Collecting Metrics in Atom Core


#1

I find the whole concept of tracking users with the excuse of collecting useful data ridiculous!

In the entire history of Open Source this has never been needed and users are extremely helpful in sharing information, data, and reports about bugs, how they use the application, and other stuff.

The metrics package in Atom needs to be removed! It is SPYWARE no matter what you call it and it doesn’t belong in Open Source software.

For me that is a major no go.

Open Source applications need to be secure and spy-free by default, then you can leave the package for anyone who wants to install it by himself!


#2

I would have to disagree with you there. All you need to do is look at the extensive literature on the fallibility of human memory to know that no matter how forthcoming someone is, they do not recall things accurately or even at all. I have worked on extremely high-volume websites that anonymously tracked how users used the web application and we learned things that people wouldn’t even have thought to report as a bug by examining workflows that led to people leaving the application early or heatmaps of where they hovered their mouse pointer.

I can respect that.


#3

Using the general fallibility of human memory is a poor excuse for “spying” on people.

Sure many people will not report anything, but GNU/Linux, BSD and the rest of the Open Source world would not be where it is were it not for the billions of reports from helpful users.

And besides, collecting data using Google Analytics hardly helps you develop software! Come on!

Making a sha1 of people's MACs is uniquely identifying individuals, whether they remain anonymous or not.

Something is just plain wrong with metrics in Atom. It does not belong there. Not the way it is used and not the way its presence is being explained.


#4

Sure it does. Why do you think people do it? What do you think the evil purveyors of this spyware do with the data? I’m serious.


#5

I cited two examples that I personally experienced of ways in which collecting anonymized, aggregated data over thousands of users helped improve a web application.

I am not an employee of GitHub nor am I attempting to speak on their behalf. (See full disclaimer below)*

I also am not explaining the presence of the metrics package in Atom. I do not have access to the data the metrics package collects. I don’t know how it is being used, so I won’t even attempt to explain it … I don’t have the information necessary to do so. I can say that I trust GitHub with the metrics data they collect from my copies of Atom, but that is my personal choice and I don’t blame anyone for making a different one.

I do, however, feel that there are acceptable ways to gather and use application metrics data, as well as unacceptable ones. If you feel that there is no situation in which it is ever acceptable, then there isn’t a way we can reach an understanding … we simply have to agree to disagree.

* The ideas I express here do not represent the opinions of my employer, my family, my friends, GitHub, Inc., my local government, my fifth grade teacher, Mrs. Thomas, or even myself depending on how long ago they were written.


#6

Personally, I don’t think it’s fair to categorize all data collection as inherently bad.

For example, I think it would be great if packages had a ‘suggestion box’ sort of thing in the settings panel where people could vote on new feature suggestions and rate existing features in order to give users more influence in the development of packages. Also, in my syntax theme I have optional “extras” that can be activated through the settings panel, and I have no idea if anyone even likes or uses them. Being able to see which options people have enabled would let me make a better package.

I have to agree that opt-in should always be the default, but I also think a lot of people have different meanings of what constitutes an “opt-in” to begin with, which leads to a lot of the negative perception towards analytics. To many, to “opt-in” probably means to check a checkbox that says something like “I opt in to share x”, but I think these days there are a lot more ways we opt-in to share data.

By posting a reply on this topic for example, you are also consciously opting in to have the content of your post be made public on this site, and you are consciously agreeing to this; Also, by simply visiting a website, you’re opting in to let that site track your IP address. It’s not like simply installing tools such as Google Analytics gives websites the ability to capture some information about you that wasn’t previously available to them - i.e., they are not taking something from you - instead, by choosing to visit that site, you’re inherently choosing to give them the information to track.


#7

I don’t agree with this. Of course, the website has to know my IP address for technical reasons, but Google Analytics persists the IP address, which is not necessary for these technical reasons. Furthermore, I allowed the website to use my IP address to send me the response (in fact, I asked the website to do that, else I wouldn’t be able to read the content). But I didn’t allow the website to pass my IP address to a third party, nor to persist my IP address.


#8

Yeah, that’s true; I don’t think data should be shared with 3rd-parties unless the user explicitly agrees to, and everything I said I meant in terms of whatever entity the user directly interacted with.


#9

They are not respecting the privacy of the people. It is not debatable, ask permission before.


#10

Hmm. There appears to be a debate about this so I don’t see how that could be true.


#11

Your privacy is debatable, if you will, not mine.

Even in Europe the law requires explicit approval to collect user information, not simply opt-out.

The problem is that you will not give importance to privacy, so you consider it a minor issue. I think instead that my privacy is sacred.

So maybe I’ll find another project more in line with my ideas in which to participate.


#12

So you can’t use Google Analytics in Europe?


#13

The question is how to use it.

In Europe, if you have a website and use analytics, you need to warn users BEFORE sending any cookie.

The law is not limited to the use of cookies, if you really are interested:
http://ec.europa.eu/justice/data-protection/data-collection/index_en.htm

These are directives; each European country legislates upon them.

Very briefly, data can be collected only with prior explicit approval.


#14

This is an example of what makes NetBeans comply with European legislation.

Before (it is important that it is before) running for the first time, the application asks for the user's consent:

Subsequently, the user must have easy access to disagree:

Finally, the user should be clearly informed what information is being collected:
http://netbeans.org/about/usage-tracking.html


#15

The directive protects personal data. Atom’s metric package doesn’t collect any personal data as far as I see it:

Personal data are defined as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;” (art. 2 a)

(https://en.wikipedia.org/wiki/Data_Protection_Directive)

The Atom metrics package collects:

  • A unique UUID v4 random identifier is generated according to RFC4122
  • The screen width and height
  • The version of Atom being used
  • The name of each item opened in a pane such as EditorView, SettingsView, and MarkdownPreviewView
  • Exception messages (without paths)
  • Commands run (save core commands)
  • The amount of time the current window was open for
  • The amount of time the current window took to load
  • The amount of time the app took to launch
  • Deprecations: package name and version of each deprecation

Of which none is

information relating to an identified or identifiable natural person

unless the “unique UUID v4 random identifier” is linked to a natural person, which I think it isn’t, as you don’t have to sign up anywhere to use Atom nor ever have to submit any personal data. It’s only technical statistics; no IP addresses, user names, natural names, names of open documents etc. are being sent, therefore no personal data relating to an identified or identifiable natural person.


#16

In Europe the IP is personal data; besides, “anonymous” unique identifiers are also legislated. Developers should not make decisions in this respect; a legal team should make them.


#17

Of course IP addresses are personal data, but IP addresses are not stored in that context. See https://atom.io/packages/metrics.


#18

I’d prefer to be asked before using the Editor whether I want to have the metrics package enabled or not. I agree with you there, but I don’t think you could argue with legal reasons to do so, as the data collected are not personal.


#19

All that is in my computer is my privacy, ethically speaking.

Again, legally also:
http://ec.europa.eu/justice/data-protection/data-collection/index_en.htm


#20

That link is where I cited what personal data is defined as. I suppose we won’t get any further with this discussion unless a lawyer can take a look at the situation. I myself am not one and won’t continue this discussion therefore, because it’s only going to get more subjective.