MacGPG: GPG sends analytics data to analytics.paddle.com without consent

Gerd Naschenweng's Avatar

Gerd Naschenweng

25 Sep, 2018 01:56 PM

Subject refers. As an encryption suite I do not expect that I have no option of opt-out or data-transparency. I am not sure if this is compliant under GDPR, but it feels underhanded / wrong to sent usage-information to a billing provider.

I get, that paddle.com is used for managing subscriptions, but there is no insight what information is sent.

Expected
No analytics data to be sent

macOS                   10.14       18A389
GPG Suite               2018.4      2310    (bc31914)
GPG Mail                3.0         1328    (82e5a048)  29 trial days remaining
GPG Keychain            1.4.5       1496    (25530e6)
GPG Services            1.11.5      1033    (86cb937)
MacGPG                  2.2.10      921     (b487092)
GPG Suite Preferences   2.1.3       1057    (966febd)
Libmacgpg               0.8.6       885     (35a18be)
pinentry                0.9.7.1     9       (db18340)
  1. 1 Posted by gerd.naschenwen... on 25 Sep, 2018 01:58 PM

    gerd.naschenweng's Avatar
  2. Support Staff 2 Posted by Luke Le on 25 Sep, 2018 02:43 PM

    Luke Le's Avatar

    Hi Gerd,

    we will add additional information about this to our FAQ.
    Paddle does provide analytics but not without prior consent, and we explicitly do not enable that feature. Unfortunately paddle uses the same IPs for all their services, so even though we are connecting to their API endpoint for activation code validation, little snitch resolves the domain to analytics.paddle.com since both endpoints listen to the same IP address.

    We also don't use their capability to perform periodic remote validation since we don't want to share more information than absolutely necessary with them.

    I hope this information helps.

  3. 3 Posted by postex on 09 Oct, 2018 11:58 AM

    postex's Avatar

    I don't see how that info can be correct given my experience. Although I have purchased and validated the license when installing a week ago or so, I still captured outgoing calls today:

    "On 9 Oct 2018, org.gpgtools.Libmacgpg.xpc tried to establish a connection to v3.paddleapi.com." I allowed this as I believed it was a periodic license validation (that I now read that you claim not to perform)

    Then a few minutes later I had a new call that I denied:
    "On 9 Oct 2018, org.gpgtools.Libmacgpg.xpc tried to establish a connection to analytics.paddle.com."

    Explanation?

  4. 4 Posted by gerd.naschenwen... on 09 Oct, 2018 12:18 PM

    gerd.naschenweng's Avatar

    There are two domains:
    v3.paddleapi.com in my case had last activity 8h ago (the time I booted up)
    analytics.paddle.com last activity 23 minutes ago

    Both originate from org.gpgtools.Libmacgpg.xpc.

  5. 5 Posted by postex on 09 Oct, 2018 12:36 PM

    postex's Avatar

    Yes, those are the domains I wrote about above.

    I now removed all permissions/denials for org.gpgtools.Libmacgpg.xpc
    So calls would once again be presented to me in Little Snitch.

    After a few minutes a call to
    analytics.paddle.com
    was once again caught. And denied by me.

  6. Support Staff 6 Posted by Steve on 09 Oct, 2018 02:22 PM

    Steve's Avatar

    This is solved in the nightly build and the next GPG Suite update will include the changes.

    Could you please download and install our latest hotfix GPG Suite and see if that solves your problem.

    All the best,
    steve

    Disclaimer: This is a development version which has not been thoroughly tested yet - bugs or crashes are to be expected. Thanks for helping us test.

  7. 7 Posted by gerd.naschenwen... on 10 Oct, 2018 05:29 PM

    gerd.naschenweng's Avatar

    I had to uninstall the latest hotfix. It crashes mail when trying to draft email replies with attachments. I will forward a bug-report when I get a chance.

  8. Support Staff 8 Posted by Steve on 10 Oct, 2018 06:28 PM

    Steve's Avatar

    Please do so. if you can please provide exact steps to reproduce and a crash log as txt file. We will then look into this as obviously that should not happen.

  9. Support Staff 9 Posted by Luke Le on 10 Oct, 2018 06:28 PM

    Luke Le's Avatar

    Hi Gerd,

    are you using macOS 10.14.1 (beta) by any chance?

  10. 10 Posted by gerd.naschenwen... on 11 Oct, 2018 04:09 AM

    gerd.naschenweng's Avatar

    Yes Luke, I am on 10.14.1 18B57c. I have just installed GPG Suite 2018.4 (2338n). I will submit a crash-report if/when it happens. With the nightly from 1. Oct it crashed when replying to certain emails. I had to get work done, hence rolling back the update. I could not see a clear pattern other why it crashed for some and not others.

  11. Support Staff 11 Posted by Steve on 11 Oct, 2018 05:51 AM

    Steve's Avatar

    We have a ticket for this problem. I connected this discussion with the existing ticket. That means, should this discussion get closed, it will be re-opened as soon as the ticket is closed. That way you'll stay in the loop and get notified as soon as we have news. Feel free to open a new discussions should you run into further problems or need assistance.

  12. 12 Posted by gerd.naschenwen... on 11 Oct, 2018 06:01 AM

    gerd.naschenweng's Avatar

    Thanks - I have just reproduced the crash and logged here: https://gpgtools.tenderapp.com/discussions/nightly/1537-gpg-mail-ma...

  13. Support Staff 13 Posted by Luke Le on 19 Oct, 2018 01:59 AM

    Luke Le's Avatar

    Hi Gerd,

    Would you mind downloading and installing our latest hotfix GPG Suite?

    GPG Suite 2349n and later should address this problem.

    It might be necessary to re-activate GPG Mail in Mail › Preferences › Manage Plug-ins after installing the hotfix.

    Disclaimer: This is a development version which has not been thoroughly tested yet - bugs or crashes are to be expected. Thanks for helping us test.

  14. Steve closed this discussion on 19 Oct, 2018 02:07 PM.

  15. Steve closed this discussion on 23 Oct, 2018 10:02 PM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts

Generic

? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac