How Much Data is Bambu Lab REALLY Collecting?

With 3D printers being ever more connected to online services like the cloud, otherwise known as somebody else's computer, privacy policies are becoming something that we should probably be reading a little bit more. And because of you guys, let's actually get into Bambu Lab's privacy policy, dig into it a bit. Let's talk.

Hey guys, welcome back to the channel. And yes, this video is inspired by Nathan Builds Robots, who did first cover the privacy policy for Bambu Lab. Enough of you asked in the comments for this video, so hey, why not? And in fact, we were going to be talking about Creality's and Prusa's as well, but, uh, the raw recording of that video is over an hour and a half, so we're probably gonna split those up. But you let me know if that is something that you guys want to see, and if there are any other privacy policies or terms of use that you would like us to take a look at. Remember, I'm not an attorney, this is not legal advice, this is just my understanding and what it means from my perspective.

And from my perspective, I'd like to tell you about today's sponsor, 3D Musketeers. If you do want to support us financially, you like the work that we do here and you like some of the research that we put into making these videos, you can support us via Patreon, PayPal or YouTube channel members. Links of course are in that description down below. For as little as one dollar a month, and at the ten dollar tier and higher you get to come hang out in our private Discord server, where you can be involved in the actual content calendar for the channel, see some upcoming printers that haven't even been talked about publicly yet, as well as, well, come hang out with an awesome group of people. But hey, we understand money's a little tight these days. Like and subscribe, and a share goes a long way to helping this channel grow.

But without further ado, let's dig into a bit of the Bambu Lab privacy policy, something that has actually been updated a little bit since I last looked at it. Some's good, some of it's bad, I have some questions. Let's get into it. And again, for those that are gonna sit there and say "you don't know what you're talking about": I might not. I'm not an attorney. I've read enough privacy policies in my days, but I am not an attorney, and if you think I got something wrong, let me know in those comments below, because like most everybody I am human, and that means I do get things wrong from time to time. But I think I got a pretty good read on most of these.

The first thing to really look at with Bambu Lab is, if you don't want to read the whole privacy policy, they've got a short version. That short version is, yeah, it's short, but I don't like it, because you can often hide a lot of legalese in a short version that is designed for the average person to look at. So we're gonna go ahead and straight up ignore it. A lot of you know that I've got issues with Bambu Lab and their data collection for the single purpose of, we don't know what it's collecting, and a company that came from a company that is now banned from doing business with the US government, that is just telling me to trust them, has never been one that feels all that good and warms my cold heart. I did read through this actually on an unboxing video of our first Bambu Lab X1 Carbon, which I will card to so you guys can take a look at it. However, things might have changed. I think it's good for us to go through and review it.

We can see it is very specific, and we're going to see this with pretty much every one of these privacy policies: if you do not agree to the entire privacy as a whole, you must not use products and services from that company. And this is what Bambu says. Now, you don't really have a choice, right? You either agree to the privacy policy, or you don't use their products, or option three, you find a way to do what you want and how you want.

We can see some information regarding what they collect. We have account information, which is fine. Contact information, which again is fine. These are all necessary for when you create an account, make a purchase, send it with payment information. All of this is important. Most companies, and I would assume Bambu included, are not going to take your credit card information. They don't care. They're gonna have a third-party payment processor handle it, because that third-party payment processor also has the insurance, so if there is a data breach, the payment processor deals with the BS, not Bambu. So you'll see that while they will need to collect some level of payment information, it is likely going to go through a third party. Of course, transactional information, which gives them that data including details of your purchase history, be it of machines, parts, build plates, filament, whatever it might be. All pretty standard stuff.

Fraud and abuse prevention information: personal data that we need to collect for verification purposes to prevent fraud and abuse, including data of device trust and appeal records. So we can look here and understand more of what these appeal records are. It is copyright appeal information, including the identity information of the appealer, the reason and description of the appeal, and evidence of copyright ownership, date of the model appealed, and information of the outcome of the appeal. This all really has to do with you utilizing Bambu's name or Bambu's IP without their relative knowledge.

They collect your device information. When you use their products or services, they collect a device ID from which the device can be identified. They also collect other information about the device, such as the operating system, hardware version, device model, serial number and network connection. A lot of you guys know that we are pretty set on trying to understand what is inside of those Bambu log files. In fact, we have an open bounty, that is a personal bounty, not associated with 3D Musketeers of course, for trying to crack the Bambu Lab encryption. It is AES encrypted, we know that for sure because we've identified the MCU. We are fairly certain that the device serial number is part of the key to decrypt it. So Bambu is likely able to collect your device information, including that serial number, and then utilize it to decrypt your log file. That's as far as we've really gotten so far, because, well, I don't really want to brick a motherboard, because I'm fairly certain they're not just going to send me a new one, because they know what we're up to. We're gonna see what we can do. But then, you have spare Bambu motherboards, I might know someone who's interested in buying them.

