Jump to content
xarthangrol

Does Affinity collect and send data from computers?

Recommended Posts

Just now, Patrick Connor said:

Via your IP address, but not with your IP address, that would not be a parameter or stored, it's identifiable.

Yes, but as long as I don't use a VPN I have no real choice not to give away this identifiable data on any anonymous data collection.

But this just theoretical as I already trust you guys to do the right thing.

 


Windows 10 Pro x64 (1809). Intel Core i5-4670K @ 3.40GHz, 16 GB memory, NVidia GTX 780
Affinity Publisher Beta 1.7.0.221

Share this post


Link to post
Share on other sites

I agree. 

 

If the data is as generic as they claim - then providing a sample of such collected data should be trivial. The data collecting code should also be subject to inspection. 

 

Are you granting users under gdpr protections the right to see what data you have collected on them ? 

 

The  point is never that any one individual is particularly interesting and worthy of some grand act of maliciousness. It would be that your data is stolen and used by someone else to harass people, steal their identity,  make correlations with other data that make it more useful, etc. 

Usage data. What specifics are known here?

 

ill load up some of the windows apps and see if any of the traffic is unencrypted and capture what I can. Probably should be able to block  outbound calls home via pihole  

 

Best solution: a simple opt in option for usage stats collection. Opted out is default. 

Compromise, respecting the user: opt in by default with a warning and an option to opt out.

 

Share this post


Link to post
Share on other sites
14 hours ago, Patrick Connor said:

Sorry, but my earlier statement about the webite version of the Privacy Policy not covering the application was INCORRECT. From the above quote it clearly does and in more detail that the license (will edit that post to reference this one). SORRY AGAIN.

Which is why I suggested tidying up the policy because the top line states, 'Welcome to Affinity from Serif. Please read this Privacy Policy carefully as you agree to be bound by it while using the Affinity website.' (my bold emphasis), which is why I mentioned that if I am using an Affinity application and not using the website at the same time, the policy would not apply because there would be no '[...] while using the Affinity website' in action. So, by not using the website while using an Affinity app, I would not be bound to the policy.


ASUS Prime B450M-K; 16GB Corsair Vengeance RAM; AMD Ryzen 5 2600 CPU; Nvidia GTX1050Ti
Windows 10 Professional (64-bit); Manjaro Linux

Share this post


Link to post
Share on other sites

Patrick's replies have given me confidence to strongly consider Affinity Photo in the very near future. I bought many versions of the '... Plus' range of software many years ago, so I look forward to rejoining with Affinity.

Back to the topic. The thing that concerns me the most about privacy policies is non-disclosure of exactly which entities/affiliates/partners/third parties have access to data, and what their policies are. By the time data has been shared with third parties that then share it with their third parties, data ends up all over the place with no end-user control. I am sure that Serif would have contracts or a code of practice in place to ensure that any affiliates do not retain the data they have access to. Still, it would be useful to know who/what they are.

The issue I have is not what information I knowingly give away, but what is unknowingly taken, which is why I asked to know exactly what is collected. Perhaps a precise list of data collected could be included in the licence.


ASUS Prime B450M-K; 16GB Corsair Vengeance RAM; AMD Ryzen 5 2600 CPU; Nvidia GTX1050Ti
Windows 10 Professional (64-bit); Manjaro Linux

Share this post


Link to post
Share on other sites
5 hours ago, xarthangrol said:

The thing that concerns me the most about privacy policies is non-disclosure of exactly which entities/affiliates/partners/third parties have access to data, and what their policies are.

They are listed in the Privacy Policy statement, along with links to their privacy policies.


Affinity Photo 1.6.7 & Affinity Designer 1.6.1; macOS High Sierra 10.13.6 iMac (27-inch, Late 2012); 2.9GHz i5 CPU; NVIDIA GeForce GTX 660M; 8GB RAM
Affinity Photo 1.6.11.85 & Affinity Designer 1.6..4.45 for iPad; 6th Generation iPad 32 GB; Apple Pencil; iOS 12.1.1

Share this post


Link to post
Share on other sites
14 minutes ago, R C-R said:

They are listed in the Privacy Policy statement, along with links to their privacy policies.

and the anonymous data from the software is not shared with 3rd parties, so those are not listed as they do not exist.


Patrick Connor

Serif (Europe) Ltd.

Share this post


Link to post
Share on other sites
1 hour ago, Patrick Connor said:

and the anonymous data from the software is not shared with 3rd parties, so those are not listed as they do not exist.

