Urgent: Make javascript-errors-notifiers less invasive

[henvic]

Hello,

I have just posted on Hacker News and reported your extension to Chrome's webstore team after freaking out when I was debugging a web service of mine with Charles and found some strange requests.

Please, don't take this as a hateful message. I really enjoy your extension, but it's just too invasive. I know you say it collects data on the fine print at the store, but most of the extensions that does so anonymize the data first. I myself maintain some CLI tools and had to create a anonymizer to avoid collecting more data than user's would be comfortable sharing. https://github.com/node-gh/gh/blob/master/lib/cmd-anonymizer.js

Feel free to contact me if you have questions or need help.

Sorry for not trying to contact you first, but my first reaction was to alert people and find out more. Just then I realized it was almost certainly not intentional.

My link to the Hacker News post is https://news.ycombinator.com/item?id=10309432

[barbushin]

BTW, there is a paragraph in this Chrome extension description:

We are always trying to find a way to continuously improve JavaScript Errors Notifier, thus we've chosen Fairshare and Intenta as our trusted partner, which will collect the usage statistics from your browser. It's anonymous and will not include any of your privacy data. We concern about your data security as you always do. Please learn more about Fairshare privacy policy at https://fairsharelabs.com/analytics. Anyway, there is also alternative extension version, that does not collect any statistics: https://goo.gl/IRbqnY

If you think that it will be better when this extension will be banned for 86k users... then I'm not sure that you're enough smart to continue discussing this issue with you.

Intenta and FairShare are well known and trusted partners. In the same way Google Analytics collects users activity on 70% of web sites that they visit.

[henvic]

Your description there says it's anonymous and won't include any privacy data. This is a blatantly lie.

People, just like me, will download and use it in good faith without knowing it is sending all the links they browse to to your analytics web service with a token to uniquely identify.

Of course you know you can retrieve personal identifying information on links such as account ids, usernames, emails, purchase orders, photo links, and more.

It's one thing to add such scripts to your own site. It's another to add a script that inconspicuously sends private data for all sites you browse to the analytics account of someone when you install an extension that has nothing to do with it. And yeah, I know many - if not most - sites use some kind of analytics service but they don't do like it.

non-https links will be even sent entirely unencrypted allowing man-in-the-middle attacks as well (e.g., private network links might end up on the Internet not only for you; and, of course, you always get the private sensitive data you claim you don't).

PS: You certainly have an attitude problem. Trying to play down this by saying you have something on the fine print and implying I am dumb? Really?

[henvic]

This is no better than Lenovo shipping laptops with adware that hijacks HTTPS connections.

[barbushin]

I've sent feature request to Intenta to use SSL, if they'll not change protocol I'll disconnect extension from their service.

Intenta and FairShare works with statistics information in the same way. Read this https://www.fairsharelabs.com/privacy

[barbushin]

Anyway, there is also alternative extension version, that does not collect any statistics: https://goo.gl/IRbqnY

[henvic]

Fair improvement.

[barbushin]

Henrique, sorry, but I can't fix your paranoya. I have much more important things to do.

[henvic]

Thanks. No need to worry about me, though. I am not going to bother you anymore.

PS: something smells fishy for Gmail, what a hilarious coincidence, isn't it? 😄

[mateusleon]

@barbushin Sorry man, this isn't a localized issue. It's quite necessary to look after your personal concerns over one impression and consider real facts to deal with this situation.

Suppose that if me, employed on one organisation that is supposed to be compliance with HIPAA statements, became a target on a trial, because while I was debugging one app of ours, it leaked data about medical issues of some patient.

You'll, then, explain to them that they are over reacting about this situation?

No, you'll not.

[barbushin]

@mateusleon But why you can't just use alternative extension version, that does not collect any statistics: https://goo.gl/IRbqnY?

[henvic]

Google has policies for the Chrome Web Store and this extension doesn't abide by it. I have highlighting just a few points below.

People usually are nice to each other and abide by them. This is why we can have nice things.

Developer Program Policies

1. We don't allow unauthorized publishing of people's private and confidential information, such as credit card numbers, government identification numbers, driver's and other license numbers, or any other information that is not publicly accessible. Additionally, we don't allow items that collect, store, or transmit user credentials or other private user data in an unsafe or unauthorized manner.
2. Spyware, malicious scripts, and password phishing scams are also prohibited in the Chrome Web Store. Where possible, make as much of your code visible in the package as you can. If some of your app's logic is hidden and it appears to be suspicious, we may remove it.
3. Your app must comply with Google's Webmaster Quality Guidelines.
4. Don't misrepresent the functionality of your app or include non-obvious functionality that doesn't serve the primary purpose of the app without clear notification to the user.
5. Forcing the user to click on ads or submit personal information for advertising purposes in order to fully use an app or extension provides a poor user experience and is prohibited.

Webmaster Guidelines: Quality guidelines

Don't deceive your users.

Unwanted Software Policy

We’ve found that most unwanted software displays one or more of the same basic characteristics:

• It is deceptive, promising a value proposition that it does not meet.
• It tries to trick users into installing it or it piggybacks on the installation of another program.
• It doesn’t tell the user about all of its principal and significant functions.
• It affects the user’s system in unexpected ways.
• It is difficult to remove.
• It collects or transmits private information without the user’s knowledge.
• It is bundled with other software and its presence is not disclosed.

[mateusleon]

Thanks @henvic. Your post proves my point.

[barbushin]

• It collects or transmits private information without the user’s knowledge.

But there is a paragraph in description explaining Intenta and FairShare usage. What is wrong?

BTW, there is one more extension with 864k users that is also integrated with FairShare https://chrome.google.com/webstore/detail/speakit/pgeolalilifpodheeocdmbhehgnkkbak

And this one, 240k users https://chrome.google.com/webstore/detail/fb-color-changer/kfmpgofbpmkihnamkhcoohnmipjkfjph

And this one about Intenta https://chrome.google.com/webstore/detail/chrome-currency-converter/anbfhidldjknonaihbalghlebaijealk

And this also https://chrome.google.com/webstore/detail/screen-shader/fmlboobidmkelggdainpknloccojpppi

After refusing the offers of multiple fishy ad and url gathering companies, I have partnered with a good-hearted startup named Intenta who use anonymous url data to improve the relevancy of ads on the internet. So basically if you are, for example, looking to buy a book, and Intenta is partnered with a company that sells the same book for a smaller price, then you might later see their ads for the cheaper book instead of other less relevant ads, so you get some good deals and save a bit of money while I get paid a few cents for my +400 hours of work on Screen Shader.

Installing an ad-blocker, of course, will nullify intenta's effects for those who don't want good deals when shopping online.

[barbushin]

I've forced Intenta to use SSL for statistics data requests https://github.com/netplenish/intenta-extension-sdk/releases/tag/2.0.4

Released JEN v2.1.24 that works over SSL.