The majesty of visuals
Power BI is a great tool for visualizing data. There are many default visuals such as bar charts, column charts, line charts, pie charts, tables, maps and KPIs.
However, there are also plenty of Custom Visuals which can be imported from a file or the marketplace.
Is it possible that there are Custom Visuals in the marketplace which are not secure? Is it possible that our data can be sent to the third-party visual provider? Let’s check that!
Verification with Fiddler
I asked our Developer, Lukasz Klimczuk, to use Fiddler to find out what exactly happens when using custom visuals. Fiddler is a common tool for investigating the requests sent by various applications.
We tested a couple of custom visuals. We found that the best time to record requests with Fiddler is when switching between pages in the report, e.g. from a blank page to the page with the tested visual.
It’s also easier when Fiddler tracks the requests of the Power BI process only, so we filtered the other processes out.
The analysis was still not easy, because in some cases the number of requests was enormous. In most cases we did not find anything suspicious; often a visual simply downloads images such as map tiles.
After a couple of minutes of switching between different custom visuals we shouted: „Gotcha!“ We found a few requests to an external host that contained data from the dataset.
It was terrifying to see which data had been transferred to the external service…
What if it had been very sensitive data from your company? Do you think a client of yours would be happy to find out that the data are not processed in a sandbox-like solution? Think about the GDPR…
In our Proof of Concept the data were transferred by the custom visual called Narratives for Business Intelligence (Narrative Science Inc.).
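To make the Fiddler analysis above repeatable, here is an added example (not code from the original post or from any visual vendor) that scans a capture exported from Fiddler as an HTTP Archive and flags requests to non-Microsoft hosts whose URL or body contains values from the dataset. The first-party host suffixes and the sample capture are constructed for illustration; the hostnames under `.test` are placeholders, not the vendor’s real endpoints.

```python
import json
from urllib.parse import urlsplit, unquote_plus

# Hosts Power BI itself talks to; everything else is treated as external.
# Assumption: this list is illustrative, extend it from your own captures.
FIRST_PARTY_SUFFIXES = ("powerbi.com", "microsoft.com", "windows.net")


def is_first_party(host):
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def find_leaks(har, dataset_values):
    """Return (host, url, matched values) for every request to an external host
    whose URL or body contains one of the known dataset values."""
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if is_first_party(host):
            continue  # normal Power BI traffic, not interesting here
        body = (req.get("postData") or {}).get("text") or ""
        # Decode URL-encoding so values hidden in query strings or forms still match
        haystack = unquote_plus(req["url"]) + "\n" + unquote_plus(body)
        found = sorted(v for v in dataset_values if v in haystack)
        if found:
            hits.append((host, req["url"], found))
    return hits


# Constructed sample in the HAR shape Fiddler exports; not a real session.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://api.powerbi.com/v1.0/myorg/datasets"}},
    {"request": {"method": "GET", "url": "https://tiles.example-maps.test/tile/3/4/2.png"}},
    {"request": {"method": "POST", "url": "https://narrative.example-vendor.test/v1/generate",
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"rows": [{"Customer": "Contoso Ltd",
                                                            "Revenue": 1250000}]})}}},
]}}

# Values from the report's dataset that must never leave the tenant (constructed).
SENSITIVE = {"Contoso Ltd", "1250000", "Fabrikam"}

if __name__ == "__main__":
    for host, url, found in find_leaks(SAMPLE_HAR, SENSITIVE):
        print(f"{host}: {found} found in request to {url}")
```

Feed it a real export (Fiddler: File → Export Sessions → HTTPArchive) and the list of customer names or figures shown on the tested page; the map-tile request is ignored while the vendor POST is reported.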
Hopefully you won’t have to repeat this investigation with Fiddler for every custom visual! Before loading a custom visual into your .pbix file, simply check the Additional Information for the visual itself:
If the above statement is present, double-check that the data displayed through that particular visual aren’t too sensitive and decide whether it is acceptable for you to use that visual. Furthermore, you can also find the certified visuals on Microsoft’s website; these are checked for safety:
„A certified custom visual is one that has met a set of code requirements and has passed strict security tests“.
Don’t panic! There are a lot of certified custom visuals which work as a sandbox and do not send data over the internet. However, be aware of those visuals which do send data over the internet and be cautious when choosing the right visual for the right data.