Backpack send usage from you server. You are warned.

[dgironella]

Hi Backpack,

Because you send server usage to your stats api? If you do this you need to explain it on your documentation. I don't need to show you where I use backpack. Detect used unlicensed is only an excuse.

`
/**
* Send usage statistics to the BackpackForLaravel.com website.
* Used to track unlicensed usage and general usage statistics.
*
* No GDPR implications, since no client info is send, only server info.
*
* @return void
*/
private function sendUsageStats()
{
// only send usage stats in production
if (! $this->runningInProduction()) {
return;
}

    // only send stats every ~100 pageloads
    if (rand(1, 100) != 1) {
        return;
    }

    $url = 'https://backpackforlaravel.com/api/stats';
    $method = 'PUT';
    $stats = [
        'URL'                   => url('') ?? false,
        'HTTP_HOST'             => $_SERVER['HTTP_HOST'] ?? false,
        'APP_URL'               => $_SERVER['APP_URL'] ?? false,
        'APP_ENV'               => $this->app->environment() ?? false,
        'APP_DEBUG'             => $_SERVER['APP_DEBUG'] ?? false,
        'SERVER_ADDR'           => $_SERVER['SERVER_ADDR'] ?? false,
        'SERVER_ADMIN'          => $_SERVER['SERVER_ADMIN'] ?? false,
        'SERVER_NAME'           => $_SERVER['SERVER_NAME'] ?? false,
        'SERVER_PORT'           => $_SERVER['SERVER_PORT'] ?? false,
        'SERVER_PROTOCOL'       => $_SERVER['SERVER_PROTOCOL'] ?? false,
        'SERVER_SOFTWARE'       => $_SERVER['SERVER_SOFTWARE'] ?? false,
        'DB_CONNECTION'         => $_SERVER['DB_CONNECTION'] ?? false,
        'LARAVEL_VERSION'       => $this->app->version() ?? false,
        'BACKPACK_CRUD_VERSION' => \PackageVersions\Versions::getVersion('backpack/crud') ?? false,
        'BACKPACK_LICENSE'      => config('backpack.base.license_code') ?? false,
        'BACKPACK_URL'          => backpack_url('') ?? false,
    ];

    // send this info to the main website to store it in the db
    if (function_exists('exec') && extension_loaded('curl')) {
        $this->makeCurlRequest($method, $url, $stats);
    } else {
        $this->makeGuzzleRequest($method, $url, $stats);
    }
}

`

[pxpm]

Hello @dgironella ! Indeed. It's a known fact for everybody, atleast I tougth it was, mainly because it's open in the code, cleary visible (no obfuscation or whatsoever), also very noticeable of what is collected and we also state it in our Privacy Policy: https://backpackforlaravel.com/privacy-policy#the-data-we-collect

Our random usage stats ensures we don't actually have any kind of accurate data in terms of value, the value is only for us internally and the main reason for that was indeed licencing problems, but also helps knowing server specs where backpack is beeing used, software version etc.

One can argue that if we get more requests from domainA than domainB we can guess that domainA have more traffic than domainB, but well, Alexa and many other website rank engines are probably a better source for that information than our own analytics. 🙃

We are not in the data analytics business, that's why we don't care about data accuracy in terms of usage as you define.

I talked with @tabacitu about this, and I think we both agree that in v5 (we did a core split), we migth be able to make this optional, since now our paid product is close-sourced, in contrast with 4.1 where paid/non-paid users used the same codebase and pirated the hell out of Backpack.

And if you think "licencing" is not a good reason for it, please have a look on public Backpack usage stats in Packagist for example, you will imediatelly see that there is NO-WAY so many people are working on "non-comercial" projects with Backpack, otherwise we would be a team of 5~10!

That said, I don't think there is nothing alarming here, but you migth have another interpretation of it. Me and @tabacitu will be taking this discussion further about making it optional now in v5

Thanks for raising the issue 👍

[tabacitu]

Thank you for answering @pxpm - I only feel the need to add one two observations for @dgironella :

(1) Why is that there? To detect unlicensed usage, like its docs say, of course. BUT ALSO, to have a record of what domains are using Backpack in production - what versions and in what combinations. This wasn't our intention at first, it was a side-effect. But it was particularly useful in March 2021, when there was a security issue for those using SQL Server. Thanks to those records, we were able to identify who is using SQL Server + Backpack 4.1.17-4.1.34 in production, and contact them directly. And not only did we contact the people who bought Backpack. We even contacted people who were pirating it. Who were actively avoiding paying our license fee. Why? Because we're good guys, and wanted to keep people safe. For the security reason alone, that ping is worth keeping, if you ask me.

