Wacom drawing tablets are spying on every app you open, and sending the data back to Wacom

Graham Cluley @gcluley

Bravo to software engineer Robert Heaton, who was sufficiently intrigued while reading the privacy policy of his Wacom drawing tablet to investigate what “aggregate usage data, technical session information and information about your hardware device” it might be collecting.

“In section 3.1 of their privacy policy, Wacom wondered if it would be OK if they sent a few bits and bobs of data from my computer to Google Analytics, “[including] aggregate usage data, technical session information and information about [my] hardware device.” The half of my heart that cares about privacy sank. The other half of my heart, the half that enjoys snooping on snoopers and figuring out what they’re up to, leapt. It was a disjointed feeling, probably similar to how it feels to get mugged by your favorite TV magician.”

However, Heaton’s investigation found that the data collected weren’t just “bits and bobs” but also the record of every application he opened, and what time he opened it.

Here, for instance, is Heaton’s drawing tablet reporting back to Wacom via Google Analytics that he’s just clicked on the Chrome browser.

Data

You might well wonder why Wacom drawing tablets feel the need to record the name of every single application you run on your private, personal laptop and send it back to Wacom.

Even if you think there might be some customer support reason for collecting this information (rather than something more nefarious), you might well raise a querulous eyebrow at Wacom behaving like this by default, and find it underhand that every time the drivers for your Wacom drawing board are updated, the “Wacom Experience Program” is enabled again.

Heaton sums up his concerns with what Wacom is doing succinctly:

I care about this for two reasons.

The first is a principled fuck you. I don’t care whether anything materially bad will or won’t happen as a consequence of Wacom taking this data from me. I simply resent the fact that they’re doing it.

The second is that we can also come up with scenarios that involve real harms. Maybe the very existence of a program is secret or sensitive information. What if a Wacom employee suddenly starts seeing entries spring up for “Half Life 3 Test Build”? Obviously I don’t care about the secrecy of Valve’s new games, but I assume that Valve does.

We can get more subtle. I personally use Google Analytics to track visitors to my website. I do feel bad about this, but I’ve got to get my self-esteem from somewhere. Google Analytics has a “User Explorer” tool, in which you can zoom in on the activity of a specific user. Suppose that someone at Wacom “fingerprints” a target person that they knew in real life by seeing that this person uses a very particular combination of applications. The Wacom employee then uses this fingerprint to find the person in the “User Explorer” tool. Finally the Wacom employee sees that their target also uses “LivingWith: Cancer Support”.

Remember, this information is coming from a device that is essentially a mouse.

Wacom may not be guilty of abusing this information for surveillance or to sell cheap flights to Portugal, but it clearly is failing to properly describe in its privacy policy what data it is collecting under its “Wacom Experience Program”, and in danger of losing the trust of its customers.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

4 Replies to “Wacom drawing tablets are spying on every app you open, and sending the data back to Wacom”

  1. Is it possible to write a programme that would kick in when I'm not at my desk, accessing random applications in rapid succession? The programme could be written in one of those new 4GL languages that painlessly generate the code for you. The schematic we would draw for the 4GL compiler to convert in Cobol would make my machine jump from one web site to the next, leading the Wacom fox-hounds and the Google Hunts men on a merry dance across the field of cyberia (Hopefully within safe parameters.)

    The burden of keeping up with this would send the Google Analytics spy into overdrive and the mainframe computer running this machine would begin to smoke as its big circular tape drives whizzed back and forth in rapid succession. Eventually, if television depictions are accurate, the machine would explode and all the Google engineers would be covered in soot from the head to lab coat.

    Yes, I'm possibly showing my age by saying 'programme' but you know what I'm saying, surely.

    Can you write such a programme and have it on my desk by Friday close of play?

  2. So I am designing a Top Secret secure entry mechanism for GHCQ (the other one) using my high end CADD system, workstation and Wacom Tablet…

  3. Hey Graham,

    Isn't Google Analytics HTTPS? Are you only able to see the GET request or is it sending it in the clear? Just curious what tool you used to spy on the app?
