Privacy of Printing Services

The Washington Post has an article about popular printing services, and whether or not they read your documents and mine the data when you use them for printing:

Ideally, printing services should avoid storing the content of your files, or at least delete daily. Print services should also communicate clearly upfront what information they’re collecting and why. Some services, like the New York Public Library and PrintWithMe, do both.

Others dodged our questions about what data they collect, how long they store it and whom they share it with. Some—including Canon, FedEx and Staples—declined to answer basic questions about their privacy practices.

Posted on July 11, 2023 at 7:57 AM • 23 Comments

Comments

Peter A. July 11, 2023 9:32 AM

And what about “cloud printers” that require Internet connection and an account with the manufacturer to function?

Clive Robinson July 11, 2023 10:02 AM

@ Bruce, Peter A.,

“…about popular printing services, and whether or not they read your documents and mine the data when you use them for printing”

It rather depends on what you mean by “mine”.

A probably valid assumption would be that as the documents are being paid for, the documents were already massaged and proof read by one or more humans. Thus of a reasonably high standard.

So they would have value, not just as the documents, but for other purposes…

Look at it this way, if they stored all they printed out, that could be sold as more original content to be shoved through an AI LLM learning process. Thus avoiding many issues of Internet scraping…

@ Peter A.,

It’s not just print manufacturers, consider the value of the Microsoft Office “online” for “original human content”.

The person in charge of Microsoft currently appears to lack all morals when it comes to other people’s IP and it reflects down through the organisation.

I’m not at all surprised, and predicted that “Cloud Services” would be bad news in many ways years ago and let’s say they’ve lived well below expectation so far. Also if what the Industry is asking the EU to do against Microsoft for its behaviours they are currently at the bottom of the barrel…

Brenden Walker July 11, 2023 10:49 AM

@ Peter A.

“And what about “cloud printers” that require Internet connection and an account with the manufacturer to function?”

Often ‘require’ is a marketing lie….. Not saying it’s always the case, but for the DeskJet 2752e it is.

I think I had to remove a snapped on cover to access the USB port, once I did that and installed the software it’s fully functional.

Bob Paddock July 11, 2023 11:17 AM

A local church asked me to fix their new HP InkJet printer.
It insisted that we subscribe to some service in the UK for $6 per month.
Could not find an easy way around it in the time I wanted to spend on the task.
So I went and bought them a non-HP toner printer and donated it to the church.

Hope more people dump HP for this forced subscription crap.

lurker July 11, 2023 6:59 PM

@Petre Peter

conscription ≠ subscription

Even WaPo couldn’t wring the truth out of all the miscreants, so what’s a body to do when Lawyers, Accountants and @Clive Robinson insist on getting everything on paper? Perhaps a nice unerasable pencil that sends everything written back to China …

Wannabe techguy July 12, 2023 5:20 AM

@Clive Robinson

Why do you say that about the head of M.S.?
You may be correct, I’m curious.

ResearcherZero July 12, 2023 6:29 AM

Walking in your enemy’s shadow: fourth-party collection

https://www.youtube.com/watch?v=TO-uQ4sih-o

Grim Squeaker July 12, 2023 9:26 AM

@lurker re: wanting everything in print form – At least some semblance of privacy can be maintained over printed materials, given some basic diligence. You can bloody well assume that any content in digital form that lacks complex and expensive encryption will either turn up somewhere for sale to the highest bidder, or possibly made universally available for free.

lurker July 12, 2023 12:17 PM

@Grim Squeaker

Sure, there’s a subtle difference between physical security and digital security. But @Bruce’s point is, if printing your material on paper involves passing it in digital form to a mechanical device that may be owned or operated by unknown forces, then it’s Game Over Man.

Clive Robinson July 12, 2023 12:51 PM

@ lurker, Grim Squeaker,

“passing it in digital form to a mechanical device that may be owned or operated by unknown forces, then it’s Game Over Man.”

Just one addition,

“If they can get communications to it”.

I have a policy of not buying anything that “requires, needs, or uses without my consent data connectivity”.

This results in me not having the dubious upsides of “Spy on you tech” but it also has the downside for them of not just not being able to take my money under false pretenses, it also stops the “commoditizing” of me for their profit as well.

Has the loss of the dubious upsides affected my life?

Not that I’m aware of, but then I was born a little under a decade before the time when having a landline phone and a colour TV made you very much “upper middle class”. Likewise both parents having cars and at that time well paid professional jobs.

