Show/tell users if an integration connects to the internet itself or not

Recently a third party integration with Platinum status and IoT class Local Push that I am using added a feature to also connect directly to the manufacturer’s website of the device to check for firmware updates for devices that cannot connect to the internet themselves.
Although this could be considered a helpful feature in some cases, in my case this was an unpleasant surprise as I explicitly had disabled internet access for these devices as I didn’t want the manufacturer to be able to track what devices are running on our network.

This made me realize that from a privacy perspective it can currently be quite difficult to understand whether any integration connects to the internet itself as well or not, as apparently the IoT class is not a good indicator for this. The example integration I’m talking about does mention it connecting to the manufacturer’s website in its readme, but it’s listed quite far down the page as part of the description of the firmware update entity, which users might not be looking at when installing the integration.

As I feel this issue applies to all integrations, it would be helpful if Home Assistant adds a separate attribute besides IoT class that indicates to users whether integrations are really fully local or are also connecting to upstream servers on the internet for whatever reason. It could be just a boolean but even better, maybe integrations should be required to just list all upstream servers they connect to in a manifest file (and which are not user configurable).

Potential ways to implement this feature:

  1. Use an honor system. To KISS, just enforce that any integration adds a manifest.json with the DNS names that the integration connects to (unless the user has to input them themselves) and list these DNS names on the website.

  2. Enforce that the manifest.json is correct by forcing integrations to use an official hass library to make upstream/internet connections which checks the manifest for allowed connections.

From a privacy & legal perspective, I guess that the 2nd would be the absolute best as it’d be a runtime check/filter. But the first one is much easier, less invasive and could probably at least be checked on code commits with some code checker (e.g. the same one that checks the integration quality scale)?

PS: I’m deliberately not naming the integration that made me realize this as I feel that doesn’t add anything of value to this FR, as this seems a generic issue with all integrations. Also I don’t want to give the impression that the developer in question did something wrong or something like that.
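An added example of the commit-time code checker suggested for option 1 above (example code, not Home Assistant's own): it assumes a hypothetical manifest.json key `upstream_hosts`, collects hostnames from URL string literals in an integration's Python source, and reports any host the manifest does not declare. The integration, manifest and source below are constructed for the example.

```python
# Added example, not Home Assistant code. Assumes a hypothetical manifest
# key "upstream_hosts" listing the DNS names an integration may contact.
import ast
import json
import re
from urllib.parse import urlparse

# Matches http(s) URLs inside string literals.
URL_RE = re.compile(r"""https?://[^\s'"<>]+""")


def hosts_in_source(source: str) -> set[str]:
    """Collect hostnames from URL string literals in Python source."""
    hosts: set[str] = set()
    for node in ast.walk(ast.parse(source)):
        # f-string pieces are also ast.Constant nodes, so they are covered.
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            for url in URL_RE.findall(node.value):
                host = urlparse(url).hostname
                if host:
                    hosts.add(host.lower())
    return hosts


def undeclared_hosts(manifest_json: str, source: str) -> set[str]:
    """Hosts used in source but missing from manifest['upstream_hosts']."""
    manifest = json.loads(manifest_json)
    declared = {h.lower() for h in manifest.get("upstream_hosts", [])}
    return hosts_in_source(source) - declared


# Constructed sample integration: the manifest declares only the vendor API,
# but the source also talks to a firmware-update endpoint.
SAMPLE_MANIFEST = json.dumps({
    "domain": "example_vendor",
    "name": "Example Vendor",
    "iot_class": "local_push",
    "upstream_hosts": ["api.example-vendor.invalid"],
})

SAMPLE_SOURCE = '''
API_URL = "https://api.example-vendor.invalid/v1/devices"
FIRMWARE_URL = "https://firmware.example-vendor.invalid/latest.json"
'''

if __name__ == "__main__":
    for host in sorted(undeclared_hosts(SAMPLE_MANIFEST, SAMPLE_SOURCE)):
        print(f"undeclared upstream host: {host}")
```

This only catches hostnames that appear as literals; hosts built at runtime or read from configuration would need the runtime enforcement of option 2.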

Where else would firmware updates come from?

That’s not the point though is it? :slight_smile:

I don’t care about what reason any integration has to connect to upstream servers on the internet, cause until proven otherwise I’m sure we can trust the developer of an integration to have a valid reason to do that.
All I’m saying is that users should be able to quickly see which upstream servers any integration connects to (if any) before installing an integration.

Just disable the update.xxx entity and it will never check for updates.

I’m following this out of curiosity. I was hoping someone would say it’s incorrect to say that an integration marked “local” can connect to an external server without permission.

I think the user should be the one who decides which data to share with external servers. I assumed HA would give some indication so the installer could make that decision.

This especially applies to firmware updates. First of all, I’d like the option to review and test updates prior to rolling them out to multiple devices. Bugs and other breaking changes have been known to occur. There’s the possibility that the vendor could update the firmware to block local use and force the device to only go through their cloud. I had that happen to me with one brand of devices I was using. Finally, some users would have an issue over the security implications of sending data to a third party, even if it’s only the IP address and the number and type of devices installed.

For all these reasons, I assumed this sort of thing would be disclosed before installing the integration. If that’s not the case, then this FR seems pretty important. Or am I misunderstanding the issue?

You already have that option.