Recently, I wrote about M0AWS' concerns, (note: that post may later be edited and may not reflect the original post), highlighting data collection by PA3GSB from various Radioberry units as they become active.
Because this story has developed over the past few days, I've removed my original post to ensure the facts now available represent fairness to all parties. I had tried to contact PA3GSB using his QRZ.com email address, but that simply bounced back; I could at the time find no other way to contact him.
Later, I was provided with a new email address. This, I'm told, appears when one uses the PA3GSB Radioberry software - which of course I didn't have (nor did my own Radioberry come with that operator's software).
So I was finally able to ask some questions, to which Johan, PA3GSB, quickly provided some detailed answers. I don't think, however, the answers amount to a reasonable justification for how the data was handled, and I'll try to explain why.
 |
| Extract from M0AWS' post on the issue, accessed 22-24/10/2025, asserting the data collection was "spyware". |
Firstly, Johan is clearly an enthusiastic developer. The data collection was obviously not malicious and neither I nor M0AWS have ever suggested it was. M0AWS did assert it was "spyware". It seemed at first glance to be someone who thought future projects of his would benefit from knowing details of the network of Radioberry units, but that the data had not been handled in a sensitive way, being published online. This included the MAC address and, if the user had entered those details, callsign and locator. Those are clearly inter-relatable identifiers that amount to a potential security risk to the user.
This was what appeared in public (I've redacted callsigns and locators) up until I made contact with PA3GSB about these issues on 24/10/2025; I've redacted the few callsign and locator details:
PA3GSB, who takes issue with the claim this data collection was described by M0AWS as "spyware" and had not been previously contacted about it by anyone, says that his software, on initial use, gives the user the option to enter or to decline to enter their callsign and locator. It's clear from his website that few choose to enter their details. But some have. Entering those details might appear to some to be a normal part of ham operating and they might think it is necessary, for example, for their details to appear on some reporting map or other. I would do so, for example, to use it with WSPR.
Johan does not, however, deny that the MAC address reporting and publishing was a choice the user could NOT make. All the user could potentially see was a wiki page notice (if anyone saw it) that, if their Radioberry was connected to the internet, it would be "registered".
There is a link to the site where the data is published and so a reasonably curious person could see what would be published if they proceeded - but be unable to prevent/stop the MAC address being collected and published. Another issue was that, if the details had been published in the past, it remained published, no matter how long ago that was.If they didn't want this, some might conclude they were lumbered with a unit they'd paid maybe £150 or more for and now couldn't use 'out of the box' in a plug-and-play manner, which many do want (though other software without this data collection are readily available and now often supplied by Chinese sellers).
 |
| The notice that PA3GSB software use online will result in "registration", with a link to the page where MAC address and other details were published without restriction. |
PA3GSB accepts in his response that collecting and publishing MAC addresses was "bad" and that he was to remove it. And, indeed, the MAC address was removed immediately, as this screengrab from this morning shows:
 |
| PA3GSB's site, accessed 08:05UTC, 24/10/2025. The MAC address column has now been removed. It's unclear whether Johan is still privately collecting the MAC details and, if so, how securely that data is being held. |
Johan could readily justify, even in law, that collecting such data has a lawful basis; there is no prohibition on data collection under GDPR per se. But there was always a need to ask whether collection was necessary, justified and within the users' reasonable expectations. I don't think Johan can reasonably claim he did so in the way he ultimately went about it, and his immediate removal of the MAC details upon my contact supports this view.
Johan could collect and use that data without difficulty in law by simply ensuring it was processed in a (private) way that didn't compromise users' personal data/IT security. Whether he was/is storing that data in a way that meets GDPR requirements in terms of overall security (pseudo- or full anonymisation. encryption, etc) isn't known. But he should ensure now that he is fully compliant with all elements of GDPR.
Where I would, to an extent, agree with Johan is that, if someone wants to question or criticise someone else in writing, the conventional way to go about it is to first ask the person subject to the reportage for his response. Perhaps M0ASW, like me, found Johan's email address on QRZ bounced and then didn't try some other route to establish contact, though according to Johan, his correct email address appears within his software (I don't have a copy, so can't check, but I take it at face value). I had to make contact with another operator in PA-land to get his address. M0AWS later claimed he did try to contact the developer, without success.
Overall, M0AWS, whilst perhaps not quite giving the full picture, did highlight an important aspect of this software and that some users, at least, would end-up entering their callsign and locator details and only later realising this would be matched-up in public against their MAC address. If it had, they couldn't quickly stop what had already appeared remaining online, indefinitely.
What PA3GSB has not now done is to make his data gathering page private. He offers no reason as to why any of this is appearing in public. The data has, at least at the moment, no apparent practical use to anyone other than him.
I think PA3GSB is a good person, genuinely offering something positive to the ham community. But he has, unfortunately, put himself in an indefensible position by quite seriously overlooking his GDPR duties. That he takes no money for much or anything of what now happens with Radioberry and is essentially a private individual is no defence, because any data collection has to be done in a lawful manner.
If anyone wants to delete some or all of the data collected by PA3GSB, then you have Article 17 rights to request he do so. In practice, there would be no reasonable basis for him to refuse, especially given the narrative of how the data came to be collected and published in the first place.
Also don't forget there are other software options. The one supplied with my Radioberry, and one that works very well, is developed by John Melton, G0ORX, who confirms that neither his nor the version by DL1YCF gather or publish any such data.
I've just asked M0AWS for his response to Johan's explanation. Surprisingly, he appears to back-pedal on his claims to some degree, saying now that the source code is open and can be edited to remove any objectionable actions (he later wrote to say I have "misrepresented" his email and wasn't back-pedalling at all). Make of it what you will. But not everyone will know how to modify code, or want to. He also says, deploying bold text to do so, that "it's important not to blow things out of proportion". Well, it was he who wrote a section about what he, and nobody else, called "spyware", wrongly suggesting that none of the data gathering can be opted out of; in fact, only the MAC address was ever non-optional, "bad" though that itself was.
If anyone is in any doubt as to whether the word "spyware" is a good or a bad thing, here's respected and long-established antivirus company, Norton's definition, matching what anybody would reasonably conclude it means:
"Spyware is malicious software that secretly monitors your activity and collects sensitive information, like passwords, location data, or browsing habits, without your consent."
The key fact is that it was not secret and two-thirds of the relevant data was entirely up to the user to enter, or not. The fact the data was published in public was clear for all to see (and mentioned in the Wiki page). Yes, it was something that shouldn't have been done, but it wasn't "spyware" in the way ordinarily understood.
No comments:
Post a Comment