Hey guys, thanks so much for the hard work and effort you put into this open source project!
Mattermost server has enabled segment.io analytics by default on a fresh install. There was no indication that I could see that gives the user warning or a choice. There _is_ an opt-out feature post-installation, but it should be opt-in since it seems not obvious and not authorized. (Note: I did not use an absolute latest version, so this may have changed in the latest.) The segment.io analytics go to a third party, and users don't know who has access to the data.
I've read: https://docs.mattermost.com/administration/telemetry.html but this doesn't necessarily help.
It collects (among other pieces of obfuscated information) IP address of the user, time of messages sent, and user agent. All 3 of those are something neither the admins nor the users consented to sending to a 3rd party website.
Install mattermost. Notice in console / network tab that there are constant pings to segment.io without enabling such analytics or installing a plugin for all users without their permission or consent.
Mattermost Version: 5.6.1
Database Schema Version: 5.6.0
Database: mysql
For this feature to be opt-in or just not there.
This feature seems to be opt-out / not obvious to the admin when installing MM.
Make analytics an opt-in feature, not an opt-out feature.
Hi @jake-tulip,
The documentation you shared outlines the reasons it's enabled and what data is collected.
This was forwarded to our product managers and they will take your feedback into consideration as we have plans to work on improving administrator on-boarding experience and our privacy policy.
Let us know any questions,
Hi @jake-tulip,
I'll close this issue for now as there haven't been updates for a while.
Please re-open this issue if you have any further questions.
Thank you for the feedback,
I'll close this issue for now as there haven't been updates for a while.
@amyblais do you know if this is an issue that is being considered by Mattermost Org at all, or is it abandoned as a possible change?
Hi @jake-tulip,
Yes, this will be taken into consideration as we have plans to work on improving administrator on-boarding experience and our privacy policy.
I'll add some of our PMs to this thread if they have further details to add: @jasonblais @wiersgallak
Thank you for your feedback on our telemetry opt-out processes, @jake-tulip. All feedback is considered when making changes to the product. Even if we do not address directly in the near term, it is used for making future decisions on how we improve this specific feature and design other features that may include a decision around opt-in vs. opt-out.
I also wanted to take the opportunity to clarify a few things.
Thanks for the response @wiersgallak
I think the core issue is that this is an opt-out feature which has tracking spyware enabled in a fresh installation. Data gets sent to an unauthorized third-party (Segment and Mattermost-org). The data leaves a user's browser through a tracking script, and the servers it reaches have access to the user's IP address, a GUID, timestamp of messages, and user-agent. This information is very sufficient in pinning down a "profile" of a user. I'm not sure that Mattermost falls under the definition of "free open source software".
I understand that Mattermost-org wants to have this tracking enabled by default to collect as much information about their users and activities as possible, but it seems not ideal that this is not obvious to first installers, it's opt-out (not opt-in), and the non-admin users don't have much of a choice.
Yeah, this is totally unacceptable. I had no idea this software was spying on my server.
This needs to be EXPLICIT opt-in. Proceeding as if you have consent when you've only assumed consent for spying is unethical.
Why even publish a Privacy Policy if I'm going to be forcibly opted-in to it without my ever having been able to read it and decide first, or even been made aware of its existence?
Turns out, as far as I can tell, the environment variables to change this setting (documented nowhere) are `MM_LOGSETTINGS_ENABLEDIAGNOSTICS = "false"` as well as `MM_SERVICESETTINGS_ENABLESECURITYFIXALERT = "false"`. I haven't tested it.
You can also do the following in a Dockerfile:
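```dockerfile
FROM mattermost/mattermost-team-edition:latest
# Rewrite the analytics hostname embedded in the server binary to a placeholder domain.
RUN sed -i 's#api.segment.io#xx.example.com#gI' /mattermost/bin/mattermost
# Do the same for the security update check hostname.
RUN sed -i 's#securityupdatecheck.mattermost.com#xxxxxxxxxxxxxxxxxxxxxx.example.com#gI' /mattermost/bin/mattermost
```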
That should give you a clean image that doesn't phone home.
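One way to check whether the settings and hostnames from the comment above took effect, added here as an example that is not part of the original thread or Mattermost's own code. It assumes the `MM_<SECTION>_<KEY>` variables override the matching `config.json` keys, that a missing key means enabled, and that egress or proxy logs are available to scan; the sample config, environment and log lines are constructed.

```python
import json

# Hostnames taken from the Dockerfile in the thread.
TELEMETRY_HOSTS = ("api.segment.io", "securityupdatecheck.mattermost.com")
# (config.json section, key); MM_<SECTION>_<KEY> is assumed to be the env override.
SETTINGS = (("LogSettings", "EnableDiagnostics"),
            ("ServiceSettings", "EnableSecurityFixAlert"))


def effective_settings(config, env):
    """Return {env_name: enabled}. Env wins over config; missing is treated as enabled."""
    result = {}
    for section, key in SETTINGS:
        name = f"MM_{section}_{key}".upper()
        if name in env:
            # Assumption: only the literal string "true" (any case) enables it.
            result[name] = env[name].strip().lower() == "true"
        else:
            result[name] = bool(config.get(section, {}).get(key, True))
    return result


def telemetry_hits(log_lines):
    """Return (line_number, host) for every log line naming a telemetry host."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        lowered = line.lower()
        hits.extend((number, host) for host in TELEMETRY_HOSTS if host in lowered)
    return hits


# Constructed sample inputs, not captured from a real deployment.
SAMPLE_CONFIG = json.loads(
    '{"LogSettings": {"EnableDiagnostics": true}, "ServiceSettings": {}}')
SAMPLE_ENV = {"MM_LOGSETTINGS_ENABLEDIAGNOSTICS": "false"}
SAMPLE_LOG = [
    "1546300800.123 10.0.0.5 TCP_TUNNEL/200 CONNECT api.segment.io:443",
    "1546300801.456 10.0.0.5 TCP_TUNNEL/200 CONNECT example.org:443",
    "1546300802.789 10.0.0.5 TCP_TUNNEL/200 CONNECT securityupdatecheck.mattermost.com:443",
]

if __name__ == "__main__":
    for name, enabled in effective_settings(SAMPLE_CONFIG, SAMPLE_ENV).items():
        print(f"{name}: {'ENABLED' if enabled else 'disabled'}")
    for number, host in telemetry_hits(SAMPLE_LOG):
        print(f"log line {number}: egress to {host}")
```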
From https://docs.mattermost.com/developer/manifesto.html :
- No surprises
Users should never run into anything unexpected with Mattermost.
Phoning home without consent is absolutely unexpected.
Given the above history, I think Mattermost is more comfortable continuing to collect analytics behind admins' backs. Awkward.