Data Privacy Breach on First Run


#1

I admire the Atom project and appreciate its recent open-sourcing. I don’t know much about Atom, if a little nodejs, but do wish to give a first impression.

On first run I got an exhaustive file indexing of all available hard disks? Is that correct? I saw Atom scanning encrypted drives and immediately killed the process and uninstalled the app as a horrible security breach. The last thing a security auditor needs is an app that aggressively scans everything to ‘help’ him without so much as asking.

Make a dialog to ASK permission with checkboxes to prohibit certain folders. Beaucoup folders and files need never interact with Atom and I neither need nor want Atom’s help to auto-find them from a magic entry box.

Thanks Team


#2

I’m guessing it was the tree view scanning the working directory to build the directory tree… What directory were you in when you opened Atom?


#3

To be fair… What do you mean by “scanning” though? Is the application actively collecting data from those folders as opposed to just indexing the names and structure?
I’m not sure what’s so privacy-invading in that behavior? Your OS does it every time you open a folder, same with any other application that works with file system directories.

I don’t think atom has any in-built feature to collect data and send it off somewhere, although I could be wrong. Of course that would change things.


#4

Actually, there are the exception-handling and metrics built-in packages, which do collect anonymized data and send it off to GitHub. They can be disabled like any other package in the Settings View, though.


#5

Then I think it might be worthwhile making that fact a bit more public. I know not only auditors are sensitive to this kind of thing.
Is there a privacy section somewhere in the documentation?


#6

Not here:

https://atom.io/docs/latest/

Might be a good idea to create one though.


#7

Appreciated responses. From memory I was reading Atom’s faux-OSD hints in the middle of the window, and hit ctrl-P or something suggested. So atom dropped me I guess into a file-open text entry box. It was at the top of the window.

I started typing thinking I was in text entry but found myself looking at file names being guessed for me while atom trolled my drives. I knew they were accessed heavily just watching hardware LEDs blink. I only see those LEDs working that steadily for major file ops like backup.

I assume Atom was in $HOME at the time. Various cipher drives from other people were mounted there for miscellaneous filesystem maintenance work they wanted done.

Probably Atom was indeed constructing an indexed file list, which is the breach here. Data proper would be worse of course but names alone are a breach.

I noticed more awful ‘googleisms’ in atom’s config folder, the user/machine fingerprint ID GUIDs. Yuk! Disable those. I was about to reset GUIDs myself with XXXX-XXXX’s.

I read GitHub ToS but they made me feel just as icky. They are basically corporate-speak with the usual soft coddling to persuade you how much they care about your privacy in some unspecified sense that is subject to change without notice, while they try to make money off you.

Just from a speedup standpoint disk scanning should go. Disk I/O is always the worst bottleneck on a PC. I am actually trying to help atom become faster. I think the default should be OFF with an option to enable for people who want it.

Final note (unrelated) just for Linux builds, not to say Mac OS X which may be different -

Conf dir belongs not at {HOME}/.atom but rather {XDG_CONFIG_HOME}/atom (sans hidden-file dot). That’s the new and improved FreeDesktop.org spec.

Thanks again
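
An added illustration (not written by any poster in this thread and not Atom's code) of the behaviour asked for in posts #1 and #7: a name-only indexer that honours an exclusion list, ignores symlinks, and does not descend into directories that sit on another filesystem, such as a volume mounted under $HOME. The helper `indexFileNames`, its `exclude` and `lstat` options, and the sample tree are assumptions made for the example.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper; `exclude` and `lstat` are illustrative option names.
function indexFileNames(root, { exclude = [], lstat = fs.lstatSync } = {}) {
  const rootAbs = path.resolve(root);
  const rootDev = lstat(rootAbs).dev;          // device id of the project's filesystem
  const denied = exclude.map((p) => path.resolve(rootAbs, p));
  const files = [];
  const skipped = [];                          // [path, reason] pairs, usable as an audit trail
  const stack = [rootAbs];
  while (stack.length > 0) {
    const dir = stack.pop();
    for (const name of fs.readdirSync(dir).sort()) {
      const full = path.join(dir, name);
      const st = lstat(full);                  // lstat never follows symlinks
      if (st.isSymbolicLink()) skipped.push([full, 'symlink']);
      else if (denied.includes(full)) skipped.push([full, 'excluded']);
      else if (st.isDirectory()) {
        // A different device id means a mount point: record it, do not enter it.
        if (st.dev !== rootDev) skipped.push([full, 'other-filesystem']);
        else stack.push(full);
      } else if (st.isFile()) files.push(path.relative(rootAbs, full));
    }
  }
  return { files: files.sort(), skipped };
}

// Constructed sample tree in a temp directory (not real user data).
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'index-demo-'));
  const sample = ['src/main.js', 'clients/vault/names.txt', 'mnt/cipher/secret.txt'];
  for (const f of sample) {
    fs.mkdirSync(path.dirname(path.join(root, f)), { recursive: true });
    fs.writeFileSync(path.join(root, f), '');
  }
  // Simulate a mounted volume by reporting a different device id for mnt/cipher.
  const mount = path.join(root, 'mnt', 'cipher');
  const lstat = (p) => {
    const st = fs.lstatSync(p);
    if (p === mount) st.dev = st.dev + 1;
    return st;
  };
  const result = indexFileNames(root, { exclude: ['clients'], lstat });
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}
```

Only `src/main.js` is indexed in the sample run; `clients` and `mnt/cipher` appear in `skipped` with their reasons, so nothing under them is ever listed.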


#8

There is an issue open for that part.