Worrying privacy implications of "cloud" features, can we disable them?

GW privacy policy states that you are collecting MAC address:

Information That We Collect during the provision of our services:

Geo-location data: we may collect information such as zip code, area code, referrer URL, approximate location, and the time zone where our products and services are installed to provide our services and to assist you in case of troubleshooting.

Technical information from your devices: we collect technical and diagnostic information about the devices on which the GlassWire App runs. For instance, we automatically collect the MAC address of your endpoint, its up and down status, operating system version, unique device identifiers and an inventory of the software running in it.

Sending the information should be not opt-in without opt-out.
You can have a question in the installer whether to opt-in or not.
The data should NOT be sent out of applications running without an account or at least a toggle to change whether the user wants to enable cloud functions or not.

You can’t block control of own data behind the paywall either, that would be against GDPR

1 Like

@ittroll If you are not paying your anonymized data will be contributing to the community and help improve everybody’s knowledge. I am personally a big believer of crowdsourcing to improve the community’s knowledge. So the choice are 1) Stay on the free plan, enjoy the product and help build and enrichen the community 2) become a paying user, enjoy all the premium features to suit your specific needs and help the company be financially viable. I can confirm that Option 3) which is take all the value of the product for yoursefl and give nothing back is not an option.

2 Likes

It does need to be upfront about what it is doing though. I am a paying customer and upgraded from v2 to v3. There was no warning during the upgrade of the change from “never collect” to “always collect”.

As I understand it, even paying customers don’t have an opt out option yet.

Fair enough. As I mentioned elsewhere, we are introducing more controls on data sharing. Should be a matter of weeks, so bear with us. If it’s a blocking issue you may want to stay on V2 for the time being.

3 Likes

The FAQ still says:

Please note your graph data never leaves your PC, and we at GlassWire cannot ever access that data since it’s only stored locally on your own PC or server.

As mentioned above, the privacy policy is also outdated:

Traffic Data information: We collect counters of traffic data generated by each software application running on your endpoint and the destination / origin IP address such traffic goes to/comes from. For the avoidance of doubt, GlassWire does NOT inspect the data packets going through an endpoint, it just records the quantity of traffic and the IP destination of such traffic to/from the endpoint, in order to make a Subscriber and/or an end user aware of any abnormal or unwanted data patterns occurring on GlassWire monitored machines.

No mention of the feature that reports how common certain applications are, would be good to know how this data is collected. What is it sending? Application name, version, checksum?

Edit: V3 release feels kinda rushed, but it looks like SecureMix is open to adding more privacy controls:

I’m not gonna celebrate until I see it actually implemented, but hopefully we can move on from this controversy and look forward to GlassWire picking up steam with new features.

2 Likes

Not having these ready for the launch does seem to be a massive misstep. An IT infrastructure monitoring company should know better how sensitive corporate CISO is to this sort of thing.

3 Likes

I will revert to v2 as well I concur with the privacy issues as well.

5 Likes

@domenico Do you guys not have a security team? The fact that this even got past design phase is EXTREMELY worrying. No (none, zero, nada) competent security engineers would have ever greenlit something like this. What the hell is even going on at GlassWire? I’m pretty sure this isn’t GDPR compliant either. What will happen if a customer complains and your company gets audited for storing extremely sensitive user data in the cloud without consent or deletion controls?

2 Likes

Sending processes, IPs, data sharing etc. is just too much for me, I guess that it’s fine if you collect off free users to build databases but let us paid users to turn off those cloud stuff and add wherever you can offline databases for the features and updated at each glasswire update like geoip, thanks. Also kinda worrying that they said that it cant be disabled because it is a part of v3 which is obviously false as v3 work just fine on offline PCs but i see that they said they may add an option to fully disable it, good

edit after checking everything it look like since they partnered with or have been bought by domotoz (on opencorporates it say that domotoz co-founder is now glasswire manager/director) the privacy policy page of glasswire changed a lot in november

2 Likes

paid user since 2016, currently “elite”

Extremely disappointed in the direction that’s been taken. Glasswire is meant to be a privacy tool, it’s particularly galling I’ve paid for a product which is now actively aiming to upload my data. The incessant nagging to login is an irritant too.

I hope the next release provides reassurances around privacy/opt-outs - it’ll be a shame to go back to pre-glasswire options, but a privacy tool uploading data without permission is a hard red line for me.

