Worrying privacy implications of "cloud" features, can we disable them?

I see that V3 has a bunch of fancy new cloud-based features like how frequently an application shows up among GlassWire users and what amount of traffic it usually uses. However, I would prefer not to share that information, in particular I am concerned about sending the names of executables which I use on my PC to a remote server. I totally get the value in the service, and it would surely be useful sometimes, but I am perfectly happy with not having access to it to not transmit that data. Right now it seems to be possible to disable all the cloud stuff for people like me with an “ancient” perpetual key-based license by just not signing in, but then I am nagged to sign in, which only offers me the option to click “Remind me later” (which I don’t want to be!).

For now I have downgraded back to the latest 2.3 version until there is some more clarity on how all this new cloud stuff will work.

Edit: Seems like the privacy policy might be missing something:

Traffic Data information: We collect counters of traffic data generated by each software application running on your endpoint and the destination / origin IP address such traffic goes to/comes from. For the avoidance of doubt, GlassWire does NOT inspect the data packets going through an endpoint, it just records the quantity of traffic and the IP destination of such traffic to/from the endpoint, in order to make a Subscriber and/or an end user aware of any abnormal or unwanted data patterns occurring on GlassWire monitored machines.

How are executable/process names processed? Are any measures in place that would prevent building a usage profile? Are just exectuable names or also checksums sent?

GlassWire partners and third party developers: We may share deidentified data for research, statistical, and business purposes.

So theoretically our application usage could be sold as a “deidentified” profile of commonly used together applications?

Edit 2: I just realized… the privacy policy specifically says that destination IP is recorded, with the process name also recorded, this could allow for discovery things like SSH servers (ssh.exe connects to X.X.X.X). GlassWire also records local traffic, so this could reveal the location of internal resources to outside parties (yeah, I know security through obscurity is bad, etc. but it still shouldn’t happen!).

I am not very happy with the implications of this new feature, please let us at least turn it off!

Edit 3: Reworded first edit for clarity.

@Thinking The cloud features, which are an integral of version 3, are meant to allow the following:

1. the ability of a user to access information of an endpoint regardless of where they are sitting. Whether you are an IT manager or a Chief Home Officer, you will soon have the ability to oversee a number of endpoints, potentially geographically dispersed, under the new management console where more feature will soon be added.

2. the ability to crowdsource what is “normal” behaviour by comparing yourself with the average glasswire user. This is important to the many people who in the past have complained they couldn’t give meaning to the information they were seeing on their desktop application (is this quantity of traffic too much? is it normal that this application is even running on my pc. Is it normal that my computer in the US is talking to an IP address in Chiina, etc.)

There is certainly a fine balance between being able to enjoy new functionality and the need of privacy and that balance is different for different users. We strive at maximizing user convenience while respecting their privacy. We don’t do any user profiling and just process the information users provide us with solely to give back to the userbase. For any existing paying user who is uncomfortable with this, they should stick to the V2 version of the software which has no cloud connectivity and is absolutely unchanged to what it was. As per your Edit 2 comment, we can certainly give users the option of not contributing internal LAN traffic to their centralized account, many thanks for the suggestion.

we can certainly give users the option of not contributing internal LAN traffic to their centralized account, many thanks for the suggestion.

I was more hoping for an option to disable the contribution of traffic entirely, obviously associated with not being able to see the contributed data of other users either.

Not being able to disable this feature is a dealbreaker for me at the moment.

I am afraid the connection to the cloud is embedded in the V3 architecture and therefore it is not possible to completely disable cloud contribution (for things like endpoint management etc). Having said that, we can certainly look at providing more granularity / options to paid users of what data they want to (or do not want to) contribute as we continue to develop the product. This week release was a very significant one from an infrastructure upgrade perspective but most changes were to building blocks in the background - most of them are invisible / cannot be appreciated by the user.

We are still at 1% of the functionality we would like to deliver with this V3, so you will have to bear with us and have a little patience. In the meantime, feel free to keep using V2 which may better suit your needs at the current juncture. And feel free to provide any (possibly constructive) feeback or suggestion as it’s very useful.

Based on the above revelations, I believe that I will stick with v2.x.xxx perpetually.

This is as anti-privacy as you can get. Looks like 3.0 is a covert spy operation to sell user data and gather ad revenue, wise choice

I respect the paranoia, but we are a real company with real people, based in the United States. We abide to privacy laws in over one hundred countries, we certainly do not sell user data and we are definitely not, nor we’ll ever be, in the Ads business. Millions of companies out there, including cyber security companies, are migrating to a cloud infrastructure, which is necessary in order to bring new functionality to our userbase. It’s called Digital Transformation and it’s part of living in the 21st century. We appreciate and respect it might not fit all users, which is why we are giving legacy users a choice to stick to the previous version or upgrade for free. I am not sure where is the link between this and running a covert spy operation.

