Urgent: Make javascript-errors-notifiers less invasive #28

Closed
henvic opened this Issue Oct 1, 2015 · 19 comments


henvic commented Oct 1, 2015

Hello,

I have just posted on Hacker News and reported your extension to Chrome's webstore team after freaking out when I was debugging a web service of mine with Charles and found some strange requests.

Please, don't take this as a hateful message. I really enjoy your extension, but it's just too invasive. I know you say it collects data on the fine print at the store, but most of the extensions that do so anonymize the data first. I myself maintain some CLI tools and had to create an anonymizer to avoid collecting more data than users would be comfortable sharing. https://github.com/node-gh/gh/blob/master/lib/cmd-anonymizer.js

Feel free to contact me if you have questions or need help.

screen shot 2015-10-01 at 3 00 12 am

Sorry for not trying to contact you first, but my first reaction was to alert people and find out more. Just then I realized it was almost certainly not intentional.

My link to the Hacker News post is https://news.ycombinator.com/item?id=10309432

Owner

barbushin commented Oct 1, 2015

BTW, there is a paragraph in this Chrome extension description:

We are always trying to find a way to continuously improve JavaScript Errors Notifier, thus we've chosen Fairshare and Intenta as our trusted partner, which will collect the usage statistics from your browser. It's anonymous and will not include any of your privacy data. We concern about your data security as you always do. Please learn more about Fairshare privacy policy at https://fairsharelabs.com/analytics. Anyway, there is also alternative extension version, that does not collect any statistics: https://goo.gl/IRbqnY

If you think that it will be better when this extension is banned for 86k users... then I'm not sure that you're smart enough to continue discussing this issue with you.

Intenta and FairShare are well known and trusted partners. In the same way Google Analytics collects users' activity on 70% of web sites that they visit.

barbushin closed this Oct 1, 2015


henvic commented Oct 1, 2015

Your description there says it's anonymous and won't include any privacy data. This is a blatant lie.

People, just like me, will download and use it in good faith without knowing it is sending all the links they browse to to your analytics web service with a token to uniquely identify.

Of course you know you can retrieve personal identifying information on links such as account ids, usernames, emails, purchase orders, photo links, and more.

It's one thing to add such scripts to your own site. It's another to add a script that inconspicuously sends private data for all sites you browse to the analytics account of someone when you install an extension that has nothing to do with it. And yeah, I know many - if not most - sites use some kind of analytics service but they don't do it like this.

Non-HTTPS links will even be sent entirely unencrypted, allowing man-in-the-middle attacks as well (e.g., private network links might end up on the Internet not only for you; and, of course, you always get the private sensitive data you claim you don't).

PS: You certainly have an attitude problem. Trying to play down this by saying you have something on the fine print and implying I am dumb? Really?
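What the anonymization asked for in the comment above could look like, as an added example that is not part of the thread or of the extension's code: each visited URL is reduced to scheme and host, private-network and non-web URLs are dropped, and the event is only built for an HTTPS collector and carries no per-install token. The function names, the event shape and the sample URLs are hypothetical.

```javascript
// Added example: reduce a visited URL to the least an extension could report.
// All names here are hypothetical; SAMPLES are constructed inputs.

// True for hosts that should never be reported: private/loopback IPv4,
// IPv6 literals (treated conservatively), single-label and intranet-style names.
function isPrivateHost(hostname) {
  const host = hostname.replace(/\.$/, '');
  const v4 = host.match(/^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    return a === 10 || a === 127 || (a === 192 && b === 168) ||
      (a === 172 && b >= 16 && b <= 31) || (a === 169 && b === 254);
  }
  if (host.startsWith('[')) return true;
  if (!host.includes('.')) return true; // localhost, single-label intranet names
  return /\.(local|internal|lan|corp|home)$/.test(host);
}

// Returns the scheme and host only, or null when nothing should be sent.
function scrubUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (isPrivateHost(u.hostname)) return null;
  return u.protocol + '//' + u.hostname; // drops userinfo, port, path, query, fragment
}

// Builds the telemetry event. Refuses a cleartext collector and adds no
// per-install identifier, so events cannot be joined into a browsing history.
function buildEvent(rawUrl, endpoint) {
  if (new URL(endpoint).protocol !== 'https:') {
    throw new Error('telemetry endpoint must use https');
  }
  const origin = scrubUrl(rawUrl);
  return origin === null ? null : { type: 'js-error', origin: origin };
}

const SAMPLES = [
  'https://shop.example/orders/88231?email=alice%40example.com',
  'https://user:pw@mail.example:8443/inbox#msg-42',
  'http://intranet/wiki/payroll',
  'http://192.168.1.10/admin',
  'file:///home/alice/notes.html',
];

for (const s of SAMPLES) console.log(s, '->', scrubUrl(s));
```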


henvic commented Oct 1, 2015

Owner

barbushin commented Oct 1, 2015

I've sent a feature request to Intenta to use SSL; if they don't change the protocol I'll disconnect the extension from their service.

Intenta and FairShare work with statistics information in the same way. Read this https://www.fairsharelabs.com/privacy

Owner

barbushin commented Oct 1, 2015

Anyway, there is also an alternative extension version that does not collect any statistics: https://goo.gl/IRbqnY


henvic commented Oct 1, 2015

Fair improvement.

Owner

barbushin commented Oct 1, 2015

Henrique, sorry, but I can't fix your paranoia. I have much more important things to do.


henvic commented Oct 1, 2015

Thanks. No need to worry about me, though. I am not going to bother you anymore.

PS: something smells fishy for Gmail, what a hilarious coincidence, isn't it? 😄

screen shot 2015-10-01 at 3 05 25 pm


mateusleon commented Oct 1, 2015

@barbushin Sorry man, this isn't a localized issue. It's quite necessary to look after your personal concerns over one impression and consider real facts to deal with this situation.

Suppose that I, employed at an organisation that is supposed to be compliant with HIPAA statements, became a target in a trial because, while I was debugging one of our apps, it leaked data about the medical issues of some patient.

You'll, then, explain to them that they are overreacting about this situation?

No, you'll not.

Owner

barbushin commented Oct 1, 2015

@mateusleon But why can't you just use the alternative extension version that does not collect any statistics: https://goo.gl/IRbqnY?


henvic commented Oct 1, 2015

Google has policies for the Chrome Web Store and this extension doesn't abide by them. I have highlighted just a few points below.

People usually are nice to each other and abide by them. This is why we can have nice things.

Developer Program Policies

  1. We don't allow unauthorized publishing of people's private and confidential information, such as credit card numbers, government identification numbers, driver's and other license numbers, or any other information that is not publicly accessible. Additionally, we don't allow items that collect, store, or transmit user credentials or other private user data in an unsafe or unauthorized manner.
  2. Spyware, malicious scripts, and password phishing scams are also prohibited in the Chrome Web Store. Where possible, make as much of your code visible in the package as you can. If some of your app's logic is hidden and it appears to be suspicious, we may remove it.
  3. Your app must comply with Google's Webmaster Quality Guidelines.
  4. Don't misrepresent the functionality of your app or include non-obvious functionality that doesn't serve the primary purpose of the app without clear notification to the user.
  5. Forcing the user to click on ads or submit personal information for advertising purposes in order to fully use an app or extension provides a poor user experience and is prohibited.

Webmaster Guidelines: Quality guidelines

Don't deceive your users.

Unwanted Software Policy

We’ve found that most unwanted software displays one or more of the same basic characteristics:

  • It is deceptive, promising a value proposition that it does not meet.
  • It tries to trick users into installing it or it piggybacks on the installation of another program.
  • It doesn’t tell the user about all of its principal and significant functions.
  • It affects the user’s system in unexpected ways.
  • It is difficult to remove.
  • It collects or transmits private information without the user’s knowledge.
  • It is bundled with other software and its presence is not disclosed.

mateusleon commented Oct 1, 2015

Thanks @henvic. Your post proves my point.

Owner

barbushin commented Oct 2, 2015

  • It collects or transmits private information without the user’s knowledge.

But there is a paragraph in the description explaining Intenta and FairShare usage. What is wrong?

BTW, there is one more extension with 864k users that is also integrated with FairShare https://chrome.google.com/webstore/detail/speakit/pgeolalilifpodheeocdmbhehgnkkbak

And this one, 240k users https://chrome.google.com/webstore/detail/fb-color-changer/kfmpgofbpmkihnamkhcoohnmipjkfjph

And this one about Intenta https://chrome.google.com/webstore/detail/chrome-currency-converter/anbfhidldjknonaihbalghlebaijealk

And this also https://chrome.google.com/webstore/detail/screen-shader/fmlboobidmkelggdainpknloccojpppi

After refusing the offers of multiple fishy ad and url gathering companies, I have partnered with a good-hearted startup named Intenta who use anonymous url data to improve the relevancy of ads on the internet. So basically if you are, for example, looking to buy a book, and Intenta is partnered with a company that sells the same book for a smaller price, then you might later see their ads for the cheaper book instead of other less relevant ads, so you get some good deals and save a bit of money while I get paid a few cents for my +400 hours of work on Screen Shader.

Installing an ad-blocker, of course, will nullify intenta's effects for those who don't want good deals when shopping online.

Owner

barbushin commented Oct 6, 2015

I've forced Intenta to use SSL for statistics data requests https://github.com/netplenish/intenta-extension-sdk/releases/tag/2.0.4

Released JEN v2.1.24 that works over SSL.


felickz commented Dec 6, 2015

Hey @barbushin, I see you have mentioned the removal of FairShare & Intenta ... can you link the commits?

Owner

barbushin commented Dec 6, 2015

hey

FairShare integration was not in GitHub; it was added to the code manually (to manifest.json) before uploading to the Web Store, so there are no commits about it.

But you can review the source code of the last extension version yourself; just search for the directory named jafmfknfnkoekkdocjiaipcnmkklaajd on your hard drive.

Owner

barbushin commented Dec 6, 2015

And yes, it was completely removed.


felickz commented Dec 15, 2015

@barbushin awesome news... out of curiosity, why the change of heart?

Have you considered other means to monetize?

Owner

barbushin commented Dec 15, 2015

This decision is about -$5000 of my yearly income, but, anyway, it makes me feel better :)

Right now I'm developing an error and log tracking/monitoring/aggregation/reporting/managing service for web developers. I hope to release it this summer, so I will try to announce it inside JavaScript Errors Notifier. It will be a non-aggressive ad message displayed inside the JEN error popup only once, and then it will be automatically removed if the user is not interested in clicking it.
