Below is a letter that was emailed to all Duo administrators on Thursday, March 8, 2018. We have published it here in the spirit of transparency.
At Duo, our goal is to protect your mission. It’s an aspiration that we try to live up to every day through our products, our people and our support. Today, in the spirit of transparency, we wanted to provide insight into a case where we didn’t quite live up to this goal, and what we’ve done about it.
Like many software companies, Duo collects aggregated and pseudonymized usage analytics and performance data that help us understand how our customers are using our products and how we can further improve customer experience and service. These usage analytics include the kind of data you might see in a traditional web analytics tool, such as pseudonymous data about device characteristics, session details and feature usage.
When we introduced analytics collection into our app, we wanted to provide our mobile users with control over their data privacy. We allowed users to easily opt out of this data analytics collection via a simple toggle in the settings of Duo Mobile. Unfortunately, we recently learned that this toggle was not working as expected: Duo Mobile continued sending usage data even when users had opted out of this feature.
What Did We Do About It?
This issue was brought to our attention by a security researcher, Erin Ptacek, on February 23, 2018. We activated our standard response procedures and within 12 hours we had created, tested and submitted new builds of Duo Mobile to the Google Play (Duo Mobile for Android 3.19.2) and Apple App Store (Duo Mobile for iOS 3.20.4) that temporarily removed our usage data collection tool, and disabled the 'send usage data' toggle in the settings menu. The revised app was available to all customers within 24 hours of the initial report.
Please note that we have also purged all usage data ever collected from this source since we did not have a clear path to identifying which data had been collected as a result of this bug.
We sincerely apologize for this oversight in our implementation of this feature. We are currently reevaluating our usage analytics strategy and plan to reintroduce usage analytics collection in a future release of Duo Mobile. Please note that our crash reporting tool was unaffected by this bug and continues to function as expected.