TL;DR: OSQA's update checker silently sends all administrator emails and other 'statistics' to DZone (its vendor) which uses it to spam its users with offers to upgrade to AnswerHub, a commercial alternative to OSQA. Do they seriously expect me to trust them with my data now?
I am well aware that some companies use questionable tactics. Usually, I don't care. But when they implement an 'updater' functionality whose main purpose is sending a list of administrator e-mails back home to the vendor (without my consent), it's simply too much.
Update: Soon after I published this blog post, I got a reply and atteched it to this blog post with OSQA's permission. If only it arrived sooner...
OSQA in troubles
At Rebex, we have been using using OSQA, an open-source Q&A system, to power our Q&A forum since 2010, when fee-based StackExchange 1.0 was discontinued. Although OSQA had its share of quirks, it mostly suited our needs. Unfortunately, a lot of OSQA sites have become a target of spam and the problem got quite out of hand recently, with hundreds of spam user accounts created every single day, possibly by some badly-written botnet. Dealing with this manually is no longer an option and we started looking into possible solutions.
One straightforward solution would be migrating to AnswerHub, a hosted Q&A platform from DZone, the makers of OSQA. Unfortunately, it has one major drawback - it doesn't have a publicly-known price, which usually translates to it will cost you a lot. But it was still on our shortlist, along with migrating Q2A, which got harder because DZone removed the exporter modules from OSQA few years ago.
We have your email account
Fortunately, AnswerHub made our decision easier by their super-aggresive marketing tactics. When I received an e-mail from them offering a free trial, it annoyed me a bit because I don't remember sharing my e-mail address with them. When I received a similar e-mail three days later, it annoyed me even more. But at least I thought they are trying, I thought - my e-mail is not exactly private.
But when half of my colleagues received the same e-mail, some of them to their private e-mail addresses, we all became a bit suspicious. Where did DZone got all those e-mails from? When we discovered that these e-mails are exactly those we used to register ourselves on our forum, the suspicion grew even more. What is going on here? Have the folks at DZone planted some kind of backdoor into OSQA?
So we asked, and got a reply within minutes. Unfortunately, it was very strange:
"As the creators of OSQA we have your email account."
Seriously? Now, I was becoming genuinely freaked out. The fact they used the term "email acount" instead of "email address" did not help either. I don't care about my e-mail address, but does this mean that the creators of OSQA might actually have e-mails of our customers who registered to our forum as well?
So I wrote another e-mail, where I asked:
"I’m a software engineer and I don’t understand! How is this possible? I have not installed your software myself and have not registered my e-mail with you. Does this mean your staff can actually access the administrator section of our forum?"
I hit the "Send" button and impatiently waited for a reply. But there was none. I interpreted this as "there is indeed something fishy going on and we don't know what to say now" and started looking into OSQA source code for possible backdoors.
Not a backdoor, but...
Fortunately, I have not found a backdoor. Instead, I found this. The good folks at DZone added code to their software that sends e-mail addresses of all administrators back home on every update check, and they somehow forgot to ask for a permission. And along with the e-mail list, they send some other useful info too:
They call this statistics in their code. And no, they don't ask for a permission to send this data - their UI clearly states that the purpose of the updater module is to receive notifications about the latest updates:
No, I really don't see any mention of "sending a list of administrators and other sensitive information" back home! But at least our customer's e-mails are safe.
OSQA's commit history reveals that this started gradually. The first version of the updater module was almost innocent. But soon they added administrator email sending, reporting of active user count since last update check, and so on. In the end, a database of all those statistics became useful for their marketing department. And while I don't have anything against marketing, I really don't like companies stealing potentially sensitive personal and business information behind my back and without my consent. And no, the fact that the software was free does not help.
Although this might not be illegal, it's definitely unethical. How can I trust AnswerHub with my and customers' data now? It's simple - I can't! I have no idea what they might be doing with all those useful information behind our backs.
And by the way, I have not received any reply from DZone yet. It's been 24 hours already. Quite suprising for a company that proudly calls itself fast-paced...
Update 1: Just found out I'm not the first one to complain.
Update 2:: Finally, I got a reply several hours after publishing this blog post:
I am sorry I didn't reply sooner but I had to sit down with my technical team to make sure I understood exactly how we got your email address, not account. However, it has come to my attention that you have already discovered this by your own research. We plan to update the installation documentation to make it clear that we collect this information when updating. AnswerHub never sells this OSQA data nor the data of any AnswerHub users, as AnswerHub customers own all their own data.
I want to assure you that we truly meant nothing malicious by the email campaign. We've had some great success stories migrating OSQA users over to AnswerHub and our wish was just to make all OSQA users aware of the option.
I am sure at this point you don't wish to have further communication or provide further information. If you wish to give us an address, I'd be happy to send you a package to further extend our sincerest apologies for the inconvenience. If not, I certainly understand.
Well, I have to admit the OSQA team can respond profesionally. When they do respond. Would they eventually respond as well had I not published the blog post? I don't know, of course. I hope they would.