But this is important for them because they want to know where their machines go. Now, it's not a very common practice to see this in consumer grade 3D printing, right? While machines have serial numbers, it's not common for manufacturers to care about that, because a lot of times manufacturers don't generally care if you are the first user of it, because there's really no easy way to track it. You can make a new account that isn't associated, but at a certain point your warranty will run out, so they put some sort of identifier on it. Bambu collects that so they know for sure when that machine was manufactured, as well as who has owned that machine, whether it is you, somebody else or whomever.

And of course the network connection, which is part and parcel of the issue that I have. What level of the network connection are they pulling? Is that going to include my SSID and my password? Because if so, that would give Bambu Lab direct intermediate access to any network that they have a printer connected to. And you might say, "Grant, I don't care if they see what Benchys that I'm printing." You might not, but if that machine can become an opening to a network for someone who is not acting in good faith, you might be a little bit upset if you found your computers being used on a botnet. You don't know what a botnet is? Don't worry, TL;DR, you don't want it. I worry about some of this information because, while they do need it to connect the printer to the internet, they don't need to store it. The machine needs to store it personally so it can connect, but the company itself does not need to collect that. I believe that is an overreach, in my personal opinion.

And of course the printer camera information. Now this is a big one. For X1 Carbon owners, it's not that big of a deal. If Bambu really wanted to use the camera information to violate non-disclosures, honestly, if they're gonna go through that kind of work, I say let them have it, because it is very difficult to do that kind of thing. It is those of you that have the P1P or an open printer, maybe you've removed the panels from your P1S or whatever new printer Bambu has by the time you're watching this video: that camera can see a lot more than just the internals of the printer, which is a massive security concern. While you might not care if Bambu sees you walking around the house without pants on, people that live there did not explicitly agree to that level of spying. Just really the nicest way that I can put it. Be careful about those cameras.

And while, yes, you can put a shutter on the camera to close it when it's not being used, heck, you can run your printers in LAN-only mode, or do what we do, don't connect it to the internet at all. All you really have to do is just, well, if you talk about it on the internet, deal with people yelling at you for not updating your printer, thinking that they know and understand how ITAR works, and I'm not going to get into that right now. But then you also have Bambu saying you need to update your firmware. But don't put it online, can't update firmware. It's the current issue that we have with these machines.

And we see that they only collect it when you voluntarily provide it to them. However, we don't know how and when that occurs. Now, if you send video files to Bambu during a support ticket, that's fine. But that machine has a direct connection to the outside world, and because everything is encrypted that comes out of that machine, you don't know for sure what is being sent and what isn't. And because Bambu has outright refused to prove it, I don't know if I trust it. It's gonna be up to you guys. You might say, "Well, I don't care if Bambu sees me walking around without pants on." And well, yes, there are other devices in your house that are likely listening to you too. It does not immediately say, well, because everything else does it, it's fine if this one does too. Think about what level of security that you're looking for here.

3D model data. That one is a big one if you are a business. If they're collecting your 3D model data, they are violating non-disclosures for you. And of course that is only when you use the cloud. Again, though, we don't know what is being sent in those log files, don't know what is being sent in packets that go up from the printer to servers. We can't see it. The 3D model data is part of what bothers me. And while it says, "Under any circumstances, without your permission, Bambu Lab will not read, analyze or process your 3D model files, and we will not grant any third-party access to your 3D model files," again, how do you grant it? And then how do you revoke it being granted? So when you send Bambu log files, or when you send them video files, can you revoke that access? Or as soon as you send it, you are providing an irrevocable license for them to utilize it for whatever their purposes are? It's not really explained here, even if we look further into printing data, cookie policy and network activity data. This takes us to key terms, where we can scroll down and look for the certain things that we're looking for, and then it takes us to the cookie policy, which, every company collects cookies. There's just, there's no way around it. It is what it is. Cookies are a part of the deal.

But Bambu, like Creality, have different stories for where you are based in the world. I'm reading the one based in the United States, but if you're based in the EU, because of GDPR you have a completely different set of rules that the rest of the world doesn't have to follow, because your laws are specific. It's dumb, I don't like it, it's a pain in the butt, but if you do want me to go through the one for the EU, let me know and I'll do it again.

