What we collect

If you decide to turn the data collection on, you will have to agree to some sort of EULA that defines the scope of the data collection and the retention policy.

All of the data is transmitted over a secured channel (HTTPS POST requests or TLS-secured TCP connection).

On the router, there are a few programs running in the background (if you allow them) which collect data and send it to our servers.

Ucollect

Ucollect is a small daemon that collects and analyzes network data and provides a plugin for doing analysis.

Ucollect watches packets on the Internet (WAN) interface and analyzes their headers. We collect only the important information in the headers (for example: protocol or address) and we do not collect the data itself. We're only analyzing remote addresses (so that means that collected data doesn't contain the user's IP address).

Base statistics

Ucollect splits packets into categories (for example all packets, incoming, TCP, etc.). For each category we continuously determine the number of packets and their total size. This data is sent to our server.

These statistics help us monitor common Internet usage, for example how much IPv6 usage is growing or the ratio between download and upload.

Currently we retain the data for 10 days, then it’s deleted or anonymized (either the local or remote end of the communication is dropped). During the 10 days, it is possible to link the records with you, but to be honest, it's far less interesting for three-letter agencies than the data collected by your ISP.

Statistics PCAP

The PCAP interface is for examining packets passing through the network card, and it provides us with statistics, for example how many packets were made available by the application and how many of them were thrown away because the network card was too busy to handle them.

These statistics are sent to our server and are used to check the health or performance status of ucollect itself.

Detecting anomalies

Traffic is compartmentalized (by hashing packets, for example by remote IP address). The sizes of these compartments are sent to the server, where they are merged together across the router group.

Anomalies are detected on these aggregate sizes (compartments which are really different from the expected size are compared to other compartments and to their history of sizes). If we detect an anomaly, the server asks the routers for the keys (IP addresses) which match the given compartments.

This should help us to reveal unexpected behaviour caused by widespread malware (for example sending spam from compromised computers or DDoS attacks).

The data is generated in aggregated form, so we can't determine on which devices the anomaly was detected.
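
The following sketch walks through the flow described above. It is an added illustration, not ucollect's own code. The hash function, the number of compartments, the detection threshold and all addresses are assumptions constructed for the example.

```python
import hashlib
from statistics import median
BUCKETS = 64   # assumed number of compartments
FACTOR = 5     # assumed threshold: flag a compartment at 5x its historical median

def bucket_of(remote_ip):
    digest = hashlib.sha256(remote_ip.encode()).digest()
    return int.from_bytes(digest[:4], "big") % BUCKETS

class Router:
    """Router side: reports only compartment sizes, keeps the keys locally."""
    def __init__(self):
        self.sizes = [0] * BUCKETS
        self.keys = {}
    def observe(self, remote_ip, nbytes):
        b = bucket_of(remote_ip)
        self.sizes[b] += nbytes
        self.keys.setdefault(b, set()).add(remote_ip)
    def keys_for(self, bucket):  # answered only when the server asks
        return self.keys.get(bucket, set())

def merge(reports):
    """Server side: sum each compartment over the whole router group."""
    return [sum(column) for column in zip(*reports)]

def find_anomalies(current, history):
    """Flag compartments far above their own historical median size."""
    flagged = []
    for b, size in enumerate(current):
        baseline = max(median(w[b] for w in history), 1)
        if size > FACTOR * baseline:
            flagged.append(b)
    return flagged

def demo():
    normal = ["192.0.2.%d" % i for i in range(1, 11)]  # constructed sample traffic
    spike = "203.0.113.99"                              # constructed anomalous remote
    def window(with_spike):
        routers = [Router() for _ in range(3)]
        for r in routers:
            for ip in normal:
                r.observe(ip, 1000)
            if with_spike:
                r.observe(spike, 500000)
        return routers
    history = [merge(r.sizes for r in window(False)) for _ in range(4)]
    routers = window(True)
    flagged = find_anomalies(merge(r.sizes for r in routers), history)
    revealed = set().union(*(r.keys_for(b) for r in routers for b in flagged))
    return flagged, revealed
```

Remote addresses that happen to hash into the flagged compartment are revealed along with the anomalous one, which is why the number of compartments matters for how much a key request discloses.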

Nikola

Nikola analyzes logs from the router’s firewall (IPTables). Nikola sends records of packets which are caught by the firewall. Usually these are attempts to connect from outside to non-existing services (for example, brute-forcing your password on SSH or scanning ports).

Currently we retain the data for 10 days, then it’s deleted or anonymized (either the local or remote end of the communication is dropped). During the 10 days, it is possible to link the records with you, but to be honest, it's far less interesting for three-letter agencies than the data collected by your ISP.

Logsend

Logsend just parses the information about “our” services (uCollect, Nikola) and important router health information (such as whether the firmware updates were successful; if they weren't, it will send us some stuff from syslog) and sends it to our server. This helps us to find any problem with the overall health of your router and improve automatic updates.

This data is deleted after 10 days.