One of those links was me mentioning it, and this got so under my skin it took Wacom's brand from "premium, respectable, best in class" to "untrustworthy, garbage, barrel scraping, avoid even if the alternatives function less well" in my head just instantly. Like Lenovo's "let's ship spyware with Thinkpads" did.
> Like Lenovo's "let's ship spyware with Thinkpads" did.
One hopes that companies would value their brand and reputation over some short-term profit (and yet nobody here is holding their breath). To this day I refuse to buy any Lenovo product, and as the tech guy in my family I warn everyone who asks from considering them at all.
If boycotting something comes at a personal cost to the boycotter (such as having to put up with a lesser product that fits their principles better), and they don't have the time or energy to boycott everything that challenges their principles, does that mean they should boycott nothing at all?
Additionally, the values of one person vary from one to the next. To post a question of "do you also boycott X" as some kind of gotcha because of perceived shared values seems presumptuous at best.
"they don't have the time or energy to boycott everything that challenges their principles"
Or maybe they don't want to live in a cave.
If my principles are "carbon neutral, no spyware, workers were not exploited", I think there are zero washing machines, cars and TVs that meet those criteria.
You should set a standard you can live with. If you're boycotting one company for something that you tolerate dozens of other companies doing, you should probably reconsider.
the effect is that they, and hopefully their friends and family who come to them for advice, don't buy lenovo's products. that's independent of what else they happen to be boycotting.
Do you think there’s no value in a positive action unless the person doing it also did some other, unrelated positive action? Why? I think you’re just playing gotcha.
I think if Lenovo's CEO can tell the board "look, we can see x% of customers are anti-rootkitting and avoid companies that use rootkits, therefore we want to switch away from rootkits" that's going to be a lot more effective than "some guys are boycotting us; they say it's about the rootkits but really who knows".
You think that a Lenovo CEO will be completely unconcerned with a boycott of Lenovo products… because their competitors aren’t also being boycotted? Or just less concerned?
If you mean just “less concerned”, then even then, that means the boycott still has some value, right? So what is wrong with someone just boycotting one of two “bad” companies?
Just to transpose the logic to a different situation: say if someone gives $10 to a charity fundraiser, but they actually had $20 in their wallet, does that make their $10 donation less valuable? If this is not a fair comparison, please help me understand exactly what the relevant difference is.
> You think that a Lenovo CEO will be completely unconcerned with a boycott of Lenovo products… because their competitors aren’t also being boycotted? Or just less concerned?
I mean unlikely to take the actions you're trying to push for. If you're not consistent about when to boycott a company, how can they trust you to be consistent about when to stop boycotting a company?
> ...the difference between say 0.1% as likely and not at all likely.
Heh, to think that this sub-thread began with someone (you? Can't recall) complaining about "arbitrary" boycotting... That's a mighty arbitrary number you've got there. What's to say the difference isn't actually between 80% and 99%?
I'm definitely claiming an arbitrary boycott is less than 20% as effective as a clearly principled one. I'm agnostic about whether an arbitrary boycott is completely 100% ineffective or a teeny tiny smidgen effective and I don't think that's a meaningful distinction to draw.
How would most sellers even know whether people are boycotting them "arbitrarily" or not?!?
1) A boycott is a boycott; they only notice that people are boycotting them.
2) ALL boycotts are "arbitrary" in the sense that [almost no | few | some | many | most | almost all] people participate in them, for reasons of their own.
3) ALL boycotts are "clearly principled" in the sense that the people participating in them are doing it because of some principle that's important to them.
4) Seller A can't know -- and probably doesn't give a shit about -- whether each of the participants in the boycott is also boycotting sellers B, C, D, E, F, etc, which perhaps they ought to also boycott on the same grounds they're boycotting seller A.
5) As I already mentioned, some of the people boycotting seller A are probably also boycotting sellers B and C even though they can't be bothered to boycott D, E and F; some others boycott A, D and E although not B, C and F; some A, C, and F; etc etc. For every boycott, you'll find people who also for the same principled reasons boycott other sellers. Lots of arbitrary decisions make a random distribution; it all evens out.
And the numbers (or number-adjacent adjectives) you keep throwing around, apparently in an effort to lend your totally subjective opinion some air of scientific legitimacy, are still totally arbitrary, or to call them what they are: pulled straight out of your nether orifice. How do you KNOW that "an arbitrary boycott is less than 20% as effective as a clearly principled one"??? What data do you have to claim the question is "whether an arbitrary boycott is completely 100% ineffective or a teeny tiny smidgen effective", when it could just as well be whether it is -- to pull equally random numbers out of my own arse -- 90% effective or only 60%? Sure, that might not be "a meaningful distinction to draw", either: Both are pretty fucking bad for the seller.
So... Sorry, but to me your whole screed still feels just as arbitrary and unreasoned as you accuse those partial boycotters of being.
> 1) A boycott is a boycott; they only notice that people are boycotting them.
Well if that's all they can find out then the boycott is pointless. If a boycott is meant to change the company's behaviour then there has to be a way for them to find out what the boycott is about.
> 5) As I already mentioned, some of the people boycotting seller A are probably also boycotting sellers B and C even though they can't be bothered to boycott D, E and F; some others boycott A, D and E although not B, C and F; some A, C, and F; etc etc. For every boycott, you'll find people who also for the same principled reasons boycott other sellers. Lots of arbitrary decisions make a random distribution; it all evens out.
That's only true if everyone is making their decisions randomly though. It doesn't hold if there's a correlation in which companies people do and don't boycott, e.g. people think they're arbitrarily boycotting some but not all of the companies that do X, but unconsciously they're boycotting Chinese companies but not American companies.
> And the numbers (or number-adjacent adjectives) you keep throwing around, apparently in an effort to lend your totally subjective opinion some air of scientific legitimacy, are still totally arbitrary, or to call them what they are: pulled straight out of your nether orifice. How do you KNOW that "an arbitrary boycott is less than 20% as effective as a clearly principled one"??? What data do you have to claim the question is "whether an arbitrary boycott is completely 100% ineffective or a teeny tiny smidgen effective", when it could just as well be whether it is -- to pull equally random numbers out of my own arse -- 90% effective or only 60%?
All I've been doing is clarifying what I'm saying. I'm putting numbers on it because you asked! First playpause had some strange fixation on whether I was claiming arbitrary boycotts were completely ineffective or only mostly ineffective, and then you jumped in with some strange fixation on the numbers I used to illustrate what I was saying. It's a bit much to ask for intense precision and then complain when I try to be precise.
> > 1) A boycott is a boycott; they only notice that people are boycotting them.
> Well if that's all they can find out then the boycott is pointless. If a boycott is meant to change the company's behaviour then there has to be a way for them to find out what the boycott is about.
Sigh... Yes, if some people "arbitrarily" choose to boycott company A for some reason that you think is somehow "invalid" if they don't also boycott companies B, C, and D that you think it should also apply to, they will of course let the company know that "We're boycotting you because of this principled reason!" What we were discussing was (your silly hangup on) their "arbitrariness" in not also boycotting other companies, and that company A neither knows nor gives a shit about.
Are you genuinely this obtuse, or just pretending because you think you'll "win" a discussion with intentional "misunderstandings"?
> > Lots of arbitrary decisions make a random distribution; it all evens out.
> That's only true if everyone is making their decisions randomly though.
No, read it again: Arbitrarily. That's enough. Because everyone's "arbitrary" is different, the sum of them all will be indistinguishable from random. (In fact, there is an old adage that if you could measure all preconditions exactly, there is no such thing as "random". Even the movements of all the molecules in a gas wouldn't be "random" if you could know the initial position and velocity of each of them exactly... But you can't; that is, in a way, what "random" is.)
> I'm putting numbers on it because you asked! First playpause had some strange fixation on whether I was claiming arbitrary boycotts were completely ineffective or only mostly ineffective, and then you jumped in with some strange fixation on the numbers I used to illustrate what I was saying. It's a bit much to ask for intense precision and then complain when I try to be precise.
No. Either you're very bad at understanding what is being asked of you, or you are just plain lying when making this quoted claim. Absolutely nobody has been asking you for "intense precision" in numerical terms. We're asking for a qualitative motivation for the particular numbers you're making up: WHY should the effectiveness of "arbitrary" boycotts be as minuscule as you claim, and not on the hugely different scale I just as arbitrarily made up?
Please stop deflecting; either provide some sensible replies or just admit that you've been bullshitting without the least speck of support from the very beginning.
Even if nobody boycotts all companies that would be deserving of it, other people probably (just as arbitrarily) pick others from the same set, so it evens out and they all get boycotted by at least some people.
Ok. That’s a good argument. I’ve never been on the seller side of a boycott. I wonder if they consider things like this when they respond to a boycott.
For the spyware/DRM on CDs in the early 2000s? It helps that I mostly just listen to music on YouTube. It's a little easier to remember not to buy something when you're buying a company product like "Lenovo", I guess, than something nebulous like Sony Music.
I haven't bought a Sony branded anything since 2000 or so. I almost forgot what it was about (yeah, the CD root kit and the battery-draining DRM shenanigans). I just put them out of consideration for any purchase.
(Yeah, I know, "not really the same company, etc". It is, and it's the brand. Live by it, die by it.)
Took them off my "don't buy" list when my smartphone broke and I immediately needed a replacement and the only reasonable one available at my local store was a Sony Xperia XZS. I still regret it to this day. Worst 499€ ever spent.
Sadly I bought my son a Lenovo a couple of Christmases ago, forgetting all about their crappy behaviour. Forget the spyware, their build quality is just garbage. The hinges broke a few weeks after warranty, so I had to fix it myself. They look nice and shiny, but once you use it for a bit you can feel the cheapness. And this was an expensive gaming laptop. I am turned off of their products from that experience.
Besides the specific Wacom related issue, I find this snippet fantastic:
> The first is a principled fuck you. I don’t care whether anything materially bad will or won’t happen as a consequence of Wacom taking this data from me. I simply resent the fact that they’re doing it.
I have rarely seen the concept expressed in such a clear, direct manner.
Some are Chinese, some are Taiwanese or Japanese. There's nothing wrong with hardware from China per se. The local market is Windows-centric though, which means drivers for other platforms often suck or don't exist. Also, mainland Chinese market tolerance for spyware/malware/general iffiness is high, which means pushback on vendor driver software bullshit is low. To sidestep this, open source can solve the bad-actor-driver issues and we can all get cheaper hardware.
All Pi-hole would do is stop IPv4 lookups, assuming you load a list that blocks it. It doesn't stop IPv6 because those are universal. And things can be hardcoded.
I think when I was younger I’d assumed the sheer number of technical users out there would mean it would be hard for companies to get away with things like this, but these days I realize this sort of analysis and public exposition is actually rare, and the number of skilled developers investing time in this is slim.
Perhaps collectively as a community we can create public bug and privacy bounties that enable and incentivise more work like this
It is becoming harder and harder to troubleshoot which apps talk what to which servers, because all of them, including the OS, talk something all the time.
Back in the day, if a user told me they had a problem accessing some Internet content, I would instruct them to close all the applications and start to dump their traffic on the firewall and proxy. There wouldn't be any traffic from their IP address. Then, when they started the application, I would see if traffic went through the proxy or directly through the firewall, and make adjustments, like putting the destination domain on an exclusion list in the proxy or the destination IP and port on an exclusion list in the firewall.
Nowadays, Windows 10 without any applications started sends hundreds of requests per minute to dozens of IPs. Some respect global proxy settings, some don't. I guess Android is even worse.
Protip: you can configure Windows Firewall to block all outbound traffic on a per-process basis. It’s not advertised as a feature though. There’s also ‘netsh http’ too. (I’m not sure how to block HTTP requests originating in the kernel though)
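The per-process outbound blocking mentioned in the protip above, written out as an added example (this is not code from the thread or from any vendor). It uses the built-in NetSecurity cmdlets that ship with Windows; every executable path below is an assumption and must be changed to match what is actually installed. It also goes one step further than the protip and shows the default-deny posture, where only explicitly allowed programs may talk outbound:

```powershell
# Added example, not from the thread. Run from an elevated (Administrator) PowerShell.
# All executable paths are placeholders / assumptions for illustration.

# 1. Block one specific process from any outbound traffic
#    (e.g. a driver's background telemetry helper). Placeholder path.
$telemetryExe = 'C:\Program Files\ExampleVendor\ExampleHelper.exe'   # placeholder

New-NetFirewallRule -DisplayName 'Block outbound: ExampleHelper' `
    -Direction Outbound -Action Block -Enabled True -Profile Any `
    -Program $telemetryExe

# 2. Stricter posture: deny all outbound by default, allow only what you trust.
#    Create the allow rules BEFORE flipping the default, or the browser and
#    mail client lose connectivity too.
$allowed = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',         # assumed browser path
    'C:\Program Files\Mozilla Thunderbird\thunderbird.exe'  # assumed mail client path
)
foreach ($exe in $allowed) {
    if (Test-Path $exe) {
        New-NetFirewallRule -DisplayName "Allow outbound: $(Split-Path $exe -Leaf)" `
            -Direction Outbound -Action Allow -Enabled True -Profile Any -Program $exe
    }
}

# Switch every firewall profile to block outbound traffic that matches no allow rule.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 3. Audit what this script set up and what the defaults now are.
Get-NetFirewallRule -DisplayName 'Block outbound: *','Allow outbound: *' |
    Select-Object DisplayName, Direction, Action, Enabled
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction

# To undo:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
#   Remove-NetFirewallRule -DisplayName 'Block outbound: ExampleHelper'
```

The pre-installed "Core Networking" allow rules remain in effect, so DNS and DHCP for the system's own service host keep working after the default flips to Block; everything else without an explicit allow rule is dropped, which is what makes the otherwise invisible background chatter show up. Rules are matched by executable path, so a helper that moves or is renamed by an update needs its rule updated too.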
“Responsible disclosure” is a concept mostly proposed by companies looking to accommodate their own willful irresponsibility. This is even more true in the case of intentional privacy violations by software vendors. The responsible thing is to immediately put these companies on blast the moment this kind of spying is uncovered.
I do see your point, but I still think a standardised way to at least make sure the vendor is aware of the issue would be needed if we're talking about a formal program. Not necessarily holding off publishing to do so though.
But I don't mean to back the side of vendors unduly here...
> Software vendors do this on purpose; they don't need notification.
I must admit I didn't put much thought into my comment on ethics but I guess what I had in mind is perhaps a scenario where the behaviour is not actually intentional, and the vendor should at least be properly informed that there may be leakage (to them) of private data as opposed to just jumping straight to blogging about it.
So rather than "responsible disclosure" perhaps just a code of conduct to ensure that such a program doesn't just attract people looking for glory and blog posts, but actually has a standardised way to report these issues to the vendor and give them an opportunity to fix and/or respond.
I don't mean to dilute the core of the idea though, it's a good one, and it definitely needs to be geared towards being in favour of the consumer rather than letting the vendor off the hook.
The only value in responsible disclosure is protection of users. If you figure out there's a way to harm a boatload of people, it's nice to do what you can to ensure it can't happen before telling everybody how. It makes sense. But there's a very good reason it comes with a not-too-distant deadline before you give up on it.
But this? We're talking about finding ways that people are being actively harmed. How does "responsible disclosure" come into play here?
The only thing it would seem to do is to protect companies and their bad decisions. That's not the point. At best they've screwed up, and at worst they're actively malicious. How do users not deserve to know that they are being harmed as soon as possible? How do potential users not deserve to know that they will be harmed by using the product, and that the company is either doing a poor job of protecting them or actively trying to exploit them?
There's no reason to try to attach any ideas of "responsible disclosure" here unless you're explicitly trying to protect the vendor.
I’m not suggesting a delay. Responsible disclosure was the wrong term to use.
The distinction I was trying to draw is rather than just blogging about it or unleashing a Twitter storm and jumping straight to an adversarial public crucifixion of the vendor (and by all means do that as well), there should be a standardised process of also contacting that vendor directly and engaging with them to give them an opportunity to fully understand what is being reported, reproduce the issue (in the case of it being unexpected) and fixing the problem. Some vendors won’t engage or will stick their head in the sand, but others may actually choose to address the problem. This is also in the users’ best interests.
Some issues will hit Hacker News or gain visibility in other ways, but other issues that are published may not naturally reach the eyes of someone at a vendor unless the person publishing actually takes steps to contact them. That’s the point I was trying to get across.
Not suggesting any of that is a prerequisite to publishing anything publicly in parallel.
Not only is this kind of technical user rare, but public response to a post like this is also demonstrably rare. Of the people who read this, only a fraction will consider changing their configuration to stop Wacom from sending this data.
Incentives are well aligned for a corporation to just try it.
I think we all as the end users could use a bit more support in terms of getting access to good information on configuring all the things we might use, being able to make better and more effective choices overall.
For example, one thing that jumped to mind was we seem to be lacking any objective measures of the speed of various OS versions, so everybody is always upgrading and claiming its faster, but is it objectively faster every time? What kind of regressions might happen?
There's nobody that is spending the time figuring out this kind of information, so everyone is kind of uninformed and there's more pressure to always upgrade.
That’s an interesting idea, specifically the privacy bounty part. I imagine one of the difficulties here would be who handles the adjudication of whether it’s a privacy issue or not / whether you get paid or not.
As much as I struggle to personally get behind crypto, this is exactly the sort of motivating use case that DAOs (decentralized autonomous organizations) are intending to solve. Users would pool their cryptocurrency, gaining voting rights in the process; researchers could submit to the pool to collect a bounty, and members of the DAO would get the opportunity to vote on bounty release. All this would be built to happen autonomously.
It's a funky idea, at the moment I'm suggesting more as a curiosity rather than thinking it's the right approach for something like this
My immediate criticism is you could end up with an organisation that _is_ ultimately centralized but now the major players would be hidden. Currently crypto seems to generally tend towards oligarchic growth, so I imagine you'd have a few players that control most of the shares and many people controlling negligible portions. Perhaps these issues (not to mention the energy costs) can be solved, but right now I'm curious but skeptical about these ideas
There are tons of highly skilled and wealthy folks in the HN community, who are upset about issues such as privacy in tech, poor security in public sector organizations (utilities, education), etc. With some good, informal, leadership, we could put the community's resources to good use and help solve these problems.
Folks who don't see meaning in their regular jobs could find contributing their skill or money to this and similar projects fulfilling and rewarding.
Wacom collecting kinda intrusive information (likely justified under knowing what applications to test their product against) is not some sort of oligarchical/royalty-based plot.
I mean, everything you wrote sounds great, it just doesn't mean anything or have any relation to reality.
Wacom (ワコム, or wakomu) is also a Japanese company, not American.
It's weird to presuppose that the US even matters when Wacom is a multinational company that operates domestically in Japan and also in Europe. This is probably a GDPR issue for Europeans.
The sad thing about this is that there are perfectly valid reasons for Wacom to want certain information, like what hardware do their customers connect the drawing tablets to, what operating systems and applications do they use. This is useful information to have, in the sense that Wacom can choose where to put their resources, what applications to test for, etc.
But the very fact they are so damned sneaky about it makes it look really shady. Why not openly ask the users those questions and show them what information would be sent to the vendor? (And I am pretty sure Wacom is but one of many companies behaving this way.)
I vaguely recall using some applications built-in crash report a couple of years ago, and it was a) explicitly opt-in, and b) showed me (after asking me if I wanted to see it), verbatim, the data it was going to send to the vendor, including stack trace and stuff like that, and then asked me again if I wanted to send that crash report. (Unfortunately, I do not recall what software that was, though. sad emoji)
So I know it is not only possible to handle these things differently, but some people/companies actually do that.
> "Why not openly ask the users those questions and show them what information would be sent to the vendor?"
Why not pay money to people who spend time helping Wacom improve their products? Then lots of people would willingly help, fill in surveys, test configurations, write feedback, etc.
This is why I reject the counter arguments "Your data is why X service is free" or "If you're not paying for it, you are the product". Even when we are paying for something, we're still getting spied on.
If you offer cash to customers then you are setting yourself up to receive reviews primarily from those who are in need of cash or have "spare" time. A person employed full-time who uses their tablet daily may be missed entirely.
[edit: Not that this is entirely wrong, but it must be one-of-many approaches for customer feedback.]
I don't see any valid reason for Wacom to look at what application people use. And in a proper operating system that information should not be easily available (not without the users' consent).
There is a valid reason, which is custom configuration for each application. How you want a tablet to act in Blender is likely not the same as you would want in Photoshop. A lot of mice do the same thing.
Once the user has agreed to that valid use-case, there's not a lot the OS can do to stop the data being logged permanently.
The author oversimplified by calling it "essentially a mouse". Pressure sensitivity is arguably the main feature that distinguishes a drawing tablet from just being a pen-shaped mouse. It's understandable that they might want to know what applications it's being used in so they can make sure that it works.
But they really could do that in a less shitty way.
Any examples for those proper OSes? I can only imagine those often criticized for being walled gardens, namely iOS, Android, and proprietary hardware like gaming consoles. On any UNIX used as a desktop, you will not have trouble finding a list of running processes.
Market share describes what state the world is in. I don’t see what bearing that has on a discussion of what the world should be.
OpenBSD implemented the ASLR security mitigation as default in their operating systems first. Windows and macOS followed years later. I don’t think they did so because of OpenBSD’s market share.
The need to know what art applications to test their product against and what hardware configurations they might need to write drivers for. For example, is 99% of their customer base using GIMP, or are they using Photoshop? It's important to know how to allocate their testing resources.
They could ask permission first but this sort of telemetry is a nothingburger in my opinion, as unpopular as that might be on this forum.
I strongly disagree, what runs on my computer is my business and if Wacom wants to know, they can ask, and I'll tell them 'no, sorry that is not something you need to know'.
It's called consent and it's not up to Wacom to decide that I will think it is a nothing burger.
> in my opinion, as unpopular as that might be on this forum.
That's the whole point of consent: some people give it, others withhold it. You are just as entitled to your opinion as I am to mine and that is why they should ask, it's not that you get to decide for me that it's a nothing burger, just like I won't decide for you that it isn't.
You consented when you ran their drivers to use the hardware, just like you consent to being recorded on CCTV when you enter a shop or stop at a gas station.
Don't like it? Read the privacy policy for software you run. That, or you can write or rely on libre drivers for the tablet to run on your specific hardware setup. And deal with all the issues unsupported/maintained drivers have.
Well, or as an alternative, we could regulate the collection, retention, and use of data by applications.
Consumers can't meaningfully consent when businesses don't have an obligation to disclose what data is being collected, especially when it is described as
“[including] aggregate usage data, technical session information and information about [my] hardware device.”
Far more consumers would be outraged if each application or license agreement had to:
a) provide a detailed list of information collected and transmitted to the vendor
b) acknowledge each time that list of data changed
c) had to do this for each business they dealt with on a regular basis
> You consented when you ran their drivers to use the hardware
Is it mentioned in the privacy policy agreement? Or are you saying that any driver I install on my machine is equal to my consenting that the driver's author can collect whatever data they want?
Hence my comment on the privacy policy statement. I'm sure it's included with the tablet, or Wacom's lawyers are completely incompetent. Sending data necessary to the functioning of the device (ex: knowing what programs to support compatibility with) is generally allowed through Art 6 https://gdpr-info.eu/art-6-gdpr/, I'm not your lawyer though.
This, and not only that - i use my tablet instead of a mouse for everything, and I'm sure I'm not the only one, and there's a few annoying things about that which could potentially be fixed if Wacom realizes we do this. The pressure sensitivity gets in the way of a lot of things like selecting files in explorer for example. But yeah please ask for permission Wacom, even fucking Google does that when you are first setting up Android
IIRC Steam has a (yearly?) hardware survey which their users have the option to take part in, collecting information about parts in the computer and about connected peripheral devices, i.e. model names, no. of monitors, resolution, amount of RAM, ...
And Valve is very transparent about how that works -- the survey displays a detailed opt-in each time the user's data is collected, and the results of the survey are public (https://store.steampowered.com/hwsurvey).
Well, the collection part is transparent (so there is no privacy issue), but they don't disclose how and how often they select participants, or even how many participants there were for each survey.
Because for the data to be useful even for totally benign purposes, it probably can't be collected just once. For example, the biggest signal I would try to extract for product purposes is users who open an app, try using the pen, and then give up and continue using it with the mouse instead. You can't get that information by collecting information at install time.
Could you write a trigger in the driver to detect this, and only ask for consent then? Probably not, since that gives you only the numerator without a denominator.
Now, if they really aren't asking at all, that is shady. But asking just once rather than on every interaction seems basically mandatory to get the data needed for product development.
Some parts of the report are deliberately anonymized, too -- for example, if an executable is running from the user's home directory, that path is literally displayed as "/Users/USER/" rather than including the actual username.
AFAIK for example on Fedora this (ABRT) is opt in and only sends "thing crashed" if you opt in. You need to explicitly manually check and confirm a full crash dump before sending it, so really not anything being done without the user knowing, at least on Fedora.
There is a myth that if you are a paying customer then you are not a product. As we see, for more and more companies like Wacom, Microsoft or Apple you are a product no matter if you pay or not.
Have some self respect and vote with your wallet against such companies.
It's not true anyway, because of FOSS. There are also services that exist to provide a social good without a profit motive; that's why nonprofit designations exist.
That phrase has always seemed like an overly cynical take that normalizes antisocial/exploitive behavior by setting an expectation that free services should exploit the user in the first place.
Huions are pretty great. Very affordable and very high quality. I'm guessing the premium you pay for Wacom has more to do with the brand name than the actual product.
I'm not a professional artist though, so maybe Huions are bad for pro work. Idk, but I'm happy with my Huion.
I spent a few years with a Huion screen tablet (GT-19 series), but pressure sensitivity response was really bad compared to a Cintiq. However we are comparing a 400€ product to one that is about 3K€; second-hand it can trade for under 1K, and then it is a reasonable alternative.
With a Huion 1060+ the pressure response felt amazing; however, that was on Windows, I never got it to work under Linux. For a hobbyist it is a much better choice than the cheap Wacom (e.g. Bamboo line), because it is important to have a big drawing area, so that you can draw from your elbow and not from your wrist.
I only use Linux and indeed, drivers work OOtB and don't require you to sign any privacy policy. Although you don't have the fancy GUI that they have on Windows.
The Huion GT works OOtB with the Wacom drivers. For the 1060+, I tried all the out-of-tree drivers without any luck, but that was about 3 years ago.
I’m not sure if this counts as relevant competition, but I’m migrating away from my Wacom tablet to an iPad + Apple Pencil. As well as Procreate, an iPad can act as an external display for a Mac - and when connected, the Apple Pencil works as a stylus in macOS applications.
It’s way more expensive though - especially with the Apple Pencil. And macOS only.
If you're a product, then there is simply a bigger paying customer.
Companies are ever tending towards surveillance capitalism because the profit the marketplace for personal information provides them potentially far outweighs the profits of mere direct sales. Withdrawing your business from such a company will achieve very little so long as they still have some user data in the bank. Participating in surveillance capitalism provides a great competitive edge at first, but the race to the bottom makes it a necessary component of conducting business. If Wacom simply needs to sell customers' session data to stay afloat, a not-wacom that expressly refuses to do the same probably won't stay in business for long on just sales. They would need some other revenue source, in crowdfunding, venture capital, SaaS, advertisements, a corporate buyout, government or military contract, renting and franchising, anything. Save for crowdfunding, these kinds of alternate revenue sources serve to tap into the lion's share of currency consumers don't hold.
Incredibly unequal wealth distribution prevents money from functioning like a distributed democratic force.
I never thought I would want a "walled garden" on my desktop, but these shit software stacks that companies are integrating into their products are forcing me to want to fight back to lock down my machine.
I would love a simple utility that could not only neatly encapsulate and display the data being sent from my machine out on the network but also allow me to merely check a box to block that traffic.
A smart initial config of course would "allow list" the usual web traffic from my browser(s), mail traffic from my mail client, etc.
I don't want to mess with proxies, don't want to have to block ports using a command-line tool or by wading through my router config.
>I would love a simple utility that could not only neatly encapsulate and display the data being sent from my machine out on the network but also allow me to merely check a box to block that traffic.
Does Little Snitch not meet your needs there? I believe even with the challenges caused by Apple's unfortunate elimination of kernel extensions it's still powerful and effective. The GUI is solid and I've had solid success over many years with it for this sort of thing.
> Don’t assume you’re not being mined for data because you’re on Linux!
You make a good point that I'd not really considered. When I'm on Linux, I have a tendency to think I'm less likely to be tracked for stuff since mostly I just use the open source drivers.
I have a wacom tablet connected to my machine running Fedora and didn't install wacom drivers, it 'just worked' using whoever's amazing open source graphics tablet driver contributions.
But if I didn't know that, or I had to install Wacom's sneaky drivers anyway? If I had to use Little / Open Snitch either way to use a particular piece of hardware, the thought occurs to me (this may be OT) that I may just wander back to what I'm used to from the past: Windows.
Gravity pulls me to Windows because I'm familiar with its UX, I have lots of software I run on it, and it's less fragmented than desktop Linux.
But I am using Fedora here because it has a superior privacy stance, is not going to force me to update, is not going to violate my express preferences by willfully ignoring or un-setting my settings, and because fewer third-party drivers are required (provided I do the special Linux-friendly hardware dance).
I guess I'm trying to say one's personal computing choices are a constantly changing balance and your statement caused me to re-evaluate my balance there, so thank you for the thought provoking comment.
It doesn't take much of a walled garden to prevent mouse drivers from surreptitious network access. It only takes a capability based permission system.
We could go a bit further with MAC (Mandatory Access Control). Something like SELinux.
Properly understood, SELinux can provide rock-solid security. Of course, it's not a replacement for other security software, but it can prevent most sneaky leakages such as the one we have just seen in this post.
MacOS doesn't ship with SELinux, but I believe it has something similar.
Can it? (Genuine question). I understand SELinux can block processes from opening network sockets for example, but aren't drivers modules loaded into the kernel and not their own process, so you'd have to block the kernel from doing things or not? Or can SELinux go more granular than that?
When a proprietary/vendor-supplied out of tree driver includes analytics/telemetry/spyware, it's most likely going to be in a userspace component. Such drivers will almost always include at least a userspace configuration tool and often a userspace daemon.
I don't know if it's SELinux or the containerisation API, but such a mechanism is also in play with sandboxed Linux applications (Flatpak, Snap). On Ubuntu there are many apps you can disable a lot of permissions for because of the snappification of the OS.
Back in the Windows XP days my dad installed an Enterprise copy on the family PC. You could see per-application network access in real time, and it would ask for permission whenever an application tried to make an outgoing connection, unlike Windows Firewall, which seems to be extremely leaky.
I think you want the opposite of a walled garden (app store). I think you want a completely open garden, such as we have with a typical Linux distro.
A walled garden just changes the entities which can control your devices. It doesn't fix the problem of agency, trust, choice and consent.
My tablets can't have spyware, because the drivers are stock open source. The folks making the hardware aren't in control of the driver software that runs the device. I can trust the community that any attempts to do this nonsense in an open source driver will make the news. The track record against spyware in the linux kernel is spotless.
This kind of nonsense is only a problem with closed source software.
I still use it. Unfortunately, apps that don't respect the system proxy settings are common. (And now we have browsers that don't respect system DNS, but that's another rant...)
> we can also come up with scenarios that involve real harms. […] I personally use Google Analytics to track visitors to my website.
This was a well-written fun read, and I also both care about privacy a lot and have also used Google Analytics on a site too, but at the same time I’m a little bit floored how quickly his own use of GA was assumed benign while Wacom’s was assumed malicious. (Using GA is handing tracking data to Google, after all.) I don’t think the “it’s just a mouse” is a valid justification for this double standard. My browser is “just a viewer”; I’m getting tracked before I click on anything on your page. If we’re going to care about privacy deeply, I think we need to be a little more rigorous together.
This makes me wonder something as a developer - it’s not just tempting to have analytics and telemetry, it’s very, very valuable data if you care about the customer experience. And for companies that don’t do anything with this data other than improve the customer experience and fix crashes, this data is also valuable to the customers and users. So the big question here for developers is how can we collect usage data safely without compromising privacy? What data is safe to track, and what data is not safe to track? Personally I assume there are many kinds of seemingly innocuous data that could be misused. Even tracking mouse location can reveal things to an adversary. What can we do as developers to prevent customer experience from becoming adversarial? Is the only answer to not send any data? Or is there a technical way to establish and maintain trust between users and apps?
> So the big question here for developers is how can we collect usage data safely without compromising privacy?
Consent and control. Do not collect anything without obtaining the user’s active, voluntary, informed consent, and give the user the control to withdraw consent later. That’s really all there is to it.
Active: you don’t hide it in the TOS. You make consent an action that the user is requested to do.
Voluntary: to the user, the software should behave identically with or without user consent for data collection. Don’t make consent a condition of using the product or features.
Informed: the user knows what he is consenting to and can understand what data is in play. No simple “check this box to help us understand stuff LOL”.
> "it’s very, very valuable data if you care about the customer experience. [...] What can we do as developers to prevent customer experience from becoming adversarial?"
Pay money for the very very valuable data, instead of taking it and trying to hide behind legalese and finger-pointing and distraction and affront. If studying how people use your thing adds value to your company, run a usability lab where you pay people to study how they use your thing. Contact a company with a lot of users and arrange to give them discounts in exchange for data, agree up front what data will be shared and how it will be used. Offer discounts like Amazon's Kindle-with-ads is cheaper than Kindle. Make it opt-in with limited things you collect and what you do with it, and be trustworthy enough that people believe you only do that.
Microsoft PowerShell collects telemetry and it's opt-out, which is annoying for a shell/programming language. But there is a public help document about what is collected and how to opt-out[1] and the source code is on GitHub[2]. Even then I wouldn't be surprised if that was the proverbial straw which broke the camel's back. As developers keep abusing people's trust and taking liberties, something will be. It's a tragedy of the commons situation, why would you stop abusing the ~~environment~~ customer a little bit for a good reason when others are doing worse and they won't stop?
I would assume a primary internal use for this would be to test their driver against specific applications and to develop enhancements and improvements for them. The driver offers application specific mappings, so perhaps they want to know what applications are actually being used to better inform their efforts.
If the drivers are continuously updated with this information to provide an improved experience for the largest parts of their user base, then they are effectively paying back for the use of this data.
If that's as far as their use of this data goes, then what more do they directly owe you for the data?
"Pay money to get the data from the user" doesn't mean "pay money whether the user wants it or not, and take the data whether the user wants to or not". It means that the user has to engage in a voluntary transaction where he can decide whether the price he's paying is worth it or not. No price is "worth it" if the decision that the price is worth it is a one-sided decision that comes from the company.
Like the sibling comment, my reaction, and my intent when I said “valuable”, was referring to developer quality and customer experience value, not financial value -- assuming the data is not being sold for financial gain, and it is only used for development and UX. I personally loathe reducing all things to financial value on principle, because I think it cheapens relationships and reduces trust, and anyway the conversion rate is often wildly wrong. However, I also think you have a reasonable and valuable point, and maybe paying for the data really is how we make this work. It certainly would be okay in my book if there was a large financial penalty for companies found doing things with data that aren’t in the customer’s best interest and that they didn’t make clear from the start.
At this point I don't think there's a solution for this crap except regulation. Any PM of practically any product that has a software component is now expected to include revenue-generating spyware in the package; if she doesn't she gets fired. Regulation is the only solution.
And the fines need to be stiff, like $10,000 per incident per user. It's gotta hurt or companies won't stop doing it.
Is this what you believe happened with Wacom in this case? How could these tracking points be converted into revenue?
Personally I think this was a good case of "Any sufficiently advanced incompetence is indistinguishable from malice", but maybe my imagination is just insufficient.
It wouldn't surprise me a single bit if this is against the GDPR. Actually it would surprise me slightly if this is not against the GDPR.
Contrary to what many, both companies and individuals, seem to think, GDPR is not about cookie pop-ups but about regulating collection, storage and use of personal data.
Well the thing is, it’s really hard to define what “spyware” is from a legal sense. For example anti-malware software is highly invasive by definition.
It seems the real problem is consent… There should be a “nutrition facts” for software that is enforced at the OS level through an aggressive permissions model and backed by a privately run app stores subject to audit by government regulators.
If you're using a different driver it is your choice. Wacom does not advertise their support, but I bought one and I just had to plug it in to make it work. AFAIK, they pay developers to maintain the drivers.
At the least, the title should say it is a specific driver that has such problem.
This article was written more than a year ago and received significant attention at the time. I suspect Wacom may have made some changes since then—at least, I hope they did. I can’t be sure because the official drivers aren’t actually open source.
This article’s analysis took place on macOS. The drivers to which you linked are for Linux. It’s not unreasonable to assume that official closed-source drivers, especially when bundled with other software, might be more intrusive. For example, many Wacom tablets have buttons that can be remapped, but only if you install Wacom’s software.
Dismissing it as the user’s choice really isn’t fair. I’m not going to berate my mother for failing to use Linux, but that doesn’t mean she wants all her activity sent to Wacom.
I'm sure macOS supports hid devices out-of-the-box. Users should pressure Wacom to correctly support it. They do it correctly on linux, it is a shame users from other OS's are not treated as first-class citizens.
For OS X: Little Snitch. For Linux: Open Snitch.
The other option: Offline first, air-gapped.
There is no way that I run a computer without host-based application firewall.
I use Little Snitch, but find it a bit... intrusive. I find myself turning it off occasionally just to get work done.
For those of you who are in this same boat, there are Little Snitch config files you can download that come pre-loaded with lots of blocked hosts, so you don't have to do them on your own one-by-one, which is frustrating on a new system.
What I wish I could find is a Little Snitch list that only filters out tracking and profiling. I'm OK with seeing ads. I know the web sites have to make money. But I don't want to be tallied by some random social media company just because I visited a web site about artisanal brake clamps. Something that will allow ads.google.com, but not analytics.google.com. Or if they're the same, then dump the whole thing.
I recently bought a Wacom tablet, but didn't install any drivers except those
that are in the free-software repository of Void Linux, which I suppose don't
do this. I wish it were easier in general, though, to find out whether
hardware requires proprietary software to function. For example, I'd like to
get a document scanner, but, since I don't know of any model that can run on
free software, I just do without.
I have an MF645C (combined laser printer and scanner) from Canon and it works perfectly fine (over network) from my Fedora systems without the need to install any proprietary drivers, using the auto-discovery system over the network.
Other printers and scanners from Canon might work well too.
I don't understand why desktop operating systems still don't ship with mobile style sandboxing. It would be so darn useful to restrict applications from using filesystem, or have access to only certain folders, or restrict them from internet access.
I recently wanted to install a crypto currency wallet on my linux machine but I was terrified of the fact that every single software on my machine can access the whole of filesystem and can easily steal keys to the wallet. Eventually decided it's just not worth the constant worrying.
In this case it’s a kernel driver that interacts as an HID with every application. It also loads app-specific macros, so it needs to know WHAT app is running.
You have several options for that in the F/LOSS world: Linux containers, BSD jails, Qubes OS, or plain old VMs, etc. As with anything on these platforms you're free to pick your tool of choice.
On Windows there are also a few options, Sandboxie being the best one IME. It's open source now as well, though the quality and stability have taken a hit. And there's Windows Sandbox, which has been shipping since Windows 10.
I'm glad users can still make a choice on desktop OSs. As great as app isolation is on mobile devices, there's little from that ecosystem I would want on desktop. Even though OS manufacturers are desperately trying to merge the two...
The real problem here is that our OSes do not let us control the outgoing connections from software that we use. Device drivers should not have network access, unless they are drivers for network devices. The OS should enforce an allowlist for each application with the network names/protocols/ports it is allowed to use. Users should have control over this allow-list. The OS should require the user to review the allow-list before they can use a newly installed program.
Software must install and work properly even when the user restricts its network access. When software fails to do so, the OS maker should not sign the software or allow it to market itself as "OS-compatible".
We cannot depend on good intentions. Good quality of life requires accountability for all.
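The per-application egress allowlist proposed above, as an added illustration (not Wacom's, Little Snitch's or any OS's code): drivers for non-network devices get no network access, every other program gets an explicit host/port/protocol allowlist that the user must review before first use, and a tracker denylist lets a browser reach ads.google.com while analytics.google.com stays blocked. Process names, hosts and the firewall log lines are constructed for the example.

```python
"""Per-application egress allowlist, modelled on the policy described in the
comment above. Added illustration only; process names, hosts and log records
are constructed for the example."""
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class AppPolicy:
    name: str
    kind: str                      # "driver", "network-driver" or "app"
    reviewed: bool = False         # user has reviewed this allowlist
    allow: list = field(default_factory=list)   # ("host-glob", port|None, proto)


@dataclass
class Connection:
    process: str
    host: str
    port: int
    proto: str                     # "tcp" or "udp"


# Never reachable from any application, regardless of its own allowlist.
# Checked before the per-app list so ads can stay while analytics is dropped.
TRACKER_DENYLIST = ["analytics.google.com", "*.google-analytics.com"]


def host_matches(pattern, host):
    return fnmatch(host.lower(), pattern.lower())


def decide(policies, conn):
    """Return (verdict, reason) for one outgoing connection attempt."""
    policy = policies.get(conn.process)
    if policy is None:
        return ("block", "unknown program: no allowlist exists")
    if not policy.reviewed:
        return ("block", "allowlist not yet reviewed by user")
    if policy.kind == "driver":
        return ("block", "device driver for a non-network device")
    if policy.kind == "network-driver":
        return ("allow", "network device driver")
    for pat in TRACKER_DENYLIST:
        if host_matches(pat, conn.host):
            return ("block", f"tracker host matches {pat}")
    for pat, port, proto in policy.allow:
        if host_matches(pat, conn.host) and port in (None, conn.port) and proto == conn.proto:
            return ("allow", f"allowlist entry ({pat}, {port or '*'}, {proto})")
    return ("block", "no allowlist entry matches")


def default_policies():
    """A 'smart initial config': the browser and mail client get their usual
    traffic, the tablet driver gets nothing. Names are constructed."""
    web = [("*", 443, "tcp"), ("*", 80, "tcp")]
    mail = [("imap.example.com", 993, "tcp"), ("smtp.example.com", 587, "tcp")]
    return {p.name: p for p in [
        AppPolicy("Firefox", "app", reviewed=True, allow=web),
        AppPolicy("Mail", "app", reviewed=True, allow=mail),
        AppPolicy("TabletDriver", "driver", reviewed=True),
        AppPolicy("wifi-driver", "network-driver", reviewed=True),
        AppPolicy("NewlyInstalledApp", "app", reviewed=False, allow=web),
    ]}


def parse_log(lines):
    """Parse constructed firewall log lines shaped like
    'process=<name> dst=<host>:<port> proto=<tcp|udp>'."""
    conns = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split())
        host, port = fields["dst"].rsplit(":", 1)
        conns.append(Connection(fields["process"], host, int(port), fields["proto"]))
    return conns


def audit(policies, lines):
    """Evaluate every logged connection attempt against the policy set."""
    return [(c.process, c.host, *decide(policies, c)) for c in parse_log(lines)]


SAMPLE_LOG = [  # constructed connection attempts
    "process=Firefox dst=news.ycombinator.com:443 proto=tcp",
    "process=Firefox dst=ads.google.com:443 proto=tcp",
    "process=Firefox dst=analytics.google.com:443 proto=tcp",
    "process=TabletDriver dst=www.google-analytics.com:443 proto=tcp",
    "process=Mail dst=imap.example.com:993 proto=tcp",
    "process=Mail dst=imap.example.com:143 proto=tcp",
    "process=NewlyInstalledApp dst=example.org:443 proto=tcp",
    "process=wifi-driver dst=192.0.2.1:67 proto=udp",
]

if __name__ == "__main__":
    for process, host, verdict, reason in audit(default_policies(), SAMPLE_LOG):
        print(f"{verdict:5} {process:18} {host:28} {reason}")
```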
… which is perfectly acceptable because there are customer facing features enabled with this account. Which is shared in the marketing for said mice. And then there are mice which don’t require accounts.
And technically, the mice do NOT require you to create an account.
It is only acceptable as an opt-in. Companies right and left try to collect as much data as possible, to a large extent not feature-driven but marketing/sales-driven, because having the user's email account, country, language etc. opens a sales channel. Oculus' Facebook account requirement is the most prominent example, but I also remember buying a GoPro Hero Black ~2016 that required the companion app to create a GoPro account just so you could change the settings of the camera (some of which were not changeable through the on-camera buttons).
I think in future we have to have a law that every app has to have the option to show you everything it sends in a cleartext logfile if you want. It can't be that we just have to trust every company in good faith.
I strongly believe this sort of behaviour comes from companies who for some reason think they need their products to have some sort of "experience", usually the ideas of marketing people.
I remember many years ago buying an unbranded tablet from Alibaba -- direct from an OEM -- for a fraction of the cost of a Wacom, and it didn't even need drivers to start functioning. What drivers did come with it on the CD were minimal, unsigned (very common at the time, along with the instructions to click past the warning when installing) and surprisingly even had source code. The configuration utility wasn't a bloated abomination and didn't add itself to autorun on startup.
In other words, it felt like a humble servant ready to work for you, rather than attempting to coerce you into its "experience". It probably wasn't as responsive or featureful as a Wacom, but worked decently for the cost.
The Wacom data collection program is OPTIONAL. Mr. Heaton buries this in his rant in the second to last paragraph.
Any professional digital artist (especially 3D) will tell you they use multiple pieces of software and that many benefit from having the tablet buttons assigned differently to facilitate efficiency as an artist. This is (probably) why Wacom products track the software you're using.
Finally,
"Being a mostly-normal person I never usually read privacy policies."
- Robert Heaton
Sure, blame Wacom for your impatience, Mr. Heaton.
> The Wacom data collection program is OPTIONAL. Mr. Heaton buries this in his rant in the second to last paragraph.
I don't see that in the second to last paragraph, and the word "optional" doesn't seem to appear anywhere.
The driver being aware of which software is active makes sense and is legitimate. The driver sending that information to others is unnecessary and illegitimate (since explicit consent was not given).
I assume it's because the Wacom has some value-adds for specific software, like custom software-specific hot buttons, erase functionality, the zoom circle, etc. and they want to know which applications users are using with the Wacom.
But the fact that there's a legitimate customer-oriented explanation doesn't make this okay.
I mean, if I added an always-on internet connected forward-facing camera and mic to a washer and dryer, I don't think we'd accept "to help you debug issues" as a good answer.
Considering Wacom feels justified in collecting whatever they want without disclosing it, I think it's safe to assume that, yes, you would be compromised. It's better to be safe than sorry.
Not enough data presented in the article to say. All it included was foreground app changes, so based on that you'd just get Terminal opening log messages.
I have depressingly started to believe (accept?) that everything I use tracks the name of everything else that I use.
Agreeing with the author’s conclusion:
>“This isn’t the dataset that’s going to complete the embrace of full, totalitarian surveillance capitalism. Nonetheless, it’s still deeply obnoxious. A device that is essentially a mouse has no legitimate reasons to make HTTP requests of any sort.”
Also, I always disable those “experience programs,” like Nvidia’s. They just give off data collection vibes:
>“If you too have a Wacom tablet (presumably this tracking is enabled for all of their models), open up the “Wacom Desktop Center” and click around until you find a way to disable the “Wacom Experience Program”.”
Start voting with your wallet. I think this is specific to Wacom tablets, but there are many vendors that provide Wacom hardware without their specific OS. I wonder if there is a good open source ROM for drawing tablets?
Wacom tablets are special-purpose input devices, like Kensington trackballs or the 3Dconnexion SpaceMouse. What is needed is an open source Windows driver.
Possible common choices for pen technologies are {Wacom EMR, Wacom AES, Microsoft Pen Protocol (formerly N-trig), Synaptics (unnamed?), Apple Pencil}. Apple Pencil and AES/MPP are well received on the lower end as well as for non-graphic purposes (especially note taking, where EMR is near unusable), so wallet voting can happen in markets for those, but nothing has replaced Wacom EMR in professional spaces if I understand right. That's why the company gets to keep a pathetic 32", 4K, non-HDR, 310 nits, 1000:1 contrast, 98% Adobe RGB display for 4 grand as their absolute flagship product. The Apple Pro Display XDR has the same size of 32", but is 6K XDR (HDR), with up to 1000 nits brightness, has 1mil:1 contrast, has P3 wide color support, for 5 grand.
Also I think it's worth considering how or where Wacom got this idea. As the Wacom EMR pen market used to be a very stagnant space with zero competition until it was incorporated into the 1st- and 2nd-gen Surface, only to be replaced by N-trig on the Surface 3 onwards, I think it could be argued that it was that influx of capital that caused them to realize they could "modernize" this way.
Wacom is the best, in general. Huion gets 90% there for half or less of the price. They favor a different pressure curve that likely works well enough for most people while, I'm sure, saving on nibs and/or whatever's in the pen. The digitizer itself is equally or more accurate in positioning.
While some people take an understandable but cynical view due to the close ties between most Chinese companies and the government, that's exactly why I don't worry. Any whiff of spying would be a diplomatic hazard.
Think of the ruckus when Bloomberg accused Supermicro of installing spy chips for the Chinese government.
Now imagine actual, confirmable spying. This would be the end to a huge part of Huion's business in markets it's worked hard to build a good reputation in for access to people who likely don't deal much in the kind of information a government wants to steal.
I think it's slightly worse because I seriously doubt the majority of users are simply unaware of something needing to be cared about. So they aren't just dubiously doing something, they are doing it knowing that most people won't know it is being done.
I block google analytics at the DNS level so I guess I'm safe? It's good that they don't send the tracking data to the same domain that sends driver updates.
> Some applications, like web browsers, co-operate very well with proxies. They allow users to explicitly specify a proxy for them to send their traffic through. However, other applications (including the Wacom tablet drivers) provide no such conveniences. Instead, they require some special treatment.
You may be able to tweak your /etc/hosts to direct traffic to a machine you control, just look out for certificate issues.
I once tried using my wife's Wacom tablet on my office Mac. It kept prompting me to allow it to record keystrokes from all applications. Naturally I didn't allow it. It didn't work, but then the spyware was quite difficult and hard to remove. I was shocked.
That is a bummer since I like their tablets for drawing. But I cannot in good conscience support such practices. If they ask the user, fine. But this is certainly the worst form of spyware, even if it is only used for "legitimate" purposes.
There's a reason that Wacom tracks what application is running - it can change the functionality of the pad based on the program in the foreground. They probably want the information so they know what programs are most popular with their customers. That doesn't make it right, but it's part of the reason.
Last week I set up my tablet on my new laptop. As part of installing its drivers I was asked to accept Wacom’s privacy policy.
And this is where I stopped. You're doing it wrong. Drivers belong to the kernel. You should not have to manually install it. You should pressure the vendor to correctly support their devices.
I have a Wacom device, tried it in different recent distros, different computers and never needed to manually install a driver.
God I'm so sick of these holier than thou Richard Stallman level unrealistic dismissals. This take isn't brilliant - we all, at all times, know that we have the option to not ____ if we so choose. Not unlike how people say things like "well I would just choose not to work at ____". That we often choose otherwise means we can't but.
>You should pressure the vendor to correctly support their devices.
Cool like by means of a blogpost that makes it to the top of hn that details how annoying the vendor's process is?
I'm sick of those that proselytize electric cars, since not everyone has the option.
I'm sick of those that proselytize walking/biking to work, since not everyone has the option.
I'm sick of those that proselytize recycling, since not everyone has the option.
I'm sick of those that proselytize philanthropy, since not everyone has the option.
I'm the first one who thinks these small sacrifices are probably not worth it since the sacrifice is usually way too much (handicapping yourself significantly) and the benefits practically negligible (i.e. small droplet in the ocean and all that). Much better to spend your efforts on political campaigns rather than this type of small-time stuff which yes, is mostly just for the show.
But what I'm sick of is the people who not only refuse to just bow down and shut up when presented with people that do make the sacrifice, but are instead outright hostile to them.
It is possible to promote better alternatives without being smug or taking a holier-than-thou attitude. But you're not going to convince anyone to switch with a comment that presumes your alternative is already the default and that everyone will know what you're talking about, rather than actually name and explain the alternative.
I want to make it clear that "taking a holier-than-thou attitude" was never my intention. I wanted to highlight the fact that the title is wrong, and it indeed is, and that users' complacency with abuse from the vendors does not help.
You really weren't trying to communicate clearly. Repeatedly referring to "a different driver" or "a specific driver" when you meant "the driver for a different operating system", and writing comments that presume (but only implicitly) a Linux context when the original blog post is analyzing the macOS driver is less than helpful. You also seemed to be going out of your way to avoid mentioning other operating systems by name.
Everything you've said in this thread could have been more clearly and helpfully condensed to "the Linux driver doesn't include this behavior, and probably never could because it's open-source and upstreamed to the kernel".
> >And this is where I stopped
>
> God I'm so sick of these holier than thou Richard Stallman level unrealistic dismissals.
I understand your position, but they correctly support their device on linux, I'm sure they can do it on other OS's.
> >You should pressure the vendor to correctly support their devices.
>
> Cool like by means of a blogpost that makes it to the top of hn that details how annoying the vendor's process is?
I think this is a good step. But people not buying it and pressuring the vendor to correctly support the device is not mutually exclusive.
We must consider that it is lack of knowledge and complacency from users that incentivizes vendors to act in such an abusive way.
Sorry to sound stallman-like. I just wanted to raise attention to an important point that is mostly ignored.
If you're so sick of those comments then what are you doing here, with your 50 day old account telling people off that have been here for many years?
This community has been a bit sharper than most when it comes to the kind of side-effects that seem to be part and parcel of the tech world and if that's not to your liking it confuses me why you would join.
- https://news.ycombinator.com/item?id=22247292 (this article, earlier thread)
- https://news.ycombinator.com/item?id=22803484 (comment by the author of the article)
- https://news.ycombinator.com/item?id=22512696
- https://news.ycombinator.com/item?id=27963867