
DataCore SSY 10 PSP7 Update 2 brings a lot of fixes - and automatic cloud data collection


Normally I don't write a blog article about the maintenance release of a software. There are lots of other blogs on the internet that use such content for new articles.

This time, Update 2 not only fixes quite a high number of bugs (I count 16 fixes, of which 7 are marked as critical) but it also brings some new functionality to the software. One of the "enhancements" is a new data collector service. The release notes state:

"Enhancement: Collect and transmit machine data to DataCore cloud-based analytics platform. Refer to the Help topic “Data Collection” to disable (opt-out) of this service."

That's interesting. A new data collection service that sends out data about my system to the cloud. The release notes don't include any information about the kind of data the service sends out to the internet. That's okay, there is a link to the help topic where one can obviously get more information. As I already installed PSP7 Update 2 on my demo systems, I have access to these new topics (if not, the internet web help is always up to date). As I'm a bit concerned about sending data from and about my SAN to the public cloud, I want to know which data exactly is sent and for what purpose.

The next step was to open the help topics and search the index for the keyword "Data Collection". I was quite disappointed when I got to the help topic. No explanation about the data being sent, and I also have no information about where the data is sent (except the very cloudy description "Analytics Platform"). There is only another reference to the EULA, where there should be "information regarding the data collected and transmitted". The good thing to note here is that there is an explanation of how to disable the feature and what port has to be open for this feature to work.

Well, in my opinion, there should have been a BIG note during the update process about a new service being installed on my servers and that the service is used to send "some" data to the cloud. There wasn't a note at all. And the most annoying thing is that this service is enabled by default! You have to disable it manually if you don't want to send data to the cloud. If DataCore silently installs new services on my systems that are not necessary for running the application, then the standard state of these services should be DISABLED and not enabled. Okay, one can argue that port 443 has to be open from the DataCore server to the internet and normally it isn't, due to the fact that DCS should be set to a private network without direct internet access. That's right, but there are enough customers out there that have no idea about security or have a bad IT company implementing DataCore solutions, and they now send data to the cloud without explicitly accepting it.
The only thing I saw during the update process was a password window that asked me for the DCSAdmin password. I have seen this window earlier in my life when I made an upgrade from v8 to v9 or v10, but normally not during installation of a PSP or even an update. The funny thing here is, I typed the wrong password and the installer showed a warning about the "Telemetry" service not being able to start. Since I had no idea what this "Telemetry" service is, I simply corrected the password and finished the installation. Fortunately I made this mistake, because without it I would never have searched for this new service.

Going back to the help topic text, there is a link to the EULA in the installation folder. I haven't seen any EULA that contained detailed technical information yet, and I think the EULA is one of the rather bad locations to put that information in, but okay, I think DataCore's lawyers had an eye on that. I opened my Windows Explorer, changed to the installation directory (there is now a new subfolder called "Telemetry", but this folder doesn't include any EULA-related document) and opened the EULA.txt in the SANsymphony folder. I read a bit and scrolled up and down, but there is nothing more than the standard EULA texts without any technical information. Searching for the words "Telemetry" or "Analytics" or "collect" doesn't show any hits. Nothing in the whole document is related to the new service.

DataCore, I really understand the idea behind your data collection and probably this will end in a better product, but I can't agree with the way this data collection service is introduced. The information is totally incomplete or even wrong, the service runs automatically and if I, for whatever reason, have port 443 open, I will send unknown data to the cloud.

Please give all users all information about the data you send (and don't get a second M$) from their systems and let them decide if they want it or not. And please change the default service start to disabled and let the user decide if he will contribute his data or not! For me it's clear, disabling this service is the first thing to do after the update! (I really don't want to think about our security advisors if they get information about that...)


[Update 07/24/2018]

I talked to a DataCore SE and asked him if DataCore itself already checked the new feature against DSGVO/GDPR regulations. He promised me to check that internally. A few days later I got an answer from him with a screenshot from a new EULA. In this EULA there is a new topic called "Data Rights":



In this section there is some general information about the data being transferred, or better said, that MAY be transferred. There is no real explanation of what information exactly is transferred and where the data will be stored. Perhaps this is some general problem with technical information stored in the EULA.

Checking once again my EULA on the DCS filesystem, it seems to be an older version of the EULA where this section is not there. I don't know if this is a problem with my installation or a general problem with updated systems, but I can clearly state that the EULA above will be shown with fresh installations of PSP7 U2, no matter if you use the deployment wizard or the SSY installer itself.

Nevertheless, I still have massive concerns with the telemetry service. I'm currently speaking with our ISB about whether we generally have to disable the telemetry service for all customers we are responsible for, just to be sure that we don't collide with DSGVO/GDPR, or if we can enable it as long as the customer clearly states that he is aware of that data transmission and accepts all responsibility.
