Sugar and Pendo Analytics - deactivating it

Thanks for mentioning this "issue". I am curious: how does Sugar define "anonymized metadata" (as stated in the blog entry Say Hello to Sugar 9 | SugarCRM Blog )?

What kind of data is transferred in detail?

If it is not "anonymized" in terms of GDPR, we would need a DPA (data processing agreement) with Pendo. And we would need to keep all users of our Sugar instance informed about the fact that their data is collected and their "movements" are tracked.

Besides the aspects of EU's GDPR, there is something called "information security" or "trade/business secret". As Julia already mentioned, I too do not want to share the information when, why and how often I, my coworkers or our customers use Sugar. It's none of your business, Sugar.

Regarding GDPR

The login page has a new section/div "marketing-extras" on the right side. This loads an iframe from files.sugarcrm.com, which loads Google fonts and GoogleTagManager (https://www.googletagmanager.com/gtm.js?id=GTM-K7Z5GPW).

Hi Julia Weinhold.  Thanks for your feedback. 

As you mention in your post above, Sugar included Pendo, a usage analytics tool, in this year's Spring release.  Pendo gives new insight into product functions and usability.  Pendo data will help prioritize the bugs we fix, and the new features we build.  Being able to see how our customers interact with Sugar will help us respond more quickly to your needs.  Pendo will also give customers the ability to receive educational content, product tours, and guides directly.  Users will be alerted to new features and changes in functionality, and guided through new processes step-by-step. Ultimately, using Pendo will result in a better product, a more intuitive and streamlined user experience, and a direct channel for empirical feedback from Sugar customers.

Gathering analytics using a tool like Pendo is standard operating procedure in modern application development.  In order to deliver innovative new features and respond to the needs of customers, it is important to understand how products are used.  Pendo provides visibility while protecting the privacy of users and complying with data privacy regulations like GDPR as well as Sugar’s privacy policy.  All user data is anonymous, we're not collecting any personally identifiable information, and we do not share collected data with other parties.

While it is possible to disable Pendo through code customization, we sincerely ask that you don't.   Pendo is an extremely efficient channel to give anonymous product feedback to Sugar.  Disabling Pendo will disrupt this feedback loop and interfere with Sugar's ability to deliver the most impactful new features and solve your most important problems, including our ability respond quickly to resource and load issues that can affect system availability.

I just figured out, that you can disable it in config.php: 

'marketing_extras_enabled' => false,
'marketing_extras_url' => 'marketing.sugarcrm.com/content',

 Hi Drew McDaniel, 

Thank you very much for your answer! But for us (meaning the CRM team at my company), it raises some doubts as to the usefulness of the feature – at least for on-premise-customers.  

Being able to see how our customers interact with Sugar will help us respond more quickly to your needs. Pendo will also give customers the ability to receive educational content, product tours, and guides directly.  Users will be alerted to new features and changes in functionality, and guided through new processes step-by-step. 

There are reasons why we are on premise customers. We want to have control over our data and more freedom of design. In consequence we have customized a lot and are probably using some modules and features a bit differently than intended by SugarCRM. Guiding our users and informing them about new features and changes is our job as Sugar admins, because Sugar can’t know how we are exactly using those features in our own customized environment or even if we do at all (as they might not fit in our specific business processes). To not confuse my users with information they don’t need, I prefer channeling the information/documentation for them and communicating only what is really relevant to them. 

Disabling Pendo will disrupt this feedback loop and interfere with Sugar's ability to deliver the most impactful new features and solve your most important problems, including our ability respond quickly to resource and load issues that can affect system availability. 

This might make sense in a cloud-environment, but not on-premise. Because you’d practically had to analyze our whole database structure and server configurations to identify those issues. It is also our job as the responsible persons for Sugar in our company to maintain the infrastructure in a way that it works smoothly. We don’t see how anonymized data might help on that front – in the end you have no (and shouldn't have any)  influence on our database and servers if problems are caused there. 

If you want to really support us in that process, you should make Pendo an optional analyzing feature, which we can activate with our own Pendo-account and ID (preferably in the system settings). If Pendo is that good, we would have no problem paying for it ourselves. (Maybe we can get a SugarCRM group discount from Pendo ;-D ) In that way we would have access and control over our own data and could share it with you if we thought it necessary. We as the hosting party would directly benefit from the data and could make changes and improvements to our systems and configurations right away. The impact would be much greater.   

We can understand that analysis like that is important for your cloud-hosted instances and will help you a lot on that front. But even if it can't be optional for all customers it should at least be communicated in a proper and transparent way. The least thing to do would be mentioning it in the release notes or the “What to expect when upgrading”-documentation. Even if your customers aren’t all able to make the choice (ideally based on information they received from you!) then at least I’m sure they want to and should be informed about it.  

