Ask HN: My app is being bullied on Google webstore, What to do?
48 points by sanchitml 4301 days ago
My latest free webstore app (Link given below) is being attacked by group of cyber bullies from past 2 days. Here are the details:

Day 0: - I had almost 100 reviews on my app. Most of them were 5/5. And chrome webstore was showing full five stars for this app.

Day 1: - A guy (with empty profile) posted a 1/5 rating, claiming that my app is not safe to use. And interestingly only the same day, I got more than 20 new 1-out-of-5 ratings, and none of them had any text reviews. Generally I rarely get less than 5/5 rating, you can check from the below link.

Day 2: At Day 1's end, I posted a reply on the guy's review that my app is safe, and you can contact me on the given ID. Next day I woke up and saw his 1/5 review starting with "Avoid this app" is on the top, and my reply was completely removed. Which can only happen when a lot of people click on mark-as-spam.

So, I need help from you guys. I do not have any contact at Google, and even if there was not sure how much they can help. Any suggestions what should I do next?

Note: We can discuss this later/separately, but my app is 100% safe and I am an ethical developer.

https://chrome.google.com/webstore/detail/sticky-notes-just-popped/plpdjbappofmfbgdmhoaabefbobddchk/

11 comments

"Inspectlet records videos of your visitors as they use your site, allowing you to see everything they do. See every mouse movement, scroll, click, and keypress on your site. You never need to wonder how visitors are using your site again."

Why would you use a service like this in your extension? Sounds like a dumb idea to me! They are privacy intrusive and say that proudly on their main page, so you were not tricked into using a malicious tracking service, you diligently chose it - the bad reviews are justified.

The reviews on there look fine to me. The one guy is being a bit paranoid and dickish but you can never please everyone.

Sure, you got a few bad reviews out of it, but unless it continues for several days I wouldn't worry too much about it. FWIW I haven't looked at the app or its source code but I wouldn't call this "cyber bullying".

Have you considered releasing the source code on github and linking to it so people can easily take a look and see for themselves?

It's true. I own a company that makes casual games. We had people yelling so loudly that the game cheated and dealing hands wasn't random that we actually posted the source code. It doesn't mean anything - loud people more often want to hear their own loudness than anything.

We have millions of players, but the most vocally aggressively negative - those that just bash us as a company and as liars non-stop have been playing our games for years. YEARS.

You will never get away from trolls in any industry that has public reviews. Ask any restaurateur on Yelp, anyone with an app on any App Store, etc. It's absurd but just part of the deal at this point in time.

What strikes me most is that the highly vocal, polarizing negative reviewers are mostly filled with false information.
Happy to release the code. But will take some time from my end. Thanks for this suggestion.

Not sure myself about the term "Cyber Bullying", but I used this word because I got:

1). more than 20 1-ratings (You cannot see these 20-25 negative ratings as there were no text reviews written with them.)

2). few complaints+emails on the same day.

3). And my app rating came down from 5 to 4, that's a huge setback on the competitive end. (Lost the app's repo which took a year to build)

4). Few comments which have been cross-upvoted so all new / old users see them on top. And my reply down-voted by the same group so that it was removed completely by Chrome. Today I had to reply on it for the third time. And I do not have bandwidth to keep refreshing the page every few hours.

The developer had already posted the source code on GitHub back on March 16 2014 and has not pushed anything since. Somewhere between March and September he added Inspectlet, Google Analytics and DoubleClick to his local copy and uploaded it to the Chrome Web Store.

I came across this junk by chance. I needed a note-taking app. Simple as that. I became suspicious after I noticed the websocket connection to herokuapp.com — he's logging client IP ... no sh*t.

Did you remove the analytics piece the review seems to be complaining about? If so I can imagine that someone might be upset that they couldn't disable it.
Yes, removed it ages ago. Was trying this new analytics startup, never worked out though.
I just installed your extension and looked at the source. The Google tracking/analytics code appears to still be there at least, both in popup.js (referenced by popup.html) and in jquery.js (which is apparently more than just jquery?). At least it seems that all you're tracking is behavioral info, but still it seems a bit much. Especially for an extension that calls itself private and secure.
How should I mention that private & secure is about the 'note data', not how many times a menu item was opened?

Also I enquired about the privacy issue in Google Analytics, only thing I got was: - "Google tracks that visit via the user's IP address in order to determine the user's approximate geographic location."

What I am using is custom events. Let's say I do not use Google-Analytics but my own server which just records custom events (anonymized IP Addresses) then the app will be considered private and secure.

Read Privacy Issue section on http://en.wikipedia.org/wiki/Google_Analytics#Privacy_issues.

What I feel from all these is - it is justified to call the app secure as it's about the user data, not anonymized behaviour analysis. That is only for app improvement, and independent of a particular person (i.e. privacy).

What I'm saying is that an app which claims to be secure & private should not be running any kind of analytics on user behavior in their browser.
> Let's say I do not use Google-Analytics but my own server which just records custom events (anonymized IP Addresses) then the app will be considered private and secure.

Hahaha... No, of course it will not be. No app with phone-home analytics is private.

An app promising to keep your notes and note data private doesn't necessarily need to avoid analytics. Analytics and aggregate user data can't be avoided if a developer wants to improve user experience. Keeping users and their experience at the center isn't a bad thing. Your note data isn't logged to any servers in this app.
Your app is neither private nor secure. I saved the original version before you read my review. DevTools clearly shows it recording keystroke events. Just out of curiosity, why did your app also open a websocket connection to herokuapp.com?
I've seen loads of extensions that use Google Analytics to track user behavior. They of course post this on the details page with a link to the Opt-Out.

Could you tell us more about the "new analytics startup"? It seems like that's the code the reviewer was referring to (which you have said is no longer there in the extension)

A note of "trust me, I promise this is legit" is exactly what I would expect from a piece of malware. You need to directly address the allegations of using a keylogger/screenlogger somewhere to counter the negative review, not just say "No, I promise this is clean".

Just my 2c.

I mentioned my email-id there, to contact and discuss their concerns with me. If someone still feels unsatisfied, he is allowed to post a negative review. But bringing 25+ 1/5 ratings with him on the same day, getting my replies group-downvoted is not a solution.

If the developer is not meant to be trusted, then what is a good solution to this problem? Not everyone would want to open-source their app/game.

Your app is already "open source", I can download the crx and look at all the source code, but not a lot of people do this. If you want to seem trustworthy then put it on github with a restrictive license if you feel so inclined.
Yep, source code of all Chrome apps is available to everyone, yet I won't call it open source. Open source is a step more than source code being available. I second the decision for choosing a restrictive license and putting the code on GitHub.
Yeah, I know it's not technically called open source, but I mean that the source is available and readable. Hence the quotes. :)
I just noticed that the said "bully" has stated in his comments that you had integrated inspectlet.com. I checked it out and it looks like a screen recording service. If this is truly the case, then I think he may be correct as interpreting this as a violation of privacy.

I think the best course of action would be to do the following

1. Put up code on github as others have suggested, thereby reassuring existing users

2. Publicly state in a reply to the comment that you had indeed integrated the screen recording service to help you understand user behavior, so that you could make a better app.

3. Put a disclaimer on the details page for Google Analytics with a link to opt out.

"Bully" is not for that comment or his words (Of course he should have contacted me first) but for the following: (copied from below comments)

1). more than 20 1-ratings (You cannot see these 20-25 negative ratings as there were no text reviews written with them.)

2). mass complaints sent to Google that day.

3). And my app rating came down from 5 to 4, that's a huge setback on the competitive end. (Lost the app's repo which took a year to build)

4). Few false reviews which have been cross-upvoted so all new users see them on top. And my reply down-voted by the same group so that it was removed completely by Chrome.

And there has never been such thing as Inspectlet in the app, and also the person who commented this is not communicating with me, so I would let this one go. And thus no need for that statement. Will make the app opensource, so this will never be an issue in the future, "hopefully".

> And there has never been such thing as Inspectlet in the app

Looks like you forgot to delete the HTML comment tag, "<!-- Begin Inspectlet Embed Code -->", from the bottom of popup.html. You may want to do it asap before he "lies" about that too ;)

> Will make the app opensource, so this will never be an issue in the future, "hopefully".

You already made it open-source (https://github.com/Epinx/Sticky-Notes), but then uploaded a separate malicious version to the chrome web store. Open-sourcing it would only give users the impression that it's safe, while giving you a chance to twist and slither away like you just did.

> And there has never been such thing as Inspectlet in the app

I had downloaded the crx file before you removed Inspectlet. Yes. There was such a thing as Inspectlet in the app, and it was used specifically to record user keystrokes.

I am the guy who made the original claim. You integrated the Inspectlet screen recorder and keylogger into your extension. Enough said.

The popup's textarea className had a hyphen, which caused Inspectlet to include this in the data to upstream. This was done deliberately; if you were watching users on your end, you would have noticed and corrected this. Instead, you allowed this to go on for months.

You were also doing this in your $7.99 "pro" version, which was mysteriously unpublished days later... Here's a suggestion: why don't you unpublish this one too and get off the webstore.

Does putting an analytics piece inside of a Chrome extension allow the creator to see which website a user is currently viewing when using the extension? Or are the analytics limited to the extension itself? For example, a simple extension that makes the background-color of the current page red, if there are analytics on that extension could the developer potentially know which site the user is on?
Simple anonymized analytics, like clicking of a button. Basically the analytics without which nowadays apps/websites are considered incomplete.

Chrome doesn't allow extensions to get that data unless the extension asks for daring permissions like "Access your data on all websites".

Currently the app asks for no such permission. There were some features I planned to integrate like user right-click a text and click on 'send to Sticky note', but now terrified whether to even ask for such permissions.

AFAIK - Yes. The developer could potentially run the analytics in the background html and from the content scripts track events sending the url as parameters.
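
Added example (not part of the thread, and not code from the extension under discussion): a small Node.js audit that answers the question above from an unpacked extension's `manifest.json`, and flags references to the third-party services named in this thread. The function names, manifests and file contents are constructed for illustration.

```javascript
// Added example, not code from the extension discussed in the thread.
// Manifests and file contents below are constructed samples.

// API permissions that expose tab URLs to the extension.
const URL_APIS = new Set(["tabs", "activeTab", "webNavigation", "history"]);
const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Third-party services named in the thread.
const TRACKERS = ["inspectlet", "google-analytics", "doubleclick", "herokuapp"];

const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// Answers "can this extension learn which site the user is on?" from manifest.json.
// MV2 lists host patterns under permissions, MV3 under host_permissions.
function pageAccess(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const hosts = perms.filter(isHostPattern)
    .concat((manifest.content_scripts || []).flatMap((cs) => cs.matches || []));
  const apis = perms.filter((p) => URL_APIS.has(p));
  let scope = "none"; // analytics can only observe the extension's own pages
  if (hosts.length || apis.length) scope = "some";
  if (hosts.some((h) => ALL_SITES.has(h)) || apis.includes("tabs")) scope = "all";
  return { scope, hosts, apis };
}

// Lists file/line locations that mention a known tracker, HTML comments included.
function findTrackers(files) {
  const hits = [];
  for (const [file, text] of Object.entries(files)) {
    text.split("\n").forEach((line, i) => {
      const lower = line.toLowerCase();
      TRACKERS.filter((t) => lower.includes(t))
        .forEach((tracker) => hits.push({ file, line: i + 1, tracker }));
    });
  }
  return hits;
}

// Constructed sample 1: popup-only notes extension with no host permissions.
const notesManifest = { manifest_version: 2, permissions: ["storage"] };
const notesFiles = {
  "popup.html": "<textarea></textarea>\n<!-- Begin Inspectlet Embed Code -->",
  "popup.js": "var _gaq = [];\n_gaq.push(['_trackEvent', 'menu', 'open']);\n" +
    "s.src = 'https://ssl.google-analytics.com/ga.js';",
};
// Constructed sample 2: the "turn the page red" extension from the question.
const redManifest = { manifest_version: 2, content_scripts: [{ matches: ["<all_urls>"], js: ["red.js"] }] };

console.log(pageAccess(notesManifest).scope, findTrackers(notesFiles));
console.log(pageAccess(redManifest).scope);
```

A scope of "none" only means the extension cannot see other sites; a script loaded in the popup can still observe everything typed into the popup itself, which is why the tracker scan is run separately.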
Don't really know why it's being targeted. I see a key logger comment, any extensions being used that might be suspect? And something on analytics, which I see you say has been removed. Anyway it's hard to stop a chain of bad targeted comments, but it shouldn't really affect you unless it continues to happen for a few days. Trolls will be trolls.
There are going to be a few dicks at every party. You can't really avoid that out here...
Yeah, he had a keylogger before.
Perhaps, you need to distinguish between aggregate analytics and keylogging.
The tool he was using is not only a keylogger but is capable of recording videos of users while using his app. We know how to distinguish, he was using a keylogger and video recorder.
The whole point of me posting this on HackerNews was 'The Guy on webstore is lying'.

Which part do you not understand when I say I NEVER used any keylogger. This is the only reason I didn't comment on any of your comments. Please edit or remove them.

> The whole point of me posting this on HackerNews was 'The Guy on webstore is lying'.

I'm that guy. No, I am not lying. I have the original version (prior to Aug 27 update) that recorded keystrokes.

After reading your comments on this thread, it seems to me that you're in a panic and desperately trying to dispel the whole thing. My only regret is that I didn't get to warn people earlier.

I am sorry buddy, wrong 'Guess'.
sdfs