(2) I understand you think "detect unlicensed usage" is an excuse. It's your right to be skeptical, and skepticism is healthy in my opinion. But please try to look at it from our perspective. Imagine you worked at a piece of software for 6+ years, for many hours every every day and many nights. In all your spare time, then full-time, then it became your livelihood, you main source of income and it put bread on the table for you and your team, every month. It's the reason you can pay your mortgage. The reason you can go on vacation. Imagine you were in that position. And you know, from public stats, that less than 1% of the people are using it legally (and 60% of those licensed are using a free license). Imagine you are in that situation. Would you not want to have a better insight into who is using your software illegally? Would you not want to better protect your intellectual property? I think, if you try to put yourself in our shoes, you'd see that we have no bad intentions, and that the stats are perfectly reasonable, especially considering our previous business model was "the source code is public, but please be a gentleman and pay". Nothing that we do should point you towards thinking we are bad people. Quite the contrary: We didn't collect any sensitive info. We didn't sell or make available anybody's info to any third party. We clearly state it in our privacy policy (though, granted, we could put that information more front-and-center). Notice we're not even using Google Analytics any more. We're definitely not perfect, but we do try to be as private and careful with our users' info as possible. Hell... for a long long time we didn't even build an interface for the stats we collect. We didn't even look at it for years. And when we did, and hired someone to go after people using our software illegally, we discovered... it's not worth it. It costs us more money to go after the unlicensed usage... than the price of our software. We could take legal action but... we don't want to do that. We'd hate to do that - it's just not who we are. So we didn't. And instead, we decided to hasten the move to open-core, which is something we wanted anyway. We thought that should help in that respect: having backpack/pro closed-source would give us more information and control in who is downloading our software. It's too early to tell, we've only done in 2 weeks ago, but yeah... hopefully this will reduce the piracy rate. We hope open-core kills 2 birds with one stone. Have an open-source software that people can use absolutely for free... AND reduce piracy.

I hope the story of this feature brings some insight into why it's there. And eases your concerns about it. Unfortunately this is all I can do to ease your concerns - other than our 6-year history of being good guys.

But let's bring this to today.

Maybe you could help us with your opinion on what to do next - @dgironella . I think it'd be very valuable, because we obviously have different points of view. And your point of view is valid, and one that I think more people hold. I'd like a solution that is good for everyone (or as many people as possible). So please take a look at my suggestions below: https://github.com/Laravel-Backpack/CRUD/discussions/4210#discussioncomment-2206103

[tabacitu]

Hey @dgironella ,

Sorry to have caused you anger or disappointment. I agree - we can probably do a better job of explaining it. Maybe you can help us with that. Where in the docs would you have expected to read that?

Then again, like @pxpm said, now that Backpack\CRUD v5 is free and open-source... it's a bit weird to have it there at all. So we could make it optional... or move it to pro... or remove it entirely. Let's think about it, talk with more people, see what the best course of action is.

We could:

• (A) Remove the stats
• (B) Make the stats optional (add a config option in config/backpack/base.php)
• (C) Move the stats to backpack/pro

We can't do (A), because we still need the stats in Backpack\PRO, to see who's bought just a Single license but is using it in multiple projects. So let's choose between B or C.

IF we do (B), and make it optional/configurable in backpack/crud:

• PROs:
  • people who don't want it can opt out;
  • it's more visible, because most people go through the config/backpack/base.php file anyway;
  • even free users can benefit from this as a security feature (we reach out if we think you're vulnerable to something);
• CONs:
  • only free users could opt out... pro users cannot; which is... weird... for free users to have more options than pro users; like I said, we still need this ping to see who's using backpack/pro in multiple projects;

IF we do (C), and move it to backpack/pro:

• PROs:
  • it's cleaner, the free and open-source software has no usage stats;
• CONs:
  • free users cannot benefit from this, the security feature basically becomes a PRO feature;

---

I think I prefer option B. It has more benefits, it's more transparent and more configurable. You?

PS. For PRO users, this will probably be a lot more transparent in the future, anyway. We plan to show all domains that are using their tokens, in their Backpack account. That will not only make it super-clear that Backpack's sending usage stats. But it will also allow them to see if their tokens are being used by someone else. It's something a lot of people have asked for, and we plan to do it. We just never got to it.

[ziming]

Personally I'm for it being optional as well. With the default being opt out. Those who want the security related alerts can opt in.

I would also imagine that a person who pirates it would rather not be contacted, as it would likely give them a heart attack instead.

I am not for (C) because if the sending of stats can't be stopped via "normal" means, legal or security may step in & stop the developers from using the package. Every company works differently so I can't say for sure. But I would imagine some companies may be quite strict about it. Even though no PII was sent.