Wacom tablets track every app you open (opens in new tab)

On Linux you'd be using the community-maintained drivers[0], so I assume this wouldn't be a problem (correct me if I'm wrong).

But as far as I can tell, there's not equivalent Open Wacom drivers for Windows. People with more Windows knowledge than me: any thoughts on why? Is it just that someone using Windows probably doesn't care about Open drivers, so the demand isn't there? Or is there something about Windows that makes substituting drivers harder?

Wacom doesn't provide their own Linux drivers, but looking at the state of drivers around GPUs, printers, I vaguely suspect that somebody in Linux would be working on Open alternatives even if they did. I'm trying to think off the top of my head what Windows-compatible hardware has 3rd-party driver options. Maybe some printers?

[0]: https://linuxwacom.github.io/

The sad bit is that (some reasonable) telemetric data is really, really useful for software engineering. If you have a large enough program, of course it'll have way more bugs than you could ever fix. Crash tracking and usage analytics is how you make a data driven decision on what to fix, and what to ignore. This enables a data driven approach to software quality that's a huge improvement.

Having worked on projects that did and did not have telemetrics, working without them feels absurd - it seems like you're just randomly fixing the side mirror on a car without any idea what's actually broken on it (independently of your overall testing posture).

Vendors tracking excessive information without proper disclosure destroy this information source for those developers that try to collect reasonable information (with consent, disclosure, in context, etc).

Really great article. But I wonder, why the author did not cover if/what the driver publishes, If I do:

- open "Wacom Desktop Center"

- Top right (next to "Login") is "More" (click!)

- "Data Privacy Settings" (click!)

- "Participate In Wacom Experience Program" => on => off!

My setting was "On" - and I swear: whenever a program/website/installer asks I go "No thankx". So it must be dark UI patterns with evil defaults that this super-hidden thing was "on" for me. Shame on you, Wacom!

FWIW that isn’t a unique identifier for the author, it’s for Wacom’s GA account. I didn’t see any meaningful identifier being sent. Of course the set of most opened apps and your IP are probably enough to identify you.

That said, yep, it seems lame they don’t disclose this tracking. I can understand why they’d want to know what apps their device pairs most often with, but tracking all app opens seems aggressive, but maybe it’s the only way to identify what app is open when the device is used.

(I work for an analytics company)

This is just one of many reasons to use StevenBlack's Hosts [1] list to block this type of behavior. While it doesn't currently block link.wacom.com, it would have prevented the subsequent requests google analytics. It works even better when paired with a PiHole [2] to protect all devices on the network.

[1] https://github.com/StevenBlack/hosts

[2] https://pi-hole.net/

Bravo for a really well written article. I'm interested in this kind of thing but not familiar with techniques & tools used, so it was really nice that the author included lots of detail, reasons for doing things, etc.

I work on UX, coming from an engineering background. It means that everyday I work close to product management and engineering.

The trend over the last 10 years is to collect tons of data to improve the product. Some PMs and UXrs believe that they’ll get a magic insight from the data, and the skeptics do it anyways because is another data point to have. For engineering, services like GA are cheap and easy to integrate.

Nobody has a bad intention. But, we are distracted by the next product release to see the long term consequences for the society.

The reality is that some data is useful, but most of it is BS. To measure adoption and engagement you can do a pilot and then deactivate data collection. Big app errors are reported soon after a release, and you don’t need to continue collecting that for a long time.

To improve the UX you can do research with less data points, and smaller groups. The irony: I wish to have data to prove it, my hypothesis is based on my experience. I got more actionable insights from qualitative research, self-reported metrics, or quantitative data focused in certain aspects (instead of collecting all just in case). Some times having nice reports based on tons of data is more useful as an argument for corporate politics rather than to improve the product, but users doesn’t need to pay the consequences of your company stupidity (I’m looking at you MS telemetry ;-) )

There is a simple thing that we can do to change this trend. Ask yourself: What is the goal of collecting the data? What product hypothesis you want to prove? Can you get insights from a small group? If you don’t know.... hold on your data collection desires.

I wonder what the comfortable medium between privacy and letting developers get feedback about how well their code works is. It seems to me like Wacom just wants to know if their drivers work, so they can focus engineering efforts around fixing the issues that are affecting their users. "Oh hey, the new beta of Photoshop breaks our drivers!" They don't make a "cloud product" and they have an obligation to make their hardware work with any software the user might want to use, so they are kind of painted into a weird corner here. If they collect data to drive their engineering, they're spyware. If they collect no data, they're a bug-ridden disaster area whose product you would never buy.

I am guessing that the answer will be "they should test everything in house and tell users to complain via email when shit is broken"... but we all know that synthetic QA is never going to be as good as "ground truth", and that 99% of users will just silently be unhappy. So I wonder what the privacy balance is here.

> Why does a device that is essentially a mouse need a privacy policy

I mean, crash logs, but yes -- defining question for our time

drivers shouldn't connect to the internet unless that's what they're for. crash logs should be managed by a third party thing that the user can configure

While this implementation obviously has privacy issues, the anonymized aggregate data would be quite interesting, e.g. how many people use photoshop, illustrator, etc. with their wacom tablets.

The problem then seems to be more about the false positives. If you use "Half Life 3 Test Build" that is useless info for wacom because it (presumably) doesn't care about pen input. Q: If the data were filtered to just art/graphics apps using the pen, would that still be problematic?

No wonder everything is slowing down to a crawl when every mouse driver and their dog is doing full surveillance on every move the user makes.

They have all the data from the uninformed, ambivalent or defeated already. We develop things to crush the remaining resistance. Walled garden devices, cert pinning, signed applications, DNS over HTTPS, yes they are all more secure, but not for you. If well implemented, these serve as tools to make sure the privacy policy is the only thing informing you of collection.

Saw this two nights ago installing the driver on Windows 10. Read the UELA. Did not consent, closed the window. Is that good enough?

By the way, My tablet works MUCH BETTER on Ubuntu and Mint than on Windows 10. Krita and MyPaint are cross platform so I might just do my art on a *nix box instead.

> as far as I can tell anyone with the presence of mind to decline it could do so with no adverse consequences

Makes me think one should try declining these kinds of agreements to see what happens, before accepting. As someone who also has an "anti-privacy-policy-policy," I wonder how many of these kinds of things I've agreed to when it was unnecessary.

One thing the article doesn't talk about is when this tracking happens.

Does it only happen if the pen is touching the tablet, or does it happen all the time even if the pen isn't touching the tablet?

Because there's a huge difference between the 2. Normally you would keep your tablet plugged into a USB port but the pen isn't actively being used.

"In some ways it feels unfair to single out Wacom." - Uh no, it is completely fair to single them out and put them in the spotlight for doing this kind of tracking.

It looks like everything in tech got poisoned, smart TVs taking screenshots, web apps tracking and matching user clicks, smartphones tracking locations realtime and who knows what else, desktop apps monitoring other apps and peripherals, creepy companies building profiles on everyone, health institutions selling data of their users... I want out, I didn't get into this field, keeping myself up-to-date and super capable via top universities, to be just another cog in building a toxic monstrosity this industry is becoming just to make somebody with a limited lifespan feel powerful and rich.

I, for one, want to know Rick's story...

How was the day he got famous internally in Wacom, just because some XML that no one was meant to see..

The best part is where the author admits to using google analytics himself to track who visits his blog. At some point we all have to say enough is enough.

These days I assume that if something is possible, profitable, and legal, it's being done. Sometimes I question whether there's a company executive on earth who doesn't deserve to get stood up against a wall.

This is a fantastic read. It makes the process very straightforward - almost like a how-to for snooping the snoopers who use GA.

Well done & great work.

I wonder if the extremely affordable tablets from Monoprice also have this problem. I don't have a use for one but I know a few others who use them and claim they are fantastic in quality and not overpriced. If they don't phone home, perhaps that could be another marketing point: respects your privacy.

