Bravo to software engineer Robert Heaton, who was sufficiently intrigued while reading the privacy policy of his Wacom drawing tablet to investigate what “aggregate usage data, technical session information and information about your hardware device” it might be collecting.
“In section 3.1 of their privacy policy, Wacom wondered if it would be OK if they sent a few bits and bobs of data from my computer to Google Analytics, “[including] aggregate usage data, technical session information and information about [my] hardware device.” The half of my heart that cares about privacy sank. The other half of my heart, the half that enjoys snooping on snoopers and figuring out what they’re up to, leapt. It was a disjointed feeling, probably similar to how it feels to get mugged by your favorite TV magician.”
However, Heaton’s investigation found that the data collected weren’t just “bits and bobs” but also the record of every application he opened, and what time he opened it.
Here, for instance, is Heaton’s drawing tablet reporting back to Wacom via Google Analytics that he’s just clicked on the Chrome browser.
You might well wonder why Wacom drawing tablets feel the need to record the name of every single application you run on your private, personal laptop and send it back to Wacom.
Even if you think there might be some customer support reason for collecting this information (rather than something more nefarious), you might well raise a querulous eyebrow at Wacom behaving like this by default, and find it underhand that every time the drivers for your Wacom drawing board are updated, what is known as the “Wacom Experience Program” is enabled again.
It’s not ok that I have to deactivate the “participation in the Wacom Experience Program” after each and every update installation. Could you please ensure to remember the setting across updates? Thank you.
— Pascal Costanza (@p1cost) August 16, 2019
Heaton sums up his concerns with what Wacom is doing succinctly:
I care about this for two reasons.
The first is a principled fuck you. I don’t care whether anything materially bad will or won’t happen as a consequence of Wacom taking this data from me. I simply resent the fact that they’re doing it.
The second is that we can also come up with scenarios that involve real harms. Maybe the very existence of a program is secret or sensitive information. What if a Wacom employee suddenly starts seeing entries spring up for “Half Life 3 Test Build”? Obviously I don’t care about the secrecy of Valve’s new games, but I assume that Valve does.
We can get more subtle. I personally use Google Analytics to track visitors to my website. I do feel bad about this, but I’ve got to get my self-esteem from somewhere. Google Analytics has a “User Explorer” tool, in which you can zoom in on the activity of a specific user. Suppose that someone at Wacom “fingerprints” a target person that they knew in real life by seeing that this person uses a very particular combination of applications. The Wacom employee then uses this fingerprint to find the person in the “User Explorer” tool. Finally the Wacom employee sees that their target also uses “LivingWith: Cancer Support”.
Remember, this information is coming from a device that is essentially a mouse.
Wacom may not be guilty of abusing this information for surveillance or to sell cheap flights to Portugal, but it clearly is failing to properly describe in its privacy policy what data it is collecting under its “Wacom Experience Program”, and is in danger of losing the trust of its customers.
Is it possible to write a programme that would kick in when I'm not at my desk, accessing random applications in rapid succession? The programme could be written in one of those new 4GL languages that painlessly generate the code for you. The schematic we would draw for the 4GL compiler to convert into Cobol would make my machine jump from one web site to the next, leading the Wacom fox-hounds and the Google huntsmen on a merry dance across the field of cyberia (Hopefully within safe parameters.)
The burden of keeping up with this would send the Google Analytics spy into overdrive and the mainframe computer running this machine would begin to smoke as its big circular tape drives whizzed back and forth in rapid succession. Eventually, if television depictions are accurate, the machine would explode and all the Google engineers would be covered in soot from the head to lab coat.
Yes, I'm possibly showing my age by saying 'programme' but you know what I'm saying, surely.
Can you write such a programme and have it on my desk by Friday close of play?
I need to edit the above, it's full of typos.
So I am designing a Top Secret secure entry mechanism for GHCQ (the other one) using my high end CADD system, workstation and Wacom Tablet…
Hey Graham,
Isn't Google Analytics HTTPS? Are you only able to see the GET request or is it sending it in the clear? Just curious what tool you used to spy on the app?
I don't suppose the Linux driver does that.
Does this function when the tablet is unplugged?