I think I’ll hold off on calling GW 3.0 a spy operation for the time being , but I do get the frustration of some users, coming from someone who has been using GlassWire since version 1, it does feel in a way like 3.0 has become “what it swore to destroy”. A big reason for using GlassWire has always been to keep control of the data which programs are sending out, seeing the extent of which when I first started using GlassWire made me that long time customer. It does feel sort of upside down that now GlassWire is the one that’s being all connected and sharing telemetry in the cloud, without the ability to properly turn it off. The closest before was the VirusTotal integration, but that always had two stages of opt-in.

Paranoia or not, Glasswire policy says they record my MAC address, location and ALL the traffic metadata, ie. where from, where to, how much.

And there is no option to disable the reporting of it, it’s being reported even if I do not create online account?

That is a privacy nightmare, which was proven hundreds of times.
The metadata that GW is now collecting can be weaponised. (see the abortion drama in US)

The idea of firewall (which GW ships with) is to BLOCK traffic, not to report and collect traffic to someone else. I understand that Adminstrators might want to see those reports but any Administrator or Company would not want to share it with anyone either. That comes for more aware personal users as well!

At least, the feature should be limited to online accounts only and the collected information should be anonymised (not tied to any identifiable user data like MAC address).

Upgraded to v3, read this thread and immediately reverted to v2. The new strategy completely undermines the point and original ethos of the product.

Had to get the v2 installer from a (trustworthy) third-party site as I couldn’t find it on GlassWire’s site.

Last v2 update is still available here: https://download.glasswire.com/GlassWireSetup.exe?v=2.3.449

Thanks. Would be nice if such links were provided on the change log.

@SHADOW13 The privacy policy has been prepared in advance of several features we would like to introduce in the future and is quite encompassing. As of today, we do not actually collect your MAC address. If you don’t make a cloud account, we have no way of knowing (either directly or indirectly) who you are or how to identify you.

For those who have made a cloud account, whatever data is provided is linked to their account so that eventually they can view it on their management dashboard either singularly or in aggregated format across their endpoins. A registered user can always request to cancel their data along with their account if so they wish.

As already anticipated, it is in the roadmap to give more clarity and control to paying users of which data is being sent out, via the account settings tab of the glasswire application.

So if you are not paying then you become the product?

GW privacy policy states that you are collecting MAC address:

Information That We Collect during the provision of our services:

Geo-location data: we may collect information such as zip code, area code, referrer URL, approximate location, and the time zone where our products and services are installed to provide our services and to assist you in case of troubleshooting.

Technical information from your devices: we collect technical and diagnostic information about the devices on which the GlassWire App runs. For instance, we automatically collect the MAC address of your endpoint, its up and down status, operating system version, unique device identifiers and an inventory of the software running in it.

Sending the information should be not opt-in without opt-out.
You can have a question in the installer whether to opt-in or not.
The data should NOT be sent out of applications running without an account or at least a toggle to change whether the user wants to enable cloud functions or not.

You can’t block control of own data behind the paywall either, that would be against GDPR

@ittroll If you are not paying your anonymized data will be contributing to the community and help improve everybody’s knowledge. I am personally a big believer of crowdsourcing to improve the community’s knowledge. So the choice are 1) Stay on the free plan, enjoy the product and help build and enrichen the community 2) become a paying user, enjoy all the premium features to suit your specific needs and help the company be financially viable. I can confirm that Option 3) which is take all the value of the product for yoursefl and give nothing back is not an option.

It does need to be upfront about what it is doing though. I am a paying customer and upgraded from v2 to v3. There was no warning during the upgrade of the change from “never collect” to “always collect”.

As I understand it, even paying customers don’t have an opt out option yet.

Fair enough. As I mentioned elsewhere, we are introducing more controls on data sharing. Should be a matter of weeks, so bear with us. If it’s a blocking issue you may want to stay on V2 for the time being.

The FAQ still says:

Please note your graph data never leaves your PC, and we at GlassWire cannot ever access that data since it’s only stored locally on your own PC or server.

As mentioned above, the privacy policy is also outdated:

Traffic Data information: We collect counters of traffic data generated by each software application running on your endpoint and the destination / origin IP address such traffic goes to/comes from. For the avoidance of doubt, GlassWire does NOT inspect the data packets going through an endpoint, it just records the quantity of traffic and the IP destination of such traffic to/from the endpoint, in order to make a Subscriber and/or an end user aware of any abnormal or unwanted data patterns occurring on GlassWire monitored machines.

No mention of the feature that reports how common certain applications are, would be good to know how this data is collected. What is it sending? Application name, version, checksum?

Edit: V3 release feels kinda rushed, but it looks like SecureMix is open to adding more privacy controls:

I’m not gonna celebrate until I see it actually implemented, but hopefully we can move on from this controversy and look forward to GlassWire picking up steam with new features.