Wouldn't at this point a copyright holder (e.g. anyone who contributed to the kernel) + a donation campaign for legal costs be able to force them to either fix it within 30 days, or (once the legal process is over) to indefinitely maintain a patched version of the kernel removing that copyright holder's code?
D-Link comes to mind as a similar situation where GPL prevailed. Perhaps in this case nobody cares enough; either way, that doesn't mean GPL is useless and nobody should care about it.
The Linux Foundation has been notoriously anti-litigation; their corporate masters do not want any litigation at all, and more or less treat Linux as if it was BSD licensed instead of GPL.
Edit: Also, Turris MOX or Turris Omnia might be an alternative.
The APU works fine but after upgrading to a gigabit connection I’m a bit disappointed. It won’t saturate the connection on a single thread. (Yes, over Ethernet.) Maybe 400 Mbps max. Apparently it has something to do with pfSense not multithreading connections and the single cores of the CPU not being fast enough on their own. I can run 1 Gbps over multiple connections though, so I suppose it mostly fulfills its purpose. I also want a WireGuard server but I might end up just deploying that in a VM. pfSense doesn’t currently have that option.
When I learned of these limitations I gave some consideration to the Ubiquiti USG but found it isn’t exactly super beefy either and requires turning features off to get 1 Gbps. I’m debating building something similar to the ArsTechnica guide.
Overall, I’ve been satisfied with my setup and in particular the UAPs. I’ve deployed multiple UAPs and Edgerouter X’s at friends and family’s houses and have had essentially 0 support requests. The stuff just works and performs. I just had a party last night and even with 20+ clients, streaming music and YouTube TV for football, I had zero complaints or hiccups. All on a single UAP. I haven’t used any recent consumer gear but I know the consumer gear I used to buy would have definitely been choking on that kind of load.
I’m pretty disappointed to see this turn in events with UBNT. I’ve kinda seen it coming for awhile now since they’ve been moving towards these cloud services but I was really hoping they would resist the lures of Surveillance Capitalism.
Edit: I noticed those thanks to a link on the PCEngines site, which is also quite amazing, knowing for a fact that TekLager and PCEngines are direct competitors.
The user interface is beyond atrocious and even basic features you'd need in a smaller/home setup need digging through wikis to get the arcane settings you need to click. Basic things like NAT loopback or basic VPN setup. OpenVPN is still neutered and broken.
What's even worse - the defaults are all wrong. There's no simple "enable firewall" switch for basic use-cases like other equipment has. Instead you need to manually configure firewall rules in chains like working with raw iptables, and if you make a small misstep, you'll drill a hole in your network easily. Or make your internet horribly slow because you need to be careful about fasttrack rules and the lack of NAT acceleration.
It's really about the most disappointing piece of hardware I bought in the last few years and doesn't come close to the niceness of Ubiquiti's management. Sadly it's also the only company that makes a compact router with SFP and PoE+ to power Ubiquitis.
Yes, you can set up simple things with Unifi in a simple way, but the more advanced ones are a tragedy: you must also google around, dig through wikis and forums for arcane incantations of the right JSON keys, so you can deploy your config in JSON; there are not even arcane settings to click.
However, the biggest and most major difference between the two lines of products is the requirement of the Controller to run the Unifi line of devices. For that simple fact I would pin the Unifi line as more 'advanced'.
They might share CLI, but that does not mean that your changes persist on USG. You can rely only on whatever you configured in GUI and half-rely on gateway.config.json; for example, they both have dnsmasq and I'm still figuring out how to configure it, so the changes persist. It would be otherwise trivial on edgemax or other pure dnsmasq-using system, like openwrt.
> What's even worse - the defaults are all wrong.
There is a new-ish thing in the web UI called "QuickSet" for these use cases.
Anyway, I wouldn't recommend Ubiquiti as a replacement for MikroTik. It is just too complex for most home users and even technical users (on the other side I wouldn't use Ubiquiti even if it was a giveaway).
Managing more than that is crazy with the current software. Not to mention these are some of the cheapest and lowest build quality switches you will find with these insanely powerful features.
Unifi switches are a materially better build quality.
If you want great carrier grade look at Arista. You can even score a 10Gbit 48 port Arista switch off eBay used for about $700 last I checked.
But unfortunately I constantly see those admins recommend them for prosumer, unmanaged small business and home use-cases. In those cases they're horrible to manage and lack features users expect.
>horrible to manage and lack features users expect
Users expect WebUIs, and WebFig is horrible to manage.
MikroTik may well be better for you (I used it for 5km PTP links, but that's because it's cheap, if I had the budget I would've gotten LiteBeam or AirGrid), but that doesn't imply it's a suitable replacement for everyone. And it is most certainly not a suitable replacement of airOS for most people who use airOS.
I run my VPN server on a different device, I can understand why you might want to run it in your router, but again this isn’t plug and play trivial networking gear and most administrators will be doing the same as me.
There are many companies selling what you want.
Which administrators? In what environments? Remember, the thread started with someone telling us that Mikrotik is a good replacement for Ubiquiti use-cases. Whose EdgeRouters and USGs have easily configurable VPNs with good defaults.
I'd also love to hear about any alternative products which support SFP for WAN and 802.3at PoE with the same ease of setup and use as Ubiquiti. Or even a SOHO ASUS router.
All kit has security issues but the important thing is how open the manufacturer is about the issues and how quickly they fix them, and Mikrotik have always been very good in this area, regularly releasing updates.
Also, as all their devices run the same software, even devices that are years old will still be updated.
I often see people saying “Mikrotik is insecure” but this seems to be based solely on the fact that there are published security issues which they have patched. In my opinion that is the opposite of insecure.
Agree on the user friendliness though - I use them at home for personal stuff, but for work it is Unifi.
I wouldn’t disagree that management ports should probably be locked down out of the box but I would expect anyone reading this to apply some basic lockdown when setting up any device.
I just want to offer a counterpoint to an assertion that I often see here claiming they are insecure which I don’t think is justified.
Certainly if you are not into networking and want something that just works then Unifi is great, but if you want something with bucketloads more functionality and don’t mind getting your hands dirty then don’t be put off Mikrotik due to security concerns.
Only if you have exposed management port to the internet, which you should never do.
The Web UI seems to be a perfect equivalent if you want a GUI to manage your one box at home, and SSH should do the trick for automation. Is there any reason to use their proprietary (Windows-only) software to configure the router?
No no... It's way worse than that.
Linux / OpenBSD with open source wifi drivers, if that is even a thing. Snatch some Atheros or Realtek chips before they disappear.
Anyway, one of the GGP's (great grandparent's) links indicates the Software Freedom Conservancy did open a lawsuit just last month. https://sfconservancy.org/blog/2019/oct/02/cambium-ubiquiti-...
that's a letter, not a lawsuit. not yet, anyway.
If this doesn't go opt in, I will not be buying more and I will stop recommending it to others.
Please don't do this. Firewalling access points, good practice or not, should not be necessary. You're not a dodgy IP cam manufacturer.
People buy your equipment precisely because they want to trust their network hardware.
High quality products were made for many years with no analytics, just by thoughtful design, using the product yourself, and gathering some feedback from users manually. Even without statistically representative data from some large target population, you can use your brain to figure out what goes wrong and how to make a good product.
And I think lots of products today are quite annoying because of bad decisions based on flawed analytics data. It's hard work to run a good experiment and avoid confounding correlations and plain bugs that throw off the results, and practically nobody today does the hard work. They just run the analytics, get some flawed buggy numbers, interpret them without sufficient care and thoughtfulness, and push through bad design changes. We're data-driven! We're just not looking at the road.
I'd use anything else for the slowness alone if I could decide the tools at work myself.
The best part is that 10 years ago I used to have an absolute piece of dog shit WinCE phone that failed to even keep up with my typing speed in its stock SMS app. Google Maps worked perfectly on that device.
And it is even worse in firefox than in chrome.
It takes 30s to 1 min to load(!).
It has cached the last view, which loads fast... then it goes unresponsive for bloody 30s to 1 min anyway.
3 different machines were used to test this - i5 6th gen laptop, i7 7th gen PC, i7 3rd gen PC - all of them with plenty of RAM (at least 16 GB).
So they're driving down the time it takes to do what they magically infer I'm trying to do. Is this why whenever I try to organize my gmail box I give up 10 minutes in because the UI is slow and bullshit? Because it's good for metrics that I can't make my gmail account anywhere near as useful as my work email?
Most certainly you could misuse the statistics for blind number worshipping, and I’m sure there are many anecdotes of that kind of behaviour. But I’m also quite certain that successful organizations can use these to improve their products in meaningful ways. I suspect any gmail product manager who tried to slow down their product (or resisted fixes) to improve meaningless time spent metrics would be crucified.
The freedom and transparency we got from PCs where you can always know what is going on, with some caveats, is missing from all other platforms. And it's really worrying.
But I agree, it's a serious problem. The abuse has become so widespread that I am now in favour of heavyweight statutory regulation and severe penalties for violations. I don't see any other way we come back from this situation now. Competition in the market has utterly failed.
On phones, things have gotten much worse. Although you can flash a relatively open ROM in case of Android, good luck controlling what the baseband does behind the scenes.
And if we talk about cars and other devices like smart watches, there's often zero openness.
I actually have a lot of sympathy with that one, because radio transmission is one of those areas where one idiot who thinks he's clever and should have total control of his device can literally disrupt entire networks for everyone else over a wide area, with the obvious serious consequences. Modern wireless communications systems rely much more than most people realise on conventions and standards and everything playing nice, so regulating such that only licensed practitioners are authorised to make parts that transmit within prescribed specifications is not an absurd idea.
Of course, that doesn't mean a closed part of the system like radio control should have any access to any other part of the system. It ought to be essentially a firewalled client of the more open parts of the system. And if it's going to be regulated and controlled then the people licensed to develop those components should be required to have them only perform the defined function according to standardised specs, without anything else piggybacking on top.
Right now we don't know whether for example it's even powered when your phone is on airplane mode and collecting data.
I'll just leave this here.
I agree with this, and it seems to create a self-fulfilling prophecy.
I believe this to be responsible for the decline in Apple’s various device OSs.
On a browser, it's drive-by, and your ability to track users is gone once they leave your site, especially with vendors like Mozilla and Apple implementing third-party cookie blockers by default and the ubiquity of adblock.
On a phone, if you install something, you'll probably leave it for at least a few days, and if you watch logcat, you'll notice that many of these apps are anything but patiently waiting for the user to decide to open it up again.
There is a way to hijack the back button, I have no idea if it has been fixed; there are also tracking cookies so they can track you cross-site anyway.
I bet they'd say they would have.
Source: I am basically the person you are talking about, in one of my current roles.
It is now, it seems.
Having seen what kinds of data crash reports in other domains include (the richer the call chain trace, the better) I expect this to be a subtle security problem. In regulated or otherwise highish-security networks one can expect to see user authentication when accessing wifi (EAP).
Simple scenario: AP crashes during client auth stage. A full crash trace may easily contain the credentials used for EAP, and if those are sent to mothership, your access point has just leaked out the necessary information to successfully access your secure network. Worse, when EAP is used, the login is likely bound to domain credentials, which are practically guaranteed to allow access to all sorts of internal services.
To state the obvious: best practice with crash traces is to filter out or mask high-value KV pairs. But then again, best practices also disallow leaking credentials in the first place.
For my part, I will now consider Unifi APs as rogue devices.
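The EAP-credential scenario described in this comment, as an added example that is not code from the thread or from Ubiquiti: a redaction pass over crash-report key/value pairs that blanks credential values and pseudonymises account identities with a keyed hash, plus a pre-upload check for leftover secrets. The log format, key names, pepper and sample trace are all constructed assumptions.

```python
"""Redact credential-bearing key/value pairs from an AP crash trace.

Constructed example: the log format, key names and sample lines are
assumptions, not real Ubiquiti crash output.
"""
import hashlib
import re

# Values of these keys must never leave the device (assumed list; extend per site).
SECRET_KEYS = {"password", "passwd", "psk", "passphrase", "secret", "token",
               "nt_hash", "mschapv2_response", "pmk", "ptk", "gtk"}
# Keys naming a person or account: pseudonymised so reports still correlate per user.
IDENTITY_KEYS = {"identity", "username", "user", "outer_identity"}

# Demo-only pepper for the keyed hash; a deployment would load it from a secret store.
DEMO_PEPPER = b"constructed-demo-pepper"

# key=value or key="quoted value"; keys may contain dots, dashes and underscores.
KV_RE = re.compile(r'(?P<key>[A-Za-z0-9_.-]+)=(?P<val>"[^"]*"|\S+)')


def _matches(key, names):
    """True if key equals a sensitive name or ends in _<name> / .<name> (e.g. wpa_psk)."""
    k = key.lower()
    return any(k == n or k.endswith("_" + n) or k.endswith("." + n) for n in names)


def pseudonym(value, pepper=DEMO_PEPPER):
    """Keyed, truncated BLAKE2b of an identity: stable per user, unreadable without the pepper."""
    digest = hashlib.blake2b(value.encode(), key=pepper, digest_size=6).hexdigest()
    return "user:" + digest


def redact_line(line, pepper=DEMO_PEPPER):
    """Blank secret values and pseudonymise identity values in one trace line."""
    def repl(m):
        key, val = m.group("key"), m.group("val")
        if _matches(key, SECRET_KEYS):
            return f"{key}=<redacted>"
        if _matches(key, IDENTITY_KEYS):
            return f"{key}={pseudonym(val.strip(chr(34)), pepper)}"
        return m.group(0)
    return KV_RE.sub(repl, line)


def redact_report(lines, pepper=DEMO_PEPPER):
    """Apply redact_line to every line of a report."""
    return [redact_line(line, pepper) for line in lines]


def residual_secrets(lines, known_secrets):
    """Pre-upload check: which of the known secret literals still appear anywhere?"""
    return [s for s in known_secrets if any(s in line for line in lines)]


# Constructed sample: an AP that died mid EAP-PEAP exchange with a domain account.
SAMPLE_TRACE = [
    '[00:12:03] hostapd: EAP-PEAP phase2 identity="jdoe@corp.example" password=Hunter2! nas_id=ap-03',
    '[00:12:03] hostapd: STA 00:11:22:33:44:55 mschapv2_response=8f1a... wpa_psk=deadbeef ssid=CorpNet',
    '[00:12:04] kernel: Oops at ath_driver_frame_rx+0x1c (constructed frame)',
    '[00:12:04] hostapd: retry identity="jdoe@corp.example" outer_identity=anonymous@corp.example',
]
SAMPLE_SECRETS = ["Hunter2!", "8f1a...", "deadbeef", "jdoe@corp.example"]

if __name__ == "__main__":
    clean = redact_report(SAMPLE_TRACE)
    print("\n".join(clean))
    print("residual secrets:", residual_secrets(clean, SAMPLE_SECRETS))
```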
Do note that some ubnt devices have custom firmwares blocked on newer software versions. For example Unifi AP and LR:
Just ~two weeks ago I finally retired my old OpenBSD based gateway in favor of USG. But no, I guess I'm back to putting OpenBSD on USG, and maybe OpenWRT on APs.
Is there a working replacement OS for Ubiquiti PoE switches?
It’s not like it doesn’t already have a firewall built into it.
When I buy [network] equipment, it is my expectation that since I own the HW, I am to a certain degree in control of what they do and to whom they 'talk to'. And call-home / telemetrics without at least opt-out just doesn't sit well with me here.
* Possibly by some other combination of dropping Established/Related traffic. I think that'll get gnarly for the instances where WAN_LOCAL traffic is needed -- VPN, connectivity checks for load balancing, etc.
“eth0_out affects traffic leaving the ER on eth0
eth0_local affects traffic that enters the ER on eth0 and is targeted directly at the ER itself (e.g. the webgui)”
In this case you would put the rule on eth0_out, not eth0_local.
Just now I verified with the following partial ruleset on an EdgeRouter I have in production:
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT rule 300 action drop
set firewall name WAN_OUT rule 300 description 'block 188.8.131.52'
set firewall name WAN_OUT rule 300 destination address 184.108.40.206
set firewall name WAN_OUT rule 300 protocol all
set interfaces ethernet eth0 firewall out name WAN_OUT
The only way to filter traffic from the router would be to drop the standard "Allow Established / Related" rule from WAN_LOCAL, retain the default drop action, and make specific rules allow whatever the router should be permitted to communicate with. And that would still allow packets to escape the router -- for TCP the communications channel is effectively dead since the handshake can never complete, but it could blast out all the UDP it wants.
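An added example (not from the thread, EdgeOS or Ubiquiti) covering both the `set firewall` ruleset quoted a few comments up and the WAN_OUT-versus-WAN_LOCAL point made in this comment: a paper evaluator that parses such lines and reports which verdict a packet gets on a given interface and direction, so the chain choice can be checked before touching a production router. The config, the TEST-NET addresses and the function names are constructed; only default-action, action, destination address and protocol are modelled.

```python
"""Paper evaluator for EdgeRouter (EdgeOS/VyOS-style) 'set firewall' lines.

Constructed example: the config below and the TEST-NET addresses are made
up; only default-action, action, destination address and protocol are
modelled, and rule numbers are evaluated in ascending order as on EdgeOS.
"""
import ipaddress
import shlex

SAMPLE_CONFIG = """
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT rule 300 action drop
set firewall name WAN_OUT rule 300 description 'block telemetry host'
set firewall name WAN_OUT rule 300 destination address 203.0.113.10
set firewall name WAN_OUT rule 300 protocol all
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 protocol icmp
set interfaces ethernet eth0 firewall out name WAN_OUT
set interfaces ethernet eth0 firewall local name WAN_LOCAL
"""


def parse(config):
    """Return (rulesets, bindings): name -> {default, rules}, (iface, direction) -> name."""
    rulesets, bindings = {}, {}
    for raw in config.strip().splitlines():
        tok = shlex.split(raw)          # handles the quoted description
        if not tok:
            continue
        if tok[:3] == ["set", "firewall", "name"]:
            # EdgeOS drops by default when no default-action is configured
            rs = rulesets.setdefault(tok[3], {"default": "drop", "rules": {}})
            if tok[4] == "default-action":
                rs["default"] = tok[5]
            elif tok[4] == "rule":
                rule = rs["rules"].setdefault(int(tok[5]), {})
                if tok[6] == "action":
                    rule["action"] = tok[7]
                elif tok[6] == "destination" and tok[7] == "address":
                    rule["dst"] = ipaddress.ip_network(tok[8], strict=False)
                elif tok[6] == "protocol":
                    rule["proto"] = tok[7]
                elif tok[6] == "description":
                    rule["desc"] = tok[7]
        elif tok[:3] == ["set", "interfaces", "ethernet"] and tok[4:5] == ["firewall"]:
            # set interfaces ethernet <iface> firewall <in|out|local> name <ruleset>
            bindings[(tok[3], tok[5])] = tok[7]
    return rulesets, bindings


def verdict(rulesets, bindings, iface, direction, dst, proto="tcp"):
    """Verdict for a packet hitting <iface> in <direction> ('in', 'out' or 'local').

    'out' covers everything leaving the interface, router-originated packets
    included; 'local' covers only packets addressed to the router itself.
    """
    name = bindings.get((iface, direction))
    if name is None:
        return "accept"                 # no ruleset bound: nothing is filtered
    rs = rulesets[name]
    dst_ip = ipaddress.ip_address(dst)
    for num in sorted(rs["rules"]):     # first matching rule wins
        rule = rs["rules"][num]
        if "dst" in rule and dst_ip not in rule["dst"]:
            continue
        if rule.get("proto", "all") not in ("all", proto):
            continue
        return rule["action"]
    return rs["default"]


if __name__ == "__main__":
    rs, b = parse(SAMPLE_CONFIG)
    # Router-originated traffic to the blocked host leaving eth0 hits the 'out' ruleset.
    print("router -> 203.0.113.10 via eth0 out:", verdict(rs, b, "eth0", "out", "203.0.113.10"))
    # TCP aimed at the router's own WAN address (constructed: 198.51.100.2) only sees 'local'.
    print("tcp -> router via eth0 local:", verdict(rs, b, "eth0", "local", "198.51.100.2"))
    print("icmp -> router via eth0 local:", verdict(rs, b, "eth0", "local", "198.51.100.2", "icmp"))
```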
* Maybe there’s an export restriction on a component and they lack the license to export to that country.
* Maybe they have not submitted their product for regulatory testing in that region.
* Maybe the product doesn’t operate within legally available spectrum in that country.
* Maybe the product presents an IP rights concern in the laws of that country.
* Maybe they simply haven’t paid a lawyer licensed to practice law in that region to confirm they wouldn’t have any legal concerns.
The hostname that Ubiquiti is using -- trace.svc.ui.com -- seems like exactly the thing that should be blocked, IMO.
FWIW, if you're using PiHole and want to block these access points from "phoning home", you can simply do the following:
$ echo server=/trace.svc.ui.com/ | sudo tee /etc/dnsmasq.d/ubiquiti_access_point_phone_home.conf
$ sudo systemctl restart pihole-FTL.service
Apparently the "pihole" utility has functionality built-in to blacklist domains (via /etc/pihole/blacklist.txt). Instead of the above, you can simply use:
$ pihole -b trace.svc.ui.com
I'd rather it return NXDOMAIN, though. That's what I had to do to block DNS-over-HTTPS for Firefox.
set service dns forwarding options server=/trace.svc.ui.com/
Or if you have dns forwarding using the system resolver you could also just add it to the hosts file via something similar to this.
set system static-host-mapping host-name trace.svc.ui.com inet 0.0.0.0
Don’t be afraid to tweet him your thoughts on this and a link to this thread: https://twitter.com/cbuechler
If there is any chance in management making the right decision here then it’ll be because good people at the company have ammo to go back to management with.
FYI - I was about to buy Qty 22 unifi access points next week and Qty 44 unifi 48 port switches. Nope on that with this change.
Last tweet (from 2 years ago) is about supporting Tencent Christmas party.
I agree, great person and I still have faith in him; but he’s just 1 person on a billion dollar enterprise team. He’s also very silo’d it seems, to what he’s doing on the firewall (and UDM?) side.
We’re also heavy deployers of UI stuff (100+ AP’s /month and 1000’s of ports installed).
This change concerns me, but doesn’t surprise me. All the new product line is geared for centralized propriety. The company as a whole is turning for the worst I think. The new forums and treatment of their community is indicative enough of this theory....
Well, now I’m curious who you are. :-)
I have hundreds of Unifi switches deployed. There is no downtime with normal setting changes (port/VLAN assignment, link speed/duplex changes, etc...)
Off the top of my head:
1. Deprecating UniFi Video in favor of UniFi Protect which only runs on Ubiquiti hardware (and none of the current hardware supports more than a handful of cameras anyway?)
2. Advertising UniFi Protect on existing UniFi Video installations, which is especially obnoxious for installers who sold their customers a complete system
3. Removing SNMP configuration from new firmware versions on certain product lines (EdgeSwitch?)
4. Now this.
Check the net for 5TB upgrade instructions.
Ironically blocking various widgets from spying on me was why I bought ubiquiti hardware. I was noticing regularly outbound network connections from my TV, turns out it was finger printing what I watched and reporting back to the mothership. It no longer gets network access of any kind.
I was tired of playing the OpenWRT/DDWRT flavor of the week (korg) on hardware that wasn't really well supported (netgear R7000). I hated the disposable nature of configuring the routers and having to largely throw away that configuration with each major upgrade. Even getting Comcast's /60 handled was painful (a bug in dhcpd6c or similar). I also wanted to handle WIFI APs well and not have a painful upgrade process.
I have a Ubiquiti NanoHD, EdgeRouter 6p, and a PoE EdgeSwitch 8xp. Nice GUI, you can fall back gracefully to command line, and backup your device state in a human readable config file you can keep in version control. Upgrades are typically press a button in the web UI and wait a few minutes.
They handle my moderately complex home network. Comcast gives in a /60, I split that into a /64 per 4 router ports. Lets me split the trusted stuff (desktops and laptops I manage) from the untrusted. I can even login over ssh to manage them with a key.
It's been very handy. If one of my PoE cameras freak out, I can bounce them remotely.
If various android apps have anti-social behaviors to avoid DNS based blocking I can track them on IPv4, IPv6, and block them when they try to skip my name servers. Took me a bit to block all IPv6/IPv4 DNS traffic to force anything on my network to actually use my nameservers. I'm not looking forward to DNS over TLS which despite the promises seems like will inevitably make things harder to filter.
Anyone know of a Ubiquiti competitor that's better about handling privacy and security and not trying to install spyware?
I should think so. Broadcom doesn't want their hardware to be properly supported by open-source software, so you were never going to be entirely successful in your quest to find good third-party firmware for that particular router. In the long run, it's always worth returning any such hardware and spending a bit more time shopping around for a router or AP that uses Qualcomm, Mediatek or Marvell chipsets (Ubiquiti APs use Qualcomm). And if you don't like the flavor of the week mess for firmware distributions, stay away from DD-WRT and prefer OpenWRT, which actually does clearly-identified stable releases.
What to do when they add this to their other products, such as routers?
Ubiquiti does seem like a generally good company, just seems like someone decided more feedback on failures was a good idea and added the remote debugging... without thought on opt-in. After all I get a few similar reports a day (x failed... report home?), but they are of course opt-in.
This would be easy to discover if you mixed brands, but the point is how would you trust them anymore?
You can argue that this should have been opt-in but it’s absurd to say that anyone cannot trivially opt-out.
I don’t understand the point of speculating that they are going to break iptables to get crash reporting, other than spreading FUD.
I've hated this "just block it" mentality around Windows 10 from day one because it was obvious to me it would be a losing game for the user in the long term.
You can't fight the software developer forever on this and with each update they send. Eventually if they really want that tracking feature they're going to integrate it into some other core feature that will stop working if you try to disable the tracking.
I guess hiring real testers isn't cool anymore.
> There is no on/off switch but there also are no penalties for blocking Internet access to the device, dropping traffic to this host, and/or blocking it via DNS.
> I guess hiring real testers isn't cool anymore.
Have you used any Ubiquiti products? I'm not sure that they ever hired "real testers".
That's a nice network you have there. It'd be a shame if someone broke it because they couldn't phone home.
Why would it be so hard to make it optional? Why? I just can't wrap my head around it. Why are you forcing us to send our data, no matter how encrypted or not? We purchased these for security and privacy.
Ubiquiti, pull yourself together. We will stop buying, you will lose.
The lesson I’m learning is, maybe it’s worth it to pay more to get less sometimes.
If anything, it’ll waste their time a little bit and if enough people do this they’ll reconsider this decision.
I think my best bet would be to install OpenWRT on the AP and sell + replace the USG. Not sure with what. It'd be kind of cool if I could have a router running NixOS so I could keep the configuration declarative, but pfSense is the obvious preferred choice in the community, so maybe I will just get a device designed to run pfSense.
I dunno if messing with tech support will really "send a message," so I will just send feedback through the regular channels. Chances are, it will get ignored. Chances are pretty much anyone that isn't a huge customer doesn't matter.
Has anyone recently set up a custom home router, switch, and/or WiFi AP? Any tutorials or examples you could recommend?
I wouldn't touch MikroTiks with a long pole.
Aruba AP's can be had quite cheaply, and they have an integrated controller as well.
The fact that they sneaked the call home in without any opt-in is bad and fishy, and even after it was raised by the community they are not willing to provide opt-in. They want the users to disable the access to the host name and blah blah, which is not feasible for most home users.
This is in a BETA version of the firmware. BETA.
You have to sign up to get access to the BETA area.
So yes, while integrating tracking etc isn't a great idea, it might also help debug crashes/problems in the BETA firmware people are running.
Now, if this rolls out to the stable channel, then sure, pass me a pitchfork too. But until then, you've got to opt-in to test the BETA software, and you know what you're signing up for - BETA quality software.
I'm almost surprised Ubiquiti give regular folk access to the beta software, because the users treat it like production, roll it out into production, then complain.
What company's hardware should I buy instead for Linux friendly AP's and cameras?
Slowly, over 10+ years, trending towards removing control and usability and funneling their use-case to an online-only, subscription based, neurotic consumption model.
Ironically, I was just in the process of migrating my home, my office and my local volunteer fire department to an all-ubiquiti network+camera platform ...
> We have started to gather crashes and other critical events strictly for the purpose of improving our products. Any data collected is completely anonymized, GDPR compliant, transmitted using end-to-end encryption and encrypted at rest. There is no on/off switch but there also are no penalties for blocking Internet access to the device, dropping traffic to this host, and/or blocking it via DNS.
> The memory leak that you reference above was a bug specific to release 4.0.60 which was fixed as of 4.0.61.
If this is their final position we will no longer be purchasing UI hardware moving forward.
Sigh. More junk that requires micro-management.
The Usage Data that we collect may include information such as your device data, including your mobile devices, sensor data, device signals, device parameters, device identifiers that may uniquely identify your devices, including your mobile device, web request, Internet Protocol address, browser type, browser language, referring/exit pages and URLs, platform type, the date and time of your request, and one or more cookies that may uniquely identify your devices or browser. IN ADDITION, WE MAY AUTOMATICALLY COLLECT LOCATION INFORMATION (INCLUDING LATITUDE AND LONGITUDE), PERFORMANCE DATA, MOTION DATA, TEMPERATURE DATA, POWER USAGE DATA, AND ANY DATA OR SIGNALS COLLECTED BY THE DEVICES AS PART OF THE USAGE DATA. WE DO NOT COLLECT THE CONTENTS OF ANY COMMUNICATIONS THAT PASS THROUGH OUR DEVICES OR SERVICES.
By this description, it certainly isn't GDPR compliant. Device identifiers/data etc. is PII in the GDPR context and requires a legal basis for processing.
If someone complains they're going to have a bad time.
On the other hand, I never understood how to configure dnsmasq on the USG in a permanent way (not only blocking hosts, but also static SRV and TXT records). It is supposed to be done via gateway.config.js, but finding the right JSON keywords is the issue. Is there someone who can drop some hints?
I intend to return it and use a pfSense ‘official’ hardware device.
It's like they just copy and paste the 50-character commit messages or something.
I bought unifi equipment because I was fed up of typical consumer equipment (and meraki) requiring subscriptions and phoning home all the time. WRT the GDPR stuff, I’m pretty sure a network admin can’t consent on behalf of all the users of the network...
They are cheap enough to be viable for home use. Does any other company make business-grade APs at that rough price point?
Anyway, I am looking into alternatives but I can't find anything yet. I only need WiFi APs that can work together for roaming. I would love open source, and would pay a premium to support an open source solution.
I still do. But I haven't updated the app in a while since they changed the EULA.
The question of hardware for my January setup, which I thought settled, just got reopened again.
It seems like possibly a good opportunity for low end network hardware companies such as Netgear or TP-Link to collaborate with an open source project like pfSense.
I have one of their devices here, I will be pretty glad to use some spare network capacity to send them a few thousand fake crash reports per hour. That's what they want, right?
And while I understand your frustration and anger, DoSing someone is usually a bad idea.
... this thread is not listed ... are they really hiding these comment threads ?
it's just in a separate beta version of their community forum that's not publicly accessible yet.
I never realized customer-first means violating GPL and call-home.
OpenWRT or VyOS are good alternatives; however, both get minimal community support (sharing code or donations), especially OpenWRT, which is used by big vendors like TP-Link or Xiaomi, but they have neither contributed any code nor sponsored/donated anything to the projects they're making huge money on; they're just bad-ass parasites.
I would not be surprised AT ALL to find that they aren't doing certificate validation, however... in which case it'd be trivial to MITM the connection and find out just what they're sending.
Usage Data. As described in this section, we may automatically collect information when you use the Services ("Usage Data"). The Usage Data that we collect may include information such as your device data, including your mobile devices, sensor data, device signals, device parameters, device identifiers that may uniquely identify your devices, including your mobile device, web request, Internet Protocol address, browser type, browser language, referring/exit pages and URLs, platform type, the date and time of your request, and one or more cookies that may uniquely identify your devices or browser. IN ADDITION, WE MAY AUTOMATICALLY COLLECT LOCATION INFORMATION (INCLUDING LATITUDE AND LONGITUDE), PERFORMANCE DATA, MOTION DATA, TEMPERATURE DATA, POWER USAGE DATA, AND ANY DATA OR SIGNALS COLLECTED BY THE DEVICES AS PART OF THE USAGE DATA. WE DO NOT COLLECT THE CONTENTS OF ANY COMMUNICATIONS THAT PASS THROUGH OUR DEVICES OR SERVICES.
 - https://community.ui.com/questions/UI-official-urgent-please...
 - https://www.ui.com/legal/privacypolicy/#c1
I wonder if companies really understand how much stupid decisions like this taint their brand.
Has anyone extracted the data they send?
Also I was under the impression that GDPR says that IPs are personal data.
I can't imagine crash data from a router wouldn't include that.
Also it seems like they didn't inform users, but secretly put this in an update.
The equipment phones home, but realistically what can it transmit? Things like number of devices connected, IP scope, network neighbors, public IP, MAC addresses, and of course the traffic itself.
I think it’s safe to assume that it’s not sending the traffic, as we’d have noticed on the firewall egress.
Public IP and MAC addresses are bad, and probably conflicting with the GDPR as these can be used to identify you, especially if coupled with your account. As UBNT states in the comments, they claim to be GDPR compliant, with data anonymized, so we can assume they’re not gathering these as well.
That leaves device statistics, such as clients connected, memory/CPU used, private IP ranges. Are those really that bad?
UBNT also states there is no penalty for blocking these devices from contacting the internet, and while I would prefer an opt-in solution, it’s no worse than when Microsoft invented “opt out by renaming your WiFi or we share your password with friends of friends”
It doesn't matter. That's the point. If you're at all serious about privacy and security, any unauthorised exfiltration of data from your system is a problem.
Maybe they're sending a list of all sites you visits? How about them sending any login information that you add on sites that for whatever reason isn't doing tls?
One important point here is that they "claim" to be GDPR compliant but are already somewhat breaking GDPR. All data is encrypted on the APs so we can't really know what is sent. This is a complete buy-in in trust from us, the customers. We're supposed to trust them that they're not sending anything they shouldn't, even though they chose not to tell us at all about implementing this.
It's horribly sketchy at best, if not illegal.
That is of course assuming that the GDPR is being honoured, and that's a pretty big if. Most European companies are still struggling to be compliant, as _EVERYTHING_ that can identify you as an individual is to be handled. It also includes backups, and also when the authorities require you to store data for 5-15 years, but also allows the right to be forgotten.
I know we've had our fun devising a scheme to delete records from archived backups.
The only way to check is to request your personal data from UBNT. The GDPR allows this free of charge, and they're obligated to hand over all personal information they have on you.
In any case, I already block all internet access for networking equipment, and based on this I added trace.svc.ui.com to PFBlockerNG, just to make it resolve to something local.
I know first hand how hard it is to get GDPR right, I've been extensively involved in updating systems to comply. It's a lot of hard work and talking back and forth with lawyers to make sure we don't do anything stupid.