[sillysaurus3]

This seems incredibly overblown. According to the diff, all they were collecting is time spent editing certain file extensions, along with a list of installed packages:

https://github.com/SideBarEnhancements-org/SideBarEnhancemen...

They're trying to figure out what languages people are actually editing on a day-to-day basis, and people here are calling for them to leave the company? Like, really?

People have been whipped up into a frenzy for data that a webapp wouldn't blink twice at collecting. But when it's installed locally it's somehow different than if we load a webapp in a browser?

I agree with you in principle, but it seems like people here didn't actually look at what was being collected. They just saw "data collection" and went absolutely nuts.

Yeah, collecting installed package names isn't really great, but it's pretty harmless, right? It's a stupid decision, but people seem to be looking for reasons to get upset.

They're not collecting filenames, and they take the sha1 hash of whatever could be personally identifiable. Why is any of this bad, or a violation of trust? They even say right in the readme that they're doing it and how to opt out: https://github.com/SideBarEnhancements-org/SideBarEnhancemen...

If they made it opt-in, no one would opt-in. I understand it's a slippery slope, but is this reaction appropriate?

[eropple]

1) Principle is what matters. This behavior is utterly and completely indefensible; screwing with people's private code for your whatever-nobody-cares startup is absolutely unacceptable at any level. I don't care how big your Series A round was or who your investors are, you just don't do it and you don't hide it and you don't lie about "forgetting" about it (and it should be considered a lie until proven otherwise because after the last couple weeks Adam Smith could fit in some Baghdad Bob photoshops).

2) Collecting non-bundled package names is another way to phrase "exfiltrating competitors' upcoming products." That by itself is sufficient evidence for me to want some heads.

[sillysaurus3]

Collecting file extensions bucketed by time plus a list of installed package names is spying on you?

I doubt they even thought of the competitor angle. I wouldn't have. Startups don't win by worrying what every new company is doing.

It wasn't a smart decision, but you're acting like they are uploading your entire source code tree. (I think someone even claimed that they were doing this at one point but was later shown to be mistaken.)

[eropple]

Man--I like you and I think you are a pretty awesome poster, so I'd like to go through an experiment with you. Upload the filenames of everything you've put through your editor in the last nine months. Pastebin it for me right now (and I say pastebin because I sure have no idea how secure Kite's stuff is so we're gonna be assuming that it's not, yeah?). The request is totally insane, right? Even beyond the pure principle of it, if you did that for half a dozen developers we'll find something you really don't want me to know about, be it business or personal. (Ever use, say, org-mode or vimwiki?)

I'm willing to be strident because heads on pikes are how you ensure this is not repeated in an amplified way. Kite might be dopey, stupid, careless, and mean instead of actively malicious. Doesn't matter. The next one will be if clear lines are not drawn.

[sillysaurus3]

Your posts are pretty good too! I completely agree that collecting filenames would be a blatant breach of trust. If they were doing that, I'd be the first one labeling the company as evil. But my hangup is that they didn't actually do that, and what they did do seems benign.

The thing is, market forces are pretty good at settling these issues. It's an open-source plugin, so everyone can see what they're doing. If they start being naughty, people can uninstall and switch to something else. But why are we punishing them before they did anything serious, along with locking down the ability of anyone else to ever collect any kind of usage data about their plugins? Even something harmless like "time spent trying to figure out the options screen"?

I hope it doesn't seem like I'm trying to defend spyware here. Collecting metrics about your product is the first step toward improving it. The motive seems like a positive one, not a negative greedy one.

[ricardobeat]

> Collecting metrics about your product

This plugin is not their product, they are merely taking advantage of it's popularity for their own purposes.

> The thing is, market forces are pretty good at settling these issues

True, and the market seems to be unhappy with this approach and publicly taking a stance against it, right here. I believe this is as serious as any other case of hijacking a popular extension for collecting data, the specifics of what is being collected don't matter the littlest bit (and could change at their will).

On "positive intent": they did all of this with a commit message that doesn't mention 'Kite' at all, even uses a hardcoded IP address to avoid a domain name. It was clearly shady and meant to go unnoticed.

[eropple]

They did do something serious, is what I'm saying. Consider people who use a text editor--the same text editor they write code with!--for, say, a list of notes. I have a list of meeting notes in Markdown, for example, in a git repo. Sure, I doubt Kite is paying attention to that I met with X on Y. But I really, really don't care that they're not paying attention (because I don't know who's gonna get ahold of it next--are they keeping it, are they packaging it for resale, is their server pwned, how do I know and how do they verify). Fundamentally, I care that they stole it. The act demonstrates either ill will or negligence so grave as to substitute for ill will.

