by patrickyeon 2178 days ago
"The OS snitching on us and then annoying the user" is an interesting definition of "offensive", but definitely not the one I meant. Let me put it another way: if you put the appropriate amount of effort into asking "what's the robust, minimally invasive, least-likely to be misinterpreted and/or abused, way for me to accomplish this?" you are likely to create a better product and less likely to have something like this pop up.

So let's say you're making the tracking notifier, and you work for UPS. The regex is `1Z[0-9]{16}`. All good, you're being nice, someone opens your app and you already know what shipment they're interested in. Then a "growth hacker" joins your group and mentions that it'd be nice to know how many of your customers also use FedEx, so the regex is changed to also grab FedEx tracking numbers (`(1Z)?[0-9]{16}`, I think). And now someone gets the genius idea of checking up on packages shipped by competitors and popping up a notification "tired of waiting on DHL? UPS delivers within 2 days 99.995% of the time" when they miss a delivery. Even though they never asked UPS about their DHL package.

See how that progresses? See how it's offensive, even if you're not annoying your user more than you normally would with spammy push notifications, and even before your user suspects that you're spying like this? Do you see how this whole series of escalations isn't available, or at least not as easy, if you only check the copy buffer when it's likely a user is about to paste? Instead of "tweak what we already have" you have to "include a new snooping routine".

If you're thinking "all is fair in love and war" here, and this seems like genius marketing: 1) this is your heads up that your morals are not in line with society's, and 2) do you think this will be a marketing win if the regex is loosened enough that you pop up a UPS notification about "package with tracking number (phone number someone just gave me)"? What about if my UPS account for work notifies me about some very private personal packages? Especially some shipped via OnTrak?

Anyway, as I said in my first comment, I'm disappointed that people don't think they should try to worry about downsides and failure modes of their design and engineering work. Maybe it's a matter of norms and priorities being different in the consumer app/web world vs. many other domains.
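An added illustration of the regex escalation described in the comment above (example code written for this page, not anything posted by the thread's participants). It takes the two patterns quoted in the comment, anchors them on word boundaries, runs them over constructed clipboard text, and gates the scan behind an explicit paste signal. The inputs, the `on_clipboard_event` helper and the `triggered_by_paste` flag are assumptions made for the example; the sample tracking and card-like numbers are constructed, not real.

```python
import re

# Patterns as quoted in the thread, anchored on word boundaries so a match
# has to be a whole token rather than a fragment of a longer string.
STRICT_UPS = re.compile(r"\b1Z[0-9]{16}\b")          # the original UPS-only pattern
LOOSENED = re.compile(r"\b(1Z)?[0-9]{16}\b")         # the "also grab FedEx" pattern


def find_tracking_numbers(text: str, pattern: re.Pattern = STRICT_UPS) -> list[str]:
    """Return every whole-token match of `pattern` in `text`.

    finditer/group(0) is used instead of findall because the loosened pattern
    contains a capture group and findall would return only that group.
    """
    return [m.group(0) for m in pattern.finditer(text)]


def on_clipboard_event(text: str, triggered_by_paste: bool) -> list[str]:
    """Scan clipboard text only when the user signalled intent to paste.

    `triggered_by_paste` is a hypothetical flag supplied by the UI layer;
    a background poller would call this with False and get nothing back,
    which is the "least invasive" default the comment argues for.
    """
    if not triggered_by_paste:
        return []
    return find_tracking_numbers(text)


if __name__ == "__main__":
    # Constructed clipboard contents: one tracking-number-shaped token and one
    # 16-digit number that is not a shipment at all.
    shipment = "Your shipment 1Z1234567890123456 left the hub"
    card_like = "card 4111222233334444 exp 12/29"

    print("strict on shipment :", find_tracking_numbers(shipment))
    print("strict on card     :", find_tracking_numbers(card_like))
    # The loosened pattern fires on any bare 16-digit run, tracking number or not.
    print("loosened on card   :", find_tracking_numbers(card_like, LOOSENED))
    print("background poll    :", on_clipboard_event(shipment, triggered_by_paste=False))
    print("on paste           :", on_clipboard_event(shipment, triggered_by_paste=True))
```

The loosened pattern matches the card-like number because `(1Z)?` makes the prefix optional, leaving `[0-9]{16}` to accept any 16-digit token; the strict pattern ignores it. Gating on the paste event does not change what the regex matches, but it bounds how much clipboard content the app ever sees, which is the exposure argument the comment makes.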


Well yes, you've just invented an outrageous scenario then talked about how outrageous it is. You asked:

"Is it that much to ask that you find the least offensive way to serve your user?"

So, suppose UPS is not doing anything that you've just described. Say they are regexing for UPS numbers only. How would that be considered offensive?

Monitoring the copy buffer, from the background, is an overreach, and doing that and then pretending like it's the reasonable thing to do is what I describe as offensive. The point I was trying to make was that even doing less than that, but not designing with an intent to be minimally invasive from the start, sets you up to head into the "outrageous scenario" that yeah, I'll grant you I completely made up. But FWIW it is also completely in line with how I've seen people operate.

Suppose you want to offer this capability but only check the copy buffer when the user has signalled an intent to provide you with input. How is that not the least galling design decision? I'm having trouble figuring out how to express that it also serves as a personal (and team-internal) signal that "we are here to serve the user, and not to take advantage of them, even if that's inconvenient for us". Maybe that doesn't matter, or maybe lacking that is what leads to things like the Uber "Ride of Glory" blog post and worse?

Something I meant to imply in my first comment, but not the reply to you, is that furthermore limiting your exposure to user data limits the likelihood that a series of bugs puts it into your logs and then leaks it out to the world. No, it's not done on purpose, but no amount of good intentions fixes it. Defaulting to being less invasive also reduces your likely level of impact.