Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Atom violates a user's consent by silently spying on them (transmitting their opt out) across the network to Microsoft processes running on Amazon servers/network.
Steps to Reproduce
No telemetry is sent.
Telemetry is sent.
Reproduces how often:
100% of the time a user selects opt out.
The text "We only register anonymously that you opted-out." is a false statement.
The "registration" is a network request that is absolutely not anonymous: it includes your IP address, which, in the right hands, is a physical location. The method used by Atom to transmit the information cannot transmit anonymously.
It's compounded by the fact that you have explicit withdrawal of consent to such tracking, and yet you're still spying by transmitting user activity data. This is really, really bad.
When the user opts out of tracking, you don't get to make any more tracking web requests using their computer. Doing so makes the opt-out button fraudulent. As others have pointed out in atom/atom#12281, the text below it does not even plainly indicate that it's going to be transmitting this information to thousands of other people, instead opting for the weasel word "register", which could be interpreted to mean only locally (which is what a reasonable person would guess considering they're opting out of tracking). Instead, you enable them to be tracked.
It doesn't matter that you don't see the IP address; many others at GitHub, Microsoft, and Amazon, as well as those who have access to Amazon's network data, can. This is thousands, perhaps hundreds of thousands of people (over 1M humans have a TS clearance in the USA). Thanks to people like Ed Snowden, we now know that permanent logging of such information by third parties is routine, and thanks to the extent of their reach, we know that they can easily resolve IP addresses to physical location.
A few points here:
The dialog does not indicate that it will happen via the network. Even if the text is updated, it is absolutely not reasonable to transmit telemetry data when the user clicks the "please don't send telemetry data" button.
Edited. I updated the version and the name of the tracking companies in the issue.