
Wacom tablets track every app you open - krithix
https://robertheaton.com/2020/02/05/wacom-drawing-tablets-track-name-of-every-application-you-open/
======
danShumway
On Linux you'd be using the community-maintained drivers[0], so I assume this
wouldn't be a problem (correct me if I'm wrong).

But as far as I can tell, there are no equivalent Open Wacom drivers for
Windows. People with more Windows knowledge than me: any thoughts on why? Is
it just that someone using Windows probably doesn't care about Open drivers,
so the demand isn't there? Or is there something about Windows that makes
substituting drivers harder?

Wacom doesn't provide their own Linux drivers, but looking at the state of
drivers around GPUs, printers, I vaguely suspect that somebody in Linux would
be working on Open alternatives even if they did. I'm trying to think off the
top of my head what Windows-compatible hardware has 3rd-party driver options.
Maybe some printers?

[0]: [https://linuxwacom.github.io/](https://linuxwacom.github.io/)

~~~
babypuncher
Open source drivers are rare on Windows because manufacturers almost always
ship proprietary drivers that are good enough, and Windows users clearly have
no issues running closed-source software.

Proprietary drivers on Linux are often crap, if they even exist at all.

~~~
shrimp_emoji
>Proprietary drivers on Linux are often crap, if they even exist at all.

Not so with Nvidia GPUs. The open drivers are awful; the proprietary drivers
are good.

(But IS the case with AMD GPUs, to the point where the proprietary driver
seems to perform worse[0] and everyone pretends it doesn't even exist, which
is upside down unintuitive coming from A.) Windows _and_ B.) Nvidia.)

[0]: https://www.phoronix.com/scan.php?page=article&item=nvidia-amd-tday2016&num=2

~~~
axegon_
I have to use their proprietary drivers and I beg to differ. Nvidia drivers
are still crap, given all the pain you have to endure to get them running.
Yes, nvidia has managed to sneak into the linux world through cuda but as far
as ease of use, they are still nothing short of crap. Not to mention if you
want to use anything other than ubuntu.

------
Nitramp
The sad bit is that (some reasonable) telemetric data is really, really useful
for software engineering. If you have a large enough program, of course it'll
have way more bugs than you could ever fix. Crash tracking and usage analytics
is how you make a data driven decision on what to fix, and what to ignore.
This enables a data driven approach to software quality that's a huge
improvement.

Having worked on projects that did and did not have telemetrics, working
without them feels absurd - it seems like you're just randomly fixing the side
mirror on a car without any idea what's actually broken on it (independently
of your overall testing posture).

Vendors tracking excessive information without proper disclosure destroy this
information source for those developers that try to collect reasonable
information (with consent, disclosure, in context, etc).

------
DerWOK
Really great article. But I wonder why the author did not cover if/what the
driver publishes, if I do:

- open "Wacom Desktop Center"

- Top right (next to "Login") is "More" (click!)

- "Data Privacy Settings" (click!)

- "Participate In Wacom Experience Program" => on => off!

My setting was "On" - and I swear: whenever a program/website/installer asks
I go "No thankx". So it must be dark UI patterns with evil defaults that this
super-hidden thing was "on" for me. Shame on you, Wacom!

~~~
Moru
Or you could vote with your wallet and buy a Huion instead. They are just as
good, if not better. And about half the price. It's all made in China anyway.

~~~
Razengan
An iPad Pro with the Apple Pencil is actually a great alternative to
traditional drawing tablets, even if you use Windows.

~~~
yoavm
Yeah, but a Wacom starts at $59 and an iPad Pro starts at $799, and comes
without a pen.

~~~
Razengan
I shouldn’t have said “Pro” as the recent non-Pro iPads under $400 have Pencil
support too.

~~~
testuser66
I mean sure that's better, but now Apple is tracking you instead and you got
ripped off $340 for it

~~~
callalex
Apple’s tracking opt-outs don’t silently reset themselves to “share
everything” on each update the way Wacom does.

------
codezero
FWIW that isn’t a unique identifier for the author, it’s for Wacom’s GA
account. I didn’t see any meaningful identifier being sent. Of course the set
of most opened apps and your IP are probably enough to identify you.

That said, yep, it seems lame they don’t disclose this tracking. I can
understand why they’d want to know what apps their device pairs most often
with, but tracking all app opens seems aggressive, but maybe it’s the only way
to identify what app is open when the device is used.

(I work for an analytics company)

~~~
penagwin
Tracking the currently open application software side is perfectly within
scope for a drawing tablet - they often have buttons that can be bound to
keyboard shortcuts, etc. It makes sense that it should know when you're
focused on Photoshop vs Google Chrome.

But why are they sending this data to a server? My best guess is that this
helps them focus on what software people are using. This allows them access to
the popularity of graphic applications. They get to see what percentage of
users use say Photoshop vs [Other program here] - so they know where to
prioritize integrations and testing.

But I'm not sure how much "integrations" or work with third parties Wacom does
- the drawing tablets are following an api standard after all. But maybe wacom
does work directly with application devs, I don't really know.

I doubt they're doing this to try to track individual users - even if there
are ways to do it. That said I really wish they approached this with a more
friendly "Would you like to enable some basic Telemetry to improve Wacom
products - Yes, No" instead of a very unfriendly user agreement where they try
to force it.

~~~
Joe-Z
IMO the more simple explanation is they want this data to sell to data
aggregators, who can in turn enrich the profile they have on you. There's a
similar thing going on with smart TVs, right?

~~~
penagwin
I know this is the popular conclusion - but from a developer perspective, data
such as what software your product is used with is INCREDIBLY valuable for
project planning and prioritization. People hate web tracking, but knowing
what browsers or devices are visiting your website can be enormously helpful.

Also I don't know all the details here - I know that Vizio TVs were
collecting data and explicitly kept the IP and other personal data with it. I
don't know if wacom is doing that.

Now that said - I don't like that they're handing this data to Google through
Google Analytics. I also think they should be far more up front about what
they collect, what they use it for, etc.

~~~
vageli
> I know this is the popular conclusion - but from a developer perspective,
> data such as what software your product is used with is INCREDIBLY valuable
> for project planning and prioritization. People hate web tracking, but
> knowing what browsers or devices are visiting your website can be enormously
> helpful.

What happened to actually communicating with users to learn more about how
they use the product?

~~~
Kalium
That assumes a great deal about both the resources available to do it and the
ability to get responses from a representative sample of customers.

It's not challenging to see why someone might choose a one-time cost in
software engineering over an ongoing cost in communication.

~~~
a_e_k
I really like the approach that the Steam survey uses which blends engineering
and communication:

1) Pop up and ask for permission to scan the machine.

2) Show the data collected that will be sent back and give a second chance to
decline.

3) Allow everyone to see the aggregate results.

Being mostly automated, it's lower friction than a manual Q&A survey. But it
also feels way more respectful than trying to snoop around and then
clandestinely exfiltrate the data. It's one of the few cases where I'm willing
to opt-in to data collection.

~~~
IggleSniggle
Great point! And being able to see the results in aggregate is also
_interesting_. It inclines me to share, because it becomes a two-way share,
even though I don't actually have use for the information.

~~~
penagwin
Being able to see the aggregate data isn't just interesting but publicly
helpful.

From a game developer perspective, looking at it right now tells me that
(simplified):

* Most gamers have at least a GTX 1050 and 8GB of ram or higher. Perfect now we know where to aim our medium settings.

* 74% use Nvidia GPUs, 15% use AMD - now we know where to focus driver optimizations

* English, Simplified Chinese, and Russian are the top languages (where to focus translations)

* 72% play on 1080p, 14% on 1440p, etc. Tells us what resolutions to make sure our UI works on.

------
lightswitch05
This is just one of many reasons to use StevenBlack's Hosts [1] list to block
this type of behavior. While it doesn't currently block link.wacom.com, it
would have prevented the subsequent requests to Google Analytics. It works even
better when paired with a PiHole [2] to protect all devices on the network.

[1]
[https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts)

[2] [https://pi-hole.net/](https://pi-hole.net/)
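
What a hosts-format blocklist does and does not cover for the two destinations named in this comment, as an added example that is not part of the original thread: it parses hosts-file text and reports, per hostname, whether the name is sinkholed. The blocklist excerpt is constructed for illustration (it is not copied from StevenBlack's list), `www.google-analytics.com` is assumed as the Google Analytics endpoint, and the `.example` names are placeholders.

```python
"""Report which hostnames a hosts-format blocklist actually sinkholes."""
import ipaddress

# Names that legitimately map to loopback and are not "blocks".
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed excerpt in hosts-file format (NOT copied from any real list).
SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 www.google-analytics.com ssl.google-analytics.com  # two names, one line
0.0.0.0 Tracker.Example
192.0.2.10 intranet.example   # a real mapping, not a block
not-an-ip broken.example
"""


def normalize(name):
    """Hostnames compare case-insensitively; drop a trailing root dot."""
    return name.lower().rstrip(".")


def parse_blocked(hosts_text):
    """Return the set of names mapped to an unspecified or loopback address."""
    blocked = set()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip full-line and inline comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: ignore rather than guess
        # 0.0.0.0 / :: (unspecified) and 127.0.0.1 / ::1 (loopback) are sinkholes.
        if not (addr.is_unspecified or addr.is_loopback):
            continue
        for name in fields[1:]:
            name = normalize(name)
            if name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


def coverage(hosts_text, hostnames):
    """Classify each hostname as 'blocked', 'parent-only' or 'not-blocked'.

    Hosts files match whole names only, so an entry for a parent domain
    does not cover its subdomains; 'parent-only' flags that gap.
    """
    blocked = parse_blocked(hosts_text)
    report = {}
    for host in hostnames:
        name = normalize(host)
        if name in blocked:
            report[host] = "blocked"
            continue
        labels = name.split(".")
        # Every parent domain except the bare top-level label.
        parents = {".".join(labels[i:]) for i in range(1, len(labels) - 1)}
        report[host] = "parent-only" if parents & blocked else "not-blocked"
    return report


if __name__ == "__main__":
    targets = ["link.wacom.com", "www.google-analytics.com", "cdn.tracker.example"]
    for host, status in coverage(SAMPLE_HOSTS, targets).items():
        print(f"{host:28} {status}")
```

The result describes name resolution through the hosts file only; traffic sent to a hard-coded IP address or resolved through another resolver is outside what this check can see.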

~~~
Spivak
I mean I put Pihole on all my networks but this is at best a solution to “nice
malware” that doesn’t bother to hardcode addresses or perform lookups via an
attacker controlled DNS server.

You can catch slightly more aggressive malware by forcing all DNS traffic to
your server at the network level but you’re now playing the role of malicious
network operator. I would whitelist this to only devices you own.

~~~
lightswitch05
I don't think anyone would make the argument that a PiHole is a replacement
for following best practices in terms of computer and network security. I'm
just pointing out that a PiHole can block google analytics and other common
violators of privacy. It's not a security tool and isn't advertised as such.

------
tnorthcutt
Bravo for a really well written article. I'm interested in this kind of thing
but not familiar with techniques & tools used, so it was really nice that the
author included lots of detail, reasons for doing things, etc.

~~~
system2
Burp Suite and Wireshark come default in Kali. Give it a try:

[https://www.kali.org/downloads/](https://www.kali.org/downloads/)

(Also make sure to check out Maltego, Metasploit Framework and Armitage.)

------
diegof79
I work on UX, coming from an engineering background. It means that every day I
work close to product management and engineering.

The trend over the last 10 years is to collect tons of data to improve the
product. Some PMs and UXrs believe that they’ll get a magic insight from the
data, and the skeptics do it anyways because it is another data point to have.
For engineering, services like GA are cheap and easy to integrate.

Nobody has a bad intention. But, we are distracted by the next product release
to see the long term consequences for the society.

The reality is that some data is useful, but most of it is BS. To measure
adoption and engagement you can do a pilot and then deactivate data
collection. Big app errors are reported soon after a release, and you don’t
need to continue collecting that for a long time.

To improve the UX you can do research with less data points, and smaller
groups. The irony: I wish to have data to prove it, my hypothesis is based on
my experience. I got more actionable insights from qualitative research, self-
reported metrics, or quantitative data focused in certain aspects (instead of
collecting all just in case). Sometimes having nice reports based on tons of
data is more useful as an argument for corporate politics rather than to
improve the product, but users don’t need to pay the consequences of your
company's stupidity (I’m looking at you MS telemetry ;-) )

There is a simple thing that we can do to change this trend. Ask yourself:
What is the goal of collecting the data? What product hypothesis do you want to
prove? Can you get insights from a small group? If you don’t know.... hold on
your data collection desires.

~~~
daemin
The one technical reason I see for doing this is to help in dealing with
customer bugs and complaints. So strictly in a diagnostic capacity.

~~~
diegof79
For those cases the app can collect the exceptions only (as many apps and OS
do).

I worked on a desktop product with this type of data collection. Usually what
happens is that after a new release you may see new errors coming up, and then
they start to repeat. The data collection becomes a burden, new reports of the
same error type don’t give you more information.

It’s a good opportunity for a good UX, e.g. point the user to the relevant
support info to solve the problem.

For support cases you may be able to ask for diagnostics on demand. The app
can collect it internally without sharing and send part of it when an
exception occurs and the user accepts to send it.

~~~
daemin
That's actually a good piece of advice, thanks for posting it.

------
jrockway
I wonder what the comfortable medium between privacy and letting developers
get feedback about how well their code works is. It seems to me like Wacom
just wants to know if their drivers work, so they can focus engineering
efforts around fixing the issues that are affecting their users. "Oh hey, the
new beta of Photoshop breaks our drivers!" They don't make a "cloud product"
and they have an obligation to make their hardware work with any software the
user might want to use, so they are kind of painted into a weird corner here.
If they collect data to drive their engineering, they're spyware. If they
collect no data, they're a bug-ridden disaster area whose product you would
never buy.

I am guessing that the answer will be "they should test everything in house
and tell users to complain via email when shit is broken"... but we all know
that synthetic QA is never going to be as good as "ground truth", and that 99%
of users will just silently be unhappy. So I wonder what the privacy balance
is here.

~~~
JohnFen
> I wonder what the comfortable medium between privacy and letting developers
> get feedback about how well their code works is.

I consider the nut of the problem to be informed consent. If you have user's
informed consent to get the feedback, then there is no problem. If you don't,
then the whole operation is unacceptable.

And no, mentioning it in the privacy policy or terms of use doesn't count as
"informed consent".

~~~
hnick
This would be a real challenge for some companies. Having a clear privacy
policy creates a hard dependency between it and the code. And developers are
notorious for not even being able to keep comments updated along with their
code changes.

It's not impossible at all, just in the current state of the industry there's
a good reason we have vague agreements (also including good old-fashioned
laziness, of course). It'd probably need to be developed ground up as an API
with side effects, so when the code is compiled it spits out some details
about how it's used.

~~~
laughinghan
So what? Informed consent is also "a real challenge" for some medical studies,
does that mean we should let doctors carry out unethical studies?

I'm actually pretty sympathetic to Wacom in this instance, more sympathetic
than the blogpost author at least. But unethical actions are unethical
regardless of whether acting ethically is "a real challenge" for some
companies.

~~~
jpttsn
The deep problems of “informed consent” are apparent in medical
studies/treatment. Few patients are equipped to be informed because they don’t
have a med school degree.

Since users ”can’t be informed” about tracking, it doesn’t make sense to
discuss whether they “should be informed”.

~~~
laughinghan
Doubtless there are deep problems with "informed consent", but saying they
"can't be informed" is nonsense. Is your plan to not bother to inform people
because they "can't be informed", and decide what's best for them without
their knowledge or consent?

~~~
jpttsn
To the extent permitted by applicable law.

------
diffeomorphism
While this implementation obviously has privacy issues, the anonymized
aggregate data would be quite interesting, e.g. how many people use photoshop,
illustrator, etc. with their wacom tablets.

The problem then seems to be more about the false positives. If you use "Half
Life 3 Test Build" that is useless info for wacom because it (presumably)
doesn't care about pen input. Q: If the data were filtered to just
art/graphics apps using the pen, would that still be problematic?

~~~
_jal
> would that still be problematic?

Yes. When thinking about data, you need to think about orthogonal uses. Can
you imagine reasons why someone might subpoena data to determine whether
Photoshop was being used on my home desktop machines at a particular time?
They might not care that it was Photoshop at all.

~~~
diffeomorphism
Any data collection of course has a privacy cost and should of course be opt
in.

What about aggregate data limited to art apps? For example if it only sends a
monthly summary: used photoshop with a wacom tablet for 15 hours this month,
illustrator for 3 hours this month?

~~~
harikb
In that fictitious scenario, would they have checked with Adobe if they
wouldn't mind their users being spied upon? What if this information is
indirectly used for trading on ADBE stock? Would that be considered OK?

~~~
diffeomorphism
Could you elaborate? Why would I as a user need permission from Adobe to tell
wacom that I am using their tablet in photoshop?

> What if this information is indirectly used for trading on ADBE stock? Would
> that be considered OK ?

Obviously yes? What is supposed to be the issue here?

------
awinter-py
> Why does a device that is essentially a mouse need a privacy policy

I mean, crash logs, but yes -- defining question for our time

drivers shouldn't connect to the internet unless that's what they're for.
crash logs should be managed by a third party thing that the user can
configure

------
jsilence
No wonder everything is slowing down to a crawl when every mouse driver and
their dog is doing full surveillance on every move the user makes.

------
viknod
They have all the data from the uninformed, ambivalent or defeated already. We
develop things to crush the remaining resistance. Walled garden devices, cert
pinning, signed applications, DNS over HTTPS, yes they are all more secure,
but not for you. If well implemented, these serve as tools to make sure the
privacy policy is the only thing informing you of collection.

~~~
aneutron
I'm not perfectly okay with what you are suggesting (and that's okay of
course).

But essentially, coming from a 3rd world country where censorship was the norm
before Internet came along, and seeing how TLS and DoH are giving similar
states like China a headache, I have to say that I am extremely happy, but
concerned.

I believe it is a regulatory problem. In essence, make collecting data
punishable but personally (i.e. Person X signed on decision to collect data,
person X gets jail time)

I know that's probably not even remotely possible because employees "operate
on behalf of the company" but removing that shield will effectively eliminate
this. The same way dumping stock at a company means the FTC/SEC/FBI will have
your ass on a platter, personally.

------
durpleDrank
Saw this two nights ago installing the driver on Windows 10. Read the EULA.
Did not consent, closed the window. Is that good enough?

By the way, My tablet works MUCH BETTER on Ubuntu and Mint than on Windows 10.
Krita and MyPaint are cross platform so I might just do my art on a *nix box
instead.

~~~
danShumway
Off topic, but would you be willing to expand on your Linux experiences with
this?

I'm currently doing all of my digital drawing on an old SP3 tablet running
Manjaro, via Krita. The driver support is... acceptable, I guess. Krita has
more than a few annoying edges, but shows a lot of potential so I've been
sticking with it.

For a long time I've been considering springing for a dedicated setup with one
of Wacom's larger devices, but I've held back because I need it to have
completely solid Linux support and I can't figure out how to test that in
advance. I'm always curious to get more info about what issues other people
have seen.

I wish I could find a physical store where I could just bring in a laptop,
plug it into the actual device, and draw for maybe an hour to figure out if
there are any dealbreaking problems.

~~~
durpleDrank
"Off topic, but would you be willing to expand on your Linux experiences with
this?"

I'm using a Wacom Intuos pen & touch M graphics tablet, connected to a
Thinkpad 430. Over the years I was using Debian Stable, MINT, and finally
Ubuntu.

The experience is great. Like I mentioned, much better than windows. I only
just started to use Krita (I prefer MyPaint, however I feel I should branch
out). The work I do isn't special, just stupid doodles and cartoon type of
stuff. The wacom I'm using is older, I think I bought it 5 years ago or so.

I don't really have much to add besides that. I remember WAYYY back in the day
having to compile the driver myself for an older wacom (Ubuntu 6 or 7 era).
It's practically plug and play now, however, I think there is some other apt-
get stuff that I did once for some reason that I forget (eraser wasn't
working?). If you are having issues maybe try another tablet. I think the one
I have can be bought for $50 on ebay. Maybe try a 30 day return place like
best buy and sorry to say try the latest ubuntu or mint for compatibility
(have a dedicated art machine?)

------
wrkronmiller
> as far as I can tell anyone with the presence of mind to decline it could do
> so with no adverse consequences

Makes me think one should try declining these kinds of agreements to see what
happens, before accepting. As someone who also has an "anti-privacy-policy-
policy," I wonder how many of these kinds of things I've agreed to when it was
unnecessary.

~~~
egypturnash
As far as I can tell the only consequence of declining it is that it pops up
the “hey please let us have all this info” dialogue whenever you reboot. I’ve
been doing this on my own machine for most of a year.

Might be different with the latest update, I haven’t bothered with that.

~~~
pbhjpbhj
Is there an accessible way to prevent an application drawing a specific window
to the screen?

I can see an app like autohotkey could click the "no" button and automatically
remove it, but could you (assuming it's not modal; which it probably is) tell
Windows not to show it?

~~~
egypturnash
The "Wacom Desktop Center" app mostly just sits there looking for updates and
bugging you to enable tracking anyway; the Mac version has a menu setting that
_theoretically_ stops it from ever running, and thus bugging you to sign up to
share your analytics. I just turned it off (since I just noticed it for the
first time) but don't feel like rebooting to check if it actually works.
(Though I did just run the little script I keep around to restart the driver,
which normally brings up the WDC, and it did not show up this time. Huzzah!)

No idea about Windows, I never use that.

------
nickjj
One thing the article doesn't talk about is when this tracking happens.

Does it only happen if the pen is touching the tablet, or does it happen all
the time even if the pen isn't touching the tablet?

Because there's a huge difference between the 2. Normally you would keep your
tablet plugged into a USB port but the pen isn't actively being used.

------
st3fan
"In some ways it feels unfair to single out Wacom." - Uh no, it is completely
fair to single them out and put them in the spotlight for doing this kind of
tracking.

~~~
rossdavidh
I think the statement was meant to indicate that this kind of behavior is
well-nigh ubiquitous, so the only thing really different about Wacom is that
they're the one we're talking about, when they are by no means the worst
offender.

~~~
JohnFen
I'm sure that's exactly what it means -- but it's still fair to call out
individual companies that engage in this misbehavior. That others are doing it
as well isn't important.

------
bitL
It looks like everything in tech got poisoned, smart TVs taking screenshots,
web apps tracking and matching user clicks, smartphones tracking locations
realtime and who knows what else, desktop apps monitoring other apps and
peripherals, creepy companies building profiles on everyone, health
institutions selling data of their users... I want out, I didn't get into this
field, keeping myself up-to-date and super capable via top universities, to be
just another cog in building a toxic monstrosity this industry is becoming
just to make somebody with a limited lifespan feel powerful and rich.

~~~
sizzle
"just to make somebody with a limited lifespan feel powerful and rich."

Wow that last sentence really puts things into perspective. How can we reverse
course and throw a wrench in the system? We are the makers, we should be able
to wrestle back control and do it democratically and get politicians on our
side to legislate this ad industry into the ground.

~~~
TeMPOraL
First step would be to kill advertising-based models. Get them banned. Because
it's the advertising industry's race to the bottom that poisons everything,
and fuels the creation of surveillance infrastructure. With ad-related
snooping gone, it will be much easier to rein in the remaining few players who
misuse data in pursuit of optimizing their business models.

(And yes, I know ads enable a lot of free content on-line. But as countless
problems like this show, it's a bad tradeoff.)

~~~
bArray
There was a time before now where advertising was effective and didn't track
you - it was the advent of _targeted_ advertisement which really killed things
off.

Can we go back to the days where an advert was just an image and a
hyperlink? Where advertisement paid by the pixel and location on the website?
Where JavaScript was unused unless in some rare and warranted cases?

I still believe the web can be a free and open market place of ideas.

~~~
mdhardeman
There are two troubles:

1. The uplift of targeted advertising is unbelievable until you see the
actual statistics. It's like slowly sipping a cup of coffee to wake up versus
waking up to snort a line of crack.

2. Advertisers were abused and defrauded by adtech. Which has inspired all
kinds of surveillance hellscape because the advertisers finally caught wise
and have renegotiated to pay for actual performance only -- not clicks --
actually closed sales. But adtech wants paid if you do your research online,
respond to an ad online, and then buy in store. And a whole lot of adtech now
allows for that. Attributing an in-store purchase with no customer interaction
to a prior web session by that same party.

The benefit of those two factors to the advertisers is such that we can't have
a serious discussion about this shit going away without a law which assigns
criminal penalties for being a beneficiary of the scheme.

------
Quai
I, for one, want to know Rick's story...

How was the day he got famous internally in Wacom, just because some XML that
no one was meant to see..

~~~
gvb
It's Rick Astley, y'know "Never Gonna Give You Up"
([https://en.wikipedia.org/wiki/Rickrolling](https://en.wikipedia.org/wiki/Rickrolling)).

------
ipython
The best part is where the author admits to using google analytics himself to
track who visits his blog. At some point we all have to say enough is enough.

~~~
13hunteo
I've read a lot of comments recently about how Google Analytics is bad, but no
one explains why. Can I ask why this is not something people want? Is it not
anonymised?

~~~
dahart
One reason why is that Google Analytics is not being limited to giving the web
site owner traffic information, the analytics are also being used by Google to
collect and correlate larger traffic patterns, as well as track individual
users across multiple sites. These are things Google gets to see, but
neither the site owners nor the users have access to. What Google does exactly
with this information is not entirely known outside of Google, though it's
certainly used at least to improve personalized advertising, which many people
feel is a privacy concern.

~~~
andai
Google, and anyone who has access / can gain access to the data, whether by
technical means (NSA) or by law.

------
Causality1
These days I assume that if something is possible, profitable, and legal, it's
being done. Sometimes I question whether there's a company executive on earth
who doesn't deserve to get stood up against a wall.

------
djsumdog
How much of this is specifically Wacom sending that info to Google Analytics
and how much of it is the stock Google Analytics SDK automatically slurping up
that stuff by default?

------
r00fus
This is a fantastic read. It makes the process very straightforward - almost
like a how-to for snooping the snoopers who use GA.

Well done & great work.

------
userbinator
I wonder if the extremely affordable tablets from Monoprice also have this
problem. I don't have a use for one but I know a few others who use them and
claim they are fantastic in quality and not overpriced. If they don't phone
home, perhaps that could be another marketing point: respects your privacy.

For years I've avoided the software packaged with hardware whenever possible,
e.g. printer drivers (a few MB of actual driver at most, and a few _hundred_
MB of useless bloatware all installed together); now I guess there's another
reason to do that.

------
pvaldes
I received one as a gift but, to be honest, I never used it after seeing the
obscure mandatory proprietary format to save the files. If I can't open my
files later in GNU and there is not a method at sight to save it as jpeg, png,
etc... is useless. Just a cheap model probably. Collecting dust somewhere.

My other wacom, an older model, was awesome as a mouse replacement; but it
took months to work in Linux and I don't feel too much inclined to repeat the
experience.

~~~
andai
My wacom experiences on linux have been plug and play so far. Maybe I got
lucky with the model numbers.

~~~
pvaldes
I was a species of "mid-early adopter", probably. All should be much easier
now. In any case I eventually stopped to use the older model because it was
just a little cumbersome to move it around with the laptop all day.

It was a nice piece of hardware. Is a pity to hear that they are now tracking
what users do with their computers. For me this is a no-way (It seems that I
did the right thing dismissing the second model).

------
HenryBemis
Every time I see the words “XYZ Experience Program”, my alarms go off, it's
synonym to "every move you make, I'll be watching you".

------
jameshart
Hold on. This is a hardware device we are talking about here. You put it on
your desk, physically interact with it, and plug it into your computer. Do you
realize all the ways the manufacturer could harm you if they were malicious,
cut corners, were coerced by a state to compromise the device, or failed to
comply with regulations?

And you’re worried about their data handling policy?

A short and very incomplete list of the things a purchaser of a Wacom tablet
is trusting to be true:

- That the tablet is safe to use - it will not fail in a way that exposes the
user to electric shock hazards, sharp edges, dangerous chemicals, etc.

- that the EM emissions used to communicate between the pen and tablet don’t
interfere with other systems in ways that could compromise safety

- that the device complies with usb standards and won’t damage electronics you
interface it to

- that there are no hidden surveillance devices in the tablet or pen

- that, as an input device with access to your usb bus it doesn’t have the
ability to be remotely induced to control your computer

Then you’re installing a piece of driver software, giving it sufficient
permissions that it can read what application is currently running, and you
are worried about it exfiltrating that information, rather than - say - the
fact that as an input driver, again, it has complete control over your
computer; it can record input - what if you use your Wacom to sign a pdf? Now
it knows your signature. Or you tap out your banking password using an on
screen keyboard. Who knows what else it can do - acting at the user input
level presumably it can do anything you the user can do.

So sure, be concerned about what happens to the data it sends to Wacom, but if
you don’t trust Wacom, your problems started much sooner than when you
accepted the data sharing agreement.

~~~
gmd63
What prevents a small peripheral company from being a vector for hardware
attacks via a foreign state? Is there an impartial inspection process that
checks devices? It seems like it would be extremely lucrative for a person to
facilitate that operation if they don't value the integrity of their nation.

~~~
mzs
not much
[https://news.ycombinator.com/item?id=22251384](https://news.ycombinator.com/item?id=22251384)

------
djhworld
Very enjoyable read, thank you.

I'd imagine simply turning off the "User Experience Program" opt-in is a flaky
setting that probably gets reverted to "on" when you do updates etc

A better option is to install LittleSnitch and block the traffic.

------
LegitShady
Even my drawing tablet? I'm starting to hate the present day philosophy of
pervasive surveillance acceptability when I can't even pay premium for a
device and have it not track me constantly.

------
serf
last wacom drivers I used on Windows ( I don't know, 2013? ) would eat memory
all day, every day, until self-destruction. I have a screenshot somewhere of
the process taking ~28 gigs of memory.

It doesn't at all surprise me that it's sneaking around.

This might be some cargo-cult level religion of mine, but if a driver package
has a lot of flashy UI stuff (Wacom, Logitech, Creative), it's probably doing
something suspect.

The more the apps look like key-gens, that's when you have to start
wiresharkin'.

------
greggman3
Facebook Oculus Rift seems to log the title of every window of every app you
open

[https://www.reddit.com/r/virtualreality/comments/ezln7j/face...](https://www.reddit.com/r/virtualreality/comments/ezln7j/facebook_oculus_rift_logs_desktop_activity/)

------
dreamcompiler
Until this kind of shit is legislated out of existence, every company that
makes an installable program is going to be tempted to do it to generate more
revenue. If it's not forbidden, every company will think they have to do it to
remain competitive, morality be damned.

Until that happens, use a piHole.

------
lordleft
Can we just take a moment to appreciate how well-written this is? Super
engaging and fun to read.

------
doctor_eval
I haven’t seen this written anywhere (perhaps I haven’t looked hard enough)
but I’m starting to think that perhaps Google and Facebook are reaching out to
and paying companies like Wacom to capture these analytics.

It makes little real sense for Wacom, a manufacturer of tablets, to capture
this amount of data, and doing so has a cost. But it makes heaps of sense for
Google to do it since they can infer all sorts of stuff from the applications
you install.

It also explains why this crap is so pervasive, why the privacy policy is so
vague (Wacom may not even know the extent of the exfiltration - don’t ask
don’t tell), and why the quality of the data collection is so good.

I mean I’m guessing there's a Google product called something like “Google
Analytics for OSX Drivers” and Google would want that in popular products.

These sort of back room deals and outreach programs are pretty common in
general, but if I’m right, then Wacom, while certainly an accomplice, is not
the root cause of this.

------
rhacker
That's actually really good to know. I used to own a wacom (pronunciation war:
It's Whack-om haha) about 10 years ago for drawing - I don't think I would buy
one now until they walk this one back (and push it off the cliff to die).

------
thiagomgd
Good post. It would be nice to see a follow up with brands that don't track
you.

------
xg15
So, if the driver hadn't had the courtesy to use the OS cert store, respect
the OS proxy settings and use unencrypted DNS, how would we go forward to find
out the siphoned-off data then?

------
vzaliva
As a side note, the following sentence from the post "I began my
investigation with a strong presumption of chicanery" is something I am going
to steal and use from now on. :)

------
risyachka
So they got a list of apps, and did some analysis on the data. Should they
disclose it upfront? Sure, it would be nice. Is this a big deal? Doesn't seem
so.

------
sillysaurusx
BURP SUITE!

Burp suite is amazing and more people should use it. That is all.

~~~
burntwater
On their website, they list their plans Enterprise through Community, left to
right. That's the opposite of what's standard and immediately makes me wary.

They might be great, I don't know. But if something as non-standard as that is
done, what other weird behavior does their software have?

~~~
sillysaurusx
Heh. Brace yourself; Burp is very weird.

It's worth learning though. I haven't found a better intercepting proxy, and
the community edition is pretty powerful.

------
shmerl
You can use them on Linux and avoid the malware:
[https://linuxwacom.github.io](https://linuxwacom.github.io)

------
wackget
Pretty sure e-reader devices like Kindle, Kobo, Nook, etc. have baked-in
Google Analytics too. Why isn't there an outrage about that?

------
raxxorrax
sigh... their tablets are quite good if you like to paint digitally. Time to
look for non existent third party drivers for windows.

This is why a software firewall can be helpful. Since I use Windows I expect
there are no alternative drivers.

You can use the tablets without drivers in a very restricted manner. I don't
know how to solve this besides strong regulations. Big firewall to China?

~~~
TrickyRick
I mean the author notes that you can decline and the software keeps working. I
don't have a Wacom tablet so can't confirm, and it doesn't justify what
they're doing but at least it's relatively easy to opt-out.

------
Priem19
This is probably the best written article on tech I've ever read. It reads
like a novel, and it's informative to boot.

------
tinus_hn
It’s almost as if this is some sleazy attempt to get around malware checks by
selectively disabling this behavior. Unacceptable.

------
Pacers31Colts18
I'm able to do the same on my Android phone. I can go into the Google settings
and see everything I opened and when.

------
musicale
More anti-privacy, security holes, and dark patterns in the name of
"analytics."

Is this really what tech customers want?

------
Pacers31Colts18
My Pixel 2 does the same. I assume all Android phones do. I can see everything
I've opened in my Google profile.

~~~
GrayShade
There used to be a "device activity" setting under
[https://myaccount.google.com/dashboard](https://myaccount.google.com/dashboard).
Does anyone know why it was removed?

> Activity controls no longer include the Device Information setting

------
buddylw
Wacom has application specific settings for compatibility. You can't have that
feature without tracking individual processes and that data would be important
for any sort of troubleshooting. It should be anonymized and they should be
clear about what they are collecting, but the data does have a legitimate and
benign use at least.

~~~
penagwin
Software side you're right, it makes sense for the driver to keep track of the
current application for things like button binds, etc.

But that doesn't mean they need to transmit that information off your
computer.

Although I agree, this is likely relatively benign, it's most likely useful as
a market research tool to see what applications they should prioritize
support/testing for.

------
ryanisnan
Wow, your writing is fantastic. Thanks for the writeup!

------
persephonee
Why is the blog author wasting his time? The privacy statement says WACOM
collects data. He does research and proves it. -_-

~~~
danShumway
> Wacom didn’t say exactly what data they were going to send themselves. I
> resolved to find out.

[...]

> since Wacom’s privacy policy makes no mention of their intention to record
> the name of every application I open on my personal laptop, I’d argue that
> it doesn’t even give them the technical-fig-leaf-right to do so. In fact,
> I’d argue that even if someone had read and understood Wacom’s privacy
> policy, and had knowingly consented to a reasonable interpretation of the
> words inside it, that person would still not have agreed to allow Wacom to
> log and track the name of every application that they opened on their
> personal laptop.

------
3xblah
"In Wacom's defense (that's the only time you're going to see that phrase
today), the document was short and clear, although as we'll see it wasn't
entirely open about its more dubious intentions (here's the full text)."

The "document" is actually comprised of three documents. Lawyers call this
"incorporation by reference." The link given by the author is therefore only a
starting point. When we incorporate the other two^1 documents --
[https://www.wacom.com/privacy](https://www.wacom.com/privacy) and
[https://www.wacom.com/cookie-notice](https://www.wacom.com/cookie-notice),
this is _not_ a "short" document.

1\. Actually it is comprised of four documents if we include the external list
of companies -- www.wacom.com/about-wacom/our-passion/our-company that are
also beneficiaries of the terms of these policies. Unless the user reads all
three documents, she has not reviewed the entire contents of the "policy".

"Wacom didn't say exactly what data they were going to send themselves."

Looking at the privacy policy, is there anything that could be in HTTP traffic
from the tablet that would be outside the scope of what Wacom has stated they
might collect?

Excerpts

3\. Scope of this Privacy Policy

This privacy policy explains how we collect and use information that relates
to you when you:

\- use _our other software and products_ ; or

We refer to these uses and interactions as our "Services."

    
    
       |------------------------------------------------------------+----------------------------------------+------------------------------------------------------------|
       |Usage Information (e.g., indicators of engagement with our  |(1) to improve our products and create  |(a) with our service providers, including analytics         |
       |website or usage of Services, IP address, device identifier,|new products                            |providers, to help us deliver and improve the Services, and |
       |etc.)                                                       |                                        |to provide targeted advertising                             |
       |                                                            |(2) to provide targeted advertising     |                                                            |
       |                                                            |                                        |(b) our Affiliates                                          |
       |                                                            |(3) to better understand how our        |                                                            |
       |                                                            |customers' use our Services             |                                                            |
       |                                                            |                                        |                                                            |
       |                                                            |(4) for our internal accounting,        |                                                            |
       |                                                            |security, and operational purposes      |                                                            |
       |                                                            |                                        |                                                            |
       |                                                            |(5) for purposes required by law        |                                                            |
       |------------------------------------------------------------+----------------------------------------+------------------------------------------------------------|
    

Usage Information. We collect information about your interactions with our
services. This includes or can relate to your personal information. This
information enables us to, _among other things_ , improve our Services and
your experience, see which areas and features of our Services are popular and
count visits, provide you targeted advertising based upon your interests and
to analyze trends, administer our websites, track how you engage with our
websites and other Services, learn about the systems, browsers, and apps you
use to interact with our Services, gather demographic information about our
user base as a whole. We also use analysis tools and methods to allow us to
better understand how our customers use our Services. This includes how often
the Services are used, the events that occur within the application,
aggregated usage, performance data, any exceptions that occur within the
software and the source from which the application was downloaded.

"Some of the events that Wacom were recording were arguably within their
purview, such as "driver started" and "driver shutdown". _I still don't want
them to take this information because there's nothing in it for me_, but their
attempt to do so feels broadly justifiable."

Assuming Wacom respects resolv.conf as it does system-wide HTTP proxy
settings, why not run a localhost or LAN DNS server, either authoritative or
recursive, that does not return a Google IP address for queries like
www.google-analytics.com originating from the tablet IP address?

The "broadly justifiable" reasoning does not account for the possibility Wacom
may collect the data and then fail to improve the product, service or "user
experience". Wacom is making no promises of any _user benefits_ arising from
collection of data. Even if there were "something in it" for the author, he
has no way to hold Wacom to this promise. They get his data and he _may or may
not_ get something in return.
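
The local-DNS idea in the comment above, as an added example (not code from the thread, the article or Wacom): a resolver that answers queries for the analytics domain with an unroutable address and relays everything else. The listen address, TTL, sinkhole address and the `upstream` resolver argument are assumptions; only the hostname comes from the comment.

```python
import socket
import struct

# Assumption: block list seeded with the domain of the hostname named above.
BLOCKED_SUFFIXES = ("google-analytics.com",)
SINKHOLE_IP = "0.0.0.0"  # unroutable answer handed back for blocked names

def build_query(name, qtype=1, txid=0x1234):
    """Build a constructed DNS query (RD set), used here as sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (name, qtype, qclass, end_offset) of the first question."""
    offset, labels = 12, []
    while True:
        length = packet[offset]  # IndexError on truncated input
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        labels.append(packet[offset:offset + length].decode("ascii").lower())
        offset += length
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return ".".join(labels), qtype, qclass, offset + 4

def is_blocked(name):
    """Match the domain itself or any subdomain, never a mere string suffix."""
    return any(name == s or name.endswith("." + s) for s in BLOCKED_SUFFIXES)

def sinkhole_response(query):
    """Return reply bytes for a blocked name, or None to forward upstream."""
    try:
        txid, flags, qdcount = struct.unpack("!HHH", query[:6])
        name, qtype, qclass, end = parse_question(query)
    except (struct.error, IndexError, ValueError):
        return None
    if flags & 0x8000 or qdcount != 1 or not is_blocked(name):
        return None
    answer = b""
    if qtype == 1 and qclass == 1:  # A/IN: answer with the sinkhole address
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                  + socket.inet_aton(SINKHOLE_IP))
    # Other types (e.g. AAAA) get an empty NOERROR answer, so no fallback path.
    rflags = 0x8000 | (flags & 0x0100) | 0x0080  # QR, copied RD, RA
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:end] + answer

def serve(upstream, listen=("127.0.0.1", 5353)):
    """Answer blocked names locally; relay everything else to `upstream`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        query, client = sock.recvfrom(4096)
        reply = sinkhole_response(query)
        if reply is None:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as fwd:
                fwd.settimeout(3)
                try:
                    fwd.sendto(query, upstream)
                    reply, _ = fwd.recvfrom(4096)
                except OSError:
                    continue
        sock.sendto(reply, client)
```

This only has an effect while the driver resolves names through the system resolver; software that ships its own resolver or hard-coded addresses bypasses it.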

------
killjoywashere
Who is Rick?

~~~
DrOctagon
It looks to me like a Rickroll.

------
0xff00ffee
Great article!

I love how he MITM'd Wacom on his host machine. Slick!

Also this: "I dug around in the driver’s logfile and found the following
snippet that confirmed my suspicions..."

Arms race time: this is an alert to shady developers to not put meaningful
messages about data collection in their log files.

~~~
TheRealPomax
Real shady devs already don't do this. All signs here point to "salaried
employees being asked to implement a feature, and just following the ticket to
the letter".

------
droithomme
Great forensics work.

> _even if someone had read and understood Wacom’s privacy policy, and had
> knowingly consented to a reasonable interpretation of the words inside it,
> that person would still not have agreed to allow Wacom to log and track the
> name of every application that they opened on their personal laptop._

I agree completely. Tracking every application one uses and reporting on that
to third party Google is so contrary to their stated EULA that both a class
action lawsuit, and prosecution in jurisdictions that protect privacy, are
warranted.

------
robohoe
I'm surprised Wacom is still around with iPad and Apple Pencil being such a
hit. I know I've migrated.

~~~
ghostbrainalpha
Is the pressure sensitivity equal on the apple pencil to high end Wacom?

~~~
budlightvirus
It's really great. iPad + Apple pencil feels better for making marks, and the
Cintiq Pro is just a bit behind in drawing feel but more capable overall.

------
onlyrealcuzzo
More importantly, don't iOS and Android track every app you open also?

~~~
dmitryminkovsky
This is getting voted down, but is this not true? My iPhone knows all my top
apps and shows them on whatever that screen is called, with the search, and
adjusts them over time as usage changes. Maybe it’s not “more important,” but
why vote this down? How do I know that data doesn’t go back to Apple with
“telemetry”?

~~~
cmcd
A Wacom tablet is not the same as a phone, it is a peripheral. This is like
your Dell keyboard tracking your keystrokes and what application they go into.

~~~
AlexandrB
Which is a thing that has already happened with Razer[1]. They back-pedalled
(a little) after pressure from customers[2].

[1]
[https://www.reddit.com/r/privacy/comments/8klf7a/razer_synap...](https://www.reddit.com/r/privacy/comments/8klf7a/razer_synapse_privacy_policy_keylogging_and/)

[2] [https://www.techradar.com/news/razer-synapse-3-app-delivers-...](https://www.techradar.com/news/razer-synapse-3-app-delivers-better-privacy-and-convenience-by-allowing-guest-logins)

~~~
nottorp
It's a bit late for them <pats SteelSeries mouse>.

------
ghostbrainalpha
I know privacy is a big deal, and this is not cool in general but I kind of
don't mind Wacom doing this.

If Wacom's users are starting to use a niche program outside of the Adobe
suite, I'd like them to know about it so they can fully support it.

And it's not like I'm going to be using my Wacom tablet with very many
programs. It's not like it can replace a mouse unless you are a crazy person...

~~~
JohnFen
I'm sure that most people feel as you do. So manufacturers should get informed
consent before doing the data collection -- that way, you can give such
consent and people who feel differently about such tracking can withhold it.
It's win-win.

------
ogre_codes
Maybe Wacom isn't really aware of this and there is a guy named _Rick_ who has
set up an elaborate scheme to stalk his artist ex girlfriend.

Edit: While this post was meant to be tongue in cheek, it is possible and I'm
not sure which is worse.

------
moron4hire
"their device, which - remember - is essentially a mouse"

... that has per-application configuration settings that change how the tablet
can be used. They aren't just wantonly collecting unrelated data. They have
features tied to this.

I read the whole article to see if there was any mention of app-specific
config. Doesn't come up once.

~~~
0xff00ffee
Hmm... Good point. I could see how Wacom could make context sensitive control
panels based on the app, without having to ask the user, but then I still
would want control over that: what if the functionality becomes too different
between two apps and I find it annoying? This should be exposed to the user.

It makes it feel less nefarious, I guess. But I still don't want a C&C server
knowing this much about me.

~~~
moron4hire
You do have control over it. By default, every app uses the same
configuration. You proactively add configs to apps that you want to work
differently.

For me, I've used it to make the pen work like a touchpad stylus while
normally working, but map to the screen corners when working in photoshop.

------
excerionsforte
I'm fine with Wacom collecting this kind of data as long as it doesn't open
any security holes. There are certain classes of products where I would not
care what they collected as long as it was relevant to improving the product.
i.e. Wacom wants to know popular apps I use my tablet on, ok. If they wanted
to know my approx location though then I'd be alarmed.

~~~
kovacs_x
Haven't you thought that they know this already by your ip address? ;)

~~~
excerionsforte
This is very basic information. Wacom makes drawing tablets which is usually
in a static place for me.

