Privacy issues


#1

I’m concerned about the way Atom is currently collecting usage information.

First, there are obviously multiple packages built-in that send data not only to GitHub but also to Google. So far, I found the packages metrics and exception-reporting sending data together with a unique identifier. In the case of the metrics package, this identifier is generated from the MAC address of the network interface, making the user identifiable even across installations.

I found similar issues in 3rd party packages, e.g. atom-beautifier. This application by default is also sending usage data, again together with a unique identifier.

All this data collection is totally non-transparent to the end user. Without looking through all the settings I would not even know about it, and by the time I get to checking the settings, data might already have been transmitted. There is no control over where exactly this data is transmitted to, what is collected and which 3rd parties are involved in data collection. There is also no way of knowing if there are more packages sending data and whether or not they even allow the user to turn it off.

I understand that there might be legitimate interest in this data; however, this interest is never more important than the user’s right to have total control over his data. Please respect that and change your defaults accordingly. Additionally, with a growing number of packages, uncontrolled data collection of 3rd party packages should be somehow prevented by the application as a part of its security framework.

I therefore suggest multiple improvements:

  • By default all data collection must be turned off. If the application itself or any of the 3rd party packages wants to send some sort of usage data, this has to require explicit user permission (opt-in).
  • There should be some sort of sandboxing of 3rd party packages, namely they should not be allowed to make any network requests or access files outside their home directory (I don’t know if that is maybe already the case?) without explicit user permission.
  • In case the user chooses to opt in to data collection there should be some sort of dashboard showing exactly what information has been transmitted and a global option to revoke permission. Additionally there must be an option to regenerate the UID in case the application is using such an ID.

#2

This has been brought up a few times. Here’s a comment explaining the decision to track by default. Long story short…

  • The welcome screen informs the user that metrics are being collected and informs them of how to disable collection.
  • This is a beta, and the metrics are useful!

With regards to third party packages, there is an ongoing discussion about improving Atom’s security model. Since Atom packages are just node packages, it is non-trivial to restrict certain operations, but it is being considered.


#3

In addition to @postcasio’s astute observations, you can regenerate the UID anytime you like by deleting the current ID and restarting Atom.

Here’s the previous discussion here about the metrics packages:

And here’s the previous discussion regarding the security model:


#4

Given that this is a duplicate of other conversations, the discussion of those aspects belongs on those topics. Please continue the discussion there.

Closing as duplicate in 24 hours unless there are objections.


#5

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.