Tapatalk is collecting data (of airvpn users?)

[urbanconcrete 14]

Hey there, 

 

i just found the news that tapatalk, used also by airvpn, is sending user details to servers run by tapatalk. And they can give them away. 

They can get: Username, mail address, etc.

 

You can disable it by change the config "mobiqou/config/config.php"  the parameters "allow_trending" to "0"

 

Is it known by the staff?

 

 

See: http://heise.de/-2716662 (german)

---edit---

They can even send mails to users of the forum if they are not using tapatalk.

 

http://www.hardwareluxx.de/index.php/news/software/anwendungprogramme/35790-tapatalk-nur-mit-modifikationen-sicher.html (still only german)

[InactiveUser 185]

I must say, I was not aware that AirVPN actively integrates Tapatalk, I am not in favor of that!

Third parties should not have any access to AirVPN resources.

Tapatalk's license agreement is very up-front about siphoning off email databases:

 

In consideration for Tapatalk granting you access to and use of the Service, you agree that Tapatalk and its third party providers and partners may (i) place such advertising and affiliate links on the Service, and (ii) access your email database

 

Tapatalk Forum Owner License Agreement

[Staff 9765]

Hello,

 

the cited feature has never been implemented in AirVPN forum and of course it will never be implemented. As far as we can see, questionable data mining is not implemented in plug-ins for the Invision version running in our servers.

 

We will never allow TapaTalk to send out our database e-mail addresses entries. While TapaTalk accesses the database (to allow users' log in our web site from TapaTalk) no transmission of such data to remote TapaTalk servers is allowed. There's no code on the TapaTalk we run that can do it. We can say this for sure because we analyze the source code of several applications in our servers, including the TapaTalk plug-in.

 

The questionable data mining code is implemented in the latest version of Invision TapaTalk plugin, not yet running on our server. Our developers will purge this code before applying the plugin, if it will ever be deployed.

 

We disagree that we infringe their license if we do not allow collection of e-mail addresses: we consider any contractual agreement infringing the EU legal framework on data protection and privacy as invalid (as well as any other contractual agreement causing infringements of the law), and we consider e-mail addresses as data covered by the scope of the relevant Directives on privacy and data protection. Since we are based in Italy and the forum servers are physically based inside the EU, there's no doubt that the applicable law on the matter is EU law, not USA law. According to the contract, if a clause is invalid due to the law, all other non-illegal clauses remain into effect.

Kind regards
AirVPN Staff

[lsat 23]

Hello,

 

the cited feature has never been implemented in AirVPN forum and of course it will never be implemented. As far as we can see, questionable data mining is not implemented in plug-ins for the Invision version running in our servers.

 

We will never allow TapaTalk to send out our database e-mail addresses entries. While TapaTalk accesses the database (to allow users' log in our web site from TapaTalk) no transmission of such data to remote TapaTalk servers is allowed. There's no code on the TapaTalk we run that can do it. We can say this for sure because we analyze the source code of several applications in our servers, including the TapaTalk plug-in.

 

The questionable data mining code is implemented in the latest version of Invision TapaTalk plugin, not yet running on our server. Our developers will purge this code before applying the plugin, if it will ever be deployed.

 

We disagree that we infringe their license if we do not allow collection of e-mail addresses: we consider any contractual agreement infringing the EU legal framework on data protection and privacy as invalid (as well as any other contractual agreement causing infringements of the law), and we consider e-mail addresses as data covered by the scope of the relevant Directives on privacy and data protection. Since we are based in Italy and the forum servers are physically based inside the EU, there's no doubt that the applicable law on the matter is EU law, not USA law. According to the contract, if a clause is invalid due to the law, all other non-illegal clauses remain into effect.

 

Kind regards

AirVPN Staff

Legal action is both expensive and prolonged process.

Simply don't use gereedy for data application provider.

Othervise you  may find yourself in a tough spot. What example do you need?

 

 

Bear in mind that the USA it the rare example of the country that considers international/ other county's court decision as inferior to USA's ones. They provide extraterritorial law enforcement. Don't play the game you're bound to lose. Find substitute for TapaTalk plug-in, the sooner the better.

[zhang888 1065]

Find substitute for TapaTalk plug-in, the sooner the better.

 

In this case, "another" doesn't necessary means better or more secure. At least this one seem to be very popular and that's why it's audited,

there is a huge number of topics where people discuss it's security issues, such as here:

http://www.reddit.com/r/Android/comments/223150/did_you_know_tapatalk_tracks_all_your_link_clicks/

 

So in terms of security, at least you "know your enemy". What will happen with small, open-source replacement plugins is a shot in the dark.

No one probably seriously had the time to look at their design and code, and there you might even expose yourself to more critical issues,

such as traditional web attacks - XSS,SQLi,Session management,and more.

 

I'm not a fan of this Tapatalk either and in fact never used it, I won't miss it if it's gone. But in terms of compromizing between usability, privacy

and security, I guess it's better to keep it. Hopefully Staff shares same thoughts.