Tag Archives: application

A simple explanation of the wacom data scandal

To call this a scandal would be an overstatement, its embarrassing for wacom but it simply sounds worse than it is.  The origin of this story begins here https://robertheaton.com/2020/02/05/wacom-drawing-tablets-track-name-of-every-application-you-open/ 

Its a pretty involved story that seems to be about 50% explaining literally every step involved in the process of proving the nature of the exfiltration. (exfiltration is the opposite of infiltration, means to sneak something out rather than in), so ill try to explain this in a reasonably simple and concise manner.

Here it is; wacom collects a list of the headers of programs, their “names” if you will, that you open during periods of activity on your tablet. They read just the names of programs you open or click on right after or during periods you use your tablet.

The text in the header is what they will see. Just its name though.

Wacoms goal in this is to quietly add support for any and all software that a lot of its customers appear to be using, it takes the names of the software, and uploads it to their private database, thats it. Ill elaborate a bit later on why this is so important for wacom though.

The problem this creates; the implications are minor however, depending on your stance on privacy you might have a problem with it, personally i couldnt give less of a shit, sure, occasionally they will see other software i exit paint tool sai, paint or photoshop from but all they see is the names and a timestamp. The risk is that a wacom employee with clearance, which no employee should really have (since the point is only to count programs used A LOT by everyone), can see an individuals program habits and exploit this in a really complex and obscure way. After a ridiculous amount of effort that would leave a huge digital papertrail (meaning doing illegal stuff with this would easily lead to termination of employment or otherwise being caught), at best a would-be hacker/criminal could send you some phishing emails or a virus (you probably will not download or your AV will block) that exploits one of the programs it sees you using, the risk/return of such an attack is too high for too little in an obscure way.

what to take from this; this was a huge dick move by wacom, the information they take is handled poorly and collected aggressively, because it poses an extremely low threat to end users they proportioned their level of care accordingly. It changes nothing though. Off the top of my head, wacom could instead not use google for this service, and just directly download the analytical data, what this means is decimating the potential for abuse of the data. All methods of abuse involve using the google data profile to match a tablet user with an online identity, remove this and the problems vanish.

why would they do this?
Its simple, ask yourself, why does anyone bother using wacom products? They are the best out there! But why are they so much better than the limited competition? Because they natively have the widest support for software. I think you see where im getting with this. Wacom collects the names of the software people often use its tablets with so they can properly direct their driver development efforts where its needed most, as well as catching onto new software. Its odd isnt it that niche or obscure new software seems to pop up and natively support advanced pen functions right? Wacom actively tracks what software is used, other tablet makers however simply focus on basic support while emphasizing use on the giants like photoshop and clip studio paint. Others dont bother at all and just rely on windows drivers for compatibility.

Wacom does this to control a monopoly on the pen tablet and display market so they can continue to charge their obscene high prices for their products. Its a niche market as it is, wacom doesnt really make a huge amount of profit even though their prices are so high, so its extremely hard for anyone to butt in on their turf, and this is how they maintain control.

 

So, in conclusion, your private data is safe, basic common sense level web security awareness will trump anyone who gets their hands on your data, and wacom should be embarrassed and fix this poor exploitable handling of your data, as a matter of respect not security, there are better ways to do it that anonymize its users. As Robert Heaton says, in spite of everything “this is essentially just a mouse”.

 

And on a parting note, you can pretty easily block wacom services from connecting to the internet via your firewall, i recommend the free program “tinywall” it will block everything you dont approve of explicitly including windows services that some programs use to sneak analytic data from, you can temporarily enable it to check for driver updates, or simply just make a point to check wacoms site for driver updates to download manually if you permablock it from your windows firewall instead.