Which is also why it would be a wee bit difficult for Serif to show users that data as required by GDPR or other legal mandates! 

I get the impression that some of the posters are not reading the entire Privacy Policy statement, much less carefully. It is a bit like an old joke about how to convince users to read "Read Me" files by changing the title to "Read this or DIE!" or something similarly dire.


Affinity Photo 1.6.7 & Affinity Designer 1.6.1; macOS High Sierra 10.13.6 iMac (27-inch, Late 2012); 2.9GHz i5 CPU; NVIDIA GeForce GTX 660M; 8GB RAM
Affinity Photo 1.6.11.85 & Affinity Designer 1.6..4.45 for iPad; 6th Generation iPad 32 GB; Apple Pencil; iOS 12.1.1

Share this post


Link to post
Share on other sites
14 minutes ago, R C-R said:

Which is also why it would be a wee bit difficult for Serif to show users that data as required by GDPR or other legal mandates! 

I get the impression that some of the posters are not reading the entire Privacy Policy statement, much less carefully. It is a bit like an old joke about how to convince users to read "Read Me" files by changing the title to "Read this or DIE!" or something similarly dire.

You said it yourself: It's usually very long and lawyers language. Nobody really wants to read terms and conditions.

A quick summary what actually happens in clear words how @Patrick Connor gave in this thread is way more useful.

Terms & Conditions are made for the laywers, not for mortals.

Think of the Humancentipad episode of South Park. Nothing more to add. :D


Windows 10 Pro x64 (1809). Intel Core i5-4670K @ 3.40GHz, 16 GB memory, NVidia GTX 780
Affinity Publisher Beta 1.7.0.221

Share this post


Link to post
Share on other sites
2 hours ago, Steps said:

Nobody really wants to read terms and conditions.

Be that as it may, if you really want to understand what the policy is, you need to read the whole thing carefully ... or at the very least consider what terms like "anonymous" & "personal data" mean. You do not need a law degree for that.


Affinity Photo 1.6.7 & Affinity Designer 1.6.1; macOS High Sierra 10.13.6 iMac (27-inch, Late 2012); 2.9GHz i5 CPU; NVIDIA GeForce GTX 660M; 8GB RAM
Affinity Photo 1.6.11.85 & Affinity Designer 1.6..4.45 for iPad; 6th Generation iPad 32 GB; Apple Pencil; iOS 12.1.1

Share this post


Link to post
Share on other sites

GDPR has some details for anonymized data, and there is some great commentary as to what is considered non-subject, and what is.

IF this is the information that is collected ... then at least rhetorically its not too intrusive. However - if this is all that is collected, it would be a kind gesture and good business practice to allow users who wish to opt out of such collection the ability to do so.  I'd speculate we are talking about less than 2% of the entire user base cares - but for those who do .. they care deeply.
 

Affinity applications collect some anonymous information, for example usage data, application name and version number, language and OS version but no Personal Data. This is used to ensure correct content is shown in the welcome screen of the applications and to help notify you of product updates.


Important to keep in mind that this is all hypothetical. They collect data. We only know what they have told us. The people telling us this may be trustworthy and telling us the best information they can - that doesn't exclude the growing normalcy of everyday data breaches that occur due to some form of maliciousness, accident, or misjudgement.

Give us the option to turn off data analytics.

Share this post


Link to post
Share on other sites
17 minutes ago, someguy said:

IF this is the information that is collected ... then at least rhetorically its not too intrusive.

How can collecting analytical data anonymously be considered intrusive? It contains no personal data so what specifically would it intrude on? It is no different from a turnstile with a counter to record how many people have passed through it per day -- it records nothing about who those people are.


Affinity Photo 1.6.7 & Affinity Designer 1.6.1; macOS High Sierra 10.13.6 iMac (27-inch, Late 2012); 2.9GHz i5 CPU; NVIDIA GeForce GTX 660M; 8GB RAM
Affinity Photo 1.6.11.85 & Affinity Designer 1.6..4.45 for iPad; 6th Generation iPad 32 GB; Apple Pencil; iOS 12.1.1

Share this post


Link to post
Share on other sites
43 minutes ago, someguy said:

We only know what they have told us.

True. So if they were to tell you they gave you an option to turn off data analytics, how would you know if they were being truthful about that & that option actually did that?

It is really fairly simple: if you do not trust Serif to be truthful with you, don't use their products or visit their web sites. Nobody is forcing you to do either one.


