
Ubiquiti adds phone-home to the access point firmware - shantara
https://community.ui.com/questions/UI-official-urgent-please-answer/14259289-e4c3-4c5e-aaa0-02a5baa6cbbe
======
andreareina
This is the same Ubiquiti that does not abide by the GPL for the modified
Linux kernel they use[1][2][3]. Which is really too bad as I had been ready to
recommend their gear to a couple of businesses.

[1] [https://sfconservancy.org/blog/2019/oct/02/cambium-ubiquiti-gpl-violations/](https://sfconservancy.org/blog/2019/oct/02/cambium-ubiquiti-gpl-violations/)

[2] [https://news.ycombinator.com/item?id=9331512](https://news.ycombinator.com/item?id=9331512)

[3] [http://web.archive.org/web/20170317174847/http://libertybsd.net/ubiquiti/](http://web.archive.org/web/20170317174847/http://libertybsd.net/ubiquiti/)

~~~
dleslie
Damn, I like their gear; who's the next best?

~~~
steve19
Mikrotik is pretty nice although the GUI is not as user friendly as Ubiquiti's.

~~~
izacus
I'm sorry, but asking someone to switch from Ubiquiti to a Mikrotik is like
asking someone to go from macOS to 1990's Linux.

The user interface is beyond atrocious and even basic features you'd need in a
smaller/home setup need digging through wikis to get the arcane settings you
need to click. Basic things like NAT loopback or basic VPN setup. OpenVPN is
still neutered and broken.

What's even worse, the defaults are all wrong. There's no simple "enable
firewall" switch for basic use-cases like other equipment has. Instead you
need to manually configure firewall rules in chains like working with raw
iptables, and if you make a small misstep you'll drill a hole in your network
easily. Or make your internet horribly slow because you need to be careful
about fasttrack rules and the lack of NAT acceleration.

It's really about the most disappointing piece of hardware I bought in the
last few years and doesn't come close to the niceness of Ubiquiti's
management. Sadly it's also the only company that makes a compact router with
SFP and PoE+ to power Ubiquitis.

~~~
hackmiester
RouterOS is basically designed for network engineers. From our perspective,
NAT loopback is extremely complex and has many implications, which RouterOS
doesn't hide from you. And we typically don't run a VPN concentrator on the
same device as a router. I think it's just a matter of different practices in
different industries.

ETA:

> What's even worse - the defaults are all wrong.

There is a new-ish thing in the web UI called "QuickSet" for these use cases.

~~~
stiray
I agree. Mikrotik has great devices but they are great if you can cope with
them. Imagine getting a Cisco Catalyst and then complaining it is not as good
as Ubiquiti due to the sheer number of options. It just doesn't work that way:
there is equipment for the masses which is "good enough" and the other side
where you can tackle everything in transmission but you need to know what you
are doing.

Anyway, I wouldn't recommend Ubiquiti as a replacement for MikroTik. It is just
too complex for most home users and even technical users (on the other side I
wouldn't use Ubiquiti even if it were a giveaway).

~~~
yardie
Honest question. What is the market for Mikrotik? I've only seen them in use
at home by enthusiasts and a few SMBs trying to maximize bang for buck. Their
offerings just don't seem very enterprisy.

~~~
godzillabrennus
Having had the displeasure of managing a network for a company that installed
about 40 mikrotik switches behind a mikrotik firewall, I can safely say they
belong in a small business with max 1 or 2 at a time.

Managing more than that is crazy with the current software. Not to mention
these are some of the cheapest and lowest build quality switches you will find
with these insanely powerful features.

Unifi switches are a materially better build quality.

If you want great carrier grade look at Arista. You can even score a 10Gbit 48
port Arista switch off eBay used for about $700 last I checked.

------
esotericn
I own and operate Ubiquiti hardware.

If this doesn't go opt in, I will not be buying more and I will stop
recommending it to others.

Please don't do this. Firewalling access points, good practice or not, should
not be necessary. You're not a dodgy IP cam manufacturer.

People buy your equipment precisely because they want to trust their network
hardware.

~~~
ploxiln
I think "analytics" has become a no-brainer among product managers at all tech
companies. It seems like no company, not even GitLab, can escape the
irresistible urge by management to add analytics. Arguments against it within
the company are useless, it is just so obvious to management that this is the
way to go, it's what all big successful companies do. Only massive public
outrage can turn the accepted wisdom of analytics around, and only sometimes.

High quality products were made for many years with no analytics, just by
thoughtful design, using the product yourself, and gathering some feedback
from users manually. Even without statistically representative data from some
large target population, you can use your brain to figure out what goes wrong
and how to make a good product.

And I think lots of products today are quite annoying because of bad decisions
based on flawed analytics data. It's hard work to run a good experiment and
avoid confounding correlations and plain bugs that throw off the results, and
practically nobody today does the hard work. They just run the analytics, get
some flawed buggy numbers, interpret them without sufficient care and
thoughtfulness, and push through bad design changes. We're data-driven! We're
just not looking at the road.

~~~
9HZZRfNlpR
My theory is that they hunt like lunatics this engagement and time spent
number. My engagement increased with new Gmail because it's slow as fuck. Of
course I click around like a clown and wait, probably product manager happy
that people use their product for longer now.

~~~
distances
It's amazing how slow Google products are becoming. Firebase is my own pet
peeve: opening a single crash report takes easily 20-30 seconds. It's
unbelievable. Should be a split second for fluid workflow. Aren't they using
their own products? How is this acceptable to any engineer or manager?

I'd use _anything_ else for the slowness alone if I could decide the tools at
work myself.

~~~
crdoconnor
Are you using Firefox or Chrome?

~~~
Jamwinner
I am going to report it is slow on both, when the bs is disabled. Especially
slow on other browsers. You know there are other browsers, right? Google seems
confused and angered when I don't use one of the 2 they own. Firefox is only
around because they fund it discreetly to avoid antitrust, while it still
sends them nearly all the same tracking metrics.

~~~
distances
What do you mean by "when the bs is disabled"?

------
jlgaddis
I'm gonna go searching for it but, in the meantime, anyone know the process
for submitting a hostname to be added to any of the lists used by PiHole, et
al.?

The hostname that Ubiquiti is using -- _trace.svc.ui.com_ -- seems like
exactly the thing that should be blocked, IMO.

---

FWIW, if you're using PiHole and want to block these access points from
"phoning home", you can simply do the following:

    
    
      $ echo server=/trace.svc.ui.com/ | sudo tee /etc/dnsmasq.d/ubiquiti_access_point_phone_home.conf
      $ sudo systemctl restart pihole-FTL.service
    

This will cause dnsmasq, the underlying resolver, to return NXDOMAIN for any
such queries.

---

 _EDIT:_

Apparently the "pihole" utility has functionality built-in to blacklist
domains (via /etc/pihole/blacklist.txt). Instead of the above, you can simply
use:

    
    
      $ pihole -b trace.svc.ui.com
    

This will result in the IP address "0.0.0.0" being returned (with a TTL of two
seconds) for any manually blacklisted hostnames (the same way that PiHole
normally responds to queries for blocked domains) although, personally, I
still prefer NXDOMAIN.

~~~
kpU8efre7r
Use blacklist. I already have to blacklist some Belkin URLs that are
constantly pinged.

~~~
jlgaddis
Using the blacklist is simpler but it uses a _two second_ TTL (but it looks
like that can be changed in the 01-pihole.conf file, though).

I'd rather it return NXDOMAIN, though. That's what I had to do to block DNS-
over-HTTPS for Firefox.

~~~
gingerlime
FWIW, I just tested my Adguard Home by adding trace.svc.ui.com to the filter,
and I think it does return NXDOMAIN by default.

------
godzillabrennus
I met cmb (the lead architect of Ui.com) when he was starting up Pfsense. He’s
good people.

Don’t be afraid to tweet him your thoughts on this and a link to this thread:
[https://twitter.com/cbuechler](https://twitter.com/cbuechler)

If there is any chance in management making the right decision here then it’ll
be because good people at the company have ammo to go back to management with.

FYI - I was about to buy Qty 22 unifi access points next week and Qty 44 unifi
48 port switches. Nope on that with this change.

~~~
slovette
He’s lead on the security team, not blanket UI.com from what I know. Also met
him when he was working on the PFSense stuff and spent a few days with him and
his team in Austin TX in 2014.

I agree, great person and I still have faith in him; but he’s just 1 person on
a billion dollar enterprise team. He’s also very silo’d it seems, to what he’s
doing on the firewall (and UDM?) side.

We’re also heavy deployers of UI stuff (100+ AP’s /month and 1000’s of ports
installed).

This change concerns me, but doesn't surprise me. All the new product line is
geared for centralized propriety. The company as a whole is turning for the
worse I think. The new forums and treatment of their community is indicative
enough of this theory....

~~~
gonzo
> Also met him when he was working on the PFSense stuff and spent a few days
> with him and his team in Austin TX in 2014.

Well, now I’m curious who you are. :-)

~~~
sanguy
We know who you are, and what you did to PFSense....

~~~
godzillabrennus
[https://www.wipo.int/amc/en/domains/search/text.jsp?case=D20...](https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-1828)

------
hannasm
It's a shame to see another seemingly benevolent and forward thinking company
start betraying the customer base they have built up. This company seems to
have started a large strategic shift in the past couple years and it's
probably just a matter of time until all the hardware I've bought from them
has to be thrown out.

------
tlrobinson
I’ve been a fan of Ubiquiti but they seem to be pissing off their existing
customers a lot lately.

Off the top of my head:

1. Deprecating UniFi Video in favor of UniFi Protect which only runs on
Ubiquiti hardware (and none of the current hardware supports more than a
handful of cameras anyway?)

2. Advertising UniFi Protect on existing UniFi Video installations, which is
especially obnoxious for installers who sold their customers a complete system

3. Removing SNMP configuration from new firmware versions on certain product
lines (EdgeSwitch?)

4. Now this.

~~~
noodlesUK
The unifi protect thing is really annoying. I would totally have done an
installation already if not for a lack of ability to back up data off the NVR
device (cloud key gen2+) or self host on something with more storage. If I do
an install with more than a few cameras it’ll only have a day or two of
recording on their crappy 2.5in HDD. The software looks so good though. It’s
really irritating.

~~~
ChrisLomont
You can replace the 1TB in the cloud key with 5TB drives, which help. You can
also set the compression to get more lifetime, or change always record to only
record windows around movement.

Check the net for 5TB upgrade instructions.

------
sliken
Disturbing, easy to fix, but disturbing.

Ironically, blocking various widgets from spying on me was why I bought
Ubiquiti hardware. I was noticing regular outbound network connections from
my TV; turns out it was fingerprinting what I watched and reporting back to
the mothership. It no longer gets network access of any kind.

I was tired of playing the OpenWRT/DDWRT flavor of the week (korg) on hardware
that wasn't really well supported (netgear R7000). I hated the disposable
nature of configuring the routers and having to largely throw away that
configuration with each major upgrade. Even getting Comcast's /60 handled was
painful (a bug in dhcpd6c or similar). I also wanted to handle WIFI APs well
and not have a painful upgrade process.

I have a Ubiquiti NanoHD, EdgeRouter 6p, and a PoE EdgeSwitch 8xp. Nice GUI,
you can fall back gracefully to command line, and backup your device state in
a human readable config file you can keep in version control. Upgrades are
typically press a button in the web UI and wait a few minutes.

They handle my moderately complex home network. Comcast gives me a /60, I
split that into a /64 per 4 router ports. Lets me split the trusted stuff
(desktops and laptops I manage) from the untrusted. I can even login over ssh
to manage them with a key.

It's been very handy. If one of my PoE cameras freaks out, I can bounce it
remotely.

If various android apps have anti-social behaviors to avoid DNS based blocking
I can track them on IPv4, IPv6, and block them when they try to skip my name
servers. Took me a bit to block all IPv6/IPv4 DNS traffic to force anything on
my network to actually use my nameservers. I'm not looking forward to DNS over
TLS which despite the promises seems like will inevitably make things harder
to filter.

Anyone know of a Ubiquiti competitor that's better about handling privacy and
security and not trying to install spyware?

~~~
tjoff
Easy to fix for whom? How do you fix the trust issue?

What to do when they add this to their other products, such as routers?

~~~
sliken
It's easy to block devices from calling home. The trust issue is harder. I
think the real fix is to move to a different company until they change their
minds.

Ubiquiti does seem like a generally good company, just seems like someone
decided more feedback on failures was a good idea and added the remote
debugging... without thought on opt-in. After all I get a few similar reports
a day (x failed... report home?), but they are of course opt-in.

~~~
tomasato
If you block it, it leaks memory until it crashes the device

~~~
unwind
No, the reply from the Ui employee specifically mentions in which fw release
that bug was fixed.

~~~
arpa
That in and by itself is hair-raising! It's absolutely, obviously, crassly
obvious that Ui only concern was getting the telemetry out and everything else
(like failure modes) was an afterthought. It paints a picture the crowd here
are probably very familiar with: Upper mgmt needs this feature a month ago, go
implement it asap. No PM, no architect, no nothing, just C-level straight to a
dev...

~~~
tebruno99
Software is complex and bugs happen everywhere, the firmware wasn't even
released yet (it was an opt-in beta) when the bug occurred. I don't like this
any more than the next guy but beta is BETA for a reason, to find bugs.

------
lousken
No way to opt out? Seriously? This kind of telemetry BS where you have to set
up firewalls is really getting on my nerves, after microsoft started doing it
it seems like every company considers this behavior acceptable.

I guess hiring real testers isn't cool anymore.

~~~
jlgaddis
According to Ubiquiti:

> _There is no on/off switch but there also are no penalties for blocking
> Internet access to the device, dropping traffic to this host, and/or
> blocking it via DNS._

---

> _I guess hiring real testers isn't cool anymore._

Have you used any Ubiquiti products? I'm not sure that they ever hired "real
testers".

~~~
lousken
Yea, we use it at our company, 6 AC-LR APs managed with unifi controller 5.6.
Have been working without any issues so far.

~~~
o-__-o
Meanwhile I have two that just randomly reboot, causing hell. Great hardware
but it's so unreliable.

~~~
stephen_g
That could just be an unlucky coincidence that you have two with some kind of
hardware fault... Sounds best to just RMA them. None of our Ubiquiti stuff
does anything like that so I can’t believe that’s in any way normal.

~~~
o-__-o
2 out of 6 sounds like a QA problem

------
benjohnson
Needs to be opt in: Some of my customers would be happy to have crash logs
sent to Ubiquiti. Others that fall under HIPAA or PCI need this turned off -
otherwise I'll have to bill them to block it at the DNS level.

~~~
1over137
Do they use DNS? If they use DoH or just IPs, then that won't help you.

------
kristaps1990
Ubiquiti posted an official update on this
[https://community.ui.com/questions/Update-UniFi-Phone-
Home-P...](https://community.ui.com/questions/Update-UniFi-Phone-Home-
Performance-Data-Collection/f84a71c9-0b81-4d69-a3b3-45640aba1c8b)

------
system2
I spent countless thousands of dollars on Ubiquiti products for our clients.

Why would it be so hard to make it optional? Why? I just can't wrap my head
around it. Why are you forcing us to send our data, no matter how encrypted or
not? We purchased these for security and privacy.

Ubiquiti, pull yourself together. We will stop buying, you will lose.

------
fzil
Wow, can't really trust anyone nowadays. I feel like it's a losing battle that
privacy conscious people are fighting. It feels like every single company is
edging towards this dystopian future.

------
jchw
Sigh. I thought about trying an open source router before settling on a
Ubiquiti AP + USG. It seemed like a solid investment, into a company that was
pretty well trusted.

The lesson I’m learning is, maybe it’s worth it to pay more to get less
sometimes.

~~~
Nextgrid
Any chance you can return it under warranty? You could claim the product is
now defective as it’s spying on you.

If anything, it’ll waste their time a little bit and if enough people do this
they’ll reconsider this decision.

~~~
jchw
I've had it for long enough that I am not sure.

I think my best bet would be to install OpenWRT on the AP and sell + replace
the USG. Not sure with what. It'd be kind of cool if I could have a router
running NixOS so I could keep the configuration declarative, but pfSense is
the obvious preferred choice in the community, so maybe I will just get a
device designed to run pfSense.

I dunno if messing with tech support will really "send a message," so I will
just send feedback through the regular channels. Chances are, it will get
ignored. Chances are pretty much anyone that isn't a huge customer doesn't
matter.

------
_iyig
Disappointing; I just wired my home with Ubiquiti equipment, and now it looks
like I may have to tear it all out.

Has anyone recently set up a custom home router, switch, and/or WiFi AP? Any
tutorials or examples you could recommend?

~~~
nothingnewhere
MikroTik - learn it and you will not regret it. Buy hAP AC2 devices - powerful
yet cheap, lifelong free OS upgrades, they offer much more than UBNT devices.

~~~
eps
I've been on the receiving end of troubleshooting MikroTik-centric bugs and they
really make you go Hmmm. Not because they are bad, but because they are of
a kind that you'd see in code hacked together over a weekend while
chugging down some beers. An amateur job basically with a glaring lack of
quality control.

I wouldn't touch MikroTiks with a long pole.

------
hameedullah
I use Ubiquiti and had recommended them just last week to somebody, but I am
going to switch to another vendor who is more open about these things.

The fact that they sneaked the call home in without any opt-in is bad and
fishy, and even after it was raised by the community they are not willing to
provide opt-in. They want the users to disable the access to the host name and
blah blah, which is not feasible for most home users.

~~~
sgarman
Who else is there?

------
muppetman
EDIT: I'm wrong - 4.0.66 has been promoted to stable. The rest of this post,
while sort of still valid, is incorrect.

This is in a BETA version of the firmware. BETA. You have to sign up to get
access to the BETA area. So yes, while integrating tracking etc isn't a great
idea, it might also help debug crashes/problems in the BETA firmware people
are running.

Now, if this rolls out to the stable channel, then sure, pass me a pitchfork
too. But until then, you've got to opt-in to test the BETA software, and you
know what you're signing up for - BETA quality software.

I'm almost surprised Ubiquiti give regular folk access to the beta software,
because the users treat it like production, roll it out into production, then
complain.

~~~
tbyehl
Grab your pitchfork, it's in Stable.

[https://community.ui.com/releases/UAP-USW-
Firmware-4-0-66-10...](https://community.ui.com/releases/UAP-USW-
Firmware-4-0-66-10832/56545db5-5e7b-4dad-b823-ea299aebc4f6)

~~~
muppetman
Thanks - I didn't realise 4.0.66 had been promoted. I've updated my original
post!

------
purpleidea
Their "protect" camera line doesn't work properly unless it can connect to the
internet.

Now this...

What company's hardware should I buy instead for Linux friendly AP's and
cameras?

~~~
rsync
Sounds just like Sonos.

Slowly, over 10+ years, trending towards removing control and usability and
funneling their use-case to an online-only, subscription based, neurotic
consumption model.

Ironically, I was _just in the process_ of migrating my home, my office and my
local volunteer fire department to an all-ubiquiti network+camera platform ...

God dammit.

------
8fingerlouie
Updated response from Ubiquiti

[https://community.ui.com/questions/Update-UniFi-Phone-
Home-P...](https://community.ui.com/questions/Update-UniFi-Phone-Home-
Performance-Data-Collection/f84a71c9-0b81-4d69-a3b3-45640aba1c8b)

------
jlgaddis
Don't bother reading through the responses -- it's mostly others arguing about
what GDPR is or isn't. Ubiquiti's official response [0] is near the bottom of
the thread:

> _We have started to gather crashes and other critical events strictly for
> the purpose of improving our products. Any data collected is completely
> anonymized, GDPR compliant, transmitted using end-to-end encryption and
> encrypted at rest. There is no on/off switch but there also are no
> penalties for blocking Internet access to the device, dropping traffic to
> this host, and/or blocking it via DNS._

> _..._

> _The memory leak that you reference above was a bug specific to release
> 4.0.60 which was fixed as of 4.0.61._

[0]: [https://community.ui.com/questions/UI-official-urgent-
please...](https://community.ui.com/questions/UI-official-urgent-please-
answer/14259289-e4c3-4c5e-aaa0-02a5baa6cbbe#answer/2329912d-667c-4a38-bce4-687025616931)

~~~
mokus
Is it even possible for this to be GDPR-compliant without even a way to opt
out? I’m not very well-read in the subject, but I thought stuff like this had
to be _opt-in_ under GDPR?

~~~
0xcde4c3db
As far as I know, GDPR only applies to data that somehow relates to a person.
If telemetry e.g. only sent build number + backtrace for crashes and the IP
address wasn't logged, it seems like that would be allowed under GDPR.

~~~
dvdkhlng
How does it send back data without revealing the source IP address? :)

~~~
0xcde4c3db
I don't think GDPR attaches to every piece of data that one could
hypothetically observe.

~~~
chopin
It attaches to data you _actually_ observe. I am sure the IP address is part
of that. Enough to make the thing GDPR relevant.

If someone complains they're going to have a bad time.

------
mokus
Ok, I’m trying to set up a block for this within the unifi interface itself.
Looks like the best option is a firewall rule dropping all “wan out” traffic
originating from my access point. Am I missing a better option?

~~~
vetinari
I would prefer returning NXDOMAIN for that host; with blocked IPs, once ubnt
changes their dns, your rules will be obsolete.

On the other hand, I never understood how to configure dnsmasq on the USG in a
permanent way (not only blocking hosts, but also static SRV and TXT records).
It is supposed to be done via gateway.config.js, but finding the right JSON
keywords is the issue. Is there someone who can drop some hints?

~~~
mokus
That’s why I’m blocking ALL destinations. I don’t think any valid packets out
of my network need to have my AP itself as source addr.
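An added example, not code from the thread or from Ubiquiti, that ties together jlgaddis's Pi-hole post above and the firewall-rule discussion here: a Python script that reads dnsmasq/Pi-hole style resolver log lines and iptables-style gateway egress log lines (both constructed samples) and reports, per client, whether the query for trace.svc.ui.com came back NXDOMAIN, 0.0.0.0, or was forwarded upstream (so the block did not apply), and which outbound flows from the access points a DNS block could not have stopped at all: a destination the local resolver never handed to that host (hard-coded IP or DoH to a literal address, 1over137's point) or DNS/DoT sent to a foreign server. The log line shapes, in particular how a Pi-hole blacklist answer is labelled, the addresses, and the bypass port list are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Resolver log in dnsmasq/Pi-hole style. Constructed sample; the exact line
# shapes (especially how a local sinkhole answer is labelled) are assumptions.
DNS_LOG = """\
Nov  5 10:00:01 dnsmasq[1234]: query[A] trace.svc.ui.com from 192.168.1.20
Nov  5 10:00:01 dnsmasq[1234]: config trace.svc.ui.com is NXDOMAIN
Nov  5 10:00:02 dnsmasq[1234]: query[A] trace.svc.ui.com from 192.168.1.21
Nov  5 10:00:02 dnsmasq[1234]: /etc/pihole/black.list trace.svc.ui.com is 0.0.0.0
Nov  5 10:00:03 dnsmasq[1234]: query[A] trace.svc.ui.com from 192.168.1.22
Nov  5 10:00:03 dnsmasq[1234]: forwarded trace.svc.ui.com to 1.1.1.1
Nov  5 10:00:03 dnsmasq[1234]: reply trace.svc.ui.com is 203.0.113.10
Nov  5 10:00:04 dnsmasq[1234]: query[A] example.org from 192.168.1.20
Nov  5 10:00:04 dnsmasq[1234]: reply example.org is 198.51.100.7
"""
# Gateway egress log in iptables LOG style (constructed sample).
FW_LOG = """\
Nov  5 10:00:05 gw kernel: [WAN_OUT] IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=443
Nov  5 10:00:06 gw kernel: [WAN_OUT] IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=443
Nov  5 10:00:07 gw kernel: [WAN_OUT] IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=203.0.113.10 PROTO=TCP SPT=40003 DPT=443
Nov  5 10:00:08 gw kernel: [WAN_OUT] IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=8.8.8.8 PROTO=TCP SPT=40004 DPT=853
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")
# Locally produced answers: "config NAME is NXDOMAIN" (a server=/name/ entry)
# or a hosts-style sinkhole "/path/to/list NAME is 0.0.0.0" (blacklist entry).
LOCAL_RE = re.compile(r": (?:config|/\S+) (\S+) is (\S+)")
REPLY_RE = re.compile(r": reply (\S+) is (\S+)")
FLOW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) .*DPT=(\d+)")
# DNS (53) or DNS-over-TLS (853) leaving the LAN means the host is not
# talking to the resolver that holds the block at all.
RESOLVER_BYPASS_PORTS = {53, 853}

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_dns_log(text):
    """Return (verdicts, answers): verdicts maps (client, name) to "NXDOMAIN",
    "0.0.0.0" or "resolved"; answers maps client to the IPs it was handed.
    dnsmasq logs the query (with client) and then the answer lines (without
    it), so an answer is attributed to the last query seen for that name."""
    last_client, verdicts, answers = {}, {}, defaultdict(set)
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            name, client = m.groups()
            last_client[name] = client
            continue
        m = LOCAL_RE.search(line)
        if m:
            name, value = m.groups()
            if name in last_client:
                verdicts[(last_client[name], name)] = value
            continue
        m = REPLY_RE.search(line)
        if m:
            name, value = m.groups()
            if name in last_client and _is_ip(value):
                # a real upstream answer: the block did not apply to this query
                verdicts[(last_client[name], name)] = "resolved"
                answers[last_client[name]].add(value)
    return verdicts, answers

def block_status(dns_text, host):
    """Per client, how the local resolver answered its queries for `host`."""
    verdicts, _ = parse_dns_log(dns_text)
    return {client: v for (client, name), v in verdicts.items() if name == host}

def parse_fw_log(text):
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            src, dst, proto, dport = m.groups()
            flows.append((src, dst, proto, int(dport)))
    return flows

def unexplained_flows(dns_text, fw_text, watched):
    """Outbound flows from `watched` hosts that a DNS sinkhole cannot stop:
    the destination was never handed to that host by the local resolver
    (hard-coded IP, DoH to a literal address, stale cache), or the flow is
    itself DNS/DoT to a foreign server."""
    _, answers = parse_dns_log(dns_text)
    flagged = []
    for src, dst, proto, dport in parse_fw_log(fw_text):
        if src not in watched:
            continue
        if dport in RESOLVER_BYPASS_PORTS:
            flagged.append((src, dst, dport, "resolver bypass"))
        elif dst not in answers[src]:
            flagged.append((src, dst, dport, "destination not from local DNS"))
    return flagged
```

Run `block_status` over /var/log/pihole.log to confirm every AP's query is answered locally (any "resolved" entry means the sinkhole entry is not in effect for that client), and `unexplained_flows` over the gateway's WAN-out log with the AP addresses as `watched`: anything it flags is traffic the source-address firewall rule would catch and the DNS entry would not.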

------
shantara
There's a one line mention of "[HW] Crash and critical event reporting" in the
changelog:

[https://community.ui.com/releases/UAP-USW-
Firmware-4-0-66-10...](https://community.ui.com/releases/UAP-USW-
Firmware-4-0-66-10832/56545db5-5e7b-4dad-b823-ea299aebc4f6)

~~~
jlgaddis
All of Ubiquiti's changelogs consist exclusively of short one-liners such as
this -- and pretty much useless.

It's like they just copy and paste the 50-character commit messages or
something.

~~~
mhluongo
I hope their commit messages are better than that >:|

~~~
artificialLimbs
I'd be surprised. Here's an actual quote from one of their changelogs: "Do not
choose the skip option when running the Migrate Site wizard. If you do your
devices may end up in a weird state."

------
dillonmckay
I ordered an EdgeRouter that is supposed to be delivered this week.

I intend to return it and use a pfSense 'official' hardware device.

~~~
Daneel_
+1 for pfsense (or OPNSense if you want a better management team)

------
noodlesUK
Stop this madness. This is networking equipment aimed at a highly technically
proficient base of users. Much like gitlab, this hardware is often going to be
used by people in more security and privacy conscious environments. This kind
of phoning home is absolutely fine _if_ the user is informed and the data that
is being sent is clearly explained, _and_ there’s an easy opt out.

I bought unifi equipment because I was fed up of typical consumer equipment
(and meraki) requiring subscriptions and phoning home all the time. WRT the
GDPR stuff, I’m pretty sure a network admin can’t consent on behalf of all the
users of the network...

------
Gonzih
It amazes me that in some cases brand love can overpower common sense. When the
OP, concerned about privacy and security, is told by loyal brand users to
"give it up". I wonder if companies realize the power of blind brand loyalty
and utilize this to their own advantage.

------
Fej
What are good alternatives to Ubiquiti for (fairly) inexpensive and high-
performance APs?

They are cheap enough to be viable for home use. Does any other company make
business-grade APs at that rough price point?

------
kuon
I use Ubiquiti hardware in my house, and I was already concerned by the
quality of their UI; it filled the disk once with mongodb logs (5TBi!) and
crashed my home server. Now it is running in a chroot with limited disk access
but that was a pain to set up.

Anyway, I am looking into alternative but I can't find anything yet. I only
need WiFi AP that can work together for roaming. I would love open source, and
would pay premium to support an open source solution.

------
sqldba
Wow the responses in that thread are toxic as hell.

~~~
caseyf7
Ubiquiti owners are not happy after the app outage on Halloween that wasn’t
disclosed on their status site. They’re also not happy Ubiquiti apps require
logging in through their cloud service vs directly to the device.

~~~
tjoff
They changed so you can't login locally?

I still do. But I haven't updated the app in a while since they changed the
EULA.

~~~
Macha
I recently set up a new controller + USG + unifi switch and reset my AP-AC .
It's definitely still optional as of last week.

------
surfsvammel
I am not sure how to evaluate this. I'm about to buy quite a lot of UI
hardware in January. If this is it, and they implement an opt-in/opt-out
feature, I'll definitely see it as positive (that they listened to the
community); if not, I don't know what to think.

The question of hardware for my January setup, which I thought settled, just
got reopened again.

------
tlrobinson
I love the UniFi "single pane of glass" management interface. Are there any
similar open source systems that work via SNMP or something?

It seems like possibly a good opportunity for low end network hardware
companies such as Netgear or TP-Link to collaborate with an open source
project like pfSense.

------
awinter-py
phone home without permission is always sleazy. smart states will make it
grounds for a refund.

------
gaius_baltar
Did somebody sniff what kind of request they use to send the data to the
mothership?

I have one of their devices here, I will be pretty glad to use some spare
network capacity to send them a few thousand fake crash reports per hour.
That's what they want, right?

~~~
arpa
They claim to use end-to-end encryption. If it's implemented properly, none of
us can.

And while I understand your frustration and anger, DoSing someone is usually a
bad idea.

~~~
sneak
A few thousand per hour is decidedly not a DoS.

------
rsync
When I load the index for their forum:

[https://community.ui.com/questions](https://community.ui.com/questions)

... this thread is not listed ... are they really hiding these comment threads
?

~~~
tastroder
No, according to this

[https://community.ui.com/questions/Thread-archives-for-
priva...](https://community.ui.com/questions/Thread-archives-for-privacy-
violation-telemetry-need-IPs-and-DNS-names-of-telemetry-targets-from-
pr/4bfa3da3-de11-4bcd-95b7-12de4f3980d4)

it's just in a separate beta version of their community forum that's not
publicly accessible yet.

------
samiamn
Is it possible to send fake telemetry data back? That's the best way to combat
these issues. Imagine an app that sends fake telemetry back to all these
services making their data bunk.

------
ausjke
Worked at Ubiquiti before. The first thing I was told is that, "customer
first", "customer first".

I never realized customer-first means violating the GPL and call-home.

OpenWrt or VyOS are good alternatives, however both got minimal community
support (sharing code or donation), especially OpenWrt, which is used by big
vendors like TP-Link or Xiaomi, but they have neither contributed any code nor
sponsored/donated anything to the projects they're making huge money on;
they're just bad-ass parasites.

------
arminiusreturns
So I've been interested in whitebox networking and sdn (linux on
switches/routers) what is the equivalent closest to Ubiquiti for APs that runs
linux?

~~~
tlrobinson
I’m wondering the same thing. It seems like a good opportunity for APs and
switches to integrate nicely with something like pfSense or OPNSense.

------
Thriptic
Can anyone provide a synopsis of what data is actually submitted and what
exact states trigger the submission?

~~~
jlgaddis
> _...crashes and other critical events..._

I would not be surprised _AT ALL_ to find that they aren't doing certificate
validation, however... in which case it'd be trivial to MITM the connection
and find out just what they're sending.

~~~
arpa
That is a scenario that actually is good - because then at least you can know
what goes out to the mothership. Otherwise, well, who knows. Maybe it's crash
reports, maybe it's the names of your fetishes.

------
Bud
The link to the original thread seems to have been 404'd now. Did UI
erase/hide it?

------
dbdjfjrjvebd
Well I won't buy or recommend any more Ubiquiti hardware.

I wonder if companies really understand how much stupid decisions like this
taint their brand.

------
gonzo
new statement from Ubiquiti stating they'll add an opt-out button in a future
release. [https://community.ui.com/questions/Update-UniFi-Phone-
Home-P...](https://community.ui.com/questions/Update-UniFi-Phone-Home-
Performance-Data-Collection/f84a71c9-0b81-4d69-a3b3-45640aba1c8b)

------
kanetoad
About turn! Was just about to freshen up a site using Ubiquiti, forget that!

------
bayindirh
Looks like 2019 will be the year of tracking and surveillance in every front.

------
Jonnax
Not much details on the forum thread.

Has anyone extracted the data they send?

Also I was under the impression that GDPR says that IPs are personal data.

I can't imagine crash data from a router wouldn't include that.

Also it seems like they didn't inform users, but secretly put this in an
update.

------
mychael
I have lost all trust in Ubiquiti at this point.

------
sschueller
Doesn't this violate the GDPR? How are they going to opt-in Europe and not
everyone else?

------
mtgx
Very disappointing. I was considering buying one of their routers next. Not
anymore. This is unacceptable for a router.

------
ownbusiness
Such an amazing, just exciting to next one!

------
8fingerlouie
While I’m opposed to companies trying to extract “telemetry” data like they
own it, I think most responses in this thread are overreacting.

The equipment phones home, but realistically what can it transmit? Things
like number of devices connected, IP scope, network neighbors, public IP, MAC
addresses, and of course the traffic itself.

I think it’s safe to assume that it’s not sending the traffic, as we’d have
noticed on the firewall egress.

Public IP and MAC addresses are bad, and probably conflicting with the GDPR as
these can be used to identify you, especially if coupled with your account. As
UBNT states in the comments, they claim to be GDPR compliant, with data
anonymized, so we can assume they’re not gathering these as well.

That leaves device statistics, such as clients connected, memory/cpu used,
private IP ranges. Are those really that bad?

UBNT also states there is no penalty for blocking these devices from
contacting the internet, and while I would prefer an opt-in solution, it’s no
worse than when Microsoft invented “opt out by renaming your WiFi or we share
your password with friends of friends”.

~~~
wutanc
Given that they've commented on the fact that all traffic is end-to-end
encrypted, you'd not notice them sending things you don't want to be sent.

Maybe they're sending a list of all sites you visit? How about them sending
any login information that you add on sites that for whatever reason aren't
doing TLS?

One important point here is that they "claim" to be GDPR compliant but are
already somewhat breaking GDPR. All data is encrypted on the APs so we can't
really know what is sent. This is a complete buy-in in trust from us, the
customers. We're supposed to trust them that they're not sending anything they
shouldn't, even though they chose not to tell us at all about them
implementing this.

It's horribly sketchy at best, if not illegal.

~~~
8fingerlouie
I would certainly have preferred to be informed beforehand, as well as opting
in, and the whole "oh by the way, we do this now, and we only tell you because
someone discovered it" approach is extremely sketchy.

That is of course assuming that the GDPR is being honoured, and that's a
pretty big if. Most European companies are still struggling to be compliant,
as _EVERYTHING_ that can identify you as an individual is to be handled. It
also includes backups, and also when the authorities require you to store
data for 5-15 years, but also allows the right to be forgotten.

I know we've had our fun devising a scheme to delete records from archived
backups.

The only way to check is to request your personal data from UBNT. The GDPR
allows this free of charge, and they're obligated to hand over all personal
information they have on you.

In any case, I already block all internet access for networking equipment, and
based on this I added trace.svc.ui.com to PFBlockerNG, just to make it resolve
to something local.

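As an added example that is not from the thread or from Ubiquiti: after overriding trace.svc.ui.com the way the comment above describes, a defender would want to confirm the override resolves to an address that never leaves the site, and see which devices are still looking the name up. This Python sketch does both over constructed unbound-style query log lines; the client addresses and the 10.0.0.1 override address are assumptions.

```python
"""Added example (not from the thread): check whether the AP telemetry
host has been sinkholed and spot devices still trying to reach it."""
import ipaddress
import re

# Hostname named in the thread; the override address below is assumed.
TELEMETRY_HOST = "trace.svc.ui.com"

# Constructed unbound-style query log lines (pfSense writes similar
# records when query logging is on); client addresses are made up.
SAMPLE_QUERY_LOG = """\
[1567000001] unbound[1234:0] info: 192.168.10.21 trace.svc.ui.com. A IN
[1567000002] unbound[1234:0] info: 192.168.10.50 example.org. A IN
[1567000003] unbound[1234:0] info: 192.168.10.22 trace.svc.ui.com. AAAA IN
[1567000004] unbound[1234:0] info: 192.168.10.21 trace.svc.ui.com. A IN
"""

# client, queried name (without trailing dot), record type
QUERY_RE = re.compile(r"info: (\S+) (\S+)\. (\S+) IN")


def clients_querying(log_text, host=TELEMETRY_HOST):
    """Return {client_ip: query_count} for clients resolving `host`."""
    counts = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group(2).lower() == host:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def is_sinkholed(answer_ip):
    """True if the address the override resolves the host to stays
    on-site: private (RFC 1918), loopback or unspecified, never routed
    to the internet."""
    ip = ipaddress.ip_address(answer_ip)
    return ip.is_private or ip.is_loopback or ip.is_unspecified


if __name__ == "__main__":
    for client, n in clients_querying(SAMPLE_QUERY_LOG).items():
        print(f"{client} looked up {TELEMETRY_HOST} {n} time(s)")
    # 10.0.0.1 is an assumed local override target
    print("override 10.0.0.1 sinkholed:", is_sinkholed("10.0.0.1"))
```

Devices that keep querying the name after the override are the ones whose firmware still wants to phone home; a firewall rule egress-blocking them, as the comment suggests, closes the gap if the override is ever bypassed.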
~~~
wutanc
Yeah, all this screams sketchy sadly.

I know first hand how hard it is to get GDPR right, I've been extensively
involved in updating systems to comply. It's a lot of hard work and talking
back and forth with lawyers to make sure we don't do anything stupid.

------
mgraczyk
As a developer who has relied on crash reports countless times in the past for
fixing bugs and improving products, I applaud Ubiquiti for taking a principled
stance and choosing what is best for most of their users.

I wish more companies would stand their ground and refuse to cave to a vocal,
but demonstrably toxic minority.

~~~
TimTheTinker
Whatever happened to _serving_ customers being the top priority? That’s how
you make money - by selling something that serves people’s needs and wants.

In this case, Ubiquiti’s actions are particularly irksome because they’re
changing a product _after_ its sale to do something that would have caused
many customers to avoid purchasing it in the first place if it had shipped
that way — and without giving customers an easy way to turn it off.

~~~
mgraczyk
Curious to hear how this change could harm any customer. Judging by the
vitriol and strong language in this thread, there must be some grievous harm
telemetry causes that I am not aware of.

~~~
noodlesUK
What is a “crash report”? Is it just a log saying that the machine crashed? Is
it a core dump? Is there PII in the logs? Does it expose information that is
protected by law? It’s not the fact that there’s telemetry, it’s that it
wasn’t communicated well so people can mitigate risks. This shows that there
isn’t a culture of paying attention to this sort of thing over business
intelligence.

~~~
Silhouette
_It’s not the fact that there’s telemetry, it’s that it wasn’t communicated
well so people can mitigate risks._

I respectfully disagree. It _is_ also the fact that there's telemetry. It is
not OK for me to punch you in the face just because I tell you I'm going to do
it first. You shouldn't have to mitigate that risk. The risk wouldn't exist if
I weren't punching you in the face.