We can all see that they collect usage data, such as network activity data, which, uh, let's look at that one in the key terms. That includes interactions, including between users, Bambu Lab websites and other websites operated by a third-party company on their behalf, referred collectively to as related web pages. That is effectively when you go to somebody else's website, when you bounce away from Bambu, they can see where you're going. Again, that is a cookie thing, but if they're going to be selling that data, we have a problem. These interaction records may include topics, replies, comments, reads, ratings, likes and collects, as well as interactions such as uploading, downloading, deleting and printing. They collect your IP address, which, if they're going to utilize the thing for the servers in the cloud, they need the IP address, right? Statistics regarding how related pages are looked at in view, that's the bounced stuff. The related pages you visited before coming to the related web pages, so where you came from and where you're going. They're basically playing Cotton Eye Joe here. And browsing information collected through cookies. Again, kind of a common thing.

So we can see how they use that personal data, and the use of said personal data to me is often more important than the collecting of said personal data. Now remember, companies, any of them, can update their privacy policy at any time, and if you stop agreeing with it for some reason, according to the topic you must cease to use their products immediately. But they don't currently give you a way to validate that your information is not going to be used against your will, because you have provided it to them and it effectively gets grandfathered into the new policy whether you like it or not. All you can do is choose to not provide further information, not delete the information that is already there.

And we can see that they collect information on a legal basis, which we'll get into, under data protection law for each purpose; categories of personal data which we process for each purpose, each called a category series. So let's look at this legal basis. Again, I like this, that it's got, you know, links to key terms. Very nice, helpful. We can see they have a legal justification, called legal basis, under which data protection law for each purpose. It will include performance of a contract, where it's necessary for Bambu Lab or a third party to process your personal data to comply with obligations under a contract with you. This includes Bambu Lab's obligation under the terms of use to provide Bambu Lab services to you, or to verify information before a new contract with you begins. So this is them just making sure the information that you are providing, that they are giving you, that you have agreed to, matches where it needs to. This is pretty much above board so far.

Legitimate interest: when Bambu Lab or a third party has an interest in using your personal data in a certain way, which is necessary and justified considering any possible risk to you and Bambu Lab users. For example, using your usage data to improve Bambu Lab services for all users. Contact us if you want to understand a specific justification. Well, if we don't exactly know what the legitimate interest is, we can't understand the specific justifications that Bambu Lab uses. Now, the issue that I have is that third party. For those that don't know, Bambu Lab is based in China, and for those who don't know, China has a thing about collecting data. If you don't know, just look up all the stuff going on with TikTok and its data collection. It's effectively an app that is being used to monitor people. Look it up. Promise I'm not going to break out the tinfoil hat for this one, but this one is concerning to me, because the third party is the problem. If Bambu Lab wants to use my information to improve Bambu Lab products, I don't really necessarily have an issue with that, as long as I know what that information is and what it's being used for. If I don't know any of those things, I feel a little bit apprehensive here, because I don't know what it's being used for and I don't know why, and I kind of want to know those things. Don't you?

Let me know what you guys think in those comments, because I don't know, I feel like a lot of users can say, "Well, I don't care as long as the printer works." I feel like people need to care a lot more about data security, and I hate it, because the more arguing I have to do, the less the soapbox I want to stand, because it just feels like people are gonna hate me over it, and I don't want to be hated over something that is a big deal and for some reason isn't a big deal to a lot of people. But it is that third party. When we know that products from the previous company that Bambu Lab employees and investors came from, DJI, has been utilized in espionage and spying and giving information to enemies against the United States, it makes you wonder ever so slightly what those third parties might be. And again, this is speculation, but third party is a very vague thing. Could I pay Bambu Lab to become a third party, to get all the information from Bambu Lab users? I don't know. I will contact Bambu to see about specific justifications, because I'm not seeing any justifications, but I'd like to know what they are and why.

Consent. Hey, this is good, we always like consent. Bambu Lab asks you to actively indicate your agreement to Bambu Lab's use of your personal data for certain purposes. And compliance with legal obligations, when Bambu must process your personal data to comply with a law. Except they operate under the laws of the PRC, People's Republic of China, not the United States. So it's a very different world when you look at requiring and compliance with legal obligations. There is no Fourth Amendment, nor is there for the rest of the world, but there are no terms that set out unlawful searches and seizures, and that can and might include your data. A lot of this goes into more of the GDPR stuff, but it's not heavily explained. They really move into saying it's Article 6, Chapter 1 of GDPR, which I can get into if you guys want to, just let me know in the comments. Maybe we'll do a podcast about it or something, we bring on an attorney to talk about this. If there is an attorney you guys would like to see brought on to talk about this privacy policy stuff, I'd love to know. We've previously talked to really awesome attorneys, one of which being Seth Polanski. We'll card to his episode, where we talked all about intellectual property. But Seth is not a contract lawyer, he is an intellectual property lawyer, so if there is a contract lawyer that you'd like us to talk to, let me know, because, uh, this could be a lot of fun. I think it'd be a really great podcast. Let me know what you guys think.