Affinity Photo 1.6.7 & Affinity Designer 1.6.1; macOS High Sierra 10.13.6 iMac (27-inch, Late 2012); 2.9GHz i5 CPU; NVIDIA GeForce GTX 660M; 8GB RAM
Affinity Photo 1.6.11.85 & Affinity Designer 1.6..4.45 for iPad; 6th Generation iPad 32 GB; Apple Pencil; iOS 12.1.1

Share this post


Link to post
Share on other sites
1 hour ago, R C-R said:

True. So if they were to tell you they gave you an option to turn off data analytics, how would you know if they were being truthful about that & that option actually did that?

That's actually pretty simple: https://www.wireshark.org

It's an free, open source and very easy to use network analysis tool.

Such a standard since years that for example the Fritz!Box as Germans most popular router have hidden direct dump feature if you want to scan a whole network. In this case your local computer will do. You should try it one day if you were not familar with it until now. 

Even if data itself is crypted you can tell from metadata like destination urls and paket sizes a lot.

In case I turned off data collections there should be no uploads except the calls @Patrick Connor mentioned. 

I trust Serif enough not to analyze Affinity. Not worth the time.

Point is everyone easily can do that at any time.


Windows 10 Pro x64 (1809). Intel Core i5-4670K @ 3.40GHz, 16 GB memory, NVidia GTX 780
Affinity Publisher Beta 1.7.0.221

Share this post


Link to post
Share on other sites
37 minutes ago, Steps said:

Even if data itself is crypted you can tell from metadata like destination urls and paket sizes a lot.

You still could not be sure what data was anonymized & what was not. It is easy enough to encrypt data such that there would be little if any discernible repeating patterns. 

It all boils down to who you trust.


Affinity Photo 1.6.7 & Affinity Designer 1.6.1; macOS High Sierra 10.13.6 iMac (27-inch, Late 2012); 2.9GHz i5 CPU; NVIDIA GeForce GTX 660M; 8GB RAM
Affinity Photo 1.6.11.85 & Affinity Designer 1.6..4.45 for iPad; 6th Generation iPad 32 GB; Apple Pencil; iOS 12.1.1

Share this post


Link to post
Share on other sites
1 minute ago, R C-R said:

You still could not be sure what data was anonymized & what was not. It is easy enough to encrypt data such that there would be little if any discernible repeating patterns. 

Yes, we talk not about the content of the data (anonymous or personal) but if there is a suspicious data transfer at all after opt-out. Maybe I was not clear on that. 


Windows 10 Pro x64 (1809). Intel Core i5-4670K @ 3.40GHz, 16 GB memory, NVidia GTX 780
Affinity Publisher Beta 1.7.0.221

Share this post


Link to post
Share on other sites
4 minutes ago, R C-R said:

You still could not be sure what data was anonymized & what was not. It is easy enough to encrypt data such that there would be little if any discernible repeating patterns. 

It all boils down to who you trust.

one way to foster such trust would be by providing a software option to turn off data analytics.

I also dont think you have taken into account the users options.
How much trust would you say i've allocated affinity products if I only run them on an airgaped machine, in a VM, looking over the application in IDA PRO, etc ?

Share this post


Link to post
Share on other sites
7 hours ago, someguy said:

 How much trust would you say i've allocated affinity products if I only run them on an airgaped machine, in a VM, looking over the application in IDA PRO, etc ?

I know this is all hypotetical. If I would feel the need to dissassemble an application (which certainly would violate the terms and conditions) I would indeed rather choose to not use it all.

The points in the discussion came clear:

As a user you can check & control a lot of things, but without trust it is going nowhere. Like in any other relationship.

Serif however could remove that phrase from the terms if they don't plan to do it. And when, they could ask to opt-in. This would gain some more trust.

I personally feel no pressing need to change the terms as I was fine with it before. There are bigger companies out there that we should keep an eye on. I used chrome for some time and looking into another application with Wireshark I accidently saw some things I did not like/expect there and went back to Firefox.

Edited by Steps
Rephrased

Windows 10 Pro x64 (1809). Intel Core i5-4670K @ 3.40GHz, 16 GB memory, NVidia GTX 780
Affinity Publisher Beta 1.7.0.221

Share this post


Link to post
Share on other sites
9 hours ago, Steps said:

Yes, we talk not about the content of the data (anonymous or personal) but if there is a suspicious data transfer at all after opt-out. Maybe I was not clear on that. 

