A possible privacy issue with EPANET-Z

EPANET-Z is a modified version of EPANET which displays online maps/imagery as a background. This is a very useful tool which expands the capabilities of EPANET. The program, from Zonum Solutions, is downloaded about 30 times a month from this blog alone.


It is clear that in order to fetch the background images the program must communicate with the mapping services (Google, Yahoo and Virtual Earth), so an Internet connection is needed for the program to work. These mapping services have their own privacy policies, which usually nobody reads (see Google’s privacy policy for example). However, what is the privacy policy of Zonum Solutions? Well, you can find it here. This policy covers the privacy issues of the website, but what about a software application like EPANET-Z?

Back in 2008, when I started to use EPANET-Z, I knew that some data was transferred to the mapping services, but I also knew that they serve images (EPANET-Z is like a web browser showing images) and that the water distribution network is drawn in the application on top of these images. Last week a colleague told me that EPANET-Z was not working well and that an error message was showing. When I ran the program I saw the following error message:

[Image: EPANET-Z error message]

As can be seen in the URL field of this message, the program is accessing a web page on Zonum’s server. This web page loads the background images into the browser embedded in EPANET-Z. I guess there are some technical reasons why the program is communicating with Zonum’s server and not directly with the mapping services, but this raises some privacy questions, such as: What data is being sent to the server? What is collected? Who has access to this data?

As far as I was able to check via web traffic monitoring tools, the water distribution network data is not transferred to the Internet. The program mainly sends the server the map coordinates that need to be shown. On the server side some data is being collected via Google Analytics and another web statistics service (I think it’s by Yahoo). For those interested in browser privacy, check out the Electronic Frontier Foundation’s (EFF) browser uniqueness tool.
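One way to repeat this kind of check, as an added example that is not from the original post: export the captured traffic in HAR format and compare every request parameter against the element IDs in the model's .inp file. The hosts, parameter names and sample data below are constructed and do not reflect EPANET-Z's actual requests.

```python
import re
from urllib.parse import urlsplit, parse_qsl

ID_SECTIONS = {"JUNCTIONS", "RESERVOIRS", "TANKS", "PIPES", "PUMPS", "VALVES"}
COORD = re.compile(r"^-?\d{1,3}\.\d{3,}$")  # decimal degrees, 3+ decimals

# Constructed model fragment (IDs and coordinates invented).
SAMPLE_INP = """[JUNCTIONS]
;ID  Elev  Demand
J-101  12.0  3.5
J-102  15.0  1.2
[COORDINATES]
J-101  34.7818  32.0853
"""

# Constructed capture in HAR layout; hosts and parameters are hypothetical.
# The third entry is a deliberate leak so the 'model-id' check has something to find.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://maps.example.org/bg.php?lat=32.0853&lon=34.7818&zoom=15"}},
    {"request": {"method": "GET", "url": "https://stats.example.net/collect?page=bg.php&uid=abc123"}},
    {"request": {"method": "POST", "url": "https://sync.example.com/up", "postData": {"text": "node=J-101&demand=3.5"}}},
]}}

def model_ids(inp_text):
    """Collect element IDs (first column) from the ID-bearing sections of an .inp file."""
    ids, section = set(), None
    for line in inp_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        if line.startswith("["):
            section = line.strip("[]").upper()
        elif line and section in ID_SECTIONS:
            ids.add(line.split()[0])
    return ids

def audit(har, inp_text):
    """Map each contacted host to what its requests carried: 'coords' and/or 'model-id'."""
    ids, report = model_ids(inp_text), {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        parts = urlsplit(req["url"])
        body = req.get("postData", {}).get("text", "")
        values = [v for _, v in parse_qsl(parts.query) + parse_qsl(body)]
        found = report.setdefault(parts.hostname, set())
        if any(COORD.match(v) for v in values):
            found.add("coords")
        if any(v in ids for v in values):
            found.add("model-id")
    return report
```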

I have communicated with the software author and was told that map communication is indeed done through Zonum’s website, since the map services’ API key must match the developer’s domain. This is usually true for the free use tier. Additionally, anonymous usage statistics are collected.

As for the bug which started all this, it seems that Yahoo discontinued their map services in the previous form, so the program cannot load Yahoo maps. The author replaced the Yahoo maps with Bing Maps by Microsoft, so now when the user selects Yahoo maps it’s actually Bing maps that are being shown.

Looking into the future, the author of EPANET-Z told me that a new version of the program is scheduled in the next few months. I recommend that a full disclosure regarding the data transfer and collection be made.

The bottom line is that I will continue using the program, but everyone should make their own choices.

5 comments on “A possible privacy issue with EPANET-Z”
  1. Alen Kelemen says:

    To make a request to the background tile provider (Google, Bing Maps, OSM, …), the program must fetch data about the coordinates of the map area bounding box. On every zoom and pan, the request must be done again. The program you are using must do it by design. Basically, the PHP program is only reading your bounding box in EPANET, sending it to the map tile provider and forwarding them back to EPANET as the background image.
    Regards, Alen

  2. Elad:
    Appreciate very much your thoughts on this. I have not “programmed” in at least 20+ years, so I pose this question/issue from a conceptual/practical standpoint. When I have been involved in WDS analyses wherein “true/actual/real-world” coordinate identification may/can pose security issues, we have resorted to “coordinate shifts”, thereby resorting to a “mathematical coordinate system” (i.e., 0 –> 100,000 m; 0 –> 1,000,000 ft) for display of hydraulic appurtenances and results. Could this same approach not be used here?
