Etcher makes a surprisingly large number of network connections behind the scenes that are not necessary for burning an ISO image to a SD card or thumb drive. Furthermore, when a user disables the option “Anonymously report errors and usage statistics to
resin.io,” the app STILL makes most of those connections to sites that collect usage statistics.
Etcher attempts to connect to Mixpanel, GoSquared, and Google’s Marketing Platform, regardless of whether or not a user has disabled the “Anonymously report errors and usage statistics” option.
I don’t know (yet) if this is a problem with the Etcher code itself, or a side-effect of using the bloated electron framework.
I just downloaded Etcher 1.4.4 on my MacBook Pro running macos 10.14 Mojave, because I wanted to quickly create a bootable USB thumb drive from a Linux ISO. I have many years of experience with Linux, and I’m capable of using
dd at the command-line, but sometimes it’s nice to do things the easy way.
At first, I was delighted to find Etcher. It appears to be an open-source project that makes a tedious chore easy to remember. Hurray!
However, I became concerned when I launched the app and my Little Snitch firewall started asking me about all the outbound network connections the app was making behind the scenes. I can understand that the app might want to “phone home” to check for updates to the software, but I was surprised at how many connections the app made, ESPECIALLY when I saw a connection to
connect.facebook.net. Why does a disk flashing utility need to talk to FACEBOOK? Facebook was the “final straw” that prompted me to gather all of this data and make this post.
I went into the settings, and there’s an option that says, “Anonymously report errors and usage statistics to
resin.io.” I unchecked it, cleared the rules, and restarted Etcher, and it STILL made connections to many more sites than
resin.io, including well-known marketing sites such as Mixpanel, GoSquared, and Google. WTF?
MY INVESTIGATIVE DATA
For each of these use cases, I completely uninstalled the app, including the preferences and cached data. I then re-installed from scratch, deleted all of my firewall rules for Little Snitch, and retested.
First Use Case: Report Usage and Errors = YES, permit all outbound connections. (Default for most people)
Second use case: Set Report Usage and Errors = No, and block all outbound connections
This would be the default for someone who cared enough to set the “Report Usage” option to “No”, and either blocked outbound connections with a firewall, or did not have network connectivity.
Etcher STILL attempted the following connections:
Third Use Case: Report Errors = No, enable all outbound connections
This would be what would happen if someone who cared enough to set “Report Usage and Errors” to “No,” but had no way to block outbound connections. Etcher would still make the following connections!
This one is most disturbing!
gosquared.com, and the
googletagmanager.com connections are well-known services for gathering “usage statistics” and marketing information.
Mixpanel’s website says:
We’ve built the only user analytics platform that lets everyone in your organization
deeply understand each user. Get instant answers and automatic insights so
you can take intelligent actions that improve your customer experience.
Gosquared’s website says:
Convert more customers from your website. Today.
Over 10,000 websites use GoSquared to convert visitors into customers.
Both Google Analytics and Google Tag Manager are part of Google’s marketing platform. See
https://marketingplatform.google.com for more information.
It is unclear whether there is an inadvertent bug in the Etcher code causing it to ignore privacy settings, or if this is just a side-effect of using the Electron JS cross-platform framework. I’m reporting this here first, and if necessary, I can post an issue on Github.
As a new member of this forum, I can only have two URLs in my post, so I had to convert all of the URLs to fixed text in order to create this topic.