Wednesday, February 12th 2020

Wacom Graphics Tablets Dial Home with Info on Every Application You Run: Investigation

Wacom is a brand graphics artists swear by, thanks to its near monopoly over the pen-digitizer tablet market. These are essentially input devices that convert pen-like input on a surface into 2D graphics on the screen, with high precision. Software engineer Robert Heaton discovered that the driver of Wacom tablets leaks information on every application you open to an entity that is using Google Analytics to collect the data.

Heaton used Wireshark to first detect that his Wacom's driver was sending data packets to Google Analytics, by monitoring its DNS lookups. The payload sent to the analytics service was encrypted with TLS. He then set up an internal proxy using Burp Suite that convinced the Wacom driver it was sending data over a secure connection, and intercepted its payload. It turned out that the Wacom driver tracks every application its users open (not just applications of interest to the company). The company's EULA doesn't seek even implicit consent to collect this data, which presents a big privacy challenge. Heaton asks what would stop Wacom employees from, say, discovering that Valve Software is working on "Half-Life 3" by querying its data heap for executables that sound like "Half-Life 3". Find a fascinating technical rundown of Heaton's discovery on his blog.
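To show what an intercepted payload of this kind actually discloses, here is an added example (not Heaton's code and not anything from Wacom) that audits Google Analytics Measurement Protocol hit bodies, the form-encoded POST bodies a Burp proxy would show for /collect or /batch, and reports which fields were sent, whether the aip=1 flag that requests IP truncation was present, and which event labels look like launched application names. The payloads, tracking id and client id in it are constructed for the example.

```python
"""Audit Google Analytics Measurement Protocol hits captured from a desktop app.

Added example for this article; it is not Heaton's code and not anything from
Wacom. It takes the raw request bodies an intercepting proxy such as Burp shows
for POSTs to www.google-analytics.com/collect or /batch and reports, per hit,
which fields were sent, whether the IP-anonymisation flag was set, and which
events carry what looks like a launched application's name. The payloads
below are constructed for this example, not captured from any real driver.
"""
from urllib.parse import parse_qs

# Measurement Protocol v1 parameter names (documented by Google).
FIELD_NAMES = {
    "v": "protocol version",
    "tid": "tracking id",
    "cid": "client id",
    "aip": "anonymize ip",
    "an": "application name",
    "av": "application version",
    "t": "hit type",
    "ec": "event category",
    "ea": "event action",
    "el": "event label",
}

# Event labels ending like this are treated as an executable / app name.
APP_SUFFIXES = (".exe", ".app")

# Constructed sample body: a /batch request carries one hit per line.
SAMPLE_BATCH = (
    "v=1&tid=UA-000000-0&cid=11111111-2222-3333-4444-555555555555&aip=1"
    "&an=ExampleTabletDriver&av=1.2.3&t=event&ec=Software&ea=Launch"
    "&el=photoshop.exe\n"
    "v=1&tid=UA-000000-0&cid=11111111-2222-3333-4444-555555555555&aip=1"
    "&an=ExampleTabletDriver&av=1.2.3&t=event&ec=Software&ea=Launch"
    "&el=secret_project_build.exe\n"
    "v=1&tid=UA-000000-0&cid=11111111-2222-3333-4444-555555555555"
    "&an=ExampleTabletDriver&av=1.2.3&t=event&ec=Settings&ea=PressureCurve\n"
)


def parse_hits(body):
    """Split a /collect or /batch body into one dict per hit (first value wins)."""
    hits = []
    for line in body.splitlines():
        if not line.strip():
            continue
        params = parse_qs(line, keep_blank_values=True)
        hits.append({key: values[0] for key, values in params.items()})
    return hits


def application_name(hit):
    """Return the app name an event hit reports, or None if it reports none."""
    if hit.get("t") != "event":
        return None
    label = hit.get("el", "")
    if label.lower().endswith(APP_SUFFIXES):
        return label
    return None


def audit(body):
    """Summarise what a captured body discloses about the user."""
    hits = parse_hits(body)
    apps = [name for name in (application_name(h) for h in hits) if name]
    return {
        "hits": len(hits),
        # aip=1 asks Google to truncate the IP; a hit without it sends the full IP.
        "hits_without_aip": sum(1 for h in hits if h.get("aip") != "1"),
        # One cid shared by every hit lets all of them be tied together,
        # whatever happens to the IP address afterwards.
        "client_ids": sorted({h.get("cid", "") for h in hits}),
        "app_events": apps,
    }


def describe_hit(hit):
    """Render one hit with human-readable field names for a report."""
    parts = []
    for key, value in hit.items():
        parts.append(f"{FIELD_NAMES.get(key, key)}={value}")
    return "; ".join(parts)


if __name__ == "__main__":
    for hit in parse_hits(SAMPLE_BATCH):
        print(describe_hit(hit))
    print(audit(SAMPLE_BATCH))
```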

24 Comments on Wacom Graphics Tablets Dial Home with Info on Every Application You Run: Investigation

#1
Ferrum Master
Basically they broke GDPR as the EULA doesn't say anything. They are leaking the info to a 3rd party.

Complaining is not needed; it is not just about HL3, they could be nailed to the cross within the EU now. Kinda like foreign companies don't grasp the amount of penalties GDPR implies - fines up to €20 million or 4% of annual global revenue, whichever is higher...
#2
Chomiq
Ferrum Master
Basically they broke GDPR as the EULA doesn't say anything. They are leaking the info to a 3rd party.

Complaining is not needed; it is not just about HL3, they could be nailed to the cross within the EU now. Kinda like foreign companies don't grasp the amount of penalties GDPR implies - fines up to €20 million or 4% of annual global revenue, whichever is higher...
Yay for EU, since consumers won't get a cent from this.
#3
Rahnak
That was a legitimately interesting read. Curious about Wacom's response to this.
#4
Ferrum Master
Chomiq
Yay for EU, since consumers won't get a cent from this.
Why the greed? Everything must not be so egocentric. We do get respect for our privacy and the law is made. Someone does the job for us while we are drinking our daily coffee, and they must also be paid. Such regulations were needed as some sort of anarchy prevailed regarding personal data, and it became law. Our consumer laws are superior also: TWO years of obligated warranty versus the casual one. Well... we take it for granted, we don't know the difference, while most of the ROW gets only 12 months.

Data theft is a real problem and concern; only the EU has cleaned the shed and given us properly defined rights.

If you own a Wacom device, you have grounds to sue them and ask for compensation yourself!
#5
Unregistered
Surprising Wacom could do this for so long without being noticed... applications like PI-HOLE can take care of this. Still, it'll cost them.
#6
Mr McC
Chomiq
Yay for EU, since consumers won't get a cent from this.
Money resulting from fines will be placed directly into the public coffers, so consumers will see every cent of it. Why criticise an authority that places its citizens' privacy on a higher standing than a company's ability to make profit through data theft? Perhaps the police should simply free anyone caught stealing from here on in, on the basis that you personally make no profit or earnings from the arrest. Taking an extremely generous position, your comment is best described as silly.
#7
Sihastru
It's actually OPT-IN. When you install the driver you can decline; the driver will still function properly, but it will not add you to the Experience Program:


And you can disable it at any time:
You can withdraw your consent at any time by opting-out of the use of Google Analytics. The opt-out option is available under / More / Privacy Settings within the Wacom Desktop Center.


Also, for EU members the IP is anonymised:
As the IP anonymize function is activated in the Tablet Driver, Your IP address will, within Member States of the European Union or other contracting states of the Agreement on the European Economic Area, first be shortened by Google. Only in exceptional cases will Google transfer the full IP address to a Google server in the USA, and will shorten it there. All of this information is anonymized.
So, it's more a situation of blindly clicking "Accept".

Here's the complete EULA, pretty short and easy to understand:

Tablet Driver – Privacy Notice

This Privacy Notice is for the Tablet Driver Software ("Tablet Driver") provided by Wacom Co., Ltd. and its subsidiaries (collectively "Wacom Group"). This Privacy Notice applies to Your use of Tablet Driver. Please review this Privacy Notice before using Tablet Driver.

1. Definitions
1.1. "Personal Data" means any information which – either alone or in combination with other information we can access – relates to You as an identified or identifiable individual.
1.2. “User” means an individual who uses the Tablet Driver.
1.3. "Wacom", "we", “our” or “us” means the relevant company in the Wacom Group responsible for processing your Personal Data. The list of Wacom Group companies can be found at
www.wacom.com/about-wacom/our-passion/our-company

2. Wacom Privacy Policy and Cookie Notice
2.1. Wacom respects Your privacy and takes our responsibility to protect Your privacy seriously, and will process your Personal Data in accordance with Wacom Privacy Policy and Wacom Cookie Notice and in compliance with the applicable privacy laws.
Wacom Privacy Policy is available at www.wacom.com/privacy
Wacom Cookie Notice is available at www.wacom.com/cookie-notice
2.2. If You access website, use online services or subscribe to the cloud service offered by Wacom, certain information will be collected. Your information will be processed by us in accordance with the relevant Wacom Privacy Policy.
2.3. The Tablet Driver provides the option to sign up to and use the cloud and other online services of Wacom (“Wacom Services”). The sign-up is optional. If You do so, You will be required to enter certain Personal Data; the collection, processing and use of which is governed by the relevant Wacom Privacy Policy.
Your content is stored in the local memory of Your hardware device on which You use the Tablet Driver. If You have signed up for the Wacom Services and activated the respective function, the content (including as the case may be Personal Data) is then synchronized to the Wacom Services.
2.4. Due to the global nature of the operation of Wacom Group Your Personal Data might be processed outside of Your local jurisdiction. However, any transfer or storage of Your Personal Data to a location outside Your jurisdiction will continue to be in compliance with applicable privacy laws. Please see more details in Wacom Privacy Policy.

3. Information Automatically Collected – Google Analytics
When You use the Tablet Driver, certain information as described below may be automatically collected for purposes such as improvement of the Tablet Driver, troubleshooting bugs, providing the functions of the Tablet Driver, managing the services and improving overall performance of the Tablet Driver. Such information includes aggregate usage data, technical session information and information about Your hardware device.
3.1. Google Analytics. By clicking the “Accept”-Button on this Privacy Notice, You have consented to the use of Google Analytics, a web analysis service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics helps us analyze how the Tablet Driver is used. You can find out more about this popular analytics tool here: www.google.com/analytics/index.html. Google Analytics tracks visitor interactions; for example which functions of the Tablet Driver our users use, which are most popular, what time of day the Tablet Driver is used, whether visitors have used the Tablet Driver before and other similar information. The information regarding Your use of the Tablet Driver is normally transferred to a Google server in the USA, and is stored there. As the IP anonymize function is activated in the Tablet Driver, Your IP address will, within Member States of the European Union or other contracting states of the Agreement on the European Economic Area, first be shortened by Google. Only in exceptional cases will Google transfer the full IP address to a Google server in the USA, and will shorten it there. All of this information is anonymized. Google takes the privacy and security of Your Google Analytics data seriously and You can find out more about how it protects Your data here: www.google.com/analytics/learn/privacy.html.
You can withdraw your consent at any time by opting-out of the use of Google Analytics. The opt-out option is available under / More / Privacy Settings within the Wacom Desktop Center.

4. Contact Information
If You have any questions, requests or concerns about this Privacy Notice or Your Personal Data, please contact us at our email address specified in relevant Wacom Privacy Policy or privacy-eula@wacom.com

5. Changes and Updates to this Privacy Notice
This Privacy Notice may be revised periodically. Revisions will be effective when posted by Wacom and made available through the Tablet Driver.
By clicking the “Accept”-Button, You agree with this Privacy Notice.
End.
#8
bonehead123
Snoopity snoop snoop.......

This was the exact reason I stopped using their products when I did graphic design many moons ago, why it is just now becoming a headline I don't know, as it was a well known & proven fact way back then....

As with most things nowadays, when in doubt, just R.T.F.M. :D
#9
DeathtoGnomes
Sihastru
It's actually OPT-IN. When you install the driver you can decline; the driver will still function properly, but it will not add you to the Experience Program:


And you can disable it at any time:



Also, for EU members the IP is anonymised:


So, it's more a situation of blindly clicking "Accept".

Here's the complete EULA, pretty short and easy to understand:

Tablet Driver – Privacy Notice

This Privacy Notice is for the Tablet Driver Software ("Tablet Driver") provided by Wacom Co., Ltd. and its subsidiaries (collectively "Wacom Group"). This Privacy Notice applies to Your use of Tablet Driver. Please review this Privacy Notice before using Tablet Driver.

1. Definitions
1.1. "Personal Data" means any information which – either alone or in combination with other information we can access – relates to You as an identified or identifiable individual.
1.2. “User” means an individual who uses the Tablet Driver.
1.3. "Wacom", "we", “our” or “us” means the relevant company in the Wacom Group responsible for processing your Personal Data. The list of Wacom Group companies can be found at
www.wacom.com/about-wacom/our-passion/our-company

2. Wacom Privacy Policy and Cookie Notice
2.1. Wacom respects Your privacy and takes our responsibility to protect Your privacy seriously, and will process your Personal Data in accordance with Wacom Privacy Policy and Wacom Cookie Notice and in compliance with the applicable privacy laws.
Wacom Privacy Policy is available at www.wacom.com/privacy
Wacom Cookie Notice is available at www.wacom.com/cookie-notice
2.2. If You access website, use online services or subscribe to the cloud service offered by Wacom, certain information will be collected. Your information will be processed by us in accordance with the relevant Wacom Privacy Policy.
2.3. The Tablet Driver provides the option to sign up to and use the cloud and other online services of Wacom (“Wacom Services”). The sign-up is optional. If You do so, You will be required to enter certain Personal Data; the collection, processing and use of which is governed by the relevant Wacom Privacy Policy.
Your content is stored in the local memory of Your hardware device on which You use the Tablet Driver. If You have signed up for the Wacom Services and activated the respective function, the content (including as the case may be Personal Data) is then synchronized to the Wacom Services.
2.4. Due to the global nature of the operation of Wacom Group Your Personal Data might be processed outside of Your local jurisdiction. However, any transfer or storage of Your Personal Data to a location outside Your jurisdiction will continue to be in compliance with applicable privacy laws. Please see more details in Wacom Privacy Policy.

3. Information Automatically Collected – Google Analytics
When You use the Tablet Driver, certain information as described below may be automatically collected for purposes such as improvement of the Tablet Driver, troubleshooting bugs, providing the functions of the Tablet Driver, managing the services and improving overall performance of the Tablet Driver. Such information includes aggregate usage data, technical session information and information about Your hardware device.
3.1. Google Analytics. By clicking the “Accept”-Button on this Privacy Notice, You have consented to the use of Google Analytics, a web analysis service provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). Google Analytics helps us analyze how the Tablet Driver is used. You can find out more about this popular analytics tool here: www.google.com/analytics/index.html. Google Analytics tracks visitor interactions; for example which functions of the Tablet Driver our users use, which are most popular, what time of day the Tablet Driver is used, whether visitors have used the Tablet Driver before and other similar information. The information regarding Your use of the Tablet Driver is normally transferred to a Google server in the USA, and is stored there. As the IP anonymize function is activated in the Tablet Driver, Your IP address will, within Member States of the European Union or other contracting states of the Agreement on the European Economic Area, first be shortened by Google. Only in exceptional cases will Google transfer the full IP address to a Google server in the USA, and will shorten it there. All of this information is anonymized. Google takes the privacy and security of Your Google Analytics data seriously and You can find out more about how it protects Your data here: www.google.com/analytics/learn/privacy.html.
You can withdraw your consent at any time by opting-out of the use of Google Analytics. The opt-out option is available under / More / Privacy Settings within the Wacom Desktop Center.

4. Contact Information
If You have any questions, requests or concerns about this Privacy Notice or Your Personal Data, please contact us at our email address specified in relevant Wacom Privacy Policy or privacy-eula@wacom.com

5. Changes and Updates to this Privacy Notice
This Privacy Notice may be revised periodically. Revisions will be effective when posted by Wacom and made available through the Tablet Driver.
By clicking the “Accept”-Button, You agree with this Privacy Notice.
End.

Wacom broke its own EULA because of the data that was actually sent, or did you not read the source article? Device hardware does not mean other app names and times it was opened.

This is a fine example that we should be using 2 EULAs, essentially: one for general purposes and one for Privacy. The way most EULAs are now is more or less blackmail. You purchase a program for big big bucks and if you disagree with the EULA (any part of it really) you are usually stuck with the program without recourse. There is no political solution any time soon, so we are all FK'd until we take things into our own hands like this guy basically did.

Setting up and using a proxy server to intercept this data, like this guy did, is for advanced users. I wonder if a Windows firewall rule can do the same thing, block access. My guess is not, not if you want the program to check for updates from within itself.
#10
Wshlist
Now think a second about what an android device sends home.

And yes, that's all outlined in their EULA, and yes, some of it you can opt out of and delete info in Google's privacy options, but what many people miss is that according to the EU's GDPR there are things which require you to send the company you wish to not make use of your information an e-mail specifically stating so.
But seeing that nobody realizes this, I don't think even mega companies get more than a handful of such e-mails. And people will think the online buttons are all you need to use.
It's perhaps a bit curious why the GDPR has that bit in it. But to be fair, it's always mentioned in the EULAs ('always' might not include Wacom? :).

For me an additional issue is that to 'opt out' often requires you to have an account in the first place, and to opt out of all stuff via e-mail requires you to identify yourself to the companies, of course; else they can't tell who opted out, but that in itself gives them a lot of info.
#11
R-T-B
yakk
Surprising Wacom could do this for so long without being noticed... applications like PI-HOLE can take care of this. Still, it'll cost them.
Lots of applications do similar without being noted; it's a frigging minefield. Remember my findings on Unity Game Engine a few months back?

It's an epidemic.
DeathtoGnomes
I wonder if a Windows firewall rule can do the same thing, block access.
Yes. Just block google analytics in this case.
bonehead123
As with most things nowadays, when in doubt, just R.T.F.M
That won't always save you.
#12
gamefoo21
I'm super careful when installing this stuff and I opt out almost every time. Weirdly, during install for the stylus driver on my portable it doesn't ask to opt in or not.

I'll have to see if it's there, and if it is that's pretty nasty.

Then again Google repeatedly tried to guilt you into reenabling their call home stuff in their Android apps.

Never had an app actually nag me for going in to turn off connecting to an assistant app until I started using Google's SMS/MMS messaging app on my phone. I have caught it resetting the data scraping options before too.

I really believe these things should be 100% opt in. Not default in and force you to opt out, often made difficult to opt out as well.
#13
lemonadesoda
Naughty Wacom. Let's hope they get fined, and it makes big news, just to remind other companies not to try and play tricky. So glad there are no 'nothing to hide nothing to fear' morons at TPU.
#15
zlobby
There are a few takeaways from this.

1) it's only a matter of time to get caught

2) if the fines are small, companies will choose the fines instead of ceasing the mischievous activities

3) people are dumb enough to continue trusting bad companies
#16
R-T-B
lemonadesoda
So glad there are no ‘nothing to hide nothing to fear’ morons at TPU.
Oh, they are here.
#17
Vayra86
Chomiq
Yay for EU, since consumers won't get a cent from this.
The net gain for consumers is that they start becoming more aware of how their data is handled, and how data ownership is presented.

In the EU, you dó own your data, it's just that the penny hasn't dropped for everyone yet. I can go out to anyone holding my personal details and demand they tell me how and where they use it. And they must have a direct, verifiable use for the specific service I asked for. If not, shoot to kill...
zlobby
There are a few takeaways from this.

1) it's only a matter of time to get caught

2) if the fines are small, companies will choose the fines instead of ceasing the mischievous activities

3) people are dumb enough to continue trusting bad companies
The fines aren't small. And they will repeat for every offense. And people aren't dumb, there is just too much info to keep track of. So we want, and need, regulation to do it for us. Simple.

The US and many other countries can learn from 'us', here. We're the beacon of progress when it comes to data ownership in the world right now. It's just a matter of time.
SamWarrick
So...Half-Life 3 finally confirmed!
It was even your THIRD post on TPU. *gasp*
#18
Aquinus
Resident Wat-man
Vayra86
The US and many other countries can learn from 'us', here. We're the beacon of progress when it comes to data ownership in the world right now. It's just a matter of time.
I'd rather block EU users from my software than comply with the GDPR. If I wanted nanny state policies, I'd move to the eurozone. If I'm writing software outside of the protection of a business, I'm sure as hell not legally binding myself to this insanity.
#19
Wshlist
Aquinus
I'd rather block EU users from my software than comply with the GDPR. If I wanted nanny state policies, I'd move to the eurozone. If I'm writing software outside of the protection of a business, I'm sure as hell not legally binding myself to this insanity.
'insanity' eh...
You think businesses should go around ignoring a market with 500+ million customers because you think it's 'insanity' that people (and thus consumers) have rights. Got it.
#20
R-T-B
Aquinus
I'd rather block EU users from my software than comply with the GDPR. If I wanted nanny state policies, I'd move to the eurozone.
Who would've thought conducting business on the internet would mean international compliance... the gall of it.

Seriously, blocking is a legit strategy though.
Wshlist
'insanity' eh...
You think businesses should go around ignoring a market with 500+ million customers because you think it's 'insanity' that people (and thus consumers) have rights. Got it.
The insanity more comes from running an online site that collects user data by nature than anything else. It gets legally complicated fast.
Wshlist
You think businesses should go around ignoring a market with 500+ million customers because you think it's 'insanity' that people (and thus consumers) have rights. Got it.
More correctly, he's saying his personal business will.
#21
Aquinus
Resident Wat-man
R-T-B
Seriously, blocking is a legit strategy though.
I wish there was a better alternative, because downright blocking a group of people isn't a good way to widen your audience. It's not like there is a good option to let EU citizens waive that "right", so the options are either compliance or nothing.
Wshlist
'insanity' eh...
You think businesses should go around ignoring a market with 500+ million customers because you think it's 'insanity' that people (and thus consumers) have rights. Got it.
It's a very authoritarian decision where the cost of bending over backwards is too great, particularly if you've already written software in a way that makes compliance unfeasible without major refactoring. Particularly for an open source dev trying to start a project. The legal ramifications for non-business actors, like open source devs and OSS community projects, make this a huge legal burden.

I, as a private citizen, do not have the legal or financial resources to combat lawsuits regarding the GDPR, which is the crux of the issue, and I don't want to expose myself to that legal mess. This literally makes it so I can't write software of certain types because I would be legally bound to comply, which I'll never do without the aid of a business or LLC. That's wrong.

Edit: This has actually happened to me. I was writing software for gathering WCG statistics from willing individuals (since it required getting a token that only a user can provide, and which changes with a password reset), and suddenly I'm in a position of either signing a legal document legally binding me to the GDPR because IBM itself is in compliance, or giving up on the project altogether. In the end, I let the project die and the GDPR is to blame (and to some degree, IBM as well).
#22
Sihastru
Ok, I don't claim to be an expert in international law, but maybe read a bit about the Privacy Shield data transfer mechanism (and while you're there, read up on the CLOUD Act and the Safe Harbor program for self-recertification). Preferably before you resort to gratuitous name-calling. It almost makes companies like Google, Amazon or Facebook "immune" to GDPR, as they have been certified (or they self-certified themselves, as it were) to handle and transfer even uniquely identifiable private EU citizens' information to the US and other third party countries. Now, does Wacom, using Google services to collect, process and transfer anonymized, unidentifiable user data, really break the GDPR? At this point it seems more like aggregated statistical data than personal data.

GDPR defines personal data in Art. 4 (1). Personal data is any information which relates to an identified or identifiable natural person. There is also a definition of sensitive personal data; these data include genetic, biometric and health data, as well as personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership. Considering the fact that you launched a certain application while using the Wacom Tablet Driver as personal data or sensitive personal data seems a bit of a stretch to me. But then again, I'm not an expert.

GDPR is neither draconian nor complicated to understand. It does what every country should do, really... protect citizens from abusive entities. If you ask me, it's insufficiently restrictive.
#23
Wshlist
Aquinus
I wish there was a better alternative, because downright blocking a group of people isn't a good way to widen your audience. It's not like there is a good option to let EU citizens waive that "right", so the options are either compliance or nothing.

It's a very authoritarian decision where the cost of bending over backwards is too great, particularly if you've already written software in a way that makes compliance unfeasible without major refactoring. Particularly for an open source dev trying to start a project. The legal ramifications for non-business actors, like open source devs and OSS community projects, make this a huge legal burden.

I, as a private citizen, do not have the legal or financial resources to combat lawsuits regarding the GDPR, which is the crux of the issue, and I don't want to expose myself to that legal mess. This literally makes it so I can't write software of certain types because I would be legally bound to comply, which I'll never do without the aid of a business or LLC. That's wrong.

Edit: This has actually happened to me. I was writing software for gathering WCG statistics from willing individuals (since it required getting a token that only a user can provide, and which changes with a password reset), and suddenly I'm in a position of either signing a legal document legally binding me to the GDPR because IBM itself is in compliance, or giving up on the project altogether. In the end, I let the project die and the GDPR is to blame (and to some degree, IBM as well).
The GDPR is directed at commercial activities, so it does not apply to open source efforts.
The punishment and rules are also geared towards large corporations and not private individuals.
But yeah, obviously IBM is a large commercial org... who should be curtailed by some basic rules IMHO.
Sihastru
Ok, I don't claim to be an expert in international law, but maybe read a bit about the Privacy Shield data transfer mechanism (and while you're there, read up on the CLOUD Act and the Safe Harbor program for self-recertification). Preferably before you resort to gratuitous name-calling. It almost makes companies like Google, Amazon or Facebook "immune" to GDPR, as they have been certified (or they self-certified themselves, as it were) to handle and transfer even uniquely identifiable private EU citizens' information to the US and other third party countries. Now, does Wacom, using Google services to collect, process and transfer anonymized, unidentifiable user data, really break the GDPR? At this point it seems more like aggregated statistical data than personal data.

GDPR defines personal data in Art. 4 (1). Personal data is any information which relates to an identified or identifiable natural person. There is also a definition of sensitive personal data; these data include genetic, biometric and health data, as well as personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership. Considering the fact that you launched a certain application while using the Wacom Tablet Driver as personal data or sensitive personal data seems a bit of a stretch to me. But then again, I'm not an expert.

GDPR is neither draconian nor complicated to understand. It does what every country should do, really... protect citizens from abusive entities. If you ask me, it's insufficiently restrictive.
'October 2015, following a court decision by the Court of Justice of the European Union, the safe harbor agreement between the EU and US was declared invalid on the grounds that the US was not supplying an equally adequate level of protection against surveillance for data being transferred there.'

Unfortunately they replaced it with the exact same thing renamed... but that's goddamn politicians for you.
But anyway, it's not called 'Safe Harbor' when dealing with the EU.
#24
remixedcat
I do tons of beta testing and QA and this shit can get ppl like me sued!!!! WTF Wacom. I thought about getting one of their tablets... not now!
gamefoo21
I'm super careful when installing this stuff and I opt out almost every time. Weirdly, during install for the stylus driver on my portable it doesn't ask to opt in or not.

I'll have to see if it's there, and if it is that's pretty nasty.

Then again Google repeatedly tried to guilt you into reenabling their call home stuff in their Android apps.

Never had an app actually nag me for going in to turn off connecting to an assistant app until I started using Google's SMS/MMS messaging app on my phone. I have caught it resetting the data scraping options before too.

I really believe these things should be 100% opt in. Not default in and force you to opt out, often made difficult to opt out as well.
Gmail kept nagging me to enable body sensors a lot last year and I declined.