Nicholai/block-nuke-telemetry
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
block-nuke-telemetry/docs/legal/EULA-Analysis.md

242 lines
9.7 KiB
Markdown
Raw Blame History

# Foundry EULA Telemetry Analysis
**Tags:** #note-type/research #domain/technical #project-type/technical #status/complete #priority/high
## Summary
The Foundry EULA **explicitly authorizes** extensive data collection from your computer and network. Your network captures confirm this telemetry is actively happening, though the actual data volume appears more modest than the EULA permits.
## Key EULA Clauses (Sections 19.2 & 19.3)
### What Foundry Claims to Collect (Clause 19.2)
The EULA states the Software "may include mechanisms to access and collect limited information" including:
1. **License details** - Foundry product licenses on your system
2. **Computer and network equipment details** - Hardware specifications
3. **Operating system details** - OS version, system registry files
4. **Email domain** - Domain of computer/network equipment owners
5. **Location data** - Geographic location of computers running Software
6. **Usage profiling** - "Profile and extent of use" of Software features
### How Foundry Uses This Data (Clause 19.2)
The EULA permits use of collected data for:
**(a) Usage modeling** - "model the profiles of usage, hardware and operating systems in use collectively across its customer base in order to focus development and support"
**(b) Targeted support** - "provide targeted support to individual customers"
**(c) License enforcement** - "ensure that the usage of the Software by Licensee is in accordance with the Agreement and does not exceed any user number or other limits"
**(d) Anti-piracy** - "confirm the identity of Licensee, to identify unlicensed use of the Software (including use of pirated or other unlicensed copies of the Software) and to **assist Foundry (and its resellers and any enforcement bodies)** in contacting any unlicensed users"
**(e) Service notifications** - "advise Licensee about service issues such as available upgrades and maintenance expiry dates"
### Critical Authorization (Clause 19.3)
> "By downloading or using the Software, you [...] **irrevocably authorise Foundry** (through the use of the Software) to **access such computer(s) and IT systems (including any system registry files)** and **collect the Information from them and to transmit that Information to Foundry and its resellers (and any enforcement bodies)**"
**Key points:**
- Authorization is **irrevocable** (you can't take it back)
- Applies to "IT systems" plural - potentially your entire network
- Data shared with "resellers and **enforcement bodies**"
- Access includes **system registry files**
## Network Capture vs EULA Claims
### What We Observed (20-minute capture)
| Connection | Purpose | EULA Justification |
|------------|---------|-------------------|
| `api.honeycomb.io` (17KB, HTTPS) | Usage telemetry, performance metrics, error tracking | Clause 19.2(a) - usage modeling |
| `learn.foundry.com` (HTTP, unencrypted) | Documentation availability checks, version reporting | Clause 19.2(e) - service notifications |
| `sentry.foundry.com` (process found, not active) | Crash reporting, error dumps | Clause 19.2(b) - targeted support |
### What We Did NOT Observe (But EULA Permits)
- Email domain collection
- Geographic location transmission
- System registry file access/transmission
- License enforcement data to "enforcement bodies"
- Network equipment enumeration
**This doesn't mean it's not happening** - these could occur:
- During startup/shutdown (we didn't capture these)
- Periodically (longer than 20-minute window)
- Only when triggered (crashes, license checks)
- In the encrypted Honeycomb payload (we can't see inside)
## Privacy Concerns
### 🚨 Major Issues
**1. Unencrypted HTTP**
- `learn.foundry.com` uses HTTP (port 80), not HTTPS
- Exposes Nuke version, IP address, and usage patterns to ISP/network observers
- Violates basic security best practices for data transmission
**2. No Opt-Out**
- EULA states authorization is "irrevocable"
- No telemetry toggle found in Nuke preferences
- Accepting EULA = accepting all data collection
**3. Broad Scope**
- "IT systems" (plural) - could mean entire network, not just one computer
- System registry access - can contain sensitive paths, usernames, installed software
- "Enforcement bodies" - unclear who this includes (lawyers? investigators? police?)
