dalto
June 1, 2020, 3:46pm
22
It depends how privacy conscious you are. They aren’t stealing data or anything but definitely over the line for me from a privacy perspective.
It was first reported in 2018:
opened 06:51PM - 06 Oct 18 UTC
closed 05:38PM - 07 May 19 UTC
platform:all
type:bug
component:gui
- **Etcher version:** 1.4.4
- **Operating system and architecture:** macOS 10.14 "Mojave" and MacBook Pro (Late 2016)
- **Image flashed:** ubuntu-18.04.1-desktop-amd64.iso
- **Do you see any meaningful error information in the DevTools?** No
I have the [Little Snitch firewall](https://www.obdev.at/products/littlesnitch/index.html) installed, and when I installed Etcher and tried using it I was surprised at the number of outbound connections it made.
I'm posting an issue because if you go into the settings and de-select the option, "Anonymously report errors and usage information to resin.io," the app ignores the setting and still makes a large number of connections to well-known web usage sites such as Mixpanel, GoSquared, and Google.
I do not know if this is a bug in the Etcher code, or if it's cruft that is baked into the Electron JS framework. Regardless, it's misleading to give a user the option to opt-out of usage reporting, and still make the connections anyway.
![screen shot 2018-10-06 at 13 41 22](https://user-images.githubusercontent.com/5694899/46574736-cba4e600-c96d-11e8-919f-36359188fe18.png)
![screen shot 2018-10-06 at 13 49 55](https://user-images.githubusercontent.com/5694899/46574794-cb591a80-c96e-11e8-84b8-4e1b4814a832.png)
![screen shot 2018-10-06 at 13 49 45](https://user-images.githubusercontent.com/5694899/46574795-cb591a80-c96e-11e8-830c-dc37879539dc.png)
![screen shot 2018-10-06 at 13 49 34](https://user-images.githubusercontent.com/5694899/46574796-cb591a80-c96e-11e8-9734-d915d75c1497.png)
![screen shot 2018-10-06 at 13 49 16](https://user-images.githubusercontent.com/5694899/46574797-cb591a80-c96e-11e8-8e95-aacc4752b192.png)
![screen shot 2018-10-06 at 13 49 03](https://user-images.githubusercontent.com/5694899/46574798-cb591a80-c96e-11e8-8192-61eb352a9c72.png)
![screen shot 2018-10-06 at 13 48 51](https://user-images.githubusercontent.com/5694899/46574799-cb591a80-c96e-11e8-967c-b6fa882312ca.png)
Here is another:
Here are the reported sites they were connecting to:
https://www.googletagmanager.com
https://www.google-analytics.com
https://d1l6p2sc9645hc.cloudfront.net
https://api.mixpanel.com
https://data.gosquared.com
https://data2.gosquared.com
https://google-analytics.com
https://googletagmanager.com
https://connect.facebook.com
https://www.facebook.com
The final straw for me was where they acknowledged that their opt-out settings were broken but basically said they had other priorities to work on first.
Things didn’t get all that much better over a year later:
opened 05:59PM - 26 Nov 19 UTC
closed 04:29PM - 28 Nov 19 UTC
Reopening #2057 - the issue is still valid.
- **Etcher version:** 1.5.63
- **Operating system and architecture:** darwin x64
Wikipedia defines spyware as:
> Spyware is a software that aims to gather information about a person or organization, sometimes without their knowledge, and send such information to another entity without the consumer's consent.
## Required Elements
1. is software :white_check_mark: etcher is software
1. gather information about a person :white_check_mark: information: that the user is launching etcher
1. without their knowledge :white_check_mark: no indication is displayed at any time that this is happening
1. send information to another entity :white_check_mark: information is transmitted to LAN, ISP, interchange points, and hundreds of others
1. without consent :white_check_mark: no consent is asked for or given (and indeed, none exists)
Etcher has done *precisely this* for some time.
This **silent** tracking **includes IP address and timestamp information**, which is more than sufficient to **identify a user (and perhaps even their physical location)** to the other people who gain access to this data, such as analytics providers, network hosts, interchange points, ISPs, and intelligence services (hi Ed!).
Upon opening Etcher for the **first time**, the following connections are attempted:
<img width="548" alt="Screen Shot 2019-11-26 at 09 51 53" src="https://user-images.githubusercontent.com/408977/69659317-c94e9100-1032-11ea-9e77-4de1dce9f227.png">
<img width="549" alt="Screen Shot 2019-11-26 at 09 52 01" src="https://user-images.githubusercontent.com/408977/69659318-c94e9100-1032-11ea-95f7-7d7dd2f78f2f.png">
At no point am I prompted for consent, or provided the ability or UI to opt out. This happens *silently*, regardless of user intent or consent. Only after balena has been contacted by the software does the main application window open:
<img width="912" alt="Screen Shot 2019-11-26 at 09 52 04" src="https://user-images.githubusercontent.com/408977/69659361-de2b2480-1032-11ea-82ab-cbd1ec9fdf11.png">
Then, the user could attempt to disable the settings, but by then their IP address (and physical location) has by this time already been transmitted to the manufacturer, likely against their consent and wishes.
This issue is not about the GDPR, or the legality of this collection, simply the very practical issue that the software phones home and **leaks the user's IP address to the developers and hundreds of others without consent or even notification**. At no point does the user have the ability to disable this on first launch. By simply phoning home, thousands of other people have gained access to the piece of information that a given user is using this software.
At present, that makes this application fit the definition of **spyware**.
Remember: humans have an inalienable right to privacy. By leaking users' personal data (even if you do not save it, or don't receive it yourself - by *causing it to be sent out of their computer at all*) you have **infringed upon their human rights**.
Do not abuse the human rights of your users. Ask the user for consent before transmitting *any* data out of their computer.
Since then, I have been unwilling to trust them from a privacy perspective. There are too many other alternative flashing tools out there.
1 Like
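One way to check the behaviour both issues describe, as an added example that is not part of the original post or of the Etcher project: match a per-process connection log against the hosts listed above, separately for first launch and for the period after the reporting option was deselected. The log format, the phase labels, the process names and the sample lines are assumptions constructed for illustration; in practice the lines would come from a firewall or DNS log.

```python
from urllib.parse import urlsplit

# Endpoints reported in the post above (hostnames taken from its URL list).
REPORTED = [
    "https://www.googletagmanager.com", "https://www.google-analytics.com",
    "https://d1l6p2sc9645hc.cloudfront.net", "https://api.mixpanel.com",
    "https://data.gosquared.com", "https://data2.gosquared.com",
    "https://google-analytics.com", "https://googletagmanager.com",
    "https://connect.facebook.com", "https://www.facebook.com",
]
TRACKERS = {urlsplit(u).hostname for u in REPORTED}

def parse_log(text):
    """Yield (phase, process, host) from 'phase process host:port' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or line.lstrip().startswith("#"):
            continue  # skip comments, blanks and malformed lines
        phase, proc, dest = parts
        # Normalise: drop the port, lowercase, strip a trailing root dot.
        host = dest.rsplit(":", 1)[0].lower().rstrip(".")
        yield phase, proc, host

def opt_out_violations(text, process):
    """Reported hosts the process contacted, split by phase.

    'first-launch' = before the settings UI was reachable,
    'opted-out'    = after the reporting option was deselected.
    """
    hits = {"first-launch": set(), "opted-out": set()}
    for phase, proc, host in parse_log(text):
        if proc == process and phase in hits and host in TRACKERS:
            hits[phase].add(host)
    return {k: sorted(v) for k, v in hits.items()}

# Constructed sample log (assumed format, not real capture output).
SAMPLE = """\
# phase process destination
first-launch etcher api.mixpanel.com:443
first-launch etcher www.google-analytics.com:443
first-launch etcher github.com:443
opted-out etcher data.gosquared.com:443
opted-out etcher API.Mixpanel.com.:443
opted-out browser www.facebook.com:443
opted-out etcher example.org:443
"""

if __name__ == "__main__":
    for phase, hosts in opt_out_violations(SAMPLE, "etcher").items():
        print(phase, hosts)
```

Any non-empty `opted-out` list means the setting is not being honoured. Hostnames are matched exactly, so unrelated sites served from the same CDN domain are not flagged.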