Opt-Out of Device Feedback

It is commonplace today that software and hardware manufacturers want you to send them device feedback and/or usage statistics.  Some even do it without your consent, requiring you to Opt-Out of the program by digging through settings.  There are some major privacy concerns here, so this article hopes to educate you about the issues.

In full disclosure, JSCM Group will always err on the side of privacy when given a choice, so we do not set any client device we touch to send device feedback or usage statistics.

Opt-In vs. Opt-Out

Before we dive into the meat of the issue, let's have a quick refresher on Opt-In vs. Opt-Out.

Opt-In

This requires you to choose an option on a web form or other software installation screen that asks you if you would like to share information with the company you are interacting with.  In other words, if you do nothing you are NOT a part of the program.

 Example of an Opt-In Form Field

This is the only legal option allowed now in the European Union under GDPR (General Data Protection Regulation).

Opt-Out

This option requires that you select an option to remove yourself from the feedback or sharing.  In other words, if you do nothing you ARE a part of the program.

 Example of Forced Opt-In

So what are the privacy risks with feedback?

So now let's focus on the actual issue with hardware and software device and usage statistics.

Myth 1: It's Anonymous

The manufacturer will tell you that the feedback you are sending them is anonymous.  This is impossible.  First, when your system calls home it will be clear that the request is coming from a specific IP address.  This alone makes it not anonymous. 

Second, your system name and license will be sent back as well to ensure the entry is unique.  The license will be tied to your account or your business, therefore disclosing the source.  There is nothing anonymous about this.

Myth 2: Device Usage Information

Once you agree to send device usage information, you are giving up all privacy for what you use the device for.  If you do this on a mobile phone it could send them all of the websites you visit, which can then be used for targeted advertising and data mining.

If you do this on a firewall they will have insight into your policies and how you are securing your network.  Since it is tied to your IP address, do you think an attacker could get insight into your security?

Myth 3: Statistical Data Only

The manufacturer is not just getting statistical data to use for their own knowledge; you are the product.  They are using your usage to gather more information, turning you into the product.

This is not unlike the grocery store discount card.  They could just give you the deals, however, it is better for them to require the card so they can track your spending habits.  This is why your grocery bill will always be about the same amount regardless of what is on sale.  They won't put all of your favorites on sale the same week.  They know how you shop and can prevent this.

There is an old marketing saying: if the product is free, you are the product.  Well, device feedback is free, and although they may produce security research and other papers off of the data gathered, they are also using you.

So what can you do?

  1. Always Opt-Out of any feedback.
  2. Don't work with "security" companies that force you to opt-in; they are not security focused, they are marketing focused.
  3. Look through any settings to ensure they do not call home.

This isn't a black helicopter, conspiracy, paranoid post.  Privacy should always be your concern, even in this database-driven society.