So we then move into marketing and advertising, because providing personalized services, there's not a whole lot of information there. But we can see with marketing and advertising we've got a category section. These are things that Bambu Lab can collect to conduct marketing or advertising to you after obtaining your consent. Again, your consent is likely provided inside of this privacy policy and user terms of service, in terms of your use. So yeah, you're providing consent to this. We can see that that information is account information, contact information, transactional information, device information, printer camera information, 3D model data and usage data. Again, most of that I don't care too much about. Account information, contact information, transactional information, even device information, those are all things that Bambu and any company is going to have immediate access to, period. But I don't want them selling that information to a third-party advertiser. Printer camera information, 3D model data and usage data, again, we don't know exactly where you agree to this. I'm assuming it occurs somewhere in the terms of use itself, but I'm not sure.

Further down into privacy rights, we get into a lot of GDPR, which is great. I'm glad that we're looking into this. Unfortunately I'm nowhere near a GDPR expert, especially because it doesn't apply in my country, but it is still something that I like. The thing is, if you're not in a country where GDPR exists, most of this actually doesn't really apply to you.

We can see that Bambu Lab also has a data retention policy, and they say that they keep it only for the period necessary to provide you with Bambu Lab products and services and for achieving Bambu Lab's legitimate and essential business purposes, such as making data-driven business decisions about new features and offerings, complying with our legal obligations, or resolving disputes. Below we provide details on the storage periods of your personal data. Data retained until you remove it, so that is indefinite. It is your right to request that we delete certain of your personal data. I'm assuming that that's certain amounts of personal data. Data expires after a specific period of time: they have set fixed retention periods, so that some data expires or will be deleted after a specific period of time. This is normal, this is fine. Data retained until your Bambu Lab account is deleted. This is good. When you delete your account, that data can go with it. I'm assuming that involves your purchase history and that kind of thing. And data retained for extended periods of time for limited purposes: after your account is deleted, we may keep some data for a longer period of time, but for very limited purposes. What those are, to be determined.

Data security, something that is a big deal to me. "We use certain physical, organizational and technical security measures that are designed to improve the integrity and security of personal data we collect and maintain. Please be aware that no security measures are perfect," I am aware of that, "and impenetrable," I am also aware of that, "and thus we cannot and do not guarantee that your personal data will not be accessed, viewed, disclosed, altered or destroyed by any breach of any of our physical, technical, organizational security measures." That is the "hey, we told you if we leaked your crap that, you know, it might happen, so you can't sue us because you agreed to this policy." Yeah, every company has this.

Of course, not intended for children. We already knew that. That's a big thing, children operating 3D printers, not a good move. We can see that this is as of May 16, 2023, so if you go to Bambu Lab and look at the privacy policy, of course we will link to it in that description down below, if it is updated anytime after May 16th of 2023, it is new and we have not done a video on it, and if we have, we'll link to it in the description as well.

Moving on to the Bambu Lab terms of use, something that should help clarify a lot of these issues. Let's start with the top one. Important: these terms of use, hereinafter referred to as these terms, are the terms between you, individual, company or any other entity, and Bambu Lab. We've got different designations for Bambu Lab. Bambu Lab has quite a few companies, I guess, they go by. These are them. Okay, this is what they go by in Asia, here's in the United States and Europe. The general terms are exactly what you would expect. Nothing there is a big deal. Heck, even the end user software license, not that big of a deal. But we can look at our obligations, that we may not use Bambu Lab technology or Bambu Lab intellectual property to develop software, or design, develop, manufacture, sell or license third-party devices or accessories associated with Bambu Lab products without Bambu Lab's prior consent. I don't know what Bambu Lab considers their property and intellectual technology, intellectual property, because there are a lot of people that do this, from my non-legal perspective.