I however along with all my friends did not use phones and well TV only had three channels by then and they were mostly not that good. So our activities were more physical than informational, most of us had pocket knives, matches, string, and similar bits and bobs in our pockets and “building camps” an almost endless activity in the summer months. Most of us could shoot, fish, set traps, and chop down trees. Oh and cooking, I guess we all knew how to do that to some extent before we were ten…

Do any of that these days and you’d be called “feral” or worse and “locked up for your own safety”…

Technology of the sort we are getting, is not good for “the public” but the Corporations, that’s a different story, the more helpless they can make you, the more money they can make from you, and they will unless you decide otherwise and learn those skills and have fun with them…

PaulBart July 12, 2023 2:29 PM

@Clive so close

is not good for “the public” but the Corporations,

As if only “Corporations” are interested in making money off “the public”.

lurker July 12, 2023 6:17 PM

@Clive Robinson

re, communication,
sure, if you know, and pop the hidden tab to get at USB like @Brenden Walker you might be safe. If his ‘puter that drives the printer has some other connection to the world, then all bets are off. I still feel a little sorry for those who don’t know and just follow the instructions on the box.

Clive Robinson July 12, 2023 9:15 PM

@ PaulBart,

“As if only “Corporations” are interested in making money off “the public”.”

Well… These days with Governments being out-sourced, and Serious Organised Crime Cartels hiding behind Off-Shore “Limited Liability Partnerships”(LLPs) set up by Panamanian Law Firms…

It’s kind of got difficult to,

“Spot the Saints from the Sinners”

Because they all pass the “Duck Test” for “nefarious behaviours”…

Clive Robinson July 12, 2023 9:55 PM

@ lurker, ALL,

“If his ‘puter that drives the printer has some other connection to the world, then all bets are off.”

An issue, that I’ve talked about here and other places for what feels like a life time…

There is that old saying,

“If only the walls could talk…”

Well they can… as @RobertT and I pointed out with diagnosing how BadBIOS could work on this blog a decade ago, based on very similar work we had independently done back in the 1980’s.

But as with discussions with @Nick P, about other TEMPEST / EmSec issues we were “well ahead” and most a decade and a half later have not yet realised they need to think about it.

As an example I pointed out why Code Signing could and would fail, and those “Walled Gardens” of Apple and Google prove it every day.

I’ve also pointed out “air-gapping” is a security failure this century, it’s quite deficient. If you are not “energy-gapping” then you are not even playing security “Janet and John” style… Yet next to nobody does it…

You might remember I got a bad rap for saying “secure messaging apps” were very definitely,

“Not secure by design”.

Even though it was simple to demonstrate as fact. I think most security professionals now accept that it’s “the reality of the world” but hey “the tech is cool…”.

I can give people advice as to what to do and the mechanics and methods involved in how to do it.

But will the ordinary user do it?

No because of “convenience”.

I can prove quite simply that it is not possible for Governments to stop E2EE if people want to use it. But it requires the individuals to take a little responsibility for their own actions. And as you can guess overwhelmingly people will not discipline themselves to do it…

So the old,

“You can lead a horse to water, but…”

Applies and the old,

“Give me liberty, or give me death!”

Cry of Patrick Henry two and a half centuries ago, has become,

“Give me convenience, and bring me death!”

As those CIA assets in China and Iran discovered too late was not the way to go…

So what to say… I guess you could say I’ve failed, because I’ve not convinced people…

Peter A. July 13, 2023 7:22 AM

@Clive Robinson, @all

That’s true that most computing and communications is not secure and most people ignore it. The real question is “not secure against whom” and what data/messages you put through it.

I have absolutely no issue with transmitting “Honey, I’ll be back at XX hrs, please put on the potatoes” over a cellphone that could be wiretapped by any 3-letter agency over here at little more than a mouse click. I don’t even bother to carry a “secure messaging app” capable device. But phone link is secure against most criminals outside of the gov’mint. However, some other family issues are hushed and postponed till I’m back home. Same for email: chit-chatting is fine, but keep serious things away. I still run my own email server for configurability and security (or at least for my own control over the level of insecurity), but more than half addresses of other people are at Gmail et consortes, so privacy is very limited.

As for printing, I got tired of mending my old parallel-port compact LaserJet after another toner incident and a slight breakage of plastic during my impatient cleaning, so I put it in the trash. But I had to print something urgently, so I had to buy something NOW, and browsing through the online shops I was shocked, hence my first post in this thread (I haven’t observed the printer market for quite a time). I look back with nostalgia on what HP used to be… Got a USB-only thing the size of a camping fridge, at least it works without WiFi, “drivers” and other crapware. I’m still looking for some used laser in good condition and with parallel port (it’s mostly unidirectional). Plus the old equipment has not enough memory for common spyware.

Clive Robinson July 13, 2023 10:38 AM

@ Peter A., ALL,

Re : All messages can kill.

Please do not take this the wrong way, but…

“I have absolutely no issue with transmitting “Honey, I’ll be back at XX hrs, please put on the potatoes” over a cellphone that could be wiretapped by any 3-letter agency over here”

Are you sure of that?