5 Likes

@Jar_Jar Thanks for your thorough legal analysis. Despite you being “pretty sure” of the contrary, we are indeed fully compliant with GDPR. User permissioning is granted at account creation and we don’t enable any cloud based features without such permissioning. That is the reason why account creation is currently mandatory for any new user. Existing users can avoid sharing any data, even on V3, by not creating an account and using their existing license keys. As far as security goes, our larger business is SOC2 type I and type II compliant which is no small feat because of its stringent requirements. And we are in fact periodically audited by external security experts to maintain such certification. Having said all this, this is pretty much a pointless conversation and a waste of a forum post. As already indicated numerous times, we are releasing before then end of the week an updated version which grants all users with an account more controls over the cloud features they wish to use rather than the current all or none approach. We are going further than that in a second version scheduled to come out in January, where we will make account creation (and the related usage of cloud based features) entirely optional to all users, not just paid ones.

1 Like

Hello GW Team, Att Katie_GlassWire - domenico

After reviewing some of the changes from GW Version 2 to Version 3 here are some of my worrying concerns with some red flags from this security application.

First version 3.0.474 was nagging us to sign up for an account.
Then came along Version 3.0.476 No nagging on first install but now the only option is to sign-up for an account which some do not want or need. This is a forced option (Not Happy) or yes, one can enter the old legacy license key to by-pass that.

I can say I am not keen at all on the data telemetry collected. With an online account and logged in, it collects your computer name, how long you are signed into your computer, IP addresses etc. … screenshots below. All this when you might only want to use the free version and not sign up for an account.

Endpoints PC Name & Uptime

If you are a paid user and the features again gathering this data collection. “GW score” There would be some back end server with all this data harvested from GW user’s apps etc. I know it is an option but as a security app that is a worry for me, with a red flag waving.

As you can see, I am not the only one, and other users have mentioned some of this. Going forward it might be good to rethink some of the changes that have been implemented. For me by far version 2 is the choice and with a much safer option.

Maybe you could run a poll in the forum asking users what they might want or not, or like to have in this software.

Remember without users, GW will not exist.

This is some of my thoughts and more to come I would say.

Thank you GW Team, i know you are trying to improve this software.

Hi @GlassWare,

I’m not sure if you were able to read Domenicos latest post as it looks like you posted at the same time.

As confirmed in his post, we are in process of building a version with no account creation needed - so the same as v2.

We are also adding a feature which will allow users to opt out of any data processing. This will be release within the next few days.

Thanks,
Katie

4 Likes

Hi Katie_GlassWire

Thank you for the reply, I did not see Domenicos latest post.
There is a lot going on in these posts.
All i knew was, that when Version 3.0.476 was released after some of my concerns. I thought this is what we are now presented with.
I Will be looking forward to reviewing, and testing out the new releases that should address some of these issues.
Thank you…

1 Like

@domenico Your last post is incredibly confident regarding your compliance to regulation and whatnot, maybe even borderline arrogant. Fine, may it as it be, but the product development we’re currently experiencing from Glasswire is erratic at best. It feels like you’re trying to convert Glasswire into an EDR or at least some kind of “serious” enterprise-/business-ready security solution - which is, again, fine but probably not what most people signed up for.

If you intend to become a unicorn and be bought by some tech giants, again, seriously, fine. But changing the scope of the tool, including imposing cloud use on people, subscription policies, and account-creation to use the tool without being annoyed by it, seems like a less-then-well-thought-out idea. Or maybe some PowerPoint-decision made by committee.

Speaking for myself, after reading your data protection agreement, weighing the pros and cons of the changes in the software, and also experiencing the weird communication from the company (setting deadlines and then postponing them in other threats, borderline aggressive communication in posts, calling data privacy concerns “paranoia”, etc.) I have come to the conclusion that I’ll just throw away the rest of my elite subscription and be done.

I have no idea what kind of enterprise, security, and software architecture you’re applying or how you intend to run the business, but I’d definitely recommend setting up some communication and community guidelines - in 2022 there is enough evidence out there that firing at your community might not be as rewarding as you expect it to be. Good luck, though.

2 Likes

Hi Katie_GlassWire

Just asking after your comment 10 days ago, and now Version 3.0.482
is out, but still wants an account created on a new install, unless you have a license code.

" we are in process of building a version with no account creation needed - so the same as v2."
I guess this is not the version you are talking about?
Thank you…

Hi @GlassWare,

We released version 3.0.482 which has the new “Permissions” feature. This allows users to enable/disable data processing.

Removing the mandatory log in is still in process.

Best,
Katie

There is a separate post reporting that even with data processing disabled (permission not given) the new version is “phoning home” with outgoing connections.

Trust is a very important attribute for a security product. Hard won and easily lost.

What do these connections look like? I am still on v2.3.449 for the time being

image

Here is how it looks for me (host detection is bad here, can be either activate. or update.), happens maybe a couple times per day.