So an interesting one, that I think has carried over before Bambu Lab realized they had to play by the open source game, is, uh, 3.5. You agree to not use the product and related update content to engage in the following activities: copy or use any part of the software beyond the scope of these terms; provide to third parties or allow third parties to use the whole or part of the software without obtaining Bambu Lab's written consent, including but not limited to app, service code and source code; use the product in a deceptive way for deceptive purposes; remove any copyright declarations or prompts contained in the product; attempt to destroy, bypass, change, invalidate or escape from product and/or digital rights management system, that's DRM, that is part of the organic composition of the product; or perform any other improper or illegal acts. So what they're saying is you can't do anything with the software, and they don't want you removing any of the copyright or the history of the software, which is what they did when they took it from PrusaSlicer. They removed all the old commits from PrusaSlicer and then of course, in order, Slic3r. So they're telling you not to do the things that they did. It's very much pot calling the kettle black here. I recognize that Bambu Lab wants users to not act poorly, but then you kind of have to set a good example to do it right yourself first, because if you don't do that, how do you expect your users to do it?

So we look at the incentive use of data, and there are a couple of lines in here that I actually like, but I can't confirm whether any of this is true. We can see in 6.1, where you choose to help Bambu Lab and products and services, Bambu Lab and its affiliates, licensors may collect data from your device for analysis. Collected data includes your device configuration data, app statistical data and error log data. All data is anonymized before being collected and processed. But to our best guess, it is part of your serial number that can decode the encrypted log file, because it's a hardware key. It is a hardware key of some sort to decrypt that log file. So no, it's not anonymized, because it is connected directly to a hardware key of some sort. So I think Bambu Lab might actually be already violating their own terms of use. Now, I'm not an attorney and I'm also not a cyber security expert. Maybe we can find a cyber security expert that is an attorney. I know Defcon is coming up. Many people at Defcon would like this kind of thing. If you know anyone that's going to Defcon who would like to talk to me about this, let me know, let's talk with them. But I think this is where my level of understanding of legalese tends to fall off. It's anonymized, or so they say, but there's no way for me to prove it, and this level of "trust me, bro" doesn't work for me. This is something that, as someone that does need to run their machine offline for the time being, it makes me a little unsettled.

This last line in 7.3, due to the importance of these updates, is talking about updating of the software: your product may block new print job before the update is installed and will immediately provide update notifications to help you understand the related information. Does that mean that if I choose not to update my machines, they will actively block me? I want to believe this is more talking about, if you tell your machine to update, it is going to not run the print job before it updates. It'll just update, then go ahead and run the print job. Maybe that's it. I'm honestly not certain, but again, my legal definitions are kind of weak. What do you guys think?

So yeah, that's the basis from my perspective. I'd love to know your opinion on these privacy policies. I know that I might be reading into things a little bit more than I should, and maybe I missed over some things as well. Obviously my use case is going to be different than yours, as a business that deals with non-disclosures and, you know, export control stuff. But I'd love to know your thoughts in those comments down below, and of course let us know as well if you want to take a look at Creality and Prusa to learn more about how they collect and utilize your data. If you guys want to see it, I'd love to make those videos for you. And don't forget, if there is a legal professional that you would like us to talk to in the live, on a podcast, I would love to do that. So send us your favorite, I don't know, lawyer content creators that would be open to this kind of thing. I'm down if they are down. Anyways guys, stay safe out there, don't forget to call your loved ones, and as always, leave a like and keep making awesome them. Have a good one.

Hey, thanks so much for watching this video, and a massive thank you is out to all of our channel supporters, whose names are listed right next to me, at the five dollar tier and higher. Remember, if you want to support the efforts that we do here, you can join via those links in that description down below, with the $10 tier and higher getting you access to our Patreon Discord server. Right below me will be my first look at PrusaSlicer 2.6, and next to that will be my look at OrcaSlicer, very similar to Bambu Studio, just, you know, with more access for other printers. I'll see you guys down in those comments and in the next one. Take care.
Channel: 3D Musketeers
Views: 18,688
Keywords: 3d printing, crafter, maker, 3dprinting, 3dm, creators, 3dmusketeers, 3d musketeers, create, diy, business, tech, technology, design, making, make, awesome, inventing, slicer, tutorials, 3dprint, 3d print, 3d printer, 3dprinter, bambu lab, bambu lab x1 carbon, data privacy, bambu lab x1, bambu lab 3d printer, cyber risk, cyber tech & risk, privacy policy, data collection, legal basis, nathan builds robots, bambu lab privacy policy, bambu lab p1p, right to privacy, gdpr
Id: e-90nys9too
Length: 28min 27sec (1707 seconds)
Published: Wed Jul 26 2023