To be clear about it, what kind of data is it that you want to be given an option for them not to collect? They have certain legal rights to collect some kinds of data, for example to protect their intellectual property or to comply with legal & contractual requirements (including with you, their customer), or to protect public safety.

In exercising those rights they also incur a legal obligation to collect certain personal data from their customers to comply with GDPR or whatever replaces it, for example to ensure the so-called “right to portability” or "right to erasure," as well as to make it possible to notify supervising authorities & affected users of security breaches, should any occur. Plus, since they do business outside the EU, they also need to comply with the requirements of any similar laws enacted in each of those other jurisdictions.

So even if they did give you this option, it would not & could not be a complete opt-out.


Affinity Photo 1.6.7 & Affinity Designer 1.6.1; macOS High Sierra 10.13.6 iMac (27-inch, Late 2012); 2.9GHz i5 CPU; NVIDIA GeForce GTX 660M; 8GB RAM
Affinity Photo 1.6.11.85 & Affinity Designer 1.6..4.45 for iPad; 6th Generation iPad 32 GB; Apple Pencil; iOS 12.1.1

Share this post


Link to post
Share on other sites
2 hours ago, R C-R said:

To be clear about it, what kind of data is it that you want to be given an option for them not to collect? They have certain legal rights to collect some kinds of data, for example to protect their intellectual property or to comply with legal & contractual requirements (including with you, their customer), or to protect public safety.

In exercising those rights they also incur a legal obligation to collect certain personal data from their customers to comply with GDPR or whatever replaces it, for example to ensure the so-called “right to portability” or "right to erasure," as well as to make it possible to notify supervising authorities & affected users of security breaches, should any occur. Plus, since they do business outside the EU, they also need to comply with the requirements of any similar laws enacted in each of those other jurisdictions.

So even if they did give you this option, it would not & could not be a complete opt-out.

Someone seemed to indicate that using any of the affinity products offline was possible and within the TOS/EULA ... so it would seem that the call home to verify legitimate active installs isn't needed. One easy way to comply with GDPR - don't collect user data. The legal requirements needed for Serif to conduct business that users must agree to would be clearly outlined in the privacy policy and TOS. It's pretty sparse there so I don't think your point has a lot of weight but it is valid to bring up. The argument seems to be contingent upon the pseudo-anonymized data collection for software development - one I've heard a lot about personally.  That's fine, understandable .. but I'm merely asking a very simple question:

    Can we have an option to turn off such usage stats?

 

That's a very reasonable request.  The data they collect is minuscule presumably. Great. Let me opt out of it.

Share this post


Link to post
Share on other sites
30 minutes ago, someguy said:

The legal requirements needed for Serif to conduct business that users must agree to would be clearly outlined in the privacy policy and TOS.

It is. It complies with all GDPR requirements, including your right to be forgotten, to see what personal data they have collected about you, & all the rest of it.

What more do you want?


Affinity Photo 1.6.7 & Affinity Designer 1.6.1; macOS High Sierra 10.13.6 iMac (27-inch, Late 2012); 2.9GHz i5 CPU; NVIDIA GeForce GTX 660M; 8GB RAM
Affinity Photo 1.6.11.85 & Affinity Designer 1.6..4.45 for iPad; 6th Generation iPad 32 GB; Apple Pencil; iOS 12.1.1

Share this post


Link to post
Share on other sites
28 minutes ago, R C-R said:

It is. It complies with all GDPR requirements, including your right to be forgotten, to see what personal data they have collected about you, & all the rest of it.

What more do you want?

If there is no data collected at all you need no right to be forgotten or request personal data.

Sorry, but you make this really much harder than it needs to be.

Serif already only requests upon registration only data they need. If you buy the software all they want is your full name, email and country. You can pay with paypal if you want. So they don't ask for more than necessary.

For using the software they grant themselves the right to collect usage data by the terms. They don't do it right now.

The request we are here talking about is if they just can remove that line from the terms and if they ever want to collect data let users decide and show them plain text what will be transmitted.

Many software does it that way already. It helps to gain trust in these days. And most users opt-in as they want to help if they have a good feeling what happens.

My example before was the Steam hardware survey. I participatie every year, because I like to share my specs to the statistics, but I can review before submitting and see it does tell nothing personal about me.

It's a reasonable request.

And Serif has no cloud service. They don't need to collect data for "public safety". That's nonsense.


