Sunday, 23 February 2014
Software that phones home: Good or bad?
This is something that's been bugging me for a few days now - probably just triggered by reading all the recent disclosures of NSA/GCHQ surveillance, and trust in software systems in general. The basic issue I'm thinking about is when and where is it 'right' for software to 'phone home'?
This checking in with base idea is sometimes a good thing - for example if when I fire up a program, I get a little box that tells me a new version is available then that's a good thing. Or if my computer or phone is stolen, then calling in to let me know where in the world it is, is a good thing. It is probably also a good thing if you are a software vendor, and you want to ensure that your software hasn't been pirated, or run outside of the parameters for which it is properly licensed. For the latter case, it may even be a good idea to encrypt the message pinged back, to prevent l33t hax0rs suppressing license compliance mechanisms.
But the privacy issues of this sort of thing are very big, especially if, you as a user don't know it's being done, or if you don't know what is being sent back to base. I have only ever come across one software license (in this case a commercial vendor) that discusses this (in the context of the licensee not suppressing in any way this communication as a way of ensuring license compliance - not addressing at all what is sent back - if it's my source IP address and a timestamp fine, if it is a dump of all my queries, I'd be furious).
Of course, it's possible to control or spot this sort of activity, and I've just installed Radio Silence as a quick way of seeing if any of my desktop apps do anything behind the scenes I don't know about.
But, in general, are there any community expectations and standards for this sort of thing, especially for cases where the software will be used explicitly to generate trade secrets and perform confidential research?