"Telemetry" and "personally identifiable and sensitive data" are very different things both morally and legally and boy howdy do I have a different reaction to one or the other.

Market forces are only good at settling issues when the market participants have perfect information. Nine months of spying that somebody just happened to notice to reveal it? (Ditto the Atom thing?) The damage has already been done. "With many eyes, bugs are shallow" has a certain truth to it (although I have Heartbleed calling on line two), but nobody's auditing everything, nobody can audit everything, and the damage that can be done because nobody has that information has the potential to be both personal and very high.

[sillysaurus3]

Wait, sorry, I think I missed something.

They did do something serious, is what I'm saying. Consider people who use a text editor--the same text editor they write code with!--for, say, a list of notes. I have a list of meeting notes in Markdown, for example, in a git repo. Sure, I doubt Kite is paying attention to that I met with X on Y. But I really, really don't care that they're not paying attention (because I don't know who's gonna get ahold of it next--are they keeping it, are they packaging it for resale, is their server pwned, how do I know and how do they verify). Fundamentally, I care that they stole it. The act demonstrates either ill will or negligence so grave as to substitute for ill will.

"Telemetry" and "personally identifiable and sensitive data" are very different things both morally and legally and boy howdy do I have a different reaction to one or the other.

If I'm reading this correctly, you're saying Kite has access to your meeting notes? How? According to the diff, they were only uploading the file extension.

If they're uploading PII (let alone the contents of code files), that's completely different, and I'd turn on them in a heartbeat. Did they do that?

[AdmiralAsshat]

So, to use an analogy:

"Yeah, we broke into your house and rummaged through your stuff, but it's okay, we were only there to count how many spoons you had.

Yes, I know, we could've asked you before we broke into your house, but we tried that before, and for some reasons we had no takers. And it was really important to our researchers that we get a good idea about the number of spoons!"

[hsod]

Or how about if the spoon company paid your cable guy to count how many spoons you have while he was in your house.

[fooey]

Kite basically just invented a new spyware/malware industry that specifically targets the development community.

This kind of behavior needs to be stomped on hard and fast.

[dahntrump]

i mean executing malicious dynamic code as a plugin of a legit tool isn't that different from a malicious browser plugin

[kuschku]

Collecting any data without request is unacceptable, and unlawful.

In fact, it might violate more than a dozen of laws in the EU.

This is a general matter of principle. You do not get to access anything that is mine without approval.

If no one opts in, that's your problem, and you need to rethink your business model - and not break into users systems and steal their data. This is malware.

[sillysaurus3]

I'll agree with you if you explain this: Why is it ok for a website to do it, but not ok for an editor plugin to do it? Just because the content is streamed from a server? That's a rather convenient distinction.

I don't endorse Kite's behavior, but our reaction here is so far over the top that it seems like normal onlookers will start to take us less seriously. We're talking about violations of law and data theft over answering the question "Which language are you editing today?"

Zero tolerance is a rejection of "Let the punishment fit the crime."

[kuschku]

It's not okay for websites doing this, and any website doing this from May 2018 on will end up fined hundredthousands of dollars every time they do this.

The European General Data Protection Regulation [1] is coming, and everyone that doesn't comply with it will have more than just a little problem.

No site or program is allowed to track or store anything about me, to transmit anything to a third party, or to even connect to a third party without my explicit authorization, and I have to be able to opt out of it all, and still be able to use it.

This is a simple moral principle of consent. You don't get to access anything that is mine without my explicit consent.

[1] https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

[rankam]

I don't know anything about the regulation and just skimmed the Wikipedia article for a minute, but isn't this regulation unenforceable in practice? If I have a website, how am I supposed to know if a visitor is a citizen of the EU? If my company operates outside of the EU, the EU has no jurisdiction.

[matty22]

I work for an email software company based in the US, but we are required to take GDPR very seriously. Large swaths of how our application stores and handles data has to be rewritten, because if a single one of our clients' emails is sent to a citizen of the EU, and we are not compliant with the new rules, we and our client are legally liable.

How that pertains to a normal website on the internet, I am not sure.

*Edit: At least this is my understanding and my company is already making development plans on how to comply with the new law.

[kuschku]

This is an interesting thing, but, in response to the US applying their laws supraterritorially[1], the EU has decided that the EU GDPR will apply supraterritorial (aka, everywhere, globally, as soon as an EU citizen could be affected).