Windows 10 Pro x64 (1809). Intel Core i5-4670K @ 3.40GHz, 16 GB memory, NVidia GTX 780
Affinity Publisher Beta 1.7.0.221

Share this post


Link to post
Share on other sites
12 minutes ago, Steps said:

If you buy the software all they want is your full name, email and country.

Which is personal data, which they have a legal right to collect for legitimate business purposes & a legal obligation to protect for as long as they keep it.

If they did not keep it in some personally identifiable form & you bought some software item from their store (an app, brushes, whatever) how could they verify that you had purchased it if you needed to download it again because your local copy was lost or corrupted? When you buy anything from Serif, or use their web services, you willfully create a business relationship between you & Serif (just as you would with any other business), one that creates certain legal obligations for both parties. There is no way around that.

More to the point here, GDPR makes a distinction between the legal requirements for businesses that keep personal information (for what they define as "a natural identifiable person") & for anonymous data businesses keep that does not identify anyone personally. They are not required to disclose anonymously collected data to users (& in fact doing so can create a data mining source that could, together with other sources, compromise your privacy or security), just to disclose to users that they are collecting that data (which they do), & if needed to insure compliance to make that data available to the appropriate supervising authorities.

So no, I am not making any of this harder than it needs to be. It is not something so simple that it can be distilled into a short 'executive summary' statement devoid of legal jargon & still mean much.


Affinity Photo 1.6.7 & Affinity Designer 1.6.1; macOS High Sierra 10.13.6 iMac (27-inch, Late 2012); 2.9GHz i5 CPU; NVIDIA GeForce GTX 660M; 8GB RAM
Affinity Photo 1.6.11.85 & Affinity Designer 1.6..4.45 for iPad; 6th Generation iPad 32 GB; Apple Pencil; iOS 12.1.1

Share this post


Link to post
Share on other sites

@R C-R 

I think you are missing the point.

We do not talk about the personal data they need to fulfill the purchase. Nobody questioned that. It's not about letting us pay in bitcoins so Serif does not know who we are.

We talk about the "usage data" that may one day be collected.

It's all about that.


Windows 10 Pro x64 (1809). Intel Core i5-4670K @ 3.40GHz, 16 GB memory, NVidia GTX 780
Affinity Publisher Beta 1.7.0.221

Share this post


Link to post
Share on other sites
On 1/17/2019 at 5:31 PM, R C-R said:

They are listed in the Privacy Policy statement, along with links to their privacy policies.

I'm asking about the product EULA (section 16) not the website policy, which are separate things.

On 1/17/2019 at 5:47 PM, Patrick Connor said:

and the anonymous data from the software is not shared with 3rd parties, so those are not listed as they do not exist.

Perhaps the wording, 'and affiliates', in section 16 is not required as it implies that 3rd parties have access to data that the user provides. However, it seems to be that section 16 is not about software data but ANY information that is given by the user to Serif for product support and services purposes. I'm guessing that could be information like:

  • account number
  • installation IDs if Serif still uses them
  • recordings of telephone support
  • e-mails between users and support agents
  • chat messages transcripts
  • any hardware information given
  • references to software that may be given during troubleshooting
  • system logs
  • everything

ASUS Prime B450M-K; 16GB Corsair Vengeance RAM; AMD Ryzen 5 2600 CPU; Nvidia GTX1050Ti
Windows 10 Professional (64-bit); Manjaro Linux

Share this post


Link to post
Share on other sites
On 1/17/2019 at 7:12 PM, R C-R said:

Which is also why it would be a wee bit difficult for Serif to show users that data as required by GDPR or other legal mandates! 

I get the impression that some of the posters are not reading the entire Privacy Policy statement, much less carefully. It is a bit like an old joke about how to convince users to read "Read Me" files by changing the title to "Read this or DIE!" or something similarly dire.

Not really. You are focussed on the website policy, but I am focussed on the product EULA, which has already been established to be a separate thing. A website privacy policy does not apply to software use, unless the software is part of the website, such as online services. If you have read the website privacy policy from the top, you would have seen that it states that we are bound to the privacy policy 'while using the Affinity website', which clearly means that we are not bound to it when not using the website. As soon as we close the browser and terminate the connection with the website, the privacy policy ceases to apply.


ASUS Prime B450M-K; 16GB Corsair Vengeance RAM; AMD Ryzen 5 2600 CPU; Nvidia GTX1050Ti
Windows 10 Professional (64-bit); Manjaro Linux

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×