Sketchy behavior? Wacom tablet drivers phone home with names, times of every app opened on your computer

'Why does a device that is essentially a mouse need a privacy policy?'


Updated FYI: Wacom's official tablet drivers leak to the manufacturer the names of every application opened, and when, on the computers they are connected to.

Software engineer Robert Heaton made this discovery after noticing that the fine print for his drawing tablet included a privacy policy that gave Wacom permission to, effectively, snoop on him.

Looking deeper, he found that the tablet's driver logged each app he opened on his Apple Mac and transmitted the data to Google to analyze. To be clear, we're talking about Wacom's macOS drivers here: the open-source Linux ones aren't affected, though it would seem the Windows counterparts are.

"Being a mostly normal person, I never usually read privacy policies. Instead I vigorously hammer the 'yes' button in an effort to reach the game, machine, or medical advice on the other side of the agreement as fast as possible," Heaton said earlier today.

"But Wacom’s request made me pause. Why does a device that is essentially a mouse need a privacy policy?"

Kill switch

After firing up Burp Suite to observe his network traffic, Heaton found that his peripheral's macOS driver would check for the presence of an XML file on a wacom.com server, and if this document was present, the software would feed notifications of applications being opened into Wacom's Google Analytics account. If the XML file was not present, the driver would not spill any details to Google, and would note in its logs the telling line: "Analytics disabled either locally or from server kill switch." In other words, the XML file acted as a kill switch.

Interestingly enough, while poking around with this code, Heaton noticed the XML disappeared for a while then reappeared containing a curious Easter Egg: <hi>Rick</hi>

If you want to disable this snooping, open your Wacom Desktop Center, find the slightly hidden More link, click on it, go to the privacy settings, and opt out of "Wacom's Experience Program." Note that you may have to opt out again after updating your driver installation: this data collection is enabled by default.
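To confirm the opt-out took effect, and again after a driver update, a proxy capture can be checked for analytics events sent by non-browser software. The following is an added example, not code from Heaton or from this article; it assumes the hits follow Google Analytics' Measurement Protocol (`/collect` with `t`, `tid`, `cid` and `el` parameters), which the article does not specify, and the capture format, User-Agent and all sample values are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: one intercepted request per line, tab-separated as
# time, User-Agent, URL, form body. All values are invented for illustration.
SAMPLE_CAPTURE = """\
2020-02-06T10:00:01Z\tHypotheticalTabletDriver/1.0\thttps://www.google-analytics.com/collect\tv=1&tid=UA-0000000-1&cid=3f1c&t=event&ec=app&ea=launch&el=Example%20Editor
2020-02-06T10:00:05Z\tMozilla/5.0 (Macintosh) Safari/605.1\thttps://www.google-analytics.com/collect?v=1&tid=UA-1111111-1&cid=9a2b&t=pageview&dp=%2Fhome\t
2020-02-06T10:02:40Z\tHypotheticalTabletDriver/1.0\thttps://www.google-analytics.com/collect\tv=1&tid=UA-0000000-1&cid=3f1c&t=event&ec=app&ea=launch&el=Example%20Browser
2020-02-06T10:03:00Z\tHypotheticalTabletDriver/1.0\thttps://updates.example.com/check\t
"""

GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/")


def find_event_hits(capture: str) -> list[dict]:
    """Return GA 'event' hits sent by non-browser clients, with decoded fields."""
    hits = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        when, agent, url, body = (line.split("\t") + [""] * 4)[:4]
        parts = urlsplit(url)
        if parts.hostname not in GA_HOSTS or not parts.path.endswith("/collect"):
            continue
        if any(marker in agent for marker in BROWSER_MARKERS):
            continue  # ordinary web analytics from a browser, not a driver
        # Parameters may travel in the query string (GET) or the body (POST).
        params = {k: v[0] for k, v in parse_qs(parts.query + "&" + body).items()}
        if params.get("t") != "event":
            continue
        hits.append({
            "time": when,
            "agent": agent,
            "property": params.get("tid"),  # the sender's GA property ID
            "client": params.get("cid"),    # client ID (identifies an install)
            "label": params.get("el"),      # free text, e.g. an app name
        })
    return hits


if __name__ == "__main__":
    for hit in find_event_hits(SAMPLE_CAPTURE):
        print(hit)
```

An empty result over a capture taken while opening a few applications indicates the opt-out is holding; separating `tid` from `cid` also shows whether an identifier belongs to the vendor's account or to the individual install.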


It appears Wacom gathers this information to figure out which specific applications punters are using alongside its hardware: which apps are popular, which get used a lot, and so on, presumably to help it improve its products. Google Analytics will let you inspect the activities of individual users, such as which applications were opened, though it attempts to mask people's identities using ID numbers. You can't drill down to personally-identifiable things like IP addresses. The data can be analyzed in aggregate to figure out which programs are being run and when.

A spokesperson for Wacom was not available for comment.

"Some of the events that Wacom were recording were arguably within their purview, such as 'driver started' and 'driver shutdown'," Heaton noted.

"I still don’t want them to take this information because there’s nothing in it for me, but their attempt to do so feels broadly justifiable. What requires more explanation is why Wacom think it’s acceptable to record every time I open a new application, including the time, a string that presumably uniquely identifies me, and the application’s name."

That string, we reckon, is Wacom's Google Analytics account number, rather than a per-user identifier.

"I think people should just make sure to disable this specific tracking and read future Wacom privacy policies more carefully," he told El Reg.

"I get that Wacom almost certainly just want the data for product development purposes and aren't doing anything overtly evil with it, but that doesn't make it OK for them to grab it." ®

Updated to add

Wacom have sent in the following statement:

"The reason why Wacom collects data through its software driver is for quality insurance and development purposes only. This is very much a standard procedure for hardware manufacturers and software developers. We only collect anonymized aggregated data, so we cannot single out or identify individual users."

"The data is limited to the Wacom model, the pen functions used and the names of the software applications which are active when the device is used. And as you mentioned, users can of course opt out at any time without affecting functionality or performance of the Wacom products."



Biting the hand that feeds IT © 1998–2020