Home → Stable →

MacGPG: GPG sends analytics data to analytics.paddle.com without consent

• Edit

Gerd Naschenweng

25 Sep, 2018 01:56 PM

Subject refers. As an encryption suite I do not expect that I have no option of opt-out or data-transparency. I am not sure if this is compliant under GDPR, but it feels underhanded / wrong to sent usage-information to a billing provider.

I get, that paddle.com is used for managing subscriptions, but there is no insight what information is sent.

Expected
No analytics data to be sent

macOS                   10.14       18A389
GPG Suite               2018.4      2310    (bc31914)
GPG Mail                3.0         1328    (82e5a048)  29 trial days remaining
GPG Keychain            1.4.5       1496    (25530e6)
GPG Services            1.11.5      1033    (86cb937)
MacGPG                  2.2.10      921     (b487092)
GPG Suite Preferences   2.1.3       1057    (966febd)
Libmacgpg               0.8.6       885     (35a18be)
pinentry                0.9.7.1     9       (db18340)

1. 1 Posted by gerd.naschenwen... on 25 Sep, 2018 01:58 PM

   

   Screenshot here: https://twitter.com/gerdnaschenweng/status/1044584572573216768

   • Edit

2. Support Staff 2 Posted by Luke Le on 25 Sep, 2018 02:43 PM

   

   Hi Gerd,

   we will add additional information about this to our FAQ.
   Paddle does provide analytics but not without prior consent, and we explicitly do not enable that feature. Unfortunately paddle uses the same IPs for all their services, so even though we are connecting to their API endpoint for activation code validation, little snitch resolves the domain to analytics.paddle.com since both endpoints listen to the same IP address.

   We also don't use their capability to perform periodic remote validation since we don't want to share more information than absolutely necessary with them.

   I hope this information helps.

   • Edit

3. 3 Posted by postex on 09 Oct, 2018 11:58 AM

   

   I don't see how that info can be correct given my experience. Although I have purchased and validated the license when installing a week ago or so, I still captured outgoing calls today:

   "On 9 Oct 2018, org.gpgtools.Libmacgpg.xpc tried to establish a connection to v3.paddleapi.com." I allowed this as I believed it was a periodic license validation (that I now read that you claim not to perform)

   Then a few minutes later I had a new call that I denied:
   "On 9 Oct 2018, org.gpgtools.Libmacgpg.xpc tried to establish a connection to analytics.paddle.com."

   Explanation?

   • Edit

4. 4 Posted by gerd.naschenwen... on 09 Oct, 2018 12:18 PM

   

   There are two domains:
   v3.paddleapi.com in my case had last activity 8h ago (the time I booted up)
   analytics.paddle.com last activity 23 minutes ago

   Both originate from org.gpgtools.Libmacgpg.xpc.

   • Edit

5. 5 Posted by postex on 09 Oct, 2018 12:36 PM

   

   Yes, those are the domains I wrote about above.

   I now removed all permissions/denials for org.gpgtools.Libmacgpg.xpc
   So calls would once again be presented to me in Little Snitch.

   After a few minutes a call to
   analytics.paddle.com
   was once again caught. And denied by me.

   • Edit

6. Support Staff 6 Posted by Steve on 09 Oct, 2018 02:22 PM

   

   This is solved in the nightly build and the next GPG Suite update will include the changes.

   Could you please download and install our latest hotfix GPG Suite and see if that solves your problem.

   All the best,
   steve

   Disclaimer: This is a development version which has not been thoroughly tested yet - bugs or crashes are to be expected. Thanks for helping us test.

   • Edit

7. 7 Posted by gerd.naschenwen... on 10 Oct, 2018 05:29 PM

   

   I had to uninstall the latest hotfix. It crashes mail when trying to draft email replies with attachments. I will forward a bug-report when I get a chance.

   • Edit

8. Support Staff 8 Posted by Steve on 10 Oct, 2018 06:28 PM

   

   Please do so. if you can please provide exact steps to reproduce and a crash log as txt file. We will then look into this as obviously that should not happen.

   • Edit

9. Support Staff 9 Posted by Luke Le on 10 Oct, 2018 06:28 PM

   

   Hi Gerd,

   are you using macOS 10.14.1 (beta) by any chance?

   • Edit

10. 10 Posted by gerd.naschenwen... on 11 Oct, 2018 04:09 AM

    

    Yes Luke, I am on 10.14.1 18B57c. I have just installed GPG Suite 2018.4 (2338n). I will submit a crash-report if/when it happens. With the nightly from 1. Oct it crashed when replying to certain emails. I had to get work done, hence rolling back the update. I could not see a clear pattern other why it crashed for some and not others.

    • Edit

11. Support Staff 11 Posted by Steve on 11 Oct, 2018 05:51 AM

    

    We have a ticket for this problem. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you'll stay in the loop and get notified as soon as we have news. Feel free to open a new discussions should you run into further problems or need assistance.

    • Edit

12. 12 Posted by gerd.naschenwen... on 11 Oct, 2018 06:01 AM

    

    Thanks - I have just reproduced the crash and logged here: https://gpgtools.tenderapp.com/discussions/nightly/1537-gpg-mail-ma...

    • Edit

13. Support Staff 13 Posted by Luke Le on 19 Oct, 2018 01:59 AM

    

    Hi Gerd,

    Would you mind downloading and installing our latest hotfix GPG Suite?

    GPG Suite 2349n and later should address this problem.

    It might be necessary to re-activate GPG Mail in Mail › Preferences › Manage Plug-ins after installing the hotfix.

    Disclaimer: This is a development version which has not been thoroughly tested yet - bugs or crashes are to be expected. Thanks for helping us test.

    • Edit

14. Steve closed this discussion on 19 Oct, 2018 02:07 PM.

15. Steve closed this discussion on 23 Oct, 2018 10:02 PM.