Sketchy Behavior? Wacom Tablet Drivers Phone Home With Your Data
upstart writes in with an IRC submission for carny:
FYI: Wacom's official tablet drivers leak to the manufacturer the names of every application opened, and when, on the computers they are connected to.
Software engineer Robert Heaton made this discovery after noticing his drawing board's fine-print included a privacy policy that gave Wacom permission to, effectively, snoop on him.
Looking deeper, he found that the tablet's driver logged each app he opened on his Apple Mac and transmitted the data to Google to analyze. To be clear, we're talking about Wacom's macOS drivers here: the open-source Linux ones aren't affected, though it would seem the Windows counterparts are.
"Being a mostly normal person, I never usually read privacy policies. Instead I vigorously hammer the 'yes' button in an effort to reach the game, machine, or medical advice on the other side of the agreement as fast as possible," Heaton said earlier today.
"But Wacom's request made me pause. Why does a device that is essentially a mouse need a privacy policy?"
After firing up Burp Suite to observe his network traffic, Heaton found that his peripheral's macOS driver would query the presence of an XML file on a wacom.com server, and if this document was present, the software would feed notifications of applications being opened into Wacom's Google Analytics account. If the XML file was not present, the driver would not spill any details to Google, and note in its logs the telling line: "Analytics disabled either locally or from server kill switch." In other words, the XML file acted as a kill switch.
[...] It appears Wacom gathers this information to figure out which specific applications punters are using alongside its hardware: which apps are popular, which get used a lot, and so on, presumably to help it improve its products. Google Analytics will let you inspect the activities of individual users, such as which applications were opened, though it attempts to mask people's identities using ID numbers. You can't drill down to personally-identifiable things like IP addresses. The data can be analyzed in aggregate to figure out which programs are being run and when.