[endijs]

I was big fan of original Flattr, that's why i was excited for 2.0 too. However that "extension" setup is something that still keeps me in evaluation phase, rather than 100% in. I inspected extension (not 100% of it, but a bit of code, storage, xhr calls). Some findings:

* They use whitelist (visible in source) of sites, thus they do not record activity on all sites, but just the ones in whitelist.

* You can individually block sites from being tracked even if they are in whitelist (by click on the icon). This gets respected.

* They store a lot of data "locally". Things like timestamps, cursor activity, time spent on the page etc. This does not get sent to flattr, but sits in local storage.

* Once "site/page" qualifies for a flattr, path with title is sent to flattr. No other information (i.e. - no query string, no mouse activity etc.).

* They record things, that they should blacklist. For example - common cms paths (wp-admin/) is reported, but should not be. In some sites they report paths that should be blacklisted (like in twitter they report /settings/ ).

* In youtube.com icon for extension looks disabled (like nothing is being recorded), however they still store data in local db (browsing history, videos viewed). Nothing is sent to flattr though. This should be updated. Either show in icon that you record data, or do not record anything.

All in all extension does not look malicious at the moment. But it's not perfect either. And i'm not sure that there will be a point where i will feel 100% confident with it. Most likely i will try to use it, but will continue to inspect regularly to see if its still solid.

Edited: fixed some typos.

[bonqis]

Pretty good summary!

We have tried to be as thorough as we could with what data the extension saves in local storage, even with the first release. There are always improvements that can be done and will be done.

We are going to add to the blacklist to not send things like twitter settings or wp dashboards etc.

Youtube is a bug that sneaked in just before release, in reality the UI does not reflect that youtube is supported and used. It's being addressed right now.

[vog]

I never understood why they decided to coorperate with the AdBlock Plus creators.

From a technology point of view, that might have been a gain for them.

But does this outweigh the loss of the "trust in advance" that they would otherwise receive?

Also, what's about the risk of being dragged into bad reputation? (Which might happen as soon as AdBlock Plus gets bad media coverage, once again.)

[endijs]

As Flattr 1.0 did not get any traction, my guess is that they went with AdBlock Plus creators (Eyeo) just because Flattr run out of cash and Eyeo was the one who offered to invest and later on to buy out. Simple math. Even though I'm not fan of what Eyeo have done in the past, fact that old team was able to continue to work on this, makes me hopeful, that this will not turn out to be some sort of malicious or grey area project. But time will tell.

[vog]

> makes me hopeful, that this will not turn out to be some sort of malicious or grey area project

Looking at their "all-knowing, privacy-friendly algorithm", they are already there:

https://blog.flattr.net/2017/06/key-elements-of-the-new-flat...

Even the title is an oxymoron, let alone the scary description.

[endijs]

Even though it's scary topic, currently they are still in good standing. At least in my eyes. Even though they collect data (how else can you evaluate who to flattr), its stored locally and they do not send it off. If there will ever be a situation where they send something more than they should, this project is dead and there will be no way back.

[bonqis]

In reality it's the opposite and that is why we join their boat. There is no company that tries to fix the internet in the profound way eyeo does. They care about all the things most internet companies does not. The reputation they got are based on stories created by the ad industry, and yes, obviously they hate eyeo.

[vog]

> There is no company that tries to fix the internet in the profound way eyeo does

Which issue is fixed by "acceptable ads" in a better way than a plain ad blocker that has no exceptions?

The former tries to "mediate" between ad providers and users, while the latter is an actual "user agent" in every sense of the word.

Maybe it is just me, but I don't see any shortage of the former. And I'm missing the latter one in many aspects of the internet. NoScript, uBlock origin and miniwebproxy[1] all are just first steps to fix issues which browsers (in the sense of real "user agents") shouldn't have in the first place.

[1] https://www.tedunangst.com/flak/post/miniwebproxy

> The reputation they got are based on stories created by the ad industry, and yes, obviously they hate eyeo

Not sure which stories you allude to. I'm not aware of any such stories, being placed by the ad industry or any other entity.

However, I am aware of much criticism that is based purely on their business model, by well-known people far away from the ad industry, without involvement of any additional stories.

> and yes, obviously they hate eyeo

Almost nobody feels sorry for the ad industry, but it is quite a far stretch to argue that we (i.e. the ad targets) should like Eyeo because they are the enemy of the enemy.

Maybe my perception is wrong, but all people I know don't care, because they just see different flavors of shady businesses that happen to step on each other's feet.

What's noble in being involved in that game?

[the8472]

> * They use whitelist (visible in source) of sites, thus they do not record activity on all sites, but just the ones in whitelist.

Is that in the manifest or in the source?

[endijs]

To view whitelist you can go to "background page" of extension and check out source for /lib/background/index.js . Whitelist starts from line 12440 and ends on 50262.