Ubiquity EULA
-
I was sending someone a link to a UBNT access point today, when I noticed this in the review:
"The only minor complaint I have is with the license agreement on the controller software: "...you agree that Ubiquiti may from time to time collect and use device information (such as hardware model, firmware version, device identifiers, device performance information and device operation parameters), collected in a form that does not personally identify you...". There is no way to opt-out of this data sharing, though you could configure outbound blocking rules in your firewall to drop any packets from your AP which are being sent to the IP range owned by Ubiquiti (52.8.33.107 > 52.8.0.0/16, 52.9.75.216 > 52.9.0.0/16), but a lot of home routers may not be up to this task. If running a Linux-based firewall/gateway using IP tables (which I do and highly recommend), you can add the appropriate rules in no time."
I did indeed confirm this is present. In fact, I think it is actually in the firmware EULA. Not sure if they consider the controller and firmware in the same boat.
https://www.ubnt.com/eula/
I know a lot of people here at ML are security minded. Does this sort of thing concern you? Were you already aware of this and doing as the review says and blocking outbound traffic as such?
-
@BRRABill said in Ubiquity EULA:
I know a lot of people here at ML are security minded. Does this sort of thing concern you?
I always opt into these things. If I don't trust the vendor, I can't have their gear already. That there is a EULA suggests that you can trust them (leans towards), it's the ones collecting without the EULA that are scary. Anonymous data is a good thing, not a bad one. In those cases where it really matters, which basically is never in the SMB or business in general, as you said, you block it.
-
I generally opt in as well, but I want something more than just a bunch of text in the EULA. I want a checkbox that I have to check, it shouldn't be pre-checked so I can opt in if I want to.
They also need to adhere to this strictly - not that I monitor for it, but if I hear from the security community that you don't - I might be dumping your ass.
-
@Dashrender said in Ubiquity EULA:
I generally opt in as well, but I want something more than just a bunch of text in the EULA. I want a checkbox that I have to check, it shouldn't be pre-checked so I can opt in if I want to.
I prefer opt out for anonymous data. I want anyone not taking the time and effort to specifically decide otherwise to be adding to the pool of data for improvement.
-
I wonder how their devices would fall into a compliance audit...
Would data leaving your network that you have no control over or idea what it is, or assurance they are keeping it securely or not using it, be acceptable?
-
@BRRABill said in Ubiquity EULA:
Would data leaving your network that you have no control over or idea what it is, or assurance they are keeping it securely or not using it, be acceptable?
Do you not have control? And you do know what it is, both they tell you and/or you can check. And they have legal limits on how they can use it. So most audits, yes it would pass.
-
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
Would data leaving your network that you have no control over or idea what it is, or assurance they are keeping it securely or not using it, be acceptable?
Do you not have control? And you do know what it is, both they tell you and/or you can check. And they have legal limits on how they can use it. So most audits, yes it would pass.
How can I control it, with the exception of blocking the outgoing traffic? Which you are saying not to do. (AKA, you WOULD do that if you were trying for compliance?)
And do we know what it is, exactly? They don't tell us exactly what it is.
-
@BRRABill said in Ubiquity EULA:
How can I control it, with the exception of blocking the outgoing traffic? Which you are saying not to do. (AKA, you WOULD do that if you were trying for compliance?)
I'm saying I would not control it. But if you want to control it, you control it. So yes, if you needed to lock it down, lock it down. It's that simple.
-
@BRRABill said in Ubiquity EULA:
And do we know what it is, exactly? They don't tell us exactly what it is.
You can just look at it though, right?
-
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
And do we know what it is, exactly? They don't tell us exactly what it is.
You can just look at it though, right?
Maybe it's encrypted.
You know, that is an interesting question. I assume the answer is ... of course, but. Do you legally own the data coming from that device going to Ubiquity as long as it's still on your network?
-
@BRRABill said in Ubiquity EULA:
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
And do we know what it is, exactly? They don't tell us exactly what it is.
You can just look at it though, right?
Maybe it's encrypted.
You know, that is an interesting question. I assume the answer is ... of course, but. Do you legally own the data coming from that device going to Ubiquity as long as it's still on your network?
Of course, YOU are the one encrypting it.
-
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
And do we know what it is, exactly? They don't tell us exactly what it is.
You can just look at it though, right?
Maybe it's encrypted.
You know, that is an interesting question. I assume the answer is ... of course, but. Do you legally own the data coming from that device going to Ubiquity as long as it's still on your network?
Of course, YOU are the one encrypting it.
No, I mean maybe UBNT encrypts it on the device, themselves. You wouldn't have access to that.
-
@BRRABill said in Ubiquity EULA:
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
And do we know what it is, exactly? They don't tell us exactly what it is.
You can just look at it though, right?
Maybe it's encrypted.
You know, that is an interesting question. I assume the answer is ... of course, but. Do you legally own the data coming from that device going to Ubiquity as long as it's still on your network?
Of course, YOU are the one encrypting it.
No, I mean maybe UBNT encrypts it on the device, themselves. You wouldn't have access to that.
That's YOUR device and YOUR code encrypting it. Not them. Otherwise, do you feel that they own everything on your network that passes through the router by the nature of them having built the router?
-
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
And do we know what it is, exactly? They don't tell us exactly what it is.
You can just look at it though, right?
Maybe it's encrypted.
You know, that is an interesting question. I assume the answer is ... of course, but. Do you legally own the data coming from that device going to Ubiquity as long as it's still on your network?
Of course, YOU are the one encrypting it.
No, I mean maybe UBNT encrypts it on the device, themselves. You wouldn't have access to that.
That's YOUR device and YOUR code encrypting it. Not them. Otherwise, do you feel that they own everything on your network that passes through the router by the nature of them having built the router?
Now you've lost me. If I didn't put a code for UBNT to use to encrypt decrypt this anonymous data - how is it my code? If I'm lucky I checked/unchecked a box - if I'm unlucky, there is no UI indication of this happening, and only through reading the EULA am I even aware that this is happening.
Now I have to turn on wireshark and capture traffic from the controller until I find this traffic - which would be like looking for a needle in a haystack - and then analyze it, etc, etc, etc...
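The capture triage the post above calls a needle in a haystack, together with the firewall rules the quoted review mentions, as an added example (not part of any poster's message and not Ubiquiti code): it narrows a flow export to traffic from one device into the ranges quoted in the review and builds iptables rules for only the pairs actually seen. The flow rows, the 192.168.1.20 device address and both function names are constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Ranges exactly as quoted in the review earlier in the thread (not independently verified).
REVIEW_RANGES = [ipaddress.ip_network(n) for n in ("52.8.0.0/16", "52.9.0.0/16")]

# Constructed sample flow export: time, src, dst, dst port, protocol, bytes.
# 192.168.1.20 stands in for the AP/controller; every row is made up.
SAMPLE_FLOWS = """\
2016-01-01T10:00:00,192.168.1.20,52.8.33.107,443,tcp,1840
2016-01-01T10:00:05,192.168.1.50,52.8.33.107,443,tcp,900
2016-01-01T10:05:00,192.168.1.20,52.9.75.216,443,tcp,2210
2016-01-01T10:06:00,192.168.1.20,192.168.1.1,53,udp,120
2016-01-01T10:10:00,192.168.1.20,52.8.33.107,443,tcp,1795
not,a,valid,row
"""


def summarize_flows(flow_csv, device_ips, ranges=REVIEW_RANGES):
    """Group flows from the given devices into the given ranges by (src, dst, port, proto)."""
    devices = {ipaddress.ip_address(ip) for ip in device_ips}
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for row in csv.reader(io.StringIO(flow_csv)):
        try:
            _, src, dst, port, proto, size = row
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port, size = int(port), int(size)
        except ValueError:
            continue  # skip malformed rows instead of aborting the whole review
        if src in devices and any(dst in net for net in ranges):
            entry = summary[(str(src), str(dst), port, proto)]
            entry["flows"] += 1
            entry["bytes"] += size
    return dict(summary)


def drop_rules(summary):
    """Build iptables FORWARD rules for the observed pairs only, for review before use."""
    pairs = sorted({(src, dst) for src, dst, _, _ in summary})
    return [f"iptables -A FORWARD -s {s} -d {d} -j DROP" for s, d in pairs]


if __name__ == "__main__":
    found = summarize_flows(SAMPLE_FLOWS, ["192.168.1.20"])
    print(found, *drop_rules(found), sep="\n")
```

The byte and flow counts per destination show how often and how much the device sends, which is observable even when the payload itself is encrypted.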
-
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
And do we know what it is, exactly? They don't tell us exactly what it is.
You can just look at it though, right?
Maybe it's encrypted.
You know, that is an interesting question. I assume the answer is ... of course, but. Do you legally own the data coming from that device going to Ubiquity as long as it's still on your network?
Of course, YOU are the one encrypting it.
No, I mean maybe UBNT encrypts it on the device, themselves. You wouldn't have access to that.
That's YOUR device and YOUR code encrypting it. Not them. Otherwise, do you feel that they own everything on your network that passes through the router by the nature of them having built the router?
I didn't write the firmware. Isn't it possible they are encrypting the information they are sending back to themselves? In fact, isn't it probable?
-
@Dashrender said in Ubiquity EULA:
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
And do we know what it is, exactly? They don't tell us exactly what it is.
You can just look at it though, right?
Maybe it's encrypted.
You know, that is an interesting question. I assume the answer is ... of course, but. Do you legally own the data coming from that device going to Ubiquity as long as it's still on your network?
Of course, YOU are the one encrypting it.
No, I mean maybe UBNT encrypts it on the device, themselves. You wouldn't have access to that.
That's YOUR device and YOUR code encrypting it. Not them. Otherwise, do you feel that they own everything on your network that passes through the router by the nature of them having built the router?
Now you've lost me. If I didn't put a code for UBNT to use to encrypt decrypt this anonymous data - how is it my code? If I'm lucky I checked/unchecked a box - if I'm unlucky, there is no UI indication of this happening, and only through reading the EULA am I even aware that this is happening.
Now I have to turn on wireshark and capture traffic from the controller until I find this traffic - which would be like looking for a needle in a haystack - and then analyze it, etc, etc, etc...
Because:
- Open source, it's as much yours as anyone else's.
- You own the device and the code running on it.
- It's up to you to leave it, remove it, change it, etc.
-
@BRRABill said in Ubiquity EULA:
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
@scottalanmiller said in Ubiquity EULA:
@BRRABill said in Ubiquity EULA:
And do we know what it is, exactly? They don't tell us exactly what it is.
You can just look at it though, right?
Maybe it's encrypted.
You know, that is an interesting question. I assume the answer is ... of course, but. Do you legally own the data coming from that device going to Ubiquity as long as it's still on your network?
Of course, YOU are the one encrypting it.
No, I mean maybe UBNT encrypts it on the device, themselves. You wouldn't have access to that.
That's YOUR device and YOUR code encrypting it. Not them. Otherwise, do you feel that they own everything on your network that passes through the router by the nature of them having built the router?
I didn't write the firmware. Isn't it possible they are encrypting the information they are sending back to themselves? In fact, isn't it probable?
Hopefully, so look at the code if you want and see what is collected, rather than what is sent. This isn't closed source, there is no limit to your knowledge of your own security.
-
@scottalanmiller said
Hopefully, so look at the code if you want and see what is collected, rather than what is sent. This isn't closed source, there is no limit to your knowledge of your own security.
It isn't?
"The Ubiquiti Firmware is copyright-protected material under United States and international copyright and other applicable laws. Unauthorized copying, use or modification of ANY PART of this firmware, or violation of the terms of this Agreement, will be prosecuted under the law."
-
Also it says you may NOT
"(d) modify, translate, reverse engineer, decompile, disassemble or otherwise attempt (i) to defeat, avoid, bypass, remove, deactivate, or otherwise circumvent any software protection mechanisms in the Ubiquiti Firmware, including without limitation any such mechanism used to restrict or control the functionality of the Ubiquiti Firmware, or (ii) to derive the source code or the underlying ideas, algorithms, structure or organization from the Ubiquiti Firmware (except that the foregoing limitation does not apply to the extent that such activities may not be prohibited under applicable law);"
-
@BRRABill said in Ubiquity EULA:
@scottalanmiller said
Hopefully, so look at the code if you want and see what is collected, rather than what is sent. This isn't closed source, there is no limit to your knowledge of your own security.
It isn't?
"The Ubiquiti Firmware is copyright-protected material under United States and international copyright and other applicable laws. Unauthorized copying, use or modification of ANY PART of this firmware, or violation of the terms of this Agreement, will be prosecuted under the law."
Have you checked their license?