For years I've avoided the software packaged with hardware whenever possible, e.g. printer drivers (a few MB of actual driver at most, and a few hundred MB of useless bloatware all installed together); now I guess there's another reason to do that.

I received one as a gift but, to be honest, I never used it after seeing the obscure mandatory propietary format to save the files. If I can't open my files later in GNU and there is not a method at sight to save it as jpeg, png, etc... is useless. Just a cheap model probably. Collecting dust somewhere.

My other wacom, and older model, was awesome as a mouse replacement; but it toke months to work in Linux and I don't feel too much inclined to repeat the experience.

Every time I see the words “XYZ Experience Program”, my alarms go off, it's synonym to "every move you make, I'll be watching you".

Hold on. This is a hardware device we are talking about here. You put it on your desk, physically interact with it, and plug it into your computer. Do you realize all the ways the manufacturer could harm you if they were malicious, cut corners, were coerced by a state to compromise the device, or failed to comply with regulations?

And you’re worried about their data handling policy?

A short and very incomplete list of the things a purchaser of a Wacom tablet is trusting to be true:

- That the tablet is safe to use - it will not fail in a way that exposes the user to electric shock hazards, sharp edges, dangerous chemicals, etc. - that the EM emissions used to communicate between the pen and tablet don’t interfere with other systems in ways that could compromise safety - that the device complies with usb standards and won’t damage electronics you interface it to - that there are no hidden surveillance devices in the tablet or pen - that, as an input device with access to your usb bus it doesn’t have the ability to be remotely induced to control your computer

Then you’re installing a piece of driver software, giving it sufficient permissions that it can read what application is currently running, and you are worried about it exfiltrating that information, rather than - say - the fact that as an input driver, again, it has complete control over your computer; it can record input - what if you use your Wacom to sign a pdf? Now it knows your signature. Or you tap out your banking password using an on screen keyboard. Who knows what else it can do - acting at the user input level presumably it can do anything you the user can do.

So sure, be concerned about what happens to the data it sends to Wacom, but if you don’t trust Wacom, your problems started much sooner than when you accepted the data sharing agreement.

Very enjoyable read, thank you.

I'd imagine simply turning off the "User Experience Program" opt-in is a flaky setting that probably gets reverted to "on" when you do updates etc

A better option is to install LittleSnitch and block the traffic.

Even my drawing tablet? Im starting to hate the present day philosophy of pervasive surveillance acceptability when I can't even pay premium for a device and have it not track me constantly.

last wacom drivers I used on Windows ( I don't know, 2013? ) would eat memory all day, every day, until self-destruction. I have a screenshot somewhere of the process taking ~28 gigs of memory.

It doesn't at all surprise me that it's sneaking around.

This might be some cargo-cult level religion of mine , but if a driver package has a lot of flashy UI stuff (Wacom, Logitech, Creative), it's probably doing something suspect.

The more the apps look like key-gens, that's when you have to start wiresharkin'.

Facebook Oculus Rift seems to log the title of every window of every app you open

https://www.reddit.com/r/virtualreality/comments/ezln7j/face...

Until this kind of shit is legislated out of existence, every company that makes an installable program is going to be tempted to do it to generate more revenue. If it's not forbidden, every company will think they have to do it to remain competitive, morality be damned.

Until that happens, use a piHole.

Can we just take a moment to appreciate how well-written this is? Super engaging and fun to read.

I haven’t seen this written anywhere (perhaps I haven’t looked hard enough) but I’m starting to think that perhaps Google and Facebook are reaching out to and paying companies like Wacom to capture these analytics.

It makes little real sense for Wacom, a manufacturer of tablets, to capture this amount of data, and doing so has a cost. But it makes heaps of sense for Google to do it since they can infer all sorts of stuff from the applications you install.

It also explains why this crap is so pervasive, why the privacy policy is so vague (Wacom may not even know the extent of the exfiltration - don’t ask don’t tell), and why the quality of the data collection is so good.

