by dabber 3249 days ago
/u/michael0x2a on Reddit put together a nice tl;dr[1] of the story arc for those that don't want to dig through the thread.

tl;dr for that is basically:

Kite has been collecting "anonymous" data from sublime users with the SideBarEnhancements plugin installed. This has been happening for at least a year and the data collected included activeNonBundledPackageNames which is basically a list of packages installed via Package Control.

It seems they were intentionally unclear about who the data was sent to and did not think to remove it from the plugin after the Atom Minimap incident because:

> the truth is we didn't remember [2]

[1] https://www.reddit.com/r/programming/comments/6qwtfz/kite_in...

[2] https://forum.sublimetext.com/t/rfc-default-package-control-...

3 comments

What precisely is Kite collecting in this case? Ideally backed by a link to a github repo proving that they're collecting whatever people are saying they're collecting.

I've been reading for about 10 minutes and can't find any references. The closest I found was https://twitter.com/gerardroche/status/891802572373319680 which links to https://github.com/kiteco/kite-installer/blob/master/ext/tel... but that doesn't actually say what they're collecting.

That class seems to be collecting time spent, identified by the variable `name`. But it's not immediately obvious what `name` is being set to. If it's set to a full file system path, then I agree it's a breach of trust. But if it's something generic like 'options screen' then clearly they're just trying to improve their product.

People here seem to be losing their minds over this, so I'm trying to figure out whether it's justified or if it's another game of telephone.

EDIT: Found the code: https://github.com/SideBarEnhancements-org/SideBarEnhancemen...

Am I misreading this, or is everyone losing their minds over collecting how much time was spent editing certain file extensions? The only thing that seems to be remotely dubious is "activeNonBundledPackageNames", and that doesn't seem sensitive.

The reddit comment linked says:

> Post #27 (wbond):
>
> > adam314: Hi everyone, member of Kite here. The SideBarEnhancements telemetry was originally added to gather data around what programming languages we should support next.
>
> [wbond:] The question is, why did you try to hide who the data was being sent to? And why did you ask to capture activeNonBundledPackageNames? That bit of data seems like a very non-anonymous collection of information. You could be capturing internal package names and consequently exfiltrating the existence of development of competitors' products.

It uses a machine-specific identifier (MAC address), making it traceable across the public IPs sending data, with some resolution due to the hourly pings. That could be valuable in the right/wrong scenarios, although there are tons of other things recording data like that of course (websites).
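As an added illustration of the point above (not code from the thread, from Kite or from SideBarEnhancements), the following Python groups a constructed set of hourly pings by a MAC-derived id to show what the recipient can reconstruct; the record shape, ids, IPs and package names are all assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of hourly pings, shaped like the collection described in the
# thread: a stable MAC-derived machine id, the public IP each ping arrived from,
# a timestamp and the activeNonBundledPackageNames list. Every value is made up.
PINGS = [
    {"id": "mac:00:11:22:33:44:55", "ip": "203.0.113.10", "ts": "2017-08-01T09:00:00",
     "activeNonBundledPackageNames": ["SideBarEnhancements", "GitGutter"]},
    {"id": "mac:00:11:22:33:44:55", "ip": "203.0.113.10", "ts": "2017-08-01T10:00:00",
     "activeNonBundledPackageNames": ["SideBarEnhancements", "GitGutter"]},
    # the same machine later that day from a different network (office vs. home)
    {"id": "mac:00:11:22:33:44:55", "ip": "198.51.100.7", "ts": "2017-08-01T19:00:00",
     "activeNonBundledPackageNames": ["SideBarEnhancements", "GitGutter", "AcmeInternalLinter"]},
    # a second machine behind the same public IP; the id keeps the two apart
    {"id": "mac:66:77:88:99:aa:bb", "ip": "198.51.100.7", "ts": "2017-08-01T19:00:00",
     "activeNonBundledPackageNames": ["SideBarEnhancements"]},
]


def link_pings(pings):
    """Group pings by the stable id. Per machine, return the distinct public IPs it
    reported from, the hour-resolution window it was active, and the union of
    package names seen. This is what the recipient can reconstruct."""
    by_id = defaultdict(lambda: {"ips": set(), "first": None, "last": None, "packages": set()})
    for p in pings:
        rec = by_id[p["id"]]
        ts = datetime.fromisoformat(p["ts"])
        rec["ips"].add(p["ip"])
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["packages"].update(p["activeNonBundledPackageNames"])
    return dict(by_id)


def machines_seen_on_multiple_networks(linked):
    """Ids whose pings came from more than one public IP: only the stable id ties
    those sessions together, so the data is pseudonymous rather than anonymous."""
    return sorted(mid for mid, rec in linked.items() if len(rec["ips"]) > 1)


def nonpublic_package_names(linked, known_public):
    """Package names absent from a public registry listing. Tied to a stable id,
    these reveal the existence of in-house packages, the concern raised above."""
    return {mid: sorted(rec["packages"] - known_public)
            for mid, rec in linked.items() if rec["packages"] - known_public}
```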
Does kite own SideBarEnhancements? How did this code get past a PR?

They apparently paid the author (Tito) to add it in. Originally he had pulled all of his packages from the default channel because he was unhappy that we require semver for all new packages (to allow newer features to work). After a bunch of users complained, he added SideBarEnhancements back (his most popular package), but apparently at some point later Kite paid him to add tracking code to it.

If an addon maintainer was successfully bribed to add something like this to their addon, that maintainer should probably be banned from the ecosystem along with everything Kite touches.

Kite is the primary corrupting force here, but the people who keep taking money to screw over their userbase need to be punished as well.

Sublime, Atom, and VSCode all need to step up right now and make it clear that this kind of behavior is 100% unacceptable.

Edit:

Allowing this addon straight back into the Sublime ecosystem reflects extremely poorly on them as well.

https://github.com/SideBarEnhancements-org/SideBarEnhancemen...

Please see https://forum.sublimetext.com/t/rfc-default-package-control-... for the reason that SideBarEnhancements was re-added. In this case not re-adding it would lead to continued tracking of users, which seems to me would be the more negligent action on my part.

To your edit:

I'm not sure how Package Control handles removals of packages but if they are left installed in sublime then this was probably the best move.

If the package was left "orphaned" in the editor the telemetry would remain but I'm pretty sure PC updates packages automatically by default so pushing an update without it makes sure the code is removed for most users.

For what it's worth, we didn't remember. There was no upside to keeping it there.

Just an upside to doing it at first, was it?

I hate that we're even talking about your company and that we have to because it's a bad actor that's hurting people. Talking about what you're doing, even condemning this ratshit behavior most strongly, kind of empowers your company, and your company doesn't deserve press--even bad press. Kite deserves the equivalent of an unmarked grave.

So what's going on with the data collection? Do you still control the IP the system reports back to, or are users reporting their details to somebody else? Are you still using data arriving there?

Sure but you also put the code there in the first place. How much of your sketchy behavior is driven by VC demands?

Will there be upsides to adding it to other plugins though?