[eropple]

Man--I like you and I think you are a pretty awesome poster, so I'd like to go through an experiment with you. Upload the filenames of everything you've put through your editor in the last nine months. Pastebin it for me right now (and I say pastebin because I sure have no idea how secure Kite's stuff is so we're gonna be assuming that it's not, yeah?). The request is totally insane, right? Even beyond the pure principle of it, if you did that for half a dozen developers we'll find something you really don't want me to know about, be it business or personal. (Ever use, say, org-mode or vimwiki?)

I'm willing to be strident because heads on pikes are how you ensure this is not repeated in an amplified way. Kite might be dopey, stupid, careless, and mean instead of actively malicious. Doesn't matter. The next one will be if clear lines are not drawn.

[sillysaurus3]

Your posts are pretty good too! I completely agree that collecting filenames would be a blatant breach of trust. If they were doing that, I'd be the first one labeling the company as evil. But my hangup is that they didn't actually do that, and what they did do seems benign.

The thing is, market forces are pretty good at settling these issues. It's an open-source plugin, so everyone can see what they're doing. If they start being naughty, people can uninstall and switch to something else. But why are we punishing them before they did anything serious, along with locking down the ability of anyone else to ever collect any kind of usage data about their plugins? Even something harmless like "time spent trying to figure out the options screen"?

I hope it doesn't seem like I'm trying to defend spyware here. Collecting metrics about your product is the first step toward improving it. The motive seems like a positive one, not a negative greedy one.

[ricardobeat]

> Collecting metrics about your product

This plugin is not their product, they are merely taking advantage of it's popularity for their own purposes.

> The thing is, market forces are pretty good at settling these issues

True, and the market seems to be unhappy with this approach and publicly taking a stance against it, right here. I believe this is as serious as any other case of hijacking a popular extension for collecting data, the specifics of what is being collected don't matter the littlest bit (and could change at their will).

On "positive intent": they did all of this with a commit message that doesn't mention 'Kite' at all, even uses a hardcoded IP address to avoid a domain name. It was clearly shady and meant to go unnoticed.

[eropple]

They did do something serious, is what I'm saying. Consider people who use a text editor--the same text editor they write code with!--for, say, a list of notes. I have a list of meeting notes in Markdown, for example, in a git repo. Sure, I doubt Kite is paying attention to that I met with X on Y. But I really, really don't care that they're not paying attention (because I don't know who's gonna get ahold of it next--are they keeping it, are they packaging it for resale, is their server pwned, how do I know and how do they verify). Fundamentally, I care that they stole it. The act demonstrates either ill will or negligence so grave as to substitute for ill will.

"Telemetry" and "personally identifiable and sensitive data" are very different things both morally and legally and boy howdy do I have a different reaction to one or the other.

Market forces are only good at settling issues when the market participants have perfect information. Nine months of spying that somebody just happened to notice to reveal it? (Ditto the Atom thing?) The damage has already been done. "With many eyes, bugs are shallow" has a certain truth to it (although I have Heartbleed calling on line two), but nobody's auditing everything, nobody can audit everything, and the damage that can be done because nobody has that information has the potential to be both personal and very high.

[sillysaurus3]

Wait, sorry, I think I missed something.

They did do something serious, is what I'm saying. Consider people who use a text editor--the same text editor they write code with!--for, say, a list of notes. I have a list of meeting notes in Markdown, for example, in a git repo. Sure, I doubt Kite is paying attention to that I met with X on Y. But I really, really don't care that they're not paying attention (because I don't know who's gonna get ahold of it next--are they keeping it, are they packaging it for resale, is their server pwned, how do I know and how do they verify). Fundamentally, I care that they stole it. The act demonstrates either ill will or negligence so grave as to substitute for ill will.

"Telemetry" and "personally identifiable and sensitive data" are very different things both morally and legally and boy howdy do I have a different reaction to one or the other.

If I'm reading this correctly, you're saying Kite has access to your meeting notes? How? According to the diff, they were only uploading the file extension.

If they're uploading PII (let alone the contents of code files), that's completely different, and I'd turn on them in a heartbeat. Did they do that?

[eropple]

What happens when the file name is "2017-02-12 - meeting with John Doe.md"?

(This is the same reason, scaled down, that people are angry and concerned about stuff like phone metadata collection.)

[sillysaurus3]

They split off the extension and only collect the ".md" part: https://github.com/SideBarEnhancements-org/SideBarEnhancemen... If it's an unrecognized extension, they set it to blank.

That's why I was so confused why people are upset.

[eropple]

Yup - I understand that; I looked at the code. But, and I think I expressed this poorly, I have no assurances except through forensics (i.e., having to go grovel through a bunch of code for a few frigging sidebar functions that have no reason to be sending anything anywhere in the first place!), that that's all they did. The breach of trust has been created and it has created a relationship (an unwitting one) that they could change at will.