Thursday, August 10, 2017

Redgate is "evil"

This is a sad blog for me to write. A product I absolutely love is now being used for evil¹ by the creators. If you have ever done any database work with Microsoft SQL Server, you've probably heard of or maybe even used Redgate's various database tools. Those tools are a godsend and I can't imagine using SQL Management Studio (SMS) without Redgate². It's literally the first thing I install after installing SMS. It's a tool that, if my job didn't pay for it, I'd buy with my own money. I love it that much.

So imagine my surprise yesterday when I realized that Redgate had made a few changes to their products. Originally, the licensing was pretty straightforward. You pay for a number of licenses, get your license key(s) and put it in the product. That's it. It was based on the honor system (i.e. that you aren't using it on more servers than you paid for). I am not naive enough to think people wouldn't have abused the system. It's the software industry...it's full of pathologically smart people. So I wasn't too upset when, months ago, Redgate introduced a new way of licensing that required each developer to have a Redgate account. I work on a team of 7 developers...that's 8 developer licenses total. Plus a couple of licenses for our test servers. It was a pain to have to maintain yet another set of username/password for a product I was used to setting & forgetting. Still, I loved the product and the utility far exceeded my reluctance to create new accounts.

Fast forward to yesterday. I was using Fiddler to debug something else and found a bunch of HTTP requests to Redgate servers.



See all those calls to /v1/usageevents and /updateserver/check.asmx? The check for product updates didn't bother me even though I hate it. I would rather be in control of my product updates. But still, that's not unusual. But the calls to "usageevents"? That was odd. Why is Redgate posting my usage events (whatever those are) to the mothership? Let's see what's included in the request:




  • EventType seems harmless enough
  • Product Id: Sure why not.
  • Product version: meh
  • Event UUid: Interesting...
  • Usage UserId:.....hold up...what's going on here?

This means that Redgate has assigned me a unique ID and is tracking me with that ID. Let's see what's in other requests.


What do we have here...they are collecting all sorts of information about my computer that's not directly related to their products. I get needing this information for diagnostics after a user has complained about an issue. But silently collecting this info and sending it to some server that could be on the other side of the world is egregious in my book.
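The distinction drawn above between a per-event ID and a per-user ID can be checked mechanically from a capture. The following is an added example, not code from the original post or from Redgate: it reads a HAR export of the captured sessions (Fiddler can export HTTPArchive) and reports UUID-valued body fields that stay constant across every request to a host. The host name, JSON key names and values in the sample are constructed placeholders, and JSON request bodies are an assumption.

```python
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def persistent_ids(har, min_requests=2):
    """Return {(host, field): value} for UUID-valued body fields that keep the
    same value in every captured request to a host (a stable tracking ID).
    Fields whose value changes per request (per-event IDs) are ignored."""
    seen = defaultdict(list)   # (host, field) -> one value per request
    counts = defaultdict(int)  # host -> number of JSON-bodied requests
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname
        try:
            body = json.loads(req.get("postData", {}).get("text", ""))
        except ValueError:
            continue  # empty or non-JSON body
        if not isinstance(body, dict):
            continue
        counts[host] += 1
        for field, value in body.items():
            if isinstance(value, str) and UUID_RE.match(value):
                seen[(host, field)].append(value.lower())
    return {key: vals[0] for key, vals in seen.items()
            if counts[key[0]] >= min_requests
            and len(vals) == counts[key[0]] and len(set(vals)) == 1}

def _entry(url, body):
    return {"request": {"method": "POST", "url": url,
                        "postData": {"text": json.dumps(body)}}}

# Constructed sample: host, key names and values are placeholders, not captured data.
_URL = "https://telemetry.example.invalid/v1/usageevents"
_USER = "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
SAMPLE_HAR = {"log": {"entries": [
    _entry(_URL, {"eventType": "Started", "productVersion": "1.0",
                  "eventUuid": "11111111-1111-4111-8111-111111111111",
                  "usageUserId": _USER}),
    _entry(_URL, {"eventType": "Closed", "productVersion": "1.0",
                  "eventUuid": "22222222-2222-4222-8222-222222222222",
                  "usageUserId": _USER}),
]}}

if __name__ == "__main__":
    for (host, field), value in persistent_ids(SAMPLE_HAR).items():
        print(f"{host}: {field} is constant across requests ({value})")
```

Run it on a capture spanning several application sessions: an ID that survives restarts is tied to the install or the account rather than to a single run.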

I sent them a tweet...you know because it's 2017 and who the hell is going to call a customer service number when you can tweet and shame them publicly. I said:


A day later they replied:

I went to the link and it said users can opt out. Well I checked my settings and I never opted in! So why the heck is it still sending my data back home? I sent them this:



Waiting for their reply to that. For now I have to decide: just how much do I love Redgate? I'll probably end up using my hosts-based ad blocker to block access to their mothership from my computer.


1: Evil in this context means Google's "Don't be evil". Not actual evil.
2: I use a mix of singular and plural forms to refer to Redgate products. I use a bunch of their products and found it easier to refer to them collectively.