Dashboard Privacy Hole - I can see someone else's prints

Ever since Dashboard was introduced I had some privacy questions about exactly what Formlabs is sending to their cloud, and the associated risks (particularly with regard to intellectual property protection).

Today after I started a print I went to my dashboard, and was surprised to see it tell me I’m printing on two printers. I only have one Form 2.

Long story short, the other printer is one I sent back to Formlabs some time ago for refurb (and in fairness I should highlight their customer service was absolutely top notch). Looks like they missed doing a factory reset and/or disconnecting it from any linked dashboards.

I’m sharing this here for the community as a “public service”. I’m sure Formlabs will address this gap, but in the meantime before sending in your printer it might be prudent to:

  • Delete your history of printed model files from the unit
  • Disconnect it from your dashboard
  • Factory reset the printer

Here’s what I saw. The mermaid print is not mine:

Details for the print:

On a side note, if you’re the new owner of TalentedViper and just printed off a mermaid, feel free to drop me a line! I’d love hearing about how it’s doing in its new home.

1 Like

My name is Steven and I work on the web team here at Formlabs. Thank you for your post about TalentedViper and I apologize for its sudden reappearance on your Dashboard.

Deregistering a printer from all linked Dashboard accounts is a standard part of our RMA process. We reviewed our internal work tracking system for RMAs and can verify that the deregistration step was not completed when this printer was refurbished. The rest of the RMA steps were completed including wiping the internal memory and doing a factory reset.

We’re going to double-check to see if any other RMAs may not have resulted in deregistration.

We take the security of what you print quite seriously, and as a result we don’t collect full models or geometry information in Dashboard, as noted in our privacy policy: Full Models, 3D geometry, and personal information will not be collected without your additional and explicit consent.

We’ve since deregistered the printer from your account.

As for TalentedViper, it made its way to Formlabs HQ after being fixed up and it’s being actively used by folks in our office. I asked Mik about the print and he mentioned that the mermaid didn’t quite make it but he’s going to give it another go. This time, it won’t show up in your Dashboard so you’ll have to take our word for it. :)

2 Likes

Thanks Steven. I understand this was an honest mistake and pretty unusual. Also appreciate you surfacing that extra information about not capturing 3D geometry.

Wish Mik luck for me on his second go of the mermaid!

@smerrill Looks like there are still some lingering bits.

e.g. I have never had a printer named LudicrousCat or SpecialToadlet, and I’m pretty sure I’ve never owned any Castable resin. Although I wouldn’t object to stumbling upon such a well-stocked resin and consumables library hiding out in some hitherto-unknown corner of my basement. And you should know I’ve got my eye on your FantasticCamel.

Let me know if I should pursue this with a new support ticket instead.


ps. I’m pretty sure there’s nothing sensitive in the images I’ve posted but if you disagree I’ll promptly take them down.

Did Formlabs provide an explanation for the additional 3 printers visible on your Dashboard?

No, but to be fair, the additional 3 printers aren’t listed directly on my dashboard. They’re just present in the context of supplies which are. I’m guessing they leaked in after consumables were taken from said printers and then inserted into TalentedViper when it was still linked to my dashboard. Maybe it’s too complicated to disentangle the consumables from my account (or would risk wiping out my own legitimate history).

At least I can’t see other people’s jobs anymore.

The consumables are still present, and occasionally I discover entertaining new names of printers Formlabs is using. Today I see FarDonkey has Grey loaded, and FantasticCamel still hasn’t given up his CamelBeer ;-).

I should point out this was a pretty isolated case and anyone looking to “bash” Formlabs on the topic of security shouldn’t read too much into it. They also did explain that full model geometry is never uploaded under any circumstances.

I wouldn’t be so kind with Formlabs. The reason why I am allowed to use the Dashboard at work is because of the guarantee that specific print information isn’t even shared with Formlabs without our consent, and yet we still print offline for some very sensitive projects. The fact that you see other printers’ serial numbers in your dashboard, and the fact that that is linked to the consumables and not even the printer itself, is a huge issue IMO; it should be acknowledged and solved ASAP.

Hi @JohnHue,

I empathize with your sensitivity on this.

Some food for thought: If you were Formlabs, how would you handle the situation where I lent you my half-cartridge of resin and you installed it in your printer? As far as the cloud can tell, we both “own” it, so it’s reasonable we’d both see things like the amount of resin left. If you gave me your used Tray, some would even argue it might not be entirely unreasonable for me to see the silhouettes of your prints under its wear history (although I expect that one’s more contentious). I think to solve edge cases like this, Formlabs had to either make some arbitrary decisions or create tooling (that would rarely be used) to deregister consumables.

Of course I probably shouldn’t ever see your printer names, or the fact that the cartridge I gave you is installed in your printer. And I certainly shouldn’t see your other consumables that were never even in my printer (although for all I know Formlabs did insert every one of those foreign consumables on my dashboard into TalentedViper at some point before removing the printer from my account).

I’m not absolving the company, and it’s clear there’s a hole here if a manual step is missed in the RMA process. I just wanted to add some perspective to avoid being the instigator of hyperbole.

That’d be absolutely fair.
However, once one of those printers gets refurbished, everything should be wiped out and there should be some internal asset management tool that makes sure that any consumable or other data associated with a given serial number gets wiped out. I also work in a hardware startup and, on top of my mechanical engineering job, I am currently assuming multiple ad interim jobs including production management and RMA / refurbishing processes, so I know you can’t have all the bells and whistles that a world-leading medical company would have (I worked for one of those, too)… but when it comes to consumers’ data being safely and privately handled, there are no shortcuts.

That would be unacceptable; this would mean that data can be transferred from one account to the other with the exchange of some non-sensitive hardware (the tank).

Referring to the beginning of my post, this should already be in place, and should not even be a manual process.
