Privacy and Transparency

Hi all.

I’ve been using HA for a long time, with many different integrations and HACS cards. The server is local - by intention.
However, what I’ve seen are more and more cards connecting to different locations on the internet doing metrics, speedtest and …?
Of course, if you use Teamtracker, Flightradar and other cards, they need to get the information from the net.
But this is not what I’m talking about. I have the impression that authors of cards and integrations do sometimes establish other functionality to get metrics and more.
I’m not saying that this is illegal; it might be a real legitimate interest.

What I’m missing is a design rule/guideline that this has to be communicated transparently during card install or wherever.

For instance I see connections to speedtest-praha.quantcom.cz … I have no idea which card is causing this and in general I see my HAS Server talking to several destinations continuously.

For me this is a bit of a trust problem towards the Home Assistant solution in general - as the privacy is one of the points on the feature list…

Am I wrong?

silent2voice

Hello silent2voice,

Custom Integrations, custom cards, add-ons, docker containers maintained by the community, and all the other community created stuff all have one thing in common. They are not regulated, and only removed if they are found breaking the core functionality or something major.

Caveat emptor

you can always use a Network Monitoring like

or

and delete what you don’t like

You will have to use only DIY devices like ESPHome and Tasmota, maybe other local devices, but it is a tiny world.

Ohh, don’t forget: don’t update anything, as connecting to different locations on the internet is a no-go for you.

But you can definitely have a private system, you just need a little bit more work.

Doesn’t exist, sorry.

Which is a good point, like Android asking for permission to install, but it is going to be really difficult to implement, as there are so many integrations that require API connections, and so many modifications to core to implement.

There is something that is used in Android, Kodi for example: allow unknown sources.

Won’t happen.
You get these, that’s it…

2025-06-22 11:53:06.458 WARNING (SyncWorker_0) [homeassistant.loader] We found a custom integration pfsense which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant

I agree, it would be very difficult to do, I guess the developers discussed it at some point, maybe that’s why we have the advanced mode.

Hi all.

Thank you for sharing your thoughts. I got the point of a really difficult developer change to implement such a thing. Besides a technical way to enable a hard restriction within the code, there might be a policy based approach possible, too.
We see integrations reaching “bronze”, “silver”, “gold”… status. Maybe it’s a good thing to start with a “green” status, based on the confirmation of the coder that the code does not use tracking or other metrics and all network connections of the integration are documented and required to deliver what’s in scope of the integration.
I can imagine the arguments about process owner, workload, maintaining, organization … and I have no answers.

I’m just a user who cares about independence, privacy and transparency…
Many thanks again for all your feedback - I liked reading all these views.

silent2voice

Neither NetData nor Glances presents information like:

SRC: [Integration] → DST: [NetIP] → PROT: [tcp/udp] → Port: [number]

Yes, I can see that HAS IP is going to an IP in the Internet, but I can’t see which integration triggers it. Or is there something I’ve not been aware of?
I’ve not looked into the underlying HASOS - maybe there is a process view which provides related information.

Isn’t the privacy something major? :wink:
(just teasing, I know…)

The bronze, gold, platinum are for core integrations, and do not apply to custom integrations.

And we have an IoT class for each integration, which is local push/poll or cloud… The latter is the one which only works with other people’s computers :bulb:

It is as easy as just disabling the integrations (one by one) and seeing what the traffic does. Or the opposite: disable all the integrations and then enable them one by one, observing the traffic. :vertical_traffic_light:

Also, as mentioned, if you can survive without cloud data (weather, flight radar etc.) you might just disable the Internet access for HA completely and just turn it on when updating. Can’t get much more transparent/private :trophy:
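
The one-by-one toggling procedure from the last post, written out as an added example (not code from the thread or from Home Assistant): it takes one observation window per trial and prints attributions in the SRC → DST → PROT → Port form asked for above. Integration names, destinations and the trial data are constructed placeholders; it assumes each window is long enough to catch periodic traffic and that destinations come from a firewall or DNS log on the network.

```python
# Constructed sample data: (integrations enabled during the window,
# destinations seen leaving the HA host in that window as (dst, proto, port)).
TRIALS = [
    ({"custom_card_a", "custom_card_b", "custom_card_c"},
     {("metrics.example.net", "tcp", 443), ("api.example.org", "tcp", 443),
      ("time.example.com", "udp", 123)}),
    ({"custom_card_b", "custom_card_c"},            # card_a disabled
     {("api.example.org", "tcp", 443), ("time.example.com", "udp", 123)}),
    ({"custom_card_a", "custom_card_c"},            # card_b disabled
     {("metrics.example.net", "tcp", 443), ("time.example.com", "udp", 123)}),
    ({"custom_card_a", "custom_card_b"},            # card_c disabled
     {("metrics.example.net", "tcp", 443), ("api.example.org", "tcp", 443),
      ("time.example.com", "udp", 123)}),
    (set(),                                         # everything custom disabled
     {("time.example.com", "udp", 123)}),
]


def attribute(trials):
    """Map each destination to the integrations that can explain it."""
    all_dsts = set().union(*(seen for _, seen in trials))
    result = {}
    for dst in sorted(all_dsts):
        present = [enabled for enabled, seen in trials if dst in seen]
        absent = [enabled for enabled, seen in trials if dst not in seen]
        if any(not enabled for enabled in present):
            # Still seen with every custom integration off: core, OS or add-on.
            result[dst] = ["base system"]
            continue
        # A suspect was enabled every time the destination appeared and was
        # never enabled in a window where the destination stayed silent.
        suspects = set.intersection(*present) - set().union(*absent)
        result[dst] = sorted(suspects) or ["unattributed"]
    return result


def report(trials):
    """Render attributions in the format requested in the thread."""
    return [
        f"SRC: {', '.join(who)} → DST: {dst} → PROT: {proto} → Port: {port}"
        for (dst, proto, port), who in attribute(trials).items()
    ]


if __name__ == "__main__":
    print("\n".join(report(TRIALS)))
```

More than one name in SRC means those integrations were only ever toggled together and need a further trial to separate; "unattributed" means no single integration explains every sighting.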