Serious Privacy Concerns with Etcher 1.4.4

TL;DR

Etcher makes a surprisingly large number of network connections behind the scenes that are not necessary for burning an ISO image to a SD card or thumb drive. Furthermore, when a user disables the option “Anonymously report errors and usage statistics to resin.io,” the app STILL makes most of those connections to sites that collect usage statistics.

Etcher attempts to connect to Mixpanel, GoSquared, and Google’s Marketing Platform, regardless of whether or not a user has disabled the “Anonymously report errors and usage statistics” option.

I don’t know (yet) if this is a problem with the Etcher code itself, or a side-effect of using the bloated electron framework.


DETAILS

I just downloaded Etcher 1.4.4 on my MacBook Pro running macOS 10.14 Mojave, because I wanted to quickly create a bootable USB thumb drive from a Linux ISO. I have many years of experience with Linux, and I’m capable of using dd at the command-line, but sometimes it’s nice to do things the easy way.

At first, I was delighted to find Etcher. It appears to be an open-source project that makes a tedious chore easy to remember. Hurray!

However, I became concerned when I launched the app and my Little Snitch firewall started asking me about all the outbound network connections the app was making behind the scenes. I can understand that the app might want to “phone home” to check for updates to the software, but I was surprised at how many connections the app made, ESPECIALLY when I saw a connection to connect.facebook.net. Why does a disk flashing utility need to talk to FACEBOOK? Facebook was the “final straw” that prompted me to gather all of this data and make this post.

I went into the settings, and there’s an option that says, “Anonymously report errors and usage statistics to resin.io.” I unchecked it, cleared the rules, and restarted Etcher, and it STILL made connections to many more sites than resin.io, including well-known marketing sites such as Mixpanel, GoSquared, and Google. WTF?

So…my question is, “What is the privacy policy for Etcher? Exactly what data is being collected, and how is it being used? Why should ANY data collection be necessary for a utility to flash ISO images to disk devices?”


MY INVESTIGATIVE DATA

For each of these use cases, I completely uninstalled the app, including the preferences and cached data. I then re-installed from scratch, deleted all of my firewall rules for Little Snitch, and retested.

First Use Case: Report Usage and Errors = YES, permit all outbound connections. (Default for most people)

  • https://resin-production-downloads.s3.amazonaws.com
  • https://etcher.io
  • https://www.googletagmanager.com
  • https://www.google-analytics.com
  • https://d1l6p2sc9645hc.cloudfront.net
  • https://api.mixpanel.com
  • https://data.gosquared.com
  • https://data2.gosquared.com
  • https://google-analytics.com
  • https://googletagmanager.com
  • https://connect.facebook.com
  • https://www.facebook.com

Second Use Case: Report Usage and Errors = No, block all outbound connections

This would be the default for someone who cared enough to set the “Report Usage” option to “No”, and either blocked outbound connections with a firewall, or did not have network connectivity.

Etcher STILL attempted the following connections:

  • http://api.mixpanel.com
  • https://resin-production-downloads.s3.amazonaws.com
  • https://etcher.io

Third Use Case: Report Errors = No, enable all outbound connections

This is what would happen for someone who cared enough to set “Report Usage and Errors” to “No,” but had no way to block outbound connections. Etcher would still make the following connections!

This one is most disturbing!

  • http://api.mixpanel.com
  • https://resin-production-downloads.s3.amazonaws.com
  • https://etcher.io
  • https://data.gosquared.com
  • https://data2.gosquared.com
  • https://d1l6p2sc9645hc.cloudfront.net
  • https://www.google-analytics.com
  • https://www.googletagmanager.com

Conclusions

Mixpanel.com, gosquared.com, and the google-analytics.com and googletagmanager.com connections are well-known services for gathering “usage statistics” and marketing information.

Mixpanel’s website says:

We’ve built the only user analytics platform that lets everyone in your organization
deeply understand each user. Get instant answers and automatic insights so
you can take intelligent actions that improve your customer experience.

Gosquared’s website says:

Convert more customers from your website. Today.
Over 10,000 websites use GoSquared to convert visitors into customers.

Both Google Analytics and Google Tag Manager are part of Google’s marketing platform. See https://marketingplatform.google.com for more information.

It is unclear whether there is an inadvertent bug in the Etcher code causing it to ignore privacy settings, or if this is just a side-effect of using the Electron JS cross-platform framework. I’m reporting this here first, and if necessary, I can post an issue on GitHub.


Postscript

As a new member of this forum, I can only have two URLs in my post, so I had to convert all of the URLs to fixed text in order to create this topic. :stuck_out_tongue_closed_eyes:

Update: I did go ahead and create a GitHub issue:
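The comparison the post does by hand (which observed hosts are analytics services, and which of them are still contacted after opting out) can be automated so the check is repeatable across app versions. The following is an added Python example, not code from the post or from the Etcher project. The three URL lists are transcribed from the post's three use cases; the mapping of domains to "analytics" or "first-party" is an assumption based on how the post itself describes them (Mixpanel, GoSquared, Google Analytics/Tag Manager and Facebook as marketing/usage-statistics services; etcher.io and the resin-production-downloads bucket as the app's own endpoints). The CloudFront hostname is deliberately left unclassified because the post does not say what it serves.

```python
"""Audit an application's observed outbound connections against its telemetry opt-out.

Added example (not from the forum post). Classification tables are assumptions
drawn from the post's own description of the services; the URL lists are the
post's observations, used here as constructed sample input.
"""
from urllib.parse import urlsplit

# Assumed: registered domains the post identifies as usage-statistics / marketing services.
ANALYTICS_DOMAINS = {
    "mixpanel.com": "Mixpanel",
    "gosquared.com": "GoSquared",
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager",
    "facebook.com": "Facebook",
    "facebook.net": "Facebook",
}

# Assumed: endpoints plausibly needed for the app's own function (downloads, update checks).
FIRST_PARTY_DOMAINS = {
    "etcher.io": "Etcher site / update check",
    "amazonaws.com": "resin-production-downloads S3 bucket",
}


def hostname(url):
    """Hostname part of a URL, or '' if there is none."""
    return urlsplit(url).hostname or ""


def registered_domain(host):
    """Naive registered domain: the last two labels.

    Adequate for every host on the page (api.mixpanel.com -> mixpanel.com,
    data2.gosquared.com -> gosquared.com); a real audit should use the
    Public Suffix List so that e.g. co.uk is not treated as a registered domain."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url):
    """Return (category, label) for a URL: 'analytics', 'first-party' or 'unknown'."""
    dom = registered_domain(hostname(url))
    if dom in ANALYTICS_DOMAINS:
        return "analytics", ANALYTICS_DOMAINS[dom]
    if dom in FIRST_PARTY_DOMAINS:
        return "first-party", FIRST_PARTY_DOMAINS[dom]
    return "unknown", dom


def audit(observed_urls, telemetry_opt_out):
    """Bucket each observed host by category.

    When the user has opted out, every analytics host contacted is recorded as a
    policy violation. Hosts reached over plain http are also listed, since an
    analytics call without TLS exposes the payload in transit as well."""
    report = {"analytics": [], "first-party": [], "unknown": [],
              "violations": [], "plaintext": []}
    for url in observed_urls:
        category, _label = classify(url)
        host = hostname(url)
        report[category].append(host)
        if category == "analytics" and telemetry_opt_out:
            report["violations"].append(host)
        if urlsplit(url).scheme == "http":
            report["plaintext"].append(host)
    return report


# Observed connections transcribed from the post's three use cases.
CASE_OPT_IN_ALLOWED = [
    "https://resin-production-downloads.s3.amazonaws.com", "https://etcher.io",
    "https://www.googletagmanager.com", "https://www.google-analytics.com",
    "https://d1l6p2sc9645hc.cloudfront.net", "https://api.mixpanel.com",
    "https://data.gosquared.com", "https://data2.gosquared.com",
    "https://google-analytics.com", "https://googletagmanager.com",
    "https://connect.facebook.com", "https://www.facebook.com",
]
CASE_OPT_OUT_BLOCKED = [
    "http://api.mixpanel.com",
    "https://resin-production-downloads.s3.amazonaws.com", "https://etcher.io",
]
CASE_OPT_OUT_ALLOWED = [
    "http://api.mixpanel.com",
    "https://resin-production-downloads.s3.amazonaws.com", "https://etcher.io",
    "https://data.gosquared.com", "https://data2.gosquared.com",
    "https://d1l6p2sc9645hc.cloudfront.net",
    "https://www.google-analytics.com", "https://www.googletagmanager.com",
]

if __name__ == "__main__":
    for name, urls, opt_out in (("opt-in, allowed", CASE_OPT_IN_ALLOWED, False),
                                ("opt-out, blocked", CASE_OPT_OUT_BLOCKED, True),
                                ("opt-out, allowed", CASE_OPT_OUT_ALLOWED, True)):
        r = audit(urls, opt_out)
        print(f"{name}: analytics={r['analytics']} violations={r['violations']} "
              f"plaintext={r['plaintext']} unknown={r['unknown']}")
```

Running it reproduces the post's finding: with the opt-out set and the network open, five analytics hosts are still contacted, and the Mixpanel call in the opt-out cases is made over plain http. The same `audit` function can be fed a fresh capture from a firewall log after each upgrade to confirm whether a later version actually honours the setting.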

New user of etcher here… I independently noticed that Etcher is making network connections even though I have ‘anonymously report usage’ turned off. I created a forums account JUST so I could comment on this.
This makes no sense to me… why is Etcher calling home even though I have privacy turned on?

Thank you for reporting this. We are raising this with the etcher team and will get back to you once we’ve analysed the problem.

Hello, which version of Etcher are you using, with which OS? Thanks

Not easy to say if something is legit, but I get that, however, I have never used Balena, I USE RUFUS OR ImgBurn but since this is the only option for mac, you basically have no choice.

We recommend using the latest version of Etcher as we have since fixed a lot of issues, including accidentally sending some data (note: always anonymous data) when a user opted-out.