In the end Udo Siebrasse is right: We’ll always be beating around the bush as long as you (meaning SugarCRM) don't give examples or specify (i.e. make transparent!), what kind of data you gather through Pendo. And as long as that’s the case we won’t even consider re-activating it. We want to know: What exactly is tracked? Log-Ins, clicks, queries, settings? Our users should know about that! I mean, every website is nowadays telling you that it uses cookies and tracks you and consequently, so should SugarCRM. Another alternative: If the data is so widely anonymized, maybe there would be no problem in making a summary of it available for all customers (maybe once a year or so) and communicating at least roughly which conclusions were drawn from it for further improving the system. Fact is: even if it’s anonymized, it’s still our data - the data of our users - and we want to know what happens with it and comes out of it. Maybe this is just a very European or German point of view, but that’s how we see it.

Last but not least: Another and maybe even the biggest reason for us hosting the system on-premise (and for mentioning Pendo in the developer notes) is security. We have our system only available via VPN – the Pendo integration opens a big hole into that strategy and (according to their own demo-video) allows them to change the UI and therefore inject code into our system. We believe that you, of course, wouldn’t abuse this feature but if your Pendo-account or Pendo themself would be hacked, it would also leave our systems open to code injection attacks.  

So, understand, that we also have the following questions: Do you intend to use the features that have an impact on the UI and therefore could be used to inject third-party code? What measures are you taking to prevent that?   

Sorry for the novel here, but I hope you understand, that this is important for us ;-) 

Best wishes

Julia

Does SugarCRM includes other "backdoors" besides Pendo?

I only know about the license validation which is calling home.

Are there more hidden "services"?

Thanks again for your feedback Julia.  I think your suggestions about opening Pendo up to you as a customer and hosting party are interesting.  I can see data about how your own users are using Sugar would be helpful to you.

To answer your question about specifically what Pendo tracks... Pendo keeps track of button clicks, page views and time spent on pages.  It's not collecting any login info, queries or settings.  Pendo also isn't collecting any sensitive personal information, identifying information, or any information specific to your business for that matter.  It simply gives us visibility into how our customers are using Sugar, which is most useful for us at an aggregate level.  As I mentioned previously, Pendo will help us deliver better products to you and make sure we're devoting our resources to solving your most important problems.

Hi Drew McDaniel,

thanks for considering the possibility to use our "own" Pendo.

But you haven't quite answered most of the questions.

Talking about the data gathered:

Let's make a concrete example: I'm on a list view page for x seconds, then decide to build a filter on a certain field. Then I'm opening a record that was a result of my filter by clicking on the name of the account, looking at the detail view for x seconds, make some changes and add a related record. So, you wouldn't track the name of the account record I'm clicking, but would you know e.g. the name of the module I've been in (I mean custom modules could tell a lot about a business and its processes...)? Would you know that I added a call? To get the spent time, you would need to put time stamps on all those actions, right? Don't get me wrong, I get that you're saying, it's nothing to worry about - and maybe I'm personally thinking that, too. But this is something that is not about me personally. I want to know it so thoroughly because, when we do the update, I intend/have to inform my users about this. And if only one of them has a problem with even that kind of information being tracked - be it as anonymized as it will - we will deactivate Pendo. Period.

Also, you have left out the most important (and most interesting) question about the security issue this brings up. As I said, we are hosting Sugar locally because we want to know and control who has access to our data and how data can leave our system. With Pendo we don't know exactly which data leaves our system (see my points above) and have a hole opened to get outside code in.
So, even at the risk of repeating myself: Do you intend to use the features of Pendo that have an impact on the UI and therefore could be used to inject third-party code? What measures are you taking to prevent that?

Last point (again): documentation. Are you intending to go on leaving your customers (or at least the ~99% of them who didn't read the blog post or follow this discussion here) in the complete dark about this? Just put some information on this thing into your Release and Developer Notes! Are you scared that, if they knew, people would ask for the possibility to make this optional and you wouldn't get enough data? It's simple: communicate transparently and specifically what data you want to gather and let people decide willingly, if they want or not. Of course many will opt-out, but the ones who stay opted-in either do it for the reason to help you, because they trust and like you (here you also have to bring hard facts and good reasons! - A simple "It makes Sugar better!" won't do - at least it doesn't for me.) or because they haven't read those notes and don't care. But at least there is a fair chance for everyone to know.

Julia Weinhold
Did you, or anyone else here, get any further with testing method to deactivate Pendo using config_overide, or dis you have to modify core files?

Hi Vincent Amari,

no, we have just deactivated Pendo in the config and have removed the Pendo-URL. Then only a quick repair and it's not sending anything out. :)