a series of Wacom "puck" mice on one (over the years, several) of their digitizer tablets has been my mouse substitute at my desktop. I bought the high end ones. On an average of every 3 to 4 years.
They stopped making the puck several years ago. Mine was starting to wear out, so I finally made the leap to Logitech's G703 and the Logitech G PowerPlay inductive mat. So same benefit -- the mouse is just magically always charged.
If I hadn't already switched, I would have anyway after the Wacom selling data thing...
Hackernews is NOT the people. HN represents a TINY TINY fraction of users.
The data collected has massive potential to improve medical research. Being able to validate database wide experiments on hundreds of millions of people at once is pretty incredible. There's likely to be a decade of insights to be found in this rapidly filling digital ocean of information.
In several years the clamour to get off the known web will empower a lot of security apps (not "privacy" apps, that are the opposite of their name) that are growing behind the scenes.
So no, fuck that.
The societal costs of surveillance capitalism are only just starting to appear, and it's going to get so much worse before it gets better.
And it's not all bad, but there's no preserving the little bit of good without canning the tons of bad.
Considering what should and shouldn't be done is much less popular than finding ways to do it.
It's a whole attitude. They're aware of their limited lifespan and intend to either buy their way into more and better lifespan (if possible), but in any event become actually powerful and rich.
At least on a certain scale, they're not wrong. It does work.
This is not to say, however, that they're not slugs deserving of a good salting.
The discussions around these issues always follow the same pattern that reminds me of a dialogue I recently saw posted somewhere, where an Amish person and a non-Amish person talked about technology and the Amish person asked the other one, "do you think having the television on is good for you and your family?" and the other person responded "no, but we don't want to get rid of it because it may be useful", and the Amish guy responded with "that's the difference between us, if something is bad for our family we throw it out."
The discussions around tech are the exact same. We all agree the modern internet is screwed, large companies put ads into everything, we're getting screwed over, non-profit domain spaces are being sold, everyone's unhappy, and we do .... nothing. Because of 'innovation' or some other conjured up fantasy term.
On the other hand leaking the list of apps on your local computer, and to a third-party to top it off, is unexpected and thus more harmful.
Given that the Wacom utility is full of app-specific references and "customize your tablet, per app", I'd say that this is on par.
Ask random person, "Hey, do you know that when you visit John's blog, he sends your information to Google, too, not just himself?" and I guarantee you the answer is probably closer to 7% than 70%.
HTTP Log analysis is slow, and requires a lot of server side setup. Also, it will not give you navigation events in a SPA.
Using GA... just drop a line of JavaScript and you are done, with near real-time insights that are more detailed than an access log. You don’t need any server conf, or extra knowledge (not even JS knowledge: copy & paste the embed code). And Google gives you that for “free”... that’s why tons of sites don’t care about HTTP access log analysis anymore.
For desktop apps it is easy too. The GA API is very simple: send the app id, event + any event data you want. Your dev team can do that with self service (no need to set up a service, no extra costs to handle data).
Google receiving browsing histories for a single website is rude, but it probably isn't a serious problem for many websites (although the risk will depend on the nature of the website). In isolation, the fact that Alice read Bob's webpage isn't very interesting, but Google can aggregate that data into a very accurate pattern of life[1].
> Is it not anonymised?
Not for any meaningful definition of "anonymous". At best GA will zero the low 8 bits of the IP address by request of the website. (The opinion of the person visiting the website apparently isn't worth considering.) See this[2] post for a more detailed explanation of GA's perfunctory "Anonymize IP" feature.
I block it because the data it collects is none of Google's business. Being "anonymized" doesn't make it any better.
GA is used by countless websites. It's likely hooked into the adwords codebase so that they can track websites you visit even if that website does not have Adwords ads on it.
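As an added example that is not part of any comment in this thread: the "Anonymize IP" masking mentioned above (zero the low 8 bits of an IPv4 address), applied to a constructed set of hits to measure how many clients remain distinguishable afterwards. The hit fields (user agent, screen size), the sample addresses, and the IPv6 rule of zeroing the low 80 bits are assumptions that do not come from the thread.

```python
import ipaddress

# Bits of the address that survive masking. IPv4 keeps 24 (low 8 zeroed, as the
# comment states). IPv6 keeps 48 (low 80 zeroed); that figure is an assumption
# based on Google's Universal Analytics documentation, not on the thread.
KEPT_BITS = {4: 24, 6: 48}


def anonymize_ip(addr: str) -> str:
    """Return the address with its low bits zeroed, as the masking would store it."""
    ip = ipaddress.ip_address(addr)
    network = ipaddress.ip_network(f"{ip}/{KEPT_BITS[ip.version]}", strict=False)
    return str(network.network_address)


def candidate_addresses(addr: str) -> int:
    """How many real addresses map to the same masked value."""
    ip = ipaddress.ip_address(addr)
    return 2 ** (ip.max_prefixlen - KEPT_BITS[ip.version])


# Constructed sample hits: (client IP, user agent, screen size).
# Addresses come from the documentation ranges; nothing here is real traffic.
UA_MAC_FF = "Mozilla/5.0 (Macintosh) Firefox/72.0"
UA_WIN_CH = "Mozilla/5.0 (Windows NT 10.0) Chrome/79.0"
UA_LIN_FF = "Mozilla/5.0 (X11; Linux x86_64) Firefox/72.0"
UA_MAC_SF = "Mozilla/5.0 (Macintosh) Safari/13.0"
HITS = [
    ("203.0.113.17", UA_MAC_FF, "2560x1440"),
    ("203.0.113.17", UA_MAC_FF, "2560x1440"),   # repeat visit, same client
    ("203.0.113.94", UA_WIN_CH, "1920x1080"),   # same /24, different client
    ("203.0.113.201", UA_LIN_FF, "1920x1080"),  # same /24, different client
    ("198.51.100.5", UA_MAC_SF, "1440x900"),
    ("2001:db8:1234:5678::1", UA_MAC_FF, "2560x1440"),
]


def distinct_clients(hits, key) -> int:
    """Number of distinct values of key(hit), i.e. how many clients a
    collector could tell apart using only that key."""
    return len({key(hit) for hit in hits})


def summary(hits=HITS) -> dict:
    return {
        # Ground truth for this sample: one client per real address.
        "raw_ip": distinct_clients(hits, lambda h: h[0]),
        # Masking alone merges the three clients that share 203.0.113.0/24.
        "masked_ip": distinct_clients(hits, lambda h: anonymize_ip(h[0])),
        # Masked address plus the other fields sent with the hit separates
        # them again.
        "masked_ip_plus_browser": distinct_clients(
            hits, lambda h: (anonymize_ip(h[0]), h[1], h[2])
        ),
    }


if __name__ == "__main__":
    for ip, _, _ in HITS:
        print(f"{ip:>24} -> {anonymize_ip(ip)}  (1 of {candidate_addresses(ip)})")
    print(summary())
```

In this sample the masked address alone hides a client among 256 IPv4 candidates, but joining it with two ordinary browser fields restores the original count of distinct clients.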
After reading his analysis, I'm not sure how much I can trust Wacom's behavior when it comes to data collection. My concerns don't then jump to sharp edges and electrical shocks. I think about data retention. How well do they protect that data? I think about what Wacom might do with that detail of personal behavioral information if approached by a data broker with cash in hand and ready to make a purchase.
So why are you plugging their device into your USB port, logging in to your computer, and letting it operate your computer for you?
Like the whole 'internet-connected-cars' panic that occasionally grips developers. You know what's more dangerous than putting a car on the internet? Putting a car on the road. There are other drivers out there who could kill you. Thousands of people actually die in accidents. And you want to worry about the infotainment system containing a remote execution vulnerability?
No idea about Windows, I never use that.
This is why some blockers like uBlock Origin stub out the Google Analytics interface.
When I find a site with this problem I go elsewhere.
There's enough of a delta in both the money paid for online advertising of a target nature and in the better results that yields for the advertisers for them to fund a very rapid turn-over.
There's enough money in it that if they must, they'll be able and willing to buy their way past any unionization issues.
Using browser extensions to block ads is much higher risk than doing DNS blocking. Most ad blockers have full access to all web pages, which essentially means they could trivially scrape your usernames/passwords for your email/banks/etc or perform actions on your behalf.
There's room for this to go bad (AdBlocker dev turns bad, or sells extension to a bad guy for a wad of cash, or extension has security vulnerabilities, or keys for publishing extension are not properly secured) so while DNS-level blocking might not work as well, it's definitely not an obviously-worse solution.
(though FWIW PiHole in the past had some really aggressive default lists which stopped me from using it - though I set it up again recently and it's been much better - I haven't had any broken websites besides Amazon's own sponsored product links at the top of their own search results pages).
They're not good people, but if it weren't this set of people, another would take their place. The world is rife with opportunity for people of low morals.
It is society's fault that we have not explicitly codified what will not be allowed and constructed the right laws and enforcement to ensure that violators are ruinously punished.
Telling some poor person that they have to pay $10 per month to use Google or send Facebook messages isn’t democracy. Don’t want surveillance? Don’t use the products that employ it, but some people, especially those that don’t have means, might be perfectly fine to trade privacy for a “free” service. Destroying the ad industry is elitism and tone deaf — ads are imperfect, but they have enabled people to do things that would have been impossible or unaffordable 20 years ago.
This pitchforks and guillotines talk is ridiculous. Build something better if you don’t like the way things are.
That’s as simple as saying “don’t like crime? Don’t be near criminals.”
Data’s being stolen and we’re being watched whether we like it or not. Only sometimes can we easily opt out and have those decisions respected.
This does not solve the problem, not even close.
Privacy of varying levels is and has been a functional requirement for smooth working of free society.
Economic disparities make the impact of lower levels of overall societal privacy have a disproportionate negative impact to those on the lower end of the scale.
Still just using email. It’s web scale, and just needs UX love.
But really even that is overkill. Self hosting is too easy and cheap for me to justify cloud services privacy and just generally being in the habit of externalizing every aspect of utilitarian life.
I’m not talking webscale loads. And it could be a hub for IOT. My data streams are not Google scale. But don’t take your eye off them sticks & options. Ooo shiny
Share my data with my doctor directly over local area WiFi, by making it adhere to a specific format. No data middle men needed.
For a culture constantly climbing up its own ass about austerity in economics, we sure enjoy selling ridiculously uneconomical means of communication.
It’s almost as if it’s a purpose built emotional response but who could believe so many people would fall for an emotional mass delusion?
The only reason "we" do nothing, is that "we" have no agency. Other reasons are just rationalization to cope with our powerlessness: we pretend ideological debates among the people decide the fate of the country. The only vote "we" have is voting with our wallet, which only works in a truly free market.
Also, wouldn't your argument equally imply that mechanical engineers should drop their parochial belief that hardware issues are terrible while ignoring software problems? (Presuming they do that, which seems not unlikely)
I think any attempt to exfil data not required by the function of the tool should be clearly and transparently disclosed, the use of those disclosures backed by the force of law, and opt-in. This is obviously far from where we are.
Because of that, I would block it no matter what. In a better world, I would selectively allow some instrumentation and such, but as-is, there is no way to trust any of it.
So I'm the wrong person to ask.
Well with the proviso you stated that informed consent has been obtained first, then this would be fine (as would more frequent/less targeted collection). If not, then this is not fine.
> What if this information is indirectly used for trading on ADBE stock? Would that be considered OK ?
Obviously yes? What is supposed to be the issue here?
Certain kinds of capitalism, yes. There's not just one kind, and the kind we have now isn't the best kind. Perhaps we should try to discover a better one?
> What does privacy look like in non-capitalist places ... like ... China ...?
China is very capitalist now, if you weren't aware.
In any case, the main problem in those countries (at least with regards to privacy) was authoritarianism, not non-capitalism.
The public is simply ignorant about surveillance technology issues. Not that long ago we used to tolerate sawdust in our bread[1], and that's food, something humans should be pretty knowledgeable about. People would revolt if this happened now, whether they live under a capitalist or communist system. A free market might accelerate the transition, but education about the issue is still the underlying factor of change.
> Has this investor got a beta build from that new startup everyone's talking about? Their bets are always winning, I better frontrun them if that's the case.
> What apps could I exploit to get into this guy's computer?
> Wait why is my employee suddenly running tor browser after I involved her into this new secret deal? Better be careful with her, she might be talking to someone.
> Damn, our competitor's engineers are all running our app. Let's correlate the timestamps with our own backend to discover their accounts and push a special update to them.
That's just a small extra step in the QA pipeline.
Also: analytics and telemetry code doesn't just appear out of the blue. Someone makes an explicit decision to scoop error logs from users, or track clicks, or spy on system configuration. That someone is usually higher up the management or technical chain, and should know enough to recognize that sending anything collected on user's machine that is not crucial (in the most strict, technical sense) to performing the action user activated has privacy implications.
I'm actually pretty sympathetic to Wacom in this instance, more sympathetic than the blogpost author at least. But unethical actions are unethical regardless of whether acting ethically is "a real challenge" for some companies.
Since users ”can’t be informed” about tracking, it doesn’t make sense to discuss whether they “should be informed”.
Tough. If a company can't do it the right way, they shouldn't do it at all.
> in the current state of the industry there's a good reason we have vague agreements
Well, I guess that depends on your point of view. I see no good reason for this, but I have no doubt that the various companies do see a good reason by their definitions.
You're right about the current state of the industry, but the current state of the industry is a travesty.
I was mostly musing about how changing code can have legal/business as well as technical side effects, and we've seen that to some degree with mobile app permissions who just grab everything because it's seen as too much effort to do it right. So I'm curious if this is going to change for the better any time soon.
A functioning democracy legislates according to the will of the people. That means you HAVE to convince the majority first.
In a broken democracy, you still need to convince the powerful (although this might actually be easier). But you still have to convince them to apply the same standard to those without power, which is likely a hard sell.
The latter is a tougher desecration of the constitution to sell.
The NSA is already selecting people with "Linux" and "Tor" in their search histories for added scrutiny.
Source for this? If it's true it would be both sad and hilarious.
In the 90s, software modems ("winmodems", see [0]) were popular because they were cheaper than using dedicated hardware for generating and decoding the audio signals sent over the phone line. Those would break if the manufacturer didn't upgrade their driver for newer versions of Windows, since they're completely software driven.
I'd be very surprised if things have changed since then, and I bet that the majority of consumers would just pick the cheapest option at the big box store.
Now most Linux distributions are littered with binary blobs in linux-firmware that have to be loaded for everything from Wi-Fi to Bluetooth. We've gone the total opposite direction of where we should be .. except for like .. amdgpu.
It would be a full two years before I would see any other home users on anything other than dialup. 750k down in 2001 was so impressive, you could start listening to songs on Kazaa as soon as the download started!
One thing I can say for Nouveau over the proprietary drivers is that they actually work without any real fuss. I've run into numerous instances where the proprietary drivers would prevent the system from booting. And I've yet to get them to work at all with any realtime kernel in Manjaro.
And then we get into the nightmare that is any laptop with an integrated Intel GPU and a dedicated Nvidia GPU...
That and, if you have a G-SYNC monitor (which, in retrospect, you shouldn't, but I and several friends of mine do), it won't work at all with the Nouveau driver. :D
Good by comparison to nouveau (the open source driver) perhaps, but definitely not good compared to the open source intel/AMD drivers.
See https://popcon.debian.org/FAQ (thanks to toastal for the link).
Edit: Debian uses relatime by default. I don't know about other distributions.
Still, since you invited, I'll talk more about my own concerns. Do I trust Wacom as a company, as a whole? I think it depends on how they respond to this, right? Do I still trust them to make a tablet that doesn't have the problems you raised with "electric shock hazards, sharp edges"? Yes. At this moment, do I trust Wacom in the area of data collection? No, that seems to me like a questionable decision. I want to know more. I don't think I want an accessory manufacturer to compile a dossier of what programs I use at what time and from what (partially masked) IP address. More so when they're not being up-front about it (certainly from a layperson's perspective). I'm also not very confident right now that the behavioral data will stay within Wacom's walls and go no further.
In fact, I'm forwarding this to my CISO's office for further evaluation. Is that bad in some way?
So they are being up front about it, right? I mean, maybe not in layperson-friendly language, but in compliance with regulations and under the guidance, presumably of their legal team.
In the box alongside the tablet, there was also probably a little booklet full of safety notices, warranty indemnifications, compliance statements, and arbitration assertions about the fitness for purpose of the hardware itself - also not written in layperson-friendly language. But the reaction on seeing that was... well, probably to toss it aside and go ahead and plug in the device, not to immediately assume that because the company presented a bunch of dense legalese, they might be trying to get away with something.
You said yourself: you don't trust Wacom not to sell the data to a data broker when presented with enough cash. But all sorts of Wacom business processes had to comply with regulations, be carried out diligently and ethically, and be generally trustworthy for Wacom to have produced an electronic device that you can safely plug into your computer. So I'm just trying to get you to consider:
What is it about their data processing that leads you to all of a sudden question their corporate ethics, diligence, compliance and trustworthiness?
Actually, I'm interested in exploring more of your own view here. You seemed to take exception that he limited his findings to his apparent area of expertise and interest (software engineering, security/privacy). Is that still the case, or have your views evolved on this issue?
> What is it about their data processing that leads you to all of a sudden question their corporate ethics, diligence, compliance and trustworthiness?
Your questions for me are really best answered by the author:
1. Apparently, it defied a reasonable expectation that the purchase of such a minor peripheral of this type would lead to the manufacturer's attempt to obtain a regular stream of what applications he launched on his PC (and at what time, and from what partially masked IP address). He was a smart cookie. His tip-off was that it somehow needed a privacy policy. And he had the smarts to launch his own technical investigation.
2. When he finally saw what they were pulling from his PC, once again, he was shocked, because that seemed to conflict with his own understanding of what Wacom said they were doing. He hadn't just casually scrolled through the privacy notice. It looks like he read it quite carefully.
I suspect this might be what he took issue with:
> Information Automatically Collected – Google Analytics When You use the Tablet Driver, certain information as described below may be automatically collected for purposes such as improvement of the Tablet Driver, troubleshooting bugs, providing the functions of the Tablet Driver, managing the services and improving overall performance of the Tablet Driver. Such information includes aggregate usage data, technical session information and information about Your hardware device.
No, I'm not interested in pulling in more sections of text and going back-and-forth in a game of Internet Lawyer. Someone else here might be a more willing partner.
> So they are being up front about it, right?
That's the issue. Was Wacom clear and transparent? Or did Wacom manage to generate a body of text which obfuscates what they are actually doing while still maintaining legal compliance? Or did they overreach? As it turns out, the FTC has a special page to submit complaints regarding privacy policies. I imagine that corporate privacy policies are turning into a hot topic for the FTC right now. I guess there's enough interest here, so I'll go ahead and submit this issue to the FTC (Federal Trade Commission) and see if they want to help Wacom figure out the answer to your question.
Beyond that, you have some interesting questions about trust. Not my area of expertise, but I'll take a crack at it. Your boss might say that you're someone he trusts. He might give you authority over an application which processes millions or billions in yearly revenue. But he wouldn't trust you to take care of his kids for a week. Trust is not binary (yes/no), and it is not universal (trust in area X must equal overall trust or trust in area Y). That's as much as I've got. If you've got followup questions about trust, they might be better directed towards an online resource which focuses on that issue.
Hope this helps.
If you are talking about GNOME’s Wacom settings, then I can understand the confusion: under Windows this would be part of the driver package, but under Linux this bit just happens to be completely unrelated and maintained by GNOME. I realize this does not matter much to the end user but it kind of matters in the context of this discussion; the bugs aren’t inherent, they are probably mostly a result of how the software ecosystem works on Linux...
2. If you’re referring to a Windows open source Wacom driver, one already exists, as mentioned elsewhere in the thread, though it has a pretty specific purpose in mind. https://github.com/hawku/TabletDriver
I assumed your comment was also about that, I didn't expect that you were ignoring the context of the conversation and just commenting about whether the current driver was buggy or not. Sorry.
I don't know anything about water treatment or nuclear power, but I still expect the people working in those industries to be held to extremely high standards of competence, virtue and accountability.
We should have the same standards. We don't, so instead we need to demand regulations for these monsters.
Or that they got a prescription filled. For Valtrex.
What would be helpful -- but that I am adamantly against -- would be tons of data drops, in communities across the nation, of local church leaders and local community leaders.
Here’s some: https://www.pewresearch.org/fact-tank/2018/03/27/americans-c...
91% of Americans feel that they have lost control of their personal data and privacy. The logical conclusion is that at least that many understand what they have gotten themselves into. That would indicate that a majority of people are exercising informed consent, despite the vast majority of Americans feeling that way, they continue to use the gamut of products and services.
https://docs.microsoft.com/en-us/windows-hardware/drivers/in...
These hurdles are a bigger impediment than they appear.
This is arguably worse security wise but it makes the driver install process identical to the way it used to be as far as the average consumer can tell. This is why (IMO) free software is so important, to the point where I’ve begun to agree with the radicals and think it should be mandatory.
No it doesn't, the devs refuse to provide stable in-kernel APIs because they want the flexibility to be able to modify them as they please when a better solution comes along. Also maintaining support for proprietary drivers is harder due to them being black boxes, not only in terms of debugging, but also in security and stability.
NVidia is basically the one major holdout these days, and its proprietary driver for Linux is very good, so it's not as if it's impossible to maintain a proprietary driver in the Linux ecosystem. The motivation here comes from Linux being huge in accelerated computing and 3d, not due to any particular love for Linux on Nvidia's part.
Indeed the lack of a stable interface has made it cumbersome to maintain an out-of-tree driver, which is GREAT since it means hardware vendors are more likely to open source their drivers or at least give enough documentation for them to be created by a third party. This ends up being a huge part of Linux's success, as it supports the widest range of hardware of any system 'out of the box', hardware support which is then functional on any platform on which Linux runs, which in turn is practically everything under the sun.
And if this wasn't enough, it is also a boon for alternative systems which will never see official proprietary drivers due to being niche, as they can port Linux drivers, or even add Linux driver compatibility layers.
As the situation on Windows shows us, the alternative is drivers that are crap for other reasons. If Linux offered a stable binary interface for drivers, we'd have proprietary drivers that "worked" but were nevertheless still crap insofar as they were essentially malware, as is the case with this Wacom driver.
What happens instead is Linux drivers are mostly BSD ports. Go figure.
Not finding that now, though there's a 2014 discussion of a driver wrapper for FreeBSD to access Linux device drivers:
https://www.phoronix.com/scan.php?page=news_item&px=MTgzMjY
Linux of course also makes use of some driver wrappers, the most well-known of which is probably NDISwrapper, supporting wireless networking cards:
Device managers don't care about Linux anyway, and wouldn't suddenly start caring if Linux announced a stable ABI.
From what I've seen, facilitating proprietary drivers seems like the motivation of most people lamenting the lack of a stable ABI. An example of this being the comment I responded to; "Linux purposely makes proprietary drivers crap. [...]"
Discounting proprietary drivers under the assumption that they wouldn't be written anyway, what does a stable ABI afford us? Out-of-tree FOSS drivers? In other words, drivers that aren't good enough to be accepted into the kernel?
Many of them are not stupid. On average, half of them are above average. They're just uninformed and busy with their own lives.
Also when I said Linux made proprietary drivers crap I meant that as a good thing. It led to open source drivers where there otherwise would not have been. Some OEMs like AMD eventually went open source on Linux while remaining proprietary on Windows.
Is there a reason the Linux folks don't do something about this? If I were them I wouldn't be happy seeing my licensing terms treated like a joke.
Also I don't know all the details here - I know that Vizio TVs were collecting data and explicitly kept the IP and other personal data with it. I don't know if Wacom is doing that.
Now that said - I don't like that they're handing this data to Google through Google Analytics. I also think they should be far more up front about what they collect, what they use it for, etc.
Maybe if it were only used for that it wouldn't be so bad. But I don't trust a company not to take another bite at the apple by selling customer data if they think they can get away with it. Matter of fact, refusing to do so is leaving money on the table and could get a CEO fired for not making the company as profitable as it could have been. Once companies have the data, they are almost certainly obligated to use it in ways to their benefit and your expense.
What happened to actually communicating with users to learn more about how they use the product?
I work on a product, and we include some telemetry. I'm also a strong privacy advocate, and I believe I've done my best within the corporate realm to ensure that the data we're collecting is extremely scoped AND useful for decision making and prioritization. In my experience, there aren't that many of me, but I implore folks to realize that as PMs and engineers, we absolutely do have a say in making sure that blanket data exfiltration and aggregation doesn't happen in our products.
Communicating with your customers proactively about what you're collecting and why is important too. And not buried in some privacy policy legalese: publish a blog post, explain what you're gathering, give examples of how it's driven decision-making for you in the past, and what you're hoping to learn in the future. It goes a long way.
https://www.nngroup.com/articles/first-rule-of-usability-don...
"watch users as they attempt to perform tasks"
It's not challenging to see why someone might choose a one-time cost in software engineering over an ongoing cost in communication.
(and yes, the obverse inference is also true. If you see one person complaining, there are probably 99 more who have had the same issue and have said nothing)
If you want to put resources into "hey folks like to use this product with ours" you need accurate information.
> In section 3.1 of their privacy policy, Wacom wondered if it would be OK if they sent a few bits and bobs of data from my computer to Google Analytics, “[including] aggregate usage data, technical session information and information about [my] hardware device.”
What wasn't upfront about this? That they didn't add more details about what the session information was? Legally why would they? The post includes an image of the section where they legally disclosed it. People not reading the privacy policy before using a product is not Wacom's legal problem.
Can you ask them to put this section on a separate screen? Sure. Will they do it? Who knows. I'm sure they'd want to know if you are a customer giving ideas than a low priority non customer as would any person.
How many blogs or websites disclose the use of Google Analytics in their privacy policy?
You could talk to many customers and this is the least thing they have on their minds. Paranoia displayed by commenters here is amazing.
As the post concludes, if you are a (prospective) customer who does not like what they collect then there are other brands. I might add who probably have a hidden, more intrusive way to track you because they are smaller, have smaller volume/margin and have the incentive to build and sell your profile like other small companies not in the field.
Transparency, consent, and control.
If every company addressed these three issues, we wouldn’t be having this conversation about privacy and data collection over and over and over.
What I'm addressing is that I feel many people see a company tracking data, and assume this data is valuable enough to sell, and that the data is for sure being sold.
My point was that the data isn't just valuable to sell (maybe), but is legitimately valuable in making a better product/service.
I don't think anybody is disputing that. But that it's very valuable to devs does not excuse collecting it without getting the user's informed consent first.
I believe wanting it for product development is just as simple.
My tablet behaves differently per application. If I typically have one app open only on one screen I can limit the tablet's "workspace".
Context-specific buttons based on app.
And if you're doing that _and have built sufficient app infrastructure around it_ as Wacom has to support fairly custom per-app behavior, the more realistic conclusion is that they're trying to get more info on that - now you can argue about opt in on the "share experience data" privacy setting - and I would agree, absolutely.
But "more simple to say that they're just selling data for money" is a pretty reductionist argument that jumps solely to the most negative possible motivation. "What's the worst they could be doing with it? Selling it? That's probably what they're doing, not making their tool more useful."
For me Occam's Razor points towards internal analytics.
Seems the obvious answer, yep.
Is this different than the local CA cert list? Sorry I don’t use Windows.
Can we go back to the days where an advert was just an image and a hyperlink? Where advertisement paid by the pixel and location on the website? Where JavaScript was unused unless in some rare and warranted cases?
I still believe the web can be a free and open market place of ideas.
1. The uplift of targeted advertising is unbelievable until you see the actual statistics. It's like slowly sipping a cup of coffee to wake up versus waking up to snort a line of crack.
2. Advertisers were abused and defrauded by adtech. Which has inspired all kinds of surveillance hellscape because the advertisers finally caught wise and have renegotiated to pay for actual performance only -- not clicks -- actually closed sales. But adtech wants paid if you do your research online, respond to an ad online, and then buy in store. And a whole lot of adtech now allows for that. Attributing an in-store purchase with no customer interaction to a prior web session by that same party.
The benefit of those two factors to the advertisers is such that we can't have a serious discussion about this shit going away without a law which assigns criminal penalties for being a beneficiary of the scheme.
I hate the means by which advertising is targeted today, but I would be lying if I said the format of the ads themselves were more annoying or less useful than the past.
And furthermore it could be a plurality of those kinds of providers aggregating content.
Deploy single-sign-on schemes, and websites might participate in a plurality of programs from different vendors.
But at the end of the day, you'd pay one or two "providers" a monthly sub, they pool the funds, take their cut, and do prorata distribution of the pool based on views, eyeball time, popularity of content, lots of ways.
No need to perform microtransactions from a banking perspective. You're going to eat $20 of web content this month, and so will lots of others. And then those views can participate in the pool and get paid monthly or something.
Something like APPAA - Advertising Privacy Protection and Accountability Act
What would you guys call it? What language is necessary to cover all the edge cases for the deceptive and dirty-playing advertising industry?
As in, being a beneficent party of a targeted ad campaign becomes a presumption of criminal activity.
We have to make the advertisers culpable for the behavior of the companies serving up their ads.
You need to think about incentives. You have two tablets, identical in functionality and performance. But the one without the ads and surveillance features costs twenty percent more. Which one do you buy? Actually Kindle did this for a while (maybe they still do...). I ended up buying the cheaper one with the ads.
For a $20 one time fee you can remove this feature (which can be done after purchase at any time). But most people won't notice the tiny option select on the amazon purchase page that defaults to "with Special Offers".
To make it even more confusing, they make it sound like the better option to pick is the ad-supported version. I mean you are choosing between the model "with special offers" or the one "without special offers"? Most people that don't know any better will leave the default "with special offers" options selected.
Source: https://www.amazon.com/All-new-Kindle-now-with-a-built-in-fr...
But that's why I wrote that advertising-based business models need to be banned. Not discouraged, not badmouthed, but banned. They're anticompetitive and poisonous; when one company starts doing it, others in the whole sector are drawn to follow suit (it's e.g. why it's hard to actually sell apps on mobile or make subscriptions for publications on-line profitable; ad-supported operations create a baseline cost of zero).
Or alternatively, give users ownership of their data like the EU has taken steps to do. Advertising is here to stay and provides its own use. But there could be something that forces transparency.
The genie is out of the bottle at this point. IMHO the only method forward is how do we as a society responsibly allow for coexistence such that all parties are satisfied.
Canter and Siegel was in 1994.
Because I will only say "Yes" if I'm being paid or otherwise compensated specifically for that input.
I think it's important companies pay for usage testing so that they value that information and are more likely to hold it closely since it represents an investment and is perceived as competitive advantage.
But trusting companies to do the right thing is untenable. That trust has been broken far too often, by far too many companies. The only rational position a concerned user can take is to assume that anybody collecting such sensitive information (particularly in a sneaky way) intends to monetize it or use it for purposes other than product improvement.
And even if the data really will only be used for product development, getting the user's informed consent -- and refraining from data collection without it -- is critical.
Further, using GA automatically means that the data is being used for Google's purposes as well as the application creator's.
That's not what they are saying at all, and suggesting it's for nothing proves you don't understand the value of using the data for internal decision making. Simply put: the main use of this data is for that reason: internal decision making. Answering questions like:
* How are our customers using our products?
* What errors are they experiencing?
* What features are they using?
* Where are they confused?
* What features cause the most problems?
* What feature should we work on next?
These are all regular questions that are answered by collecting these types of metrics, including the one described in this post. Selling the data to third parties isn't easy. The data is generally gathered to inform product decisions, not to sell, so it's not in any easy format that makes it easy to sell. One has to go out of their way to sell this data, and the cost to put together this data in a way that's useful to sell would almost certainly cost more to set up and manage than they would get from such a small number of relative users.
The simple fact is, everyone sends data back to their servers for collecting and parsing, including Apple, the company everyone puts on a pedestal for privacy.
Simply put: show me the evidence they are selling the data to third parties for profit. Anything less is speculation.
For small/mid-size datasets (which is what we're talking about), yes, that's exactly what I'm implying. It's not actually easy for most companies to sell user data for a quick buck like is being claimed.
It will be nice if all the EU residents in one go send a request to remove their information from all the US based media and technology giants who under the guise of changing the world are indeed working to sell more to consumers and make themselves rich.
> Making it illegal won't solve much. E.g. FB doesn't sell private information, they sell the ability to target demographics.
You just need to appropriately specify what's being made illegal. You're right that FB could weasel out of a law that outlawed selling private information. They couldn't weasel out of a law that outlawed monetizing personal data without user consent.
Make their only defense be cooperation in prosecuting the offending party.
1) Pop up and ask for permission to scan the machine.
2) Show the data collected that will be sent back and give a second chance to decline.
3) Allow everyone to see the aggregate results.
Being mostly automated, it's lower friction than a manual Q&A survey. But it also feels way more respectful than trying to snoop around and then clandestinely exfiltrate the data. It's one of the few cases where I'm willing to opt-in to data collection.
From a game developer perspective, looking at it right now tells me that (simplified):
* Most gamers have at least a GTX 1050 and 8GB of ram or higher. Perfect now we know where to aim our medium settings.
* 74% use Nvidia GPUs, 15% use AMD - now we know where to focus driver optimizations
* English, Simplified Chinese, and Russian are the top languages (where to focus translations)
* 72% play on 1080p, 14% on 1440p, etc. Tells us what resolutions to make sure our UI works on.
It's not hard to see how to do it right.
I was attempting to illustrate the decision-making processes that may have led to this juncture and what happened to communicating with customers. Please accept my apologies, as I have plainly failed to be clear that this was not an argument as to the moral or ethical questions concerned.
Again, you're completely right. It's not at all difficult to see the morally and ethically correct way to go about this.