Wacom drawing tablets are spying on every app you open, and sending the data back to Wacom

Bravo to software engineer Robert Heaton, who was sufficiently intrigued while reading the privacy policy of his Wacom drawing tablet to investigate what “aggregate usage data, technical session information and information about your hardware device” it might be collecting.

“In section 3.1 of their privacy policy, Wacom wondered if it would be OK if they sent a few bits and bobs of data from my computer to Google Analytics, “[including] aggregate usage data, technical session information and information about [my] hardware device.” The half of my heart that cares about privacy sank. The other half of my heart, the half that enjoys snooping on snoopers and figuring out what they’re up to, leapt. It was a disjointed feeling, probably similar to how it feels to get mugged by your favorite TV magician.”

However, Heaton’s investigation found that the data collected weren’t just “bits and bobs” but also the record of every application he opened, and what time he opened it.

Here, for instance, is Heaton’s drawing tablet reporting back to Wacom via Google Analytics that he’s just clicked on the Chrome browser.

You might well wonder why Wacom drawing tablets feel the need to record the name of every single application you run on your private, personal laptop and send it back to Wacom.

Even if you think there might be some customer support reason for collecting this information (rather than something more nefarious), you might well raise a querulous eyebrow at Wacom behaving like this by default, and find it underhand that every time the drivers for your Wacom drawing tablet are updated, the update enables what is known as the “Wacom Experience Program” again.
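An added example, not from the original article or from Heaton's write-up: a check a defender could run over decrypted proxy records to see whether analytics hits carry the names of locally installed applications. The parameter names are those of Google's Universal Analytics Measurement Protocol; the record layout, sample hits and app list are constructed, and which parameters Wacom's driver actually used is not stated on this page.

```python
from urllib.parse import parse_qs

GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}
GA_PATHS = {"/collect", "/batch"}
# Universal Analytics Measurement Protocol parameters that carry free text.
TEXT_FIELDS = ("ec", "ea", "el", "cd", "dp", "dt")

# Constructed proxy records (time, host, path, body); values are invented for
# illustration and are not taken from Wacom's traffic.
CAPTURE = [
    ("2020-02-05T10:01:12Z", "www.google-analytics.com", "/collect",
     "v=1&tid=UA-000000-0&cid=1111&t=event&ec=app&ea=open&el=Google%20Chrome"),
    ("2020-02-05T10:01:40Z", "www.google-analytics.com", "/collect",
     "v=1&tid=UA-000000-0&cid=1111&t=event&ec=driver&ea=started&el=ok"),
    ("2020-02-05T10:02:03Z", "updates.example.com", "/check",
     "product=tablet&note=Google%20Chrome"),
    ("2020-02-05T10:03:55Z", "www.google-analytics.com", "/batch",
     "v=1&tid=UA-000000-0&cid=1111&t=event&ec=app&ea=open&el=Terminal\n"
     "v=1&tid=UA-000000-0&cid=1111&t=event&ec=app&ea=open&el=Krita"),
]
INSTALLED_APPS = ["Google Chrome", "Terminal", "Krita", "Photoshop"]


def parse_hits(body):
    """Split a /collect or /batch body into one dict per hit."""
    return [{k: v[0] for k, v in parse_qs(line).items()}
            for line in body.splitlines() if line.strip()]


def audit(capture, installed_apps):
    """Return (time, property id, client id, field, app) per leaked app name."""
    findings = []
    for when, host, path, body in capture:
        if host not in GA_HOSTS or path not in GA_PATHS:
            continue  # not an analytics hit
        for hit in parse_hits(body):
            for field in TEXT_FIELDS:
                value = hit.get(field, "").lower()
                for app in installed_apps:
                    if app.lower() in value:
                        findings.append(
                            (when, hit.get("tid"), hit.get("cid"), field, app))
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURE, INSTALLED_APPS):
        print(*finding, sep="  ")
```

Because every finding carries the same client id, the output also shows how individual app-open events can be tied together into a per-device timeline.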

Heaton sums up his concerns with what Wacom is doing succinctly:

I care about this for two reasons.

The first is a principled fuck you. I don’t care whether anything materially bad will or won’t happen as a consequence of Wacom taking this data from me. I simply resent the fact that they’re doing it.

The second is that we can also come up with scenarios that involve real harms. Maybe the very existence of a program is secret or sensitive information. What if a Wacom employee suddenly starts seeing entries spring up for “Half Life 3 Test Build”? Obviously I don’t care about the secrecy of Valve’s new games, but I assume that Valve does.

We can get more subtle. I personally use Google Analytics to track visitors to my website. I do feel bad about this, but I’ve got to get my self-esteem from somewhere. Google Analytics has a “User Explorer” tool, in which you can zoom in on the activity of a specific user. Suppose that someone at Wacom “fingerprints” a target person that they knew in real life by seeing that this person uses a very particular combination of applications. The Wacom employee then uses this fingerprint to find the person in the “User Explorer” tool. Finally the Wacom employee sees that their target also uses “LivingWith: Cancer Support”.

Remember, this information is coming from a device that is essentially a mouse.

Wacom may not be guilty of abusing this information for surveillance or to sell cheap flights to Portugal, but it is clearly failing to properly describe in its privacy policy what data it is collecting under its “Wacom Experience Program”, and is in danger of losing the trust of its customers.