Because I’m almost certain the opposite applies.

Prosecutors and all those behind them have absolutely no interest in justice.

They will take anything and twist it any way they can to make you look guilty.

This is not my opinion, but the opinion of more honest lawyers and Law Enforcement officers who advise you,

“Never talk to the Police”

Because even a totally innocent person telling the absolute truth can have it used against them as has been proved so many times.

Neither the prosecutor or police who –are often “elected” in the US, but even if not– get promotion and pay increases on “Meeting and Exceeding Conviction Numbers” are interested in truth or justice. They just want a quick and easy body count to climb up the ladder.

But this is not new, there is the famous quote attributed to Cardinal Richelieu that puts it fairly starkly,

“If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.”

But in the case of your,

“Honey, I’ll be back at XX hrs, please put on the potatoes”

Is so openly a “secret code phrase” to signal when to commit a very serious terrorist attack you should by now be on your way to an Orange Jumpsuit in a cage at one end of Cuba…

Why? Remember that pair of inept wannabes that thought using a “cake recipe” was a safe cover… Well “cooking potatoes” is just another variation…

That would be an “Easy Sell” in the US where prosecutors and law enforcement can pre-bias a trial by running it in the national media… And do so on an almost daily basis, as we see even in International News Media…

Now tell me do you prefer the chair or the needle as apparently hanging is not cruel enough…

Oh and before anyone argues I’m a socialist or liberal, have a look at the leanings of those in the US in jail who have “talked themselves in” by bigging it up etc. If nothing else the FBI are having a field day with a whole bunch of them right now, even those that were lawyers in high positions…

vas pup July 13, 2023 5:57 PM

Ok. do this without What about printer at work place? Do company doing maintenance have a chance to extract data out of its part?

E.g. work place is government unit and private company XEROX or just its technician could do this for foreign actor?

The solution should be as printer printed copy, electronic data of the copy in its buffer or other soft/hardware part should be deleted simultaneously.

John Morris July 13, 2023 6:55 PM

@vas pup
Nah, if you configure it right, Xerox printers are fairly secure. FIPS certified in fact. As jobs finish the display goes through “printing, complete and then secure delete” It does a full overwrite of the file at the end of the print job. Is there an ‘evil firmware’ that uploads every job to China? Or worse, the NSA? No way to really know of course, but it would be a real scandal if one were caught doing anything of the sort.

When you pay real money for a printer they make their money from that, when you pay $20 at Walmart they make their money datamining you after selling you overpriced ink.

CallMeLateForSupper July 15, 2023 8:52 AM

@sticky “The printer has no access to the public Internet.”

(A little humor:) Tell me, what private internet you surf, because I too use CUPS and want me some mo’ security.

#Clive Rattling your chain. It has been too long since my previous post; had to think very hard -hurt myself!- to remember my posting name.

Clive Robinson July 15, 2023 11:05 AM

@ CallMeLate…,

It’s been a while, hopefully you are well, and gainfully surviving if not thriving?

As for a printer and keeping it off the Internet, may I recommend not a firewall but a fireaxe and get in the swing 😉

More seriously my solution for longer than I care to remember is,

“Segregation, segregation, segregation.”

At first with air-gapping back in “dial-up days”, then for convenience in the RF cage rack (faraday shielding) but of more recent times “energy-gapping” as part of careful power conditioning of a solar power system.

Mind you one of my printers an Epson dot matrix for “two or three part carbon copy” is as noisy as a dentists drill only more teeth jarring…(it’s why it went in the RF cage, shut the door and even the noise goes down 60dB). Whilst getting tractor feed stationery is still relatively easy, the ribbons… Ever tried “inking your own?” from older ones… Messy messy messy till you work it out. As for the HP ink jet well that’s so last century but still works and surprisingly I can still get non-HP cartridges. But laser printers what can I say… They appear almost as consumable as the toner cartridges, and getting “wired network only, PostScript II”[1] is not as easy as it once was…

As for “Internet” I really don’t do it @home except by a creaking old mobile phone… Though I have experimented with using a Y2K PC stripped of all hard drives and other semi-mutable memory with the OS a version of Linux that runs on such old kit, from a CDROM… I see the cost of the wire through the wall as way too expensive by a long way these days…

So yeah “Savings by Security” 😉

[1] There are a number of advantages to PostScript even today, especially if you can program in it (it’s stack based like Forth). A big advantage is the number of “filters” you can find lurking in dark corners that will do things like “strip the text out as ASCII files” you can then stick in a software repository and inverted text database for your own “Fully searchable Document Repository”. Back when I first did that CUPS and GIT was not even “twinkles” and the most favoured software version control repository was the “Source Code Control System”(SCCS) which is a half century old this year, and you scripted with Make…

Life was so much easier back then as you had “no choice” to slow you down…
