Open sneak opened 4 years ago
Arcanemagus
commented
4 years ago A few points here:
sneak
commented
4 years ago It's not silent, the dialog directly tells you this will happen
The dialog does not indicate that it will happen via the network. Even if the text is updated, it is absolutely not reasonable to transmit telemetry data when the user explicitly clicks the "please don't send telemetry data" button.
"current" as a version doesn't tell us anything 6 months later, please fill this out
Edited.
Atom hasn't used Google Analytics for quite a long time, data is sent directly to an internal GitHub pipeline
Edited. I updated the version and the name of the tracking companies in the issue.
sneak
commented
4 years ago FYI, the software attempts to connect to central.github.com on first launch prior to selecting anything in the telemetry dialog.
sneak
commented
4 years ago @Arcanemagus - your updated title for the issue is incorrect. The software is connecting to central.github.com prior to the user opting in or out. It's not simply the opt-out sending telemetry - it sends the telemetry automatically, silently, before the user does anything at all.
Description
Atom violates a user's consent by silently spying on them (transmitting their opt out) across the network to Microsoft processes running on Amazon servers/network.
Steps to Reproduce
Expected behavior:
No telemetry is sent.
Actual behavior:
Telemetry is sent.
Reproduces how often:
100% of the time a user selects opt out.
Versions
1.41.0
Additional Information
The text "We only register anonymously that you opted-out." is a false statement.
The "registration" is a network request that is absolutely not anonymous: it includes your IP address, which, in the right hands, is a physical location. The method used by Atom to transmit the information cannot transmit anonymously.
It's compounded by the fact that you have explicit withdrawal of consent to such tracking, and yet you're still spying by transmitting user activity data. This is really, really bad.
When the user opts out of tracking, you don't get to make any more tracking web requests using their computer. Doing so makes the opt-out button fraudulent. As others have pointed out in atom/atom#12281, the text below it does not even plainly indicate that it's going to be transmitting this information to thousands of other people, instead opting for the weasel word "register", which could be interpreted to mean only locally (which is what a reasonable person would guess considering they're opting out of tracking). Instead, you enable them to be tracked.
It doesn't matter that you don't see the IP address; many others at GitHub, Microsoft, and Amazon, as well as those who have access to Amazon's network data, can. This is thousands, perhaps hundreds of thousands of people (over 1M humans have a TS clearance in the USA). Thanks to people like Ed Snowden, we now know that permanent logging of such information by third parties is routine, and thanks to the extent of their reach, we know that they can easily resolve IP addresses to physical location.