So, if you're outside the EU, and you violate it, you might suddenly experience that your bank accounts get frozen.

[1] Just look at the recent case where US citizen sued Saudi Arabia in a US court, and the US senate overrode a veto of President Obama to allow this to happen supraterritorially.

[oAlbe]

> Zero tolerance is a rejection of "Let the punishment fit the crime."

There's to say though, as a counterpoint, that said principle always takes into account repeated offenses (recidivism), and they are at strike 3 or something.

[the_common_man]

I commented about this just yesterday how google felt that data collection is now 'common' - https://news.ycombinator.com/item?id=14893700

I think developers are (rightly) afraid this trend now hits their editors.

[pdkl95]

What they should be worried about is Kyllo v. United States[1]. When data collection is sufficiently normalized such that general public no longer expects privacy - crossing the bright line that currently makes police using the same type of data collection technology a search that requires a warrant.

If this it becomes commonplace for text editors to spy on some types of (meta)data, a warrant may not be required for the police to gather the same type of data without a warrant even if you do not use a "common" editor.

[1] https://en.wikipedia.org/wiki/Kyllo_v._United_States

[zitterbewegung]

I think that there is a clique on HN (which I am a part of) that values their privacy and security that is more vocal and aware than the average user. Also, in the webapp example I think keeping private source code and software private is much more important than your pictures / (micro)blog.

[hsod]

Yes, the reaction is appropriate. You seem to agree that this is malicious action, so your position is kind of hazy.

> People have been whipped up into a frenzy for data that a webapp wouldn't blink twice at collecting. But when it's installed locally it's somehow different than if we load a webapp in a browser?

Well, yes. But it's even worse than that. This code was submarined into an unrelated open source tool and sent the data to a company with which the user had no relationship whatsoever. That's a little different from Google keeping track of how often I log into GMail, isn't it?

Even the README you linked to (probably not seen by many users) seems intentionally misleading, as it is careful not to state to whom the metrics are sent, leaving the reader with the impression that they are being sent to the project maintainer and not to Kite, Inc.

[sillysaurus3]

Even the README you linked to (probably not seen by many users) seems intentionally misleading, as it is careful not to state to whom the metrics are sent, leaving the reader with the impression that they are being sent to the project maintainer and not to Kite, Inc.

This is an important point, and it's one I overlooked. I've never used SideBarEnhancement. I assumed users knew it was related to Kite. If `urlopen('http://52.52.168.91/status', json_body)` is the only indication where the data is sent, then that's unacceptably vague.

I suppose it's best for Sublime to force plugins to be opt-in for data collection, but as someone who wishes devtools were better, it's unfortunate a few groups with terrible PR skills are ruining it for everyone. It didn't need to turn out this way. They just needed to be open about what they were doing. They weren't even collecting anything to warrant being sneaky.

[hsod]

> I've never used SideBarEnhancement. I assumed users knew it was related to Kite.

Considering how many posts you've made in this thread defending Kite, this seems like a major gap in your understanding. A simple ctrl-F of both the Github README and the PackageControl page show no mention of Kite.

[sillysaurus3]

True, though all the code was doing was collecting a list of installed packages and a list of file extensions you've edited. Judging by the reactions here, you'd think they were uploading your entire ~/ directory.

I'm curious how Kite got the telemetry into that extension if it's unaffiliated. https://github.com/titoBouzout seems like a fairly standard github account, though it's strange he had no commits for six months until this incident.

[eropple]

They paid him, I do believe (saw this asserted by folks who'd know and saw no contesting it).

[hsod]

> True, though all the code was doing was collecting a list of installed packages and a list of file extensions you've edited. Judging by the reactions here, you'd think they were uploading your entire ~/ directory.

OK, so you acknowledge that this was an unacceptable privacy breach, you're just a little less upset about it than some other people here. Damning with faint praise, I guess.

> I'm curious how Kite got the telemetry into that extension if it's unaffiliated.

They probably paid him.

[sillysaurus3]

It's not a privacy breach to collect the file extensions you've edited bucketed by time. (Collecting the list of installed packages is debatable.) The unacceptable breach of trust was that they tried to hide the fact that they were doing it. It was incredibly stupid to hide it, since few people would've cared if they were just honest. Now they're in the same category as paid spyware marketers.

I'd rather look like a fool and get to the truth than stay silent and let a story go half told. At least people are clear about what precisely was being collected.