I mean I’m guessing there a google product called something like “Google Analytics for OSX Drivers” and google would want that in popular products.

These sort of back room deals and outreach programs are pretty common in general, but if I’m right, then Wacom, while certainly an accomplice, is not the root cause of this.

That's actually really good to know. I used to own a wacom (pronunciation war: It's Whack-om haha) about 10 years ago for drawing - I don't think I would buy one now until they walk this one back (and push it off the cliff to die).

Good post. It would be nice to see a follow up with brands that don't track you.

So, if the driver hadn't had the courtesy to use the OS cert store, respect the OS proxy settings and use unencrypted DNS, how would we go forward to find out the siohoned-off data then?

As the side note, the following sentence from the post "I began my investigation with a strong presumption of chicanery" is something I am going to steal and use from now on. :)

So they got list of apps, and did some analysis on the data. Should they disclose it upfront? Sure, it would be nice. If this a big deal? Doesn't seem so.

BURP SUITE!

Burp suite is amazing and more people should use it. That is all.

You can use them on Linux and avoid the malware: https://linuxwacom.github.io

Pretty sure e-reader devices like Kindle, Kobo, Nook, etc. have baked-in Google Analytics too. Why isn't there an outrage about that?

sigh... their tablets are quite good if you like to paint digitally. Time to look for non existent third party drivers for windows.

This is why a software firewall can be helpful. Since I use Windows I expect there are no alternative drivers.

You can use the tablets without drivers in a very restricted manner. I don't know how to solve this besides strong regulations. Big firewall to China?

This is probably the best written article on tech I've ever read. It reads like a novel, and it's informative to boot.

It’s almost as if this is some sleazy attempt to get around malware checks by selectively disabling this behavior. Unacceptable.

I'm able to do the same on my Android phone. I can go into the Google settings and see everything I opened and when.

More anti-privacy, security holes, and dark patterns in the name of "analytics."

Is this really what tech customers want?

My Pixel 2 does the same. I assume all Android phones do. I can see everything ive opened in my Google profile

Wacom has application specific settings for compatibility. You can't have that feature without tracking individual processes and that data would be important for any sort of troubleshooting. It should be anonymized and they should be clear about what they are collecting, but the data does have a legitimate and benign use at least.

Wow, your writing is fantastic. Thanks for the writeup!

Why is the blog author wasting his time? The privacy statement says WACOM collects data. He does research and proofs it. -_-

"In Wacom's defense (that's the only time you're going to see that phrase today), the document was short and clear, although as we'll see it wasn't entirely open about its more dubious intentions (here's the full text)."

The "document" is actually comprised of three documents. Lawyers call this "incorporation by reference." The link given by the author is therefore only a starting point. When we incorporate the other two^1 documents -- https://www.wacom.com/privacy and https://www.wacom.com/cookie-notice, this is not a "short" document.

1. Actually it is comprised of four documents if we include the external list of companies -- www.wacom.com/about-wacom/our-passion/our-company that are also beneficiaries of the terms of these policies. Unless the user reads all three documents, she has not reviewed the entire contents of the "policy".

"Wacom didn't say exactly what data they were going to send themselves."

Looking at the privacy policy is there anything that could be in HTTP traffic from the tablet that would be outside the scope of what Wacom has stated they might collect.

Excerpts

3. Scope of this Privacy Policy

This privacy policy explains how we collect and use information that relates to you when you:

- use our other software and products; or

We refer to these uses and interactions as our "Services."

