avi12 / youtube-auto-hd

A simple browser extension for changing YouTube videos' quality based on FPS.
https://avi12.com/youtube-auto-hd
GNU General Public License v3.0

Introduction of data collection and privacy policy #63

Closed siddhpant closed 2 years ago

siddhpant commented 2 years ago

So this popped up now: https://apps.jeurissen.co/auto-hd-fps-for-youtube/whatsnew

[screenshot]

Did you sell off the extension? Or is there malware somewhere?

Also the privacy policy isn't updated:

[screenshot]

avi12 commented 2 years ago

> Did you sell off the extension?

No, not gonna sell it, only monetize it on a monthly basis, but I didn't sign their contract yet as I need to make sure that the legal stuff is dealt with. Thanks for reminding me to edit the changelog.

avi12 commented 2 years ago

Once I sign their contract, not only will I update the privacy policy on my website, but I will also update the privacy policy on the Chrome Web Store listing.

avi12 commented 2 years ago

BTW, the partnership will affect, at least initially, only the version uploaded to the Chrome Web Store. Plus, the relevant files (content & background scripts) will be uploaded to this repo.

LoganDark commented 2 years ago

Thanks for the heads up, definitely disabling updates for this extension before it puts me into stupid opt-out data collection (also partly because of #64, which took me out of a fullscreen video!)

No, do not track my install before I've had the chance to disable the telemetry, I don't care how little data you log.

avi12 commented 2 years ago

@LoganDark Got it, I'll look for a better approach

siddhpant commented 2 years ago

> BTW, the partnership will affect, at least initially, only the version uploaded to the Chrome Web Store. Plus, the relevant files (content & background scripts) will be uploaded to this repo.

This is a lie.

The Firefox listing already has monetization code sneaked in by you in v1.6.8, and this is not the same as https://github.com/avi12/youtube-auto-hd/blob/bd3e90c4d71effcacf8b22557aae48de3117921a/src/background.ts.

```js
"use strict";
// Origins the extension legitimately needs: YouTube only.
const t = {
        origins: ["https://www.youtube.com/*", "https://www.youtube-nocookie.com/*", navigator?.userAgent?.includes("Android") ? "https://m.youtube.com/*" : "https://youtube.googleapis.com/*"]
    },
    // Packaged monetization bundle that is fetched and imported further down.
    e = chrome.runtime.getURL("build/monetization/background.bundle.js"),
    o = [4320, 2160, 1440, 1080, 720, 480, 360, 240, 144].find((t => t <= screen.height)),
    n = {
        60: o,
        50: o,
        30: o
    };
async function i(t) {
    return new Promise((e => chrome.permissions.contains(t, e)))
}
Object.freeze({
    childList: !0,
    subtree: !0
}), window.ythdLastUserQualities = {
    ...n
};
// Search-engine and mtus*.de origins requested for the monetization code;
// none of these are needed to change a YouTube video's quality.
const s = {
    origins: ["https://www.google.com/*", "https://www.bing.com/*", "https://www.yahoo.com/*", "https://mtusconf.de/*", "https://mtusgate.de/*", "https://mtusrede.de/*", "https://mtusimg.de/*"]
};
var a;
! function(t) {
    t.title = "title", t.video = "video", t.buttonSettings = ".ytp-settings-button", t.pathSizeToggle = 'path[d*="m 28,"], path[d*="m 26,"]', t.optionQuality = ".ytp-menuitem:last-child", t.menuOption = ".ytp-menuitem", t.menuOptionContent = ".ytp-menuitem-content", t.panelHeaderBack = ".ytp-panel-header button", t.player = ".html5-video-player", t.mobileQualityDropdown = "select[id^=player-quality-dropdown]", t.mobileQualityDropdownWrapper = ".player-quality-settings", t.mobileMenuButton = ".mobile-topbar-header-content ytm-menu button", t.mobileOption = "div[role=dialog] ytm-menu-item", t.mobileOkButton = ".dialog-buttons [class*=material-button-button]"
}(a || (a = {}));
// Loads the monetization bundle at runtime if it is present in the package,
// silently ignoring the case where it is not.
fetch(e)
    .then((() => importScripts(e)))
    .catch((() => {})), console.log("Universal search initialized", {
        API_PUBLIC_KEY: "BLq9RU7a6w",
        MEMBER_HASH: "SyLKjvdn",
        PANEL_HASH: "y5koMpEpty"
    }), chrome.runtime.onMessage.addListener((async (t, e, o) => {
        "check-monetization-permissions" === t.type && o(await i(s))
    // Uninstall and update events open pages on a third-party domain.
    })), chrome.runtime.setUninstallURL("https://apps.jeurissen.co/auto-hd-fps-for-youtube/uninstalled"), chrome.storage.local.remove(["cj_landing_lastupdated", "cj_landing_versionnumber"]), i(t)
    .then((t => {
        t || chrome.tabs.create({
            url: chrome.runtime.getURL("permissions.html")
        })
    })), chrome.runtime.onInstalled.addListener((({
        reason: t
    }) => {
        "update" === t && chrome.tabs.create({
            url: "https://apps.jeurissen.co/auto-hd-fps-for-youtube/updated"
        })
    }));
```

At this point, this extension is not the same as the GitHub version, and the act of surreptitiously sneaking in tracking code makes this malware.
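
The check behind the comment above can be automated. The following is an added example, not code from the extension or from anyone in this thread: a small Node script that scans a shipped background bundle for runtime-loaded scripts and for network hosts that the repository's own source does not declare. The allowlist, the function names and the sample bundle are all constructed for the illustration; in practice the allowlist should come from the manifest in the git tree you trust, and the input should be the actual file unpacked from the store package.

```javascript
// Added example: audit a shipped extension bundle for undeclared hosts and
// runtime code loading. Run with: node audit-bundle.js

// Hosts the repository version is expected to reach (constructed allowlist).
const EXPECTED_HOSTS = new Set([
  "www.youtube.com",
  "www.youtube-nocookie.com",
  "m.youtube.com",
  "youtube.googleapis.com",
]);

// Absolute URLs embedded as string literals (stops at quotes and match-pattern globs).
const URL_RE = /https?:\/\/[^\s"'`)*]+/g;
// Paths resolved through chrome.runtime.getURL, i.e. files shipped in the
// package that may or may not exist in the repository.
const GET_URL_RE = /chrome\.runtime\.getURL\(\s*["']([^"']+)["']\s*\)/g;
// Calls that load code at runtime or send the user somewhere.
const LOADER_RE = /\b(importScripts|fetch|setUninstallURL|tabs\.create)\b/g;

function hostOf(url) {
  try {
    return new URL(url).hostname;
  } catch {
    return null; // not a parseable URL, ignore it
  }
}

// Returns everything found plus a verdict: a bundle that imports a script at
// runtime and names hosts outside the allowlist is exactly the pattern in the
// minified dump quoted above.
function auditBundle(source, expectedHosts = EXPECTED_HOSTS) {
  const urls = [...new Set(source.match(URL_RE) || [])];
  const extraHosts = [...new Set(
    urls.map(hostOf).filter((h) => h && !expectedHosts.has(h)),
  )];
  const bundledPaths = [...source.matchAll(GET_URL_RE)].map((m) => m[1]);
  const loaders = [...new Set(source.match(LOADER_RE) || [])];
  return {
    urls,
    extraHosts,
    bundledPaths,
    loaders,
    flagged: extraHosts.length > 0 && loaders.includes("importScripts"),
  };
}

// Constructed sample modelled on the quoted snippet; not the real shipped file.
const SAMPLE_BUNDLE = `
const t={origins:["https://www.youtube.com/*","https://www.youtube-nocookie.com/*"]},
e=chrome.runtime.getURL("build/monetization/background.bundle.js");
const s={origins:["https://www.google.com/*","https://www.bing.com/*","https://mtusconf.de/*"]};
fetch(e).then(()=>importScripts(e)).catch(()=>{});
chrome.runtime.setUninstallURL("https://apps.jeurissen.co/auto-hd-fps-for-youtube/uninstalled");
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditBundle(SAMPLE_BUNDLE), null, 2));
}
```

Point it at the unpacked `.crx`/`.xpi` contents and diff the result against a run over the repository build; any host or `getURL` path that appears only on the store side is what needs explaining in the changelog.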

LoganDark commented 2 years ago

> > BTW, the partnership will affect, at least initially, only the version uploaded to the Chrome Web Store. Plus, the relevant files (content & background scripts) will be uploaded to this repo.
>
> This is a lie.
>
> The Firefox listing already has monetization code sneaked in by you in v1.6.8, and this is not the same as https://github.com/avi12/youtube-auto-hd/blob/bd3e90c4d71effcacf8b22557aae48de3117921a/src/background.ts.
>
> At this point, this extension is not the same as the GitHub version, and the act of surreptitiously sneaking in tracking code makes this malware.

That just looks like the code that opens the update page (BTW, do check if build/monetization/background.bundle.js actually exists; they told me over email that it's not included in the Firefox version).

siddhpant commented 2 years ago

> That just looks like the code that opens the update page (BTW, do check if build/monetization/background.bundle.js actually exists; they told me over email that it's not included in the Firefox version).

It doesn't, but the functionality is there, and the changelog doesn't mention either the update pop-up change or the monetization code addition for the future (it just says "Fixed a bug for changing a video's quality").

There is no reason to include it when you are not gonna add monetization in. Further, it's not on the git repo here, which automatically makes his statement false.

LoganDark commented 2 years ago

> > That just looks like the code that opens the update page (BTW, do check if build/monetization/background.bundle.js actually exists; they told me over email that it's not included in the Firefox version).
>
> It doesn't, but the functionality is there, and the changelog doesn't mention either the update pop-up change or the monetization code addition for the future (it just says "Fixed a bug for changing a video's quality").
>
> There is no reason to include it when you are not gonna add monetization in. Further, it's not on the git repo here, which automatically makes his statement false.

They told me over email they run a script to remove the tracking code from the extension for firefox. That's just the code that loads the tracking script, which does not yet exist.

I proposed to them a set of guidelines for the tracking:

So if you turn it off within the first week, or have DNT enabled, then the script never gets run, and your computer never gets compromised.

They agreed that it would be easy to implement those. I am not sure if they will follow through with it, but it seems like they will (they seemed very concerned with respecting users' privacy, but still having the tracking somewhat enabled by default).

However, the presence of malware in the extension is definitely a concern by itself.

They did not agree to offer a version of the extension that does not have access to the tracking domains granted in the manifest file; they said it would be "too complicated" to make a 1-line change in the JSON file, and "too confusing" for users that search for a no-tracking version and actually find it.

Additionally, the fact they are modifying the extension from the repository and not publishing the modifications in a public, easily auditable form is concerning. What other changes did they make?

I feel like this is something that needs to be addressed publicly for all users, not just over email

avi12 commented 2 years ago

> Do not track user if they have the DNT (Do Not Track) header enabled

It doesn't seem to be reliable. See navigator.doNotTrack and the DNT header - both are marked as deprecated.

> Additionally, the fact they are modifying the extension from the repository and not publishing the modifications in a public, easily auditable form is concerning. What other changes did they make?

I planned to release the bug fix and only later on release the monetization update, but I made my mistake with the background script.

Sidenote, I'm a solo developer, there's no "they"

LoganDark commented 2 years ago

> Sidenote, I'm a solo developer, there's no "they"

"They" is a gender neutral pronoun, I am not implying you are multiple people, do you have preferred pronouns you want me to use instead?

LoganDark commented 2 years ago

> It doesn't seem to be reliable. See navigator.doNotTrack and the DNT header - both are marked as deprecated.

That's a lie (Mozilla is lying), my browser still sends DNT and navigator.doNotTrack is "1", you can use them

avi12 commented 2 years ago

> > Sidenote, I'm a solo developer, there's no "they"
>
> "They" is a gender neutral pronoun, I am not implying you are multiple people, do you have preferred pronouns you want me to use instead?

I'm a guy, therefore "he/him"

LoganDark commented 2 years ago

> I'm a guy, therefore "he/him"

Ok, didn't want to assume your gender

avi12 commented 2 years ago

> > It doesn't seem to be reliable. See navigator.doNotTrack and the DNT header - both are marked as deprecated.
>
> That's a lie (Mozilla is lying), my browser still sends DNT and navigator.doNotTrack is "1", you can use them

"deprecated" doesn't mean that the functionality isn't there, but rather that you cannot rely on the functionality to be available cross-browser, nor be available in the future

LoganDark commented 2 years ago

> > > It doesn't seem to be reliable. See navigator.doNotTrack and the DNT header - both are marked as deprecated.
> >
> > That's a lie (Mozilla is lying), my browser still sends DNT and navigator.doNotTrack is "1", you can use them
>
> "deprecated" doesn't mean that the functionality isn't there, but rather that you cannot rely on the functionality to be available cross-browser, nor be available in the future

Mozilla is lying about it being deprecated; all browsers support these properties and have a setting to toggle it. It does not matter if it will get removed in 10 years, that is 10 years of you being able to respect a browser-wide privacy setting!

navigator.doNotTrack === "1" will not start throwing an exception in the future regardless of whether it gets removed; it will just fail safe to false.

avi12 commented 2 years ago

I just tested and navigator.doNotTrack isn't a thing in a Service Worker. The next best thing I can do to reliably get this value is to make an HTML page specifically to be opened from the background script, grab the value and close that page.

LoganDark commented 2 years ago

> I just tested and navigator.doNotTrack isn't a thing in a Service Worker.

Ow, that's annoying :(

> The next best thing I can do to reliably get this value is to make an HTML page specifically to be opened from the background script, grab the value and close that page.

Yes, this would probably be the next best option. It's possible to sniff request headers for DNT or something, but that would require the extension to get the request-sniffing permission, which is sus.

avi12 commented 2 years ago

> Yes, this would probably be the next best option. It's possible to sniff request headers for DNT or something, but that would require the extension to get the request-sniffing permission, which is sus.

Sniffing something from a request requires an additional permission, webRequest. Will users feel safe if I include it?

LoganDark commented 2 years ago

> > Yes, this would probably be the next best option. It's possible to sniff request headers for DNT or something, but that would require the extension to get the request-sniffing permission, which is sus.
>
> Sniffing something from a request requires an additional permission, webRequest. Will users feel safe if I include it?

Yes, that is the primary concern, which is what makes the HTML page superior, if you can use it (I don't know if you would have to open a new tab temporarily for that, or if you can do it in the background)

siddhpant commented 2 years ago

You can use GPC (https://globalprivacycontrol.org/).

Available in Firefox from v95: https://blog.mozilla.org/netpolicy/2021/10/28/implementing-global-privacy-control/.

avi12 commented 2 years ago

> Available in Firefox

The monetization will only occur in the Chrome version, so this is irrelevant

LoganDark commented 2 years ago

> You can use GPC (https://globalprivacycontrol.org/).
>
> Available in Firefox from v95: https://blog.mozilla.org/netpolicy/2021/10/28/implementing-global-privacy-control/.

Global privacy control is not enabled by default (you have to open about:config and change a hidden setting)
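
The opt-out gate LoganDark proposed, the service-worker limitation avi12 hit, and the GPC signal siddhpant pointed to can be combined in one small piece of code. The following is an added example, not the extension's code and not anything posted in this thread: a pure decision function that the MV3 background script can call before loading any tracking bundle, plus the glue that reads `navigator.doNotTrack` and `navigator.globalPrivacyControl` from an extension page, since neither property is available in the service worker itself. The function names, the `browser-signals` message type, the `installedAt`/`optedOut` storage keys and the one-week grace period are assumptions made for the illustration.

```javascript
// Added example: gate telemetry on browser-wide privacy signals and a grace
// period. Runs under Node for the decision logic; the chrome.* glue is only
// active when loaded inside an extension.

const ONE_WEEK_MS = 7 * 24 * 60 * 60 * 1000;

// signals: what an extension page read from navigator (see readBrowserSignals).
// state:   what the background script keeps in chrome.storage.local
//          (assumed keys: installedAt in ms since epoch, optedOut boolean).
function telemetryAllowed(signals, state, now = Date.now()) {
  // Any explicit opt-out wins, whether it is the extension's own switch or a
  // browser-wide setting. "Deprecated" is not "absent": navigator.doNotTrack
  // still reads "1" where the user turned DNT on, and the comparison below
  // fails safe to false if the property disappears.
  if (state.optedOut === true) return false;
  if (signals.doNotTrack === "1") return false;
  if (signals.globalPrivacyControl === true) return false;
  // Grace period: nothing runs until the user has had a week to opt out.
  if (typeof state.installedAt !== "number") return false;
  if (now - state.installedAt < ONE_WEEK_MS) return false;
  return true;
}

// Executed inside an extension HTML page (a temporary tab as avi12 proposed,
// or an offscreen document created with chrome.offscreen.createDocument, which
// needs the "offscreen" permission). `nav` is the page's navigator object.
function readBrowserSignals(nav) {
  return {
    doNotTrack: nav.doNotTrack ?? null,
    // GPC: in Firefox 95+ it is only exposed once the about:config pref is
    // enabled, so a missing property means "no signal", never "consented".
    globalPrivacyControl: nav.globalPrivacyControl === true,
  };
}

// Page side (assumed message shape):
//   chrome.runtime.sendMessage({ type: "browser-signals",
//                                signals: readBrowserSignals(navigator) });

// Service-worker side: answer with the decision, then the page may close itself.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, _sender, sendResponse) => {
    if (!msg || msg.type !== "browser-signals") return false;
    chrome.storage.local.get(["installedAt", "optedOut"], (state) => {
      sendResponse({ allowed: telemetryAllowed(msg.signals, state) });
    });
    return true; // keep the channel open for the async sendResponse
  });
}
```

Note that `installedAt` has to be written from the `onInstalled` handler on first install, not on update, otherwise every release restarts the grace period.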