by eropple 3245 days ago
They did do something serious, is what I'm saying. Consider people who use a text editor--the same text editor they write code with!--for, say, a list of notes. I have a list of meeting notes in Markdown, for example, in a git repo. Sure, I doubt Kite is paying attention to the fact that I met with X on Y. But I really, really don't care that they're not paying attention (because I don't know who's gonna get ahold of it next--are they keeping it, are they packaging it for resale, is their server pwned, how do I know and how do they verify). Fundamentally, I care that they stole it. The act demonstrates either ill will or negligence so grave as to substitute for ill will.

"Telemetry" and "personally identifiable and sensitive data" are very different things both morally and legally and boy howdy do I have a different reaction to one or the other.

Market forces are only good at settling issues when the market participants have perfect information. Nine months of spying that somebody just happened to notice to reveal it? (Ditto the Atom thing?) The damage has already been done. "With many eyes, bugs are shallow" has a certain truth to it (although I have Heartbleed calling on line two), but nobody's auditing everything, nobody can audit everything, and the damage that can be done because nobody has that information has the potential to be both personal and very high.

Wait, sorry, I think I missed something.

If I'm reading this correctly, you're saying Kite has access to your meeting notes? How? According to the diff, they were only uploading the file extension.

If they're uploading PII (let alone the contents of code files), that's completely different, and I'd turn on them in a heartbeat. Did they do that?

What happens when the file name is "2017-02-12 - meeting with John Doe.md"?

(This is the same reason, scaled down, that people are angry and concerned about stuff like phone metadata collection.)

They split off the extension and only collect the ".md" part: https://github.com/SideBarEnhancements-org/SideBarEnhancemen... If it's an unrecognized extension, they set it to blank.

That's why I was so confused why people are upset.

Yup - I understand that; I looked at the code. But, and I think I expressed this poorly, I have no assurances except through forensics (i.e., having to go grovel through a bunch of code for a few frigging sidebar functions that have no reason to be sending anything anywhere in the first place!), that that's all they did. The breach of trust has been created and it has created a relationship (an unwitting one) that they could change at will.

Yeah, after thinking it over, I agree. It also wasn't clear to me that they were trying to hide the fact that they were submitting the statistics to Kite. I thought they were being up front about it. Your reaction (and everyone else's) makes complete sense in that context. It was strange that a list of file extensions caused such uproar, but it's doubly strange that they tried to be shady about collecting it.

I guess it's best to enforce a blanket ban on this behavior. I still can't get over how dumb it was for Kite to do this. All they had to do was be open and honest about it and nobody would've cared too much. Crossing over into the realm of paid spyware is way too far.