[sillysaurus3]

Your posts are pretty good too! I completely agree that collecting filenames would be a blatant breach of trust. If they were doing that, I'd be the first one labeling the company as evil. But my hangup is that they didn't actually do that, and what they did do seems benign.

The thing is, market forces are pretty good at settling these issues. It's an open-source plugin, so everyone can see what they're doing. If they start being naughty, people can uninstall and switch to something else. But why are we punishing them before they did anything serious, along with locking down the ability of anyone else to ever collect any kind of usage data about their plugins? Even something harmless like "time spent trying to figure out the options screen"?

I hope it doesn't seem like I'm trying to defend spyware here. Collecting metrics about your product is the first step toward improving it. The motive seems like a positive one, not a negative greedy one.

[ricardobeat]

> Collecting metrics about your product

This plugin is not their product, they are merely taking advantage of it's popularity for their own purposes.

> The thing is, market forces are pretty good at settling these issues

True, and the market seems to be unhappy with this approach and publicly taking a stance against it, right here. I believe this is as serious as any other case of hijacking a popular extension for collecting data, the specifics of what is being collected don't matter the littlest bit (and could change at their will).

On "positive intent": they did all of this with a commit message that doesn't mention 'Kite' at all, even uses a hardcoded IP address to avoid a domain name. It was clearly shady and meant to go unnoticed.

[eropple]

They did do something serious, is what I'm saying. Consider people who use a text editor--the same text editor they write code with!--for, say, a list of notes. I have a list of meeting notes in Markdown, for example, in a git repo. Sure, I doubt Kite is paying attention to that I met with X on Y. But I really, really don't care that they're not paying attention (because I don't know who's gonna get ahold of it next--are they keeping it, are they packaging it for resale, is their server pwned, how do I know and how do they verify). Fundamentally, I care that they stole it. The act demonstrates either ill will or negligence so grave as to substitute for ill will.

"Telemetry" and "personally identifiable and sensitive data" are very different things both morally and legally and boy howdy do I have a different reaction to one or the other.

Market forces are only good at settling issues when the market participants have perfect information. Nine months of spying that somebody just happened to notice to reveal it? (Ditto the Atom thing?) The damage has already been done. "With many eyes, bugs are shallow" has a certain truth to it (although I have Heartbleed calling on line two), but nobody's auditing everything, nobody can audit everything, and the damage that can be done because nobody has that information has the potential to be both personal and very high.

[sillysaurus3]

Wait, sorry, I think I missed something.

They did do something serious, is what I'm saying. Consider people who use a text editor--the same text editor they write code with!--for, say, a list of notes. I have a list of meeting notes in Markdown, for example, in a git repo. Sure, I doubt Kite is paying attention to that I met with X on Y. But I really, really don't care that they're not paying attention (because I don't know who's gonna get ahold of it next--are they keeping it, are they packaging it for resale, is their server pwned, how do I know and how do they verify). Fundamentally, I care that they stole it. The act demonstrates either ill will or negligence so grave as to substitute for ill will.

"Telemetry" and "personally identifiable and sensitive data" are very different things both morally and legally and boy howdy do I have a different reaction to one or the other.

If I'm reading this correctly, you're saying Kite has access to your meeting notes? How? According to the diff, they were only uploading the file extension.

If they're uploading PII (let alone the contents of code files), that's completely different, and I'd turn on them in a heartbeat. Did they do that?

[eropple]

What happens when the file name is "2017-02-12 - meeting with John Doe.md"?

(This is the same reason, scaled down, that people are angry and concerned about stuff like phone metadata collection.)

[sillysaurus3]

They split off the extension and only collect the ".md" part: https://github.com/SideBarEnhancements-org/SideBarEnhancemen... If it's an unrecognized extension, they set it to blank.

That's why I was so confused why people are upset.

[eropple]

Yup - I understand that; I looked at the code. But, and I think I expressed this poorly, I have no assurances except through forensics (i.e., having to go grovel through a bunch of code for a few frigging sidebar functions that have no reason to be sending anything anywhere in the first place!), that that's all they did. The breach of trust has been created and it has created a relationship (an unwitting one) that they could change at will.

[sillysaurus3]

Yeah, after thinking it over, I agree. It also wasn't clear to me that they were trying to hide the fact that they were submitting the statistics to Kite. I thought they were being up front about it. Your reaction (and everyone else's) makes complete sense in that context. It was strange that a list of file extensions caused such uproar, but it's doubly strange that they tried to be shady about collecting it.

I guess it's best to enforce a blanket ban on this behavior. I still can't get over how dumb it was for Kite to do this. All they had to do was be open and honest about it and nobody would've cared too much. Crossing over into the realm of paid spyware is way too far.