   |------------------------------------------------------------+----------------------------------------+------------------------------------------------------------|
   |Usage Information (e.g., indicators of engagement with our  |(1) to improve our products and create  |(a) with our service providers, including analytics         |
   |website or usage of Services, IP address, device identifier,|new products                            |providers, to help us deliver and improve the Services, and |
   |etc.)                                                       |                                        |to provide targeted advertising                             |
   |                                                            |(2) to provide targeted advertising     |                                                            |
   |                                                            |                                        |(b) our Affiliates                                          |
   |                                                            |(3) to better understand how our        |                                                            |
   |                                                            |customers' use our Services             |                                                            |
   |                                                            |                                        |                                                            |
   |                                                            |(4) for our internal accounting,        |                                                            |
   |                                                            |security, and operational purposes      |                                                            |
   |                                                            |                                        |                                                            |
   |                                                            |(5) for purposes required by law        |                                                            |
   |------------------------------------------------------------+----------------------------------------+------------------------------------------------------------|

Usage Information. We collect information about your interactions with our services. This includes or can relate to your personal information. This information enables us to, among other things, improve our Services and your experience, see which areas and features of our Services are popular and count visits, provide you targeted advertising based upon your interests and to analyze trends, administer our websites, track how you engage with our websites and other Services, learn about the systems, browsers, and apps you use to interact with our Services, gather demographic information about our user base as a whole. We also use analysis tools and methods to allow us to better understand how our customers use our Services. This includes how often the Services are used, the events that occur within the application, aggregated usage, performance data, any exceptions that occur within the software and the source from which the application was downloaded.

"Some of the events that Wacom were recording were arguably within their purview, such as "driver started" and "driver shutdown". I still don't want them to take this information because there's nothing in it for me, but their attempt to do so feels broadly justifiable.

Assuming Wacom respects resolv.conf as it does system-wide HTTP proxy settings, why not run localhost or LAN DNS server, either authoritative or recursive, that does not return a Google IP address for queries like www.google-analytics.com originating from the tablet IP address

The "broadly justifiable" reasoning does not account for the possibility Wacom may collect the data and then fail to improve the product, service or "user experience". Wacom is making no promises of any user benefits arising from collection of data. Even if there were "something in it" for the author, he has no way to hold Wacom to this promise. They get his data and he may or may not get something in return.

Who is Rick?

Great article!

I love how he MITM'd Wacom on his host machine. Slick!

Also this: "I dug around in the driver’s logfile and found the following snippet that confirmed my suspicions..."

Arms race time: this is an alert to shady developers to not put meaningful messages about data collection in their log files.

How much of this is specifically Watcom sending that info to Google Analytics and how much of it is the stock Google Analytics SDK automatically slurping up that stuff by default?

Great forensics work.

> even if someone had read and understood Wacom’s privacy policy, and had knowingly consented to a reasonable interpretation of the words inside it, that person would still not have agreed to allow Wacom to log and track the name of every application that they opened on their personal laptop.

I agree completely. Tracking every application one uses and reporting on that to third party Google is so contrary to their stated EULA that both a class action lawsuit, and prosecution in jurisdictions that protect privacy, are warranted.

I'm surprised Wacom is still around with iPad and Apple Pencil being such a hit. I know I've migrated.

More importantly, don't iOS and Android track every app you open also?

I know privacy is a big deal, and this is not cool in general but I kind of don't mind Wacom doing this.

If Wacom's users are starting to use a niche program outside of the Adobe suite, I'd like them to know about it so they can fully support it.

And its not like I'm going to be using my Wacom tablet with very many programs. Its not like it can replace a mouse unless you are a crazy person...

Maybe Wacom isn't really aware of this and there is a guy named Rick who has set up an elaborate scheme to stalk his artist ex girlfriend.

Edit: While this post was meant to be tongue in cheek, it is possible and I'm not sure which is worse.

"their device, which - remember - is essentially a mouse"

... that has per-application configuration settings that change how the tablet can be used. They aren't just wantonly collecting unrelated data. They have features tied to this.

I read the whole article to see if there was any mention of app-specific config. Doesn't come up once.

I'm fine with Wacom collecting this kind of data as long as it doesn't open any security holes. There are certain classes of products where I would not care what they collected as long as it was relevant to improving the product. i.e. Wacom wants to know popular apps I use my tablet on, ok. If they wanted to know my approx location though then I'd be alarmed.