However, Heaton’s investigation found that the data collected weren’t just “bits and bobs” but also the record of every application he opened, and what time he opened it.
Here, for instance, is Heaton’s drawing tablet reporting back to Wacom via Google Analytics that he’s just clicked on the Chrome browser.
You might well wonder why Wacom drawing tablets feel the need to record the name of every single application you run on your private, personal laptop and send it back to Wacom.
Even if you think there might be some customer support reason for collecting this information (rather than something more nefarious), you might well raise a querulous eyebrow at Wacom behaving like this by default, and find it underhand that every time the drivers for your Wacom drawing board are updated, what is known as the “Wacom Experience Program” is enabled again.
It’s not ok that I have to deactivate the “participation in the Wacom Experience Program” after each and every update installation. Could you please ensure to remember the setting across updates? Thank you.
— Pascal Costanza (@p1cost) August 16, 2019
Heaton sums up his concerns with what Wacom is doing succinctly:
I care about this for two reasons.
The first is a principled fuck you. I don’t care whether anything materially bad will or won’t happen as a consequence of Wacom taking this data from me. I simply resent the fact that they’re doing it.
The second is that we can also come up with scenarios that involve real harms. Maybe the very existence of a program is secret or sensitive information. What if a Wacom employee suddenly starts seeing entries spring up for “Half Life 3 Test Build”? Obviously I don’t care about the secrecy of Valve’s new games, but I assume that Valve does.
We can get more subtle. I personally use Google Analytics to track visitors to my website. I do feel bad about this, but I’ve got to get my self-esteem from somewhere. Google Analytics has a “User Explorer” tool, in which you can zoom in on the activity of a specific user. Suppose that someone at Wacom “fingerprints” a target person that they knew in real life by seeing that this person uses a very particular combination of applications. The Wacom employee then uses this fingerprint to find the person in the “User Explorer” tool. Finally the Wacom employee sees that their target also uses “LivingWith: Cancer Support”.
Remember, this information is coming from a device that is essentially a mouse.
6 comments on “Wacom drawing tablets are spying on every app you open, and sending the data back to Wacom”
Is it possible to write a programme that would kick in when I'm not at my desk, which accesses random applications in rapid succession? The programme could be written in one of those new 4GL languages that painlessly generate the code for you. The schematic we would draw for the 4GL compiler to convert in Cobol would make my machine jump from one web site to the next, leading the Wacom fox-hounds and the Google huntsmen on a merry dance across the field of cyberia (Hopefully within safe parameters.)
The burden of keeping up with this would send the Google Analytics spy into overdrive and the mainframe computer running this machine would begin to smoke as its big circular tape drives whizzed back and forth in rapid succession. Eventually, if television depictions are accurate, the machine would explode and all the Google engineers would be covered in soot from the head to lab coat.
Yes, I'm possibly showing my age by saying 'programme' but you know what I'm saying, surely.
Can you write such a programme and have it on my desk by Friday close of play?
I need to edit the above, it's full of typos.
So I am designing a Top Secret secure entry mechanism for GHCQ (the other one) using my high end CADD system, workstation and Wacom Tablet…
Isn't Google Analytics HTTPS? Are you only able to see the GET request or is it sending it in the clear? Just curious what tool you used to spy on the app?
I don't suppose the Linux driver does that.
Does this function when the tablet is unplugged?