**4. Third-Party Sharing**
- Data shared with "resellers" (potentially dozens of companies worldwide)
- Honeycomb.io is a third-party SaaS platform (data leaves Foundry's control)
- Sentry is another third-party service
**5. Location Tracking**
- EULA permits collection of "location of the computer(s)"
- Could be used to enforce geographic licensing restrictions
- Potential violation of local privacy laws depending on jurisdiction
### ⚠️ Moderate Concerns
**6. Usage Profiling**
- "Profile and extent of use" - tracks which features you use, how often, for how long
- Could reveal workflow patterns, project types, professional activities
- Combined with location data = detailed professional surveillance
**7. License Enforcement Priority**
- Anti-piracy purpose (19.2d) gives Foundry incentive to collect more data than needed
- "Enforcement bodies" suggests potential legal action based on telemetry
**8. Indefinite Retention**
- EULA doesn't specify how long data is kept
- No mention of data deletion upon license termination
### ✅ Positive Observations
**9. Limited Actual Volume**
- Only 32KB over 20 minutes observed
- Not "constantly phoning home" during normal use
- Most telemetry uses HTTPS encryption
**10. GDPR Compliance Claim**
- Clause 19.2 references GDPR and Privacy Notice
- Suggests some legal compliance framework exists
## Legal Analysis
### Binding Nature
The EULA header explicitly states:
> "YOUR ATTENTION IS PARTICULARLY DRAWN TO [...] (D) CLAUSE 19.3 WHERE YOU AUTHORISE FOUNDRY TO USE THE SOFTWARE TO ACCESS AND COLLECT CERTAIN INFORMATION FROM YOUR COMPUTER NETWORKS AND TO TRANSMIT THIS INFORMATION TO FOUNDRY."
By using Nuke, you've legally consented to:
- Remote access to your computer and IT systems
- Collection and transmission of system information
- Sharing data with third parties (resellers, enforcement bodies)
- Irrevocable authorization (can't withdraw consent)
### Potential Legal Issues
**1. Computer Fraud and Abuse Act (CFAA) - USA**
- Authorized access exempts Foundry from CFAA liability
- But: authorization must be "knowing and voluntary"
- Question: Is burying this in page 8 of EULA sufficient notice?
**2. GDPR - EU/UK**
- EULA claims GDPR compliance
- But: GDPR requires explicit, informed, freely given consent
- Question: Is acceptance of entire EULA valid consent for data processing?
- Question: Can you use Nuke without consenting? (No = not "freely given")
**3. CCPA - California**
- Right to know what data is collected
- Right to deletion
- Right to opt-out of sale
- EULA doesn't clearly provide these rights
**4. Network Administrator Concerns**
- Clause 19.3(i): "warrant that you are entitled to control access to the computer(s)"
- If you're on a company/studio network, do you have authority to consent to Foundry accessing the entire network?
## Recommendations
### 1. Block Telemetry (Most Effective)
Use the provided blocking script:
```bash
./block_nuke_telemetry.sh
```
**Legal consideration:** EULA clause 3 prohibits "circumvent[ing] the license keys or other copy protection mechanisms" - but telemetry blocking is NOT bypassing license protection, just data collection. This should be legally defensible.
### 2. Network Isolation
Run Nuke on isolated network segment:
- No access to broader IT systems
- Firewall rules blocking Foundry domains
- Limits EULA clause 19.3 exposure to "IT systems"
### 3. Monitor Ongoing (What You're Doing)
Use monitoring scripts to track:
- What data is actually transmitted
- When it's transmitted
- Volume and frequency
- New domains/endpoints
### 4. Request Data Under GDPR/CCPA
If you're in EU/UK/California:
```
Subject Access Request to: privacy@foundry.com
"Under [GDPR Article 15 / CCPA Section 1798.100], I request:
1. All personal data you hold about me
2. Categories of data collected via telemetry
3. Third parties with whom my data has been shared
4. Purpose and legal basis for processing
5. Deletion of all data not required for license validation"
```
### 5. Corporate/Studio Users
If using Nuke in a business:
- Review with IT security team
- Assess EULA clause 19.3 network access authorization
- Consider contractual negotiation for enterprise licenses
- Implement network monitoring at perimeter
### 6. Raise Awareness
- Post findings to VFX communities (od|force, Reddit r/vfx, etc.)
- File feature request with Foundry for telemetry opt-out
- Consider alternatives (DaVinci Resolve Fusion, Natron, etc.)
## Conclusion
**Your suspicions were correct.** The EULA explicitly authorizes:
- Remote access to your computer(s) and IT systems
- Collection of usage data, system information, and location
- Transmission to third parties including "enforcement bodies"
- Irrevocable consent (no opt-out)
**What we observed in network captures:**
- Confirms telemetry is actively occurring
- Volume appears modest (32KB/20min)
- Some traffic unencrypted (learn.foundry.com)
- Main analytics encrypted via Honeycomb
**The real concern:** We can only see metadata of encrypted connections. The actual data payload to Honeycomb could include everything the EULA permits:
- System registry dumps
- Hardware enumeration
- Software inventory
- Usage patterns
- Location data
**Bottom line:** Foundry has granted themselves broad surveillance rights through the EULA. Whether they fully exercise these rights is unknown. Blocking telemetry is legally defensible and recommended for privacy-conscious users.
---
**Created:** 2025-10-25
**Related:** [[nuke_foundry_analysis]], [[block_nuke_telemetry.sh]], [[monitor_nuke_telemetry.sh]]
Reference in New Issue View Git Blame Copy Permalink