Wacom Explains Why Its Tablet Driver Sends Data to Google Analytics (Update)


Update February 7, 2020: 

Wacom published a blog post in response to the "many questions regarding data collection" prompted by Robert Heaton's report (detailed in our original coverage below). The blog says that Wacom's users have to opt in to sharing the data, which is collected via the Wacom Experience Program that Heaton described. Wacom also said that users can opt out of sharing this data at any time by turning off the Wacom Experience Program inside the Privacy Settings panel in the Wacom Desktop Center app.

Wacom explained that it "collects data through its software driver ... for quality insurance and development purposes only." That data is collected "from time to time" via Google Analytics, which is said to anonymize the information before providing it to Wacom. That way it can view aggregate data without compromising individual users (at least in theory).

"Our development and customer care teams could review across all aggregated users of a product, for instance, the most common function settings for pen buttons (e.g. 'right click' or 'undo') or the most frequently viewed tabs or selected links in the Wacom apps," Melissa Ashcraft, Wacom's director of marketing communications, wrote. "We have no access to personal data. We cannot relate to any specific users as the data are anonymized and aggregated. We do not know who users are as individuals and cannot see what users are creating or doing in third-party software applications."

Original article, February 6, 2020: 

Wacom tablet owners might be sharing more information with the company than expected. A software engineer named Robert Heaton reported Wednesday that Wacom's driver sent details about every app he opened to Google Analytics.

The driver seemingly recorded when the app was opened too, and the report included a string of characters that could serve as a unique identifier for Heaton's laptop. That's a lot of information for a drawing tablet driver to collect about a customer's system.

Heaton said he needed Wireshark, a network traffic monitor popular among the security-conscious, as well as a cybersecurity utility called Burp Suite, to piece together the information Wacom's driver gathered to share with Google Analytics.

Wacom likely uses this data to troubleshoot any problems with using its tablets in specific apps. If the company sees that a lot of Wacom tablet owners experience problems after using Adobe Illustrator, for example, it can investigate the issue.

Failing to disclose this information could be a problem, though, and it doesn't exactly inspire confidence even if everything's on the up-and-up. Even the most innocent actions look sketchy when done in secret.

We've reached out to Wacom for a comment on Heaton's findings and will update this post if the company responds.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • digitalgriffin
    I agree this (driver stability analysis) might be a perfectly valid use as the tablet can be used like a mouse, which means every app can be affected.

    But now that I know, I'm going to uninstall it on my gaming PC. (Owning one myself)

    Telemetry apps can be used to identify pain points for users. Just as long as it's clear in the software license that the telemetry data is being collected, its purpose, what information is being collected, and how it's used (including resale to third parties). It would be nice if they had an opt-out however.
  • w_barath
    A good opt-out is to set all google-analytics hostnames to map to 10.255.254.253 in your hosts file. If Google wants to participate in supporting this stuff then they can kiss goodbye all other analytics data from your machine, and let that be a lesson to both of them.
  • zangetsu-san
    what in tarnation is 10.255.254.253 ??
  • USAFRet
    WACOM
    Avast
    cell phones


    And people are so freaked out about Windows 10...lol
  • Unolocogringo
    zangetsu-san said:
    what in tarnation is 10.255.254.253 ??
    https://www.speedguide.net/ip/10.255.254.253
    A special set of IP addresses that point to nowhere.
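A way to check the hosts-file opt-out discussed in the comments above, as an added example that is not part of the article or of any commenter's post. The three hostnames and the sample file are assumptions constructed for illustration; the address class is reported by Python's `ipaddress` module (10.0.0.0/8 is RFC 1918 private space).

```python
import ipaddress

# Hostnames are assumptions for illustration; the thread only says
# "all google-analytics hostnames". The hosts file has no wildcard syntax,
# so every name to be overridden must be listed explicitly.
ANALYTICS_HOSTS = (
    "google-analytics.com",
    "www.google-analytics.com",
    "ssl.google-analytics.com",
)

# Constructed sample hosts file (not taken from any real machine).
SAMPLE_HOSTS = """\
127.0.0.1        localhost
10.255.254.253   www.google-analytics.com ssl.google-analytics.com  # sinkhole
# 10.255.254.253 google-analytics.com   (commented out, so not active)
"""

def parse_hosts(text):
    """Return {hostname: ip} for active entries; the first entry per name is kept."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address: ignore the line
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping

def classify(ip):
    """Describe what kind of address an override points at."""
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"

def audit(text, wanted=ANALYTICS_HOSTS):
    """Map each wanted hostname to its override class, or 'not overridden'."""
    mapping = parse_hosts(text)
    return {h: classify(mapping[h]) if h in mapping else "not overridden"
            for h in wanted}
```

In the sample, the bare domain is left uncovered because its line is commented out, which is the kind of gap an explicit per-hostname list tends to hide.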
  • jgraham11
    This is exactly the problem with Linux and Windows! They allow drivers to be put into kernel space where they have higher rights and are harder to detect. Hardware vendors can create drivers that do this. Wacom is just the one who has been caught. Microkernel is the way to go! Apple is doing it, Blackberry did it and they were/are unhackable!
  • bigdragon
    I have to wonder what useful crash information -- if any -- is provided by Wacom telemetry. I'm not so fond of the idea of Wacom monitoring every program I open on my PCs and for how long I use each one. Wacom doesn't need to vacuum up that much info. I'd much rather volunteer the info. Here, I'll do that right now:

    Clip Studio Paint, Blender, Unreal Engine, Drawpile

    I want Wacom to make sure my tablets and pens work great in those programs. Everything else is just noise. This article makes it look like Wacom is collecting noise.
  • cryoburner
    jgraham11 said:
    This is exactly the problem with Linux and Windows! They allow drivers to be put into kernel space where they have higher rights and are harder to detect. Hardware vendors can create drivers that do this. Wacom is just the one who has been caught. Microkernel is the way to go! Apple is doing it, Blackberry did it and they were/are unhackable!
    From the sound of the report, I get the impression that the writer encountered this on an Apple computer. I don't believe they specifically mentioned what OS they were using, but all the screenshots in the report appear to be taken on a Mac, and the writer mentions using "OSX’s Keychain" to allow him to route the encrypted data through a proxy...

    https://robertheaton.com/2020/02/05/wacom-drawing-tablets-track-name-of-every-application-you-open/
  • cryoburner
    "Our development and customer care teams could review across all aggregated users of a product, for instance, the most common function settings for pen buttons (e.g. 'right click' or 'undo') or the most frequently viewed tabs or selected links in the Wacom apps," Melissa Ashcraft, Wacom's director of marketing communications, wrote. "We have no access to personal data. We cannot relate to any specific users as the data are anonymized and aggregated. We do not know who users are as individuals and cannot see what users are creating or doing in third-party software applications."
    I like how she focuses on "most common function settings for pen buttons" and "most frequently viewed tabs or selected links in the Wacom apps" while largely ignoring the main point of the report about how they are logging the names of all applications being run on the system and at what times those applications are in use.

    It's likely that they only receive anonymized data from Google, which might also be aggregated for them, but Google is still getting that data prior to anonymization, and who knows what they do with it. And based on the Analytics page they linked to, it sounds like Google's idea of "anonymization" is simply removing the last octet from one's IP address, in other words, putting you into a pool of just 256 addresses, relatively few of which are likely to be running Wacom hardware. It wouldn't take much to combine that data with other data sets to de-anonymize it.

    Considering the price of Wacom's hardware, spyware like this shouldn't be bundled in it, even if there's an option to opt out of it.
  • USAFRet
    "We have no access to personal data. We cannot relate to any specific users as the data are anonymized and aggregated. "

    Going back more than a decade, and the leak of "anonymized" AOL search data. No username/passwords, strictly what people were searching for.
    Given enough data points, you can track it down to an actual human and physical house address.
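The re-identification argument made in the last two comments, worked through as an added example that is not part of the article or of any commenter's post. It assumes the last-octet IP masking described in the thread and the per-machine identifier and app-open times described in the article; the record layout and every value in `HITS` are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed telemetry hits: (source IP, client identifier, app name, time).
# Layout and values are invented for illustration, not taken from a capture.
HITS = [
    ("203.0.113.17", "id-a1", "Clip Studio Paint", "09:02"),
    ("203.0.113.17", "id-a1", "Blender",           "09:40"),
    ("203.0.113.17", "id-a1", "Drawpile",          "21:15"),
    ("203.0.113.88", "id-b2", "Blender",           "10:05"),
    ("198.51.100.5", "id-c3", "Unreal Engine",     "11:30"),
]

def mask_last_octet(ip):
    """Zero the final octet of an IPv4 address, leaving a pool of 256 addresses."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return str(net.network_address)

def anonymity_sets(hits):
    """For each masked IP, the distinct client identifiers seen behind it."""
    groups = defaultdict(set)
    for ip, client_id, _app, _when in hits:
        groups[mask_last_octet(ip)].add(client_id)
    return dict(groups)

def singled_out(hits):
    """Masked IPs whose anonymity set holds exactly one identifier."""
    return sorted(net for net, ids in anonymity_sets(hits).items()
                  if len(ids) == 1)

def linkable_profiles(hits):
    """App timeline per (masked IP, identifier); masking the IP leaves it intact."""
    profiles = defaultdict(list)
    for ip, client_id, app, when in hits:
        profiles[(mask_last_octet(ip), client_id)].append((when, app))
    return {key: sorted(events) for key, events in profiles.items()}
```

Even where two devices share a masked address, the persistent identifier keeps each device's app timeline separate, so the masking alone does not aggregate anything.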