Privacy disclosure - RMerl/asuswrt-merlin.ng GitHub Wiki

Short version:

The only outbound connection made with me by this firmware is when the firmware checks for availability of a new version. During this check the only information that might be obtained is the IP address of the connection (part of the HTTPS connection). This information is only technical purposes, and will not be shared with any third party.

Long version:

The only outbound connection established by this firmware with the Asuswrt-Merlin developer is through the new firmware version check function, which is enabled by default since firmware version 380.64, and can be disabled by the end-user if he desires to do so.

The firmware version check works by downloading a plain-text file over HTTPS, and locally (on the router) checking if there is a newer version available for the specific router, by examining the downloaded file content. The only information that might be obtained by the remote server is the IP address of the connecting router (which is normal for any web connection). No other information is transmitted. By default, this check is made either every 48 hours, if initiated by the user, or following a reboot of the router. The update frequency can potentially change with future firmware releases if deemed necessary.

The new firmware check uses the same mechanism as put in place by Asus for their own original firmware check, but with a few changes, such as directing the firmware check to the Asuswrt-Merlin server and disabling the automatic download of new firmware.

Your IP address may be logged by the server's web server, and can be retained in the server logs for up to a month, as part of the server's regular log rotation. The content of this log file is only kept for troubleshooting purposes, for example to track and block abusive connection attempts to prevent disruption of the service, or to evaluate the server load generated by this process. These log files and the logged IP addresses will never be shared or accessed by anyone other than the server administrator (currently the Asuswrt-Merlin lead developer), unless ordered to do so by a court of law.

This firmware version check service can be discontinued at any time, in which case the DNS entry containing the update server's hostname and IP address will be deleted, causing them to fail. The specific firmware check server used may be changed as deemed necessary by the Asuswrt-Merlin developer. Should a server change occur, all other conditions of this privacy policy will remain in effect.

BY USING ASUSWRT-MERLIN FIRMWARE, YOU AGREE THAT YOU CONSENT TO THIS PRIVACY POLICY AND ANY CHANGES HERETO IN THE FUTURE. YOU AGREE THAT CHANGES MAY BE MADE TO THIS PRIVACY POLICY AT ANY TIME WITHOUT ANY GIVEN NOTICE AT THE DISCRETION OF THE ASUSWRT-MERLIN DEVELOPER.