Phone home, phoooone hoooome!
What is sent
I'll cut straight to the chase and say what is sent. Then I will say why, and then argue my case.
You can communicate with this site in three ways:
- When you manually request VeroDes to check for updates, nothing is sent. Instead, the special control file "
update.txt
" is retrieved and examined. This contains all the stuff necessary for the update routine to tell you what's new, so you can decide whether or not to update.
If you really want, you can read the update file!
Note that "updateaction" was never implemented, it is hardwired to start the updater on your say-so and then quit. Note also that the path is relative to "heyrick.co.uk", this also is hardwired.
- When you link to the website from within VeroDes, the version information is appended to the URL. The additional data looks like this:
/?prog=VeroDes&vmaj=1&vmin=33&rcnt=123
This passes four parameters, which provide three pieces of information. The first, "prog" is obviously enough the title of the program. This is used to validate actual correct data was sent.
The next two bits, "vmaj" and "vmin" provide the version number. If your version of VeroDes is 1.33, then the major part is 1 and the minor part is 33.
The final part is the runcount. VeroDes tracks how often you have started the software. This is used purely to determine the 'longevity' of the program.
The server records this information, and also uses it to alter the index page if you need to be made aware of anything important.
- When VeroDes automatically checks for newer versions, it sends a slightly modified version of the above. No different information is sent. Don't take my word for it, WireShark it! ☺
There is one other thing. In all requests, VeroDes builds a User-Agent string identifying itself as VeroDes and listing the version. This is neither read nor logged. Just a formality.
Why is this sent?
In all of my years of working with VeroDes, I have had few reports back from users. Those who contacted me have been extremely helpful, but they could be counted on my fingers.
As time is short, it makes sense to concentrate my efforts where it will be most useful. Thus, VeroDes will be a little more proactive in letting me, personally, know about its deployment.
This benefits you too. VeroDes is not just calling home for the sake of it. It is actually providing versioning information so you can be alerted to new versions. To see this in action, copy this link to your URL bar:
http://www.heyrick.co.uk/software/verodes/?prog=VeroDes&vmaj=1&vmin=23&rcnt=0
Did you notice the extremely obvious "there's an update" message that appeared?
Why the runcount?
The runcount is used to determine if you're a VeroDes newbie, or somebody who has been using it a while. That's it.
Isn't this like the horrid Windows "Genuine Advantage"?
NO!
Let's clear up a few things right away:
- No personally identifiable information is sent.
I did consider suffixing a hash of your OS type and memory size to see what type of machines VeroDes was being used on, but decided that such a thing was unwarranted. If you use VeroDes on an ass-kicking quad-core with terrabytes of memory... or an aging Windows 98 with a 233MHz early Pentium... does it matter? You're using VeroDes, that's all that should be important.
Furthermore there is a rather obvious flaw in that it is not easy to distinguish one VeroDes from another in the logfile, so I'm not even going to try. I'm only interested in the agregate result...
- No licence checks are performed.
VeroDes is FREE. As in download it, install it, use it. It isn't quite as free as Richard Stallman might like, but there's no sense in validating a nonexistant licence key! Furthermore, failure to permit VeroDes to call home will not cause the program to paint its background in shades of black, nor will it suddenly behave with reduced functionality.
- But you're logging my IP address, right?
Yes. Does it matter? This is the most bogus excuse ever, for every place you go (yes, even those icky porn sites you'll deny knowledge of) will have this digital footprint.
Don't believe me? Your IP address is 3.17.162.32 and if this has a name attached, it'll be ec2-3-17-162-32.us-east-2.compute.amazonaws.com.
The internet works by machine 'X' talking to machine 'Y', with both having different globally unique numbers. IP addresses. Computers, webcams, STBs, mobile phones... all have IP addresses. That shown above is yours for this connection. Basic logs created by practically every server on the planet contain all of this junk.
- Let me say this one more time...
If your IP address changes (and it seems to roughly every couple of days with my ADSL), then there is NO way to track that your use of VeroDes between IP changes is actually the same version used by the same person. Sure, with a tiny log it could be possible to make guesses, but these will never be anything more. With a larger number of records, guessing would be pointless.
PHP and server "cookies" are NOT used on this site.
Furthermore, I plan to write some software to draw a graph of versions and runcounts. This will contain pretty coloured lines and stuff. You don't think I'm going to spend much time ACTUALLY reading the log, do you?
I repeat again - I am not tracking WHO you are. I don't care.
Why is this so important to you?
Let me put it in simple terms.
I would like to make an HTML help file for VeroDes. I would like to make the support site multi-page like some of the others. I would like to look at the possibility of other enhancements.
However: now that components can be rotated, now that it works on Vista, now that most of the known issues have been sorted... I consider VeroDes to be "ready". This is why the licencing terms no longer forbid (re)distribution. In my mind, VeroDes is ready to meet the world.
In other words. VeroDes is more or less complete.
Do I continue development of this software, or do I leave it awaiting the few bug reports that may or may not arrive? That depends entirely upon how 'popular' it is, and that is determined by the log file of VeroDes's communications with the server.
Paranoia?
Does your Firefox check for updates? How about the extensions installed. WinAMP? Your OS itself?
Lots of things check for updates. It is fairly routine these days.
The only big difference here is that I am being completely clear about what is being sent.
And what this information is being used for.
Workarounds
If you've read thus far and you still think VeroDes is a privacy concern, so be it. I have obviously failed to convince you otherwise, so listed below are ways to work around this.
But note again - the results of the logging of VeroDes deployment determine whether or not development on this software continues, or if I turn my attentions to the hundreds of other things I should do.
- When automatically checking for updates
You can turn this off in the settings. As soon as the software has started, right-click the 'i' button on the left (even if greyed out). The lowest tickbox turns off the auto-check.
There is the problem that VeroDes will attempt to communicate on first start. If you want to mask even that, turn off your WiFi adaptor or unplug the LAN cable. Start the software, configure it accordingly, then reconnect/restart your network adaptor.
What you lose: Notification of new versions being available.
- When manually checking for updates
No additional information is passed. Technically the UserAgent will identify VeroDes and the version, but this is not recorded by the server.
What you lose: Nothing. And in the future, there will never be any requirement to supply specific information in order to check for updates.
- When visiting the website by clicking in VeroDes
You cannot disable this. To work around, simply fire up your browser and type the URL into the bit at the top and do it that way.
What you lose: Embedded notification if there is an important update you should be aware of.
Back to the VeroDes info page...
Copyright © 2010 Richard Murray