
Atom editor still phones home prior to consent dialog - sneak
https://github.com/atom/atom/issues/20182
======
urthen
It performs an auto-update check. You _know_ it's just performing an auto-
update check. While there's not _no_ argument to be made here, it's not like
it's secretly collecting a bunch of data and reporting it before letting you
opt out.

The paranoid, accusatory tone in the issue does nothing to help your argument,
and I believe makes it harder for maintainers to take you seriously. Your
argument is well thought out, and I don't necessarily disagree with it in
principle, but you're making mountains out of molehills here. If you'd simply
pointed out the issue and asked that the auto-update check be performed after
the consent check - especially if it came with a PR implementing that - you'd
go a lot further.

~~~
hashkb
The maintainers who reply dodge the issue in a way that must be frustrating to
the reporter; and makes it seem like they'd probably not accept a PR that
modified this behavior. Calling privacy advocates "paranoid" in today's
climate is a bit suspect. There's a definite issue here that the Atom team
should address - a reasonable user would expect that, after opting out, the
app would never phone home, and it does.

Blaming tone is too easy - at this point the Atom team is representing
Microsoft, so I'd say the burden is on them to soak up a little snark;
especially coming from a user who maybe expects them to behave a bit more like
the GitHub of old. Even if they were a small open-source team I would still
expect them to directly confront the issue instead of beating around the bush.
It's about privacy, and splitting hairs to deny the reporter's reality is a
bad look.

~~~
lukasb
The "never phone home" UI should make it clear that it will still phone home
to check for updates.

But I'm sympathetic to Github here. Having users on unpatched software is a
bigger risk to them than not having 100% perfect insulation from sending their
IP address to Microsoft.

~~~
vunie
>Having users on unpatched software is a bigger risk to them than not having
100% perfect insulation from sending their IP address to Microsoft.

That's not a decision for Github to make. Let the user decide. Perhaps by even
presenting them with a dialog on first run that informs them then asks them to
decide.

~~~
Multicomp
I agree wholeheartedly.

Somewhere out there (prog21 ?) is an article stating that the one in desperate
need of electricity (the computing device) is subject to the one in a position
to provide it (the user), and I agree with that sentiment.

I'd even like an IETF-standard-like T-shirt that says 'The user's will MUST be
obeyed as faithfully as possible unless prevented by unrecoverable
circumstances' or something like that.

Click-through EULAs and dialog boxes are another symptom of the 'elite-
developer-itis' our industry can sometimes exude.

------
f0ez
Everyone should just stop using atom, I found the way they responded to the
issue very condescending.

"You are certainly free to block the network access and Atom will work in an
offline mode if that is your preference, if that is not what you desire though
there are plenty of other editors out there that may fit your needs better."

No one asked them if they are free to block network access or if they are free
to use other editors.

------
awinter-py
I love this thread. Every important question for privacy-conscious power users
is raised in here: are automatic updates safe, how should software obtain
consent to act on your behalf, how can power users keep up with the arms race
of privacy settings, is phone-home inherently sleazy.

This user is running a firewall / connection observer (little snitch) -- as
more people adopt tools like that + ad blockers, and as businesses figure out
whether and how to serve those users, the norms for this stuff will get worked
out.

For now, businesses benefit tremendously from surveillance for both sleazy and
non-sleazy reasons and are totally incentivized to understate the potential
harms and the ways in which they use what they collect.

------
blakesterz
The answer given is, in part:

> "Atom is designed to run in an internet connected environment, doing things such as checking for updates (your first dialog) without prompting the user."

The problem with that, as I see it at least is, "doing things such as..." If
it said "It's ONLY checking for updates", that seems fine, but "doing things
such as..." could be literally anything, and maybe some of those things are
things that many people don't want done without consent.

~~~
sneak
Checking for updates sends a packet out of your computer that contains your IP
address, happens at a given point in time (timestamp), contains 'atom.io' in
the TLS SNI, and is accessible to your ISP, their network providers, the
national intelligence agencies that monitor those connections, Amazon network
administrators, Microsoft systems administrators, and GitHub systems
administrators.

It's telemetry because it happens whenever you open your editor, and it
includes your IP, which in the hands of some of those recipients (i.e. intel
agencies, your ISP, and Amazon) means your exact physical location (because
you ordered paper towels to your street address using that IP two hours ago).

It can never be _anonymous_ because it has to have a source IP on it, and even
if the TLS connection is zero data, the fact that it has "atom.io" in the SNI
field means that it's a data leak of the "person at 123 main street opened
their text editor (Atom) at 1:23PM", and it leaks that information to _a lot
of people_.

"only checking for updates" is, unfortunately, a form of telemetry, and must
be gated on a user's explicit consent to telemetry, otherwise it (no
hyperbole) sends an activity event that becomes available to thousands of
people against the wishes of the user.

Remember when librarians got all up in arms about warrantless collection of
what books you've taken out of the library? That was per-user. This is bulk
collection, and is way more invasive: it has second-granularity timestamps.

PS: Thank you, Edward Snowden.
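
The SNI leak described in the comment above, as an added example that is not part of the original thread or of the Atom project: the script builds a minimal TLS 1.2 ClientHello carrying a Server Name Indication extension, then parses it the way a passive on-path observer (ISP, upstream carrier, cloud network operator) would. The hostname "atom.io", the source IP, the timestamp and the single cipher suite are constructed for illustration; nothing here needs keys, because the server name is sent before any encryption is negotiated.

```python
"""
Added example (not from the Atom thread or project): construct a TLS 1.2
ClientHello with an SNI extension and recover the hostname from the raw
bytes, as any party between client and server can. All inputs (hostname,
addresses, timestamp, cipher suite) are constructed for illustration.
"""
import os
import struct

TLS_HANDSHAKE = 0x16     # record content type: handshake
CLIENT_HELLO = 0x01      # handshake message type
EXT_SERVER_NAME = 0x0000 # extension type for SNI (RFC 6066)


def build_client_hello(hostname: str) -> bytes:
    """Return one TLS record holding a ClientHello whose only extension is SNI."""
    name = hostname.encode("ascii")
    # ServerNameList entry: name_type 0 (host_name), 2-byte length, name bytes
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni_ext_body)) + sni_ext_body

    body = (
        b"\x03\x03"                             # client_version: TLS 1.2
        + os.urandom(32)                        # 32-byte random
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite (constructed)
        + b"\x01\x00"                           # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record: bytes):
    """Return the SNI hostname in a ClientHello record, or None if not present.

    Every offset below is plaintext; this is exactly what a passive observer
    reads off the wire without touching any key material."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                  # skip version + random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # skip session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                          # skip compression methods
    if len(body) < pos + 2:
        return None                               # ClientHello without extensions
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME and len(edata) >= 5:
            list_len = struct.unpack("!H", edata[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                if ntype == 0:                    # host_name
                    return edata[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
    return None


def observer_view(src_ip: str, timestamp: str, record: bytes) -> dict:
    """The 'activity event' an on-path party gets from one update check."""
    return {"src": src_ip, "time": timestamp, "sni": extract_sni(record)}


if __name__ == "__main__":
    hello = build_client_hello("atom.io")          # constructed, not captured
    print(observer_view("198.51.100.23", "2019-10-04T13:23:00Z", hello))
```

Run it and the printed dictionary is the whole point: a source address, a second-granularity time, and the product's hostname, recovered from bytes that are never encrypted. The caveat a practitioner would add is that this holds for plain TLS 1.2 and 1.3 as deployed; only Encrypted Client Hello (ECH) hides the server name, and it has to be supported by both the client and the server to help.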

~~~
mobjack
Almost any other network request puts you at more risk than this. If that is
your concern, then you are better off turning off your Internet.

If they were really trying to track you, there would also be a unique ID with
the request as that makes it much easier to identify you. IP addresses alone
are not as useful for those purposes.

~~~
sneak
That's fine; however opening my text editor (Atom), or running a static site
generator (Gatsby), or burning an iso file to a USB drive (Etcher) is not a
network request, and should not put me at risk.

------
jmull
It’s a little baffling the Atom team can’t seem to understand this is a bug. I
get that the tone of the report is a little off-putting, but a bug is a bug.
Fix it and move on.

~~~
sneak
They don't want to understand it, because understanding it would mean that a
big chunk of their userbase could download and use the software, see the opt-
out panel, opt out (because really, who wants to be spied on?), _and they
would receive no information whatsoever about it_.

That's what they're trying to avoid. It's not about the user convenience
benefits of autoupdate, it's about their metrics panel and the "success" it
implies going dark/trending down.

~~~
BurnGpuBurn
Which raises the question: Is Atom a true open source project or a Microsoft
business venture masquerading as an open source project?

I've had similar discussions about Mono.

~~~
sneak
You don’t get to gatekeep “open source project” on business venture or not.

If it has a free software license and the code is provided, it is a true open
source project.

Simply being an “open source project”, however, unfortunately, does not mean
that the maintainers are going to act ethically or not produce software that
abuses people’s human rights.

------
robomartin
What a number of comments in this thread miss is that in certain business
environments you cannot use software that calls home, regardless of the
reasons for the call.

Before someone says "it's open source, you can modify it", please understand
that very few users of FOSS have the time and necessary knowledge to audit
every single piece of code they install on their machines for compliance with
company security and privacy requirements.

It is my personal belief that the correct stance in these cases is one that
places privacy and security at the top of the stack. In other words, nothing
calls home unless the user enables it. You are not entitled to initiate any
such communications without user approval just because you wrote software
people decide to use. That's intrusive and entitled. It's wrong. Disclose it
and obtain their permission, and then it's OK.

Atom is cool, I like it.

~~~
kelnos
In those restrictive business environments, the IT admins have a couple of
options: they can whitelist outgoing connections they've allowed and block
everything else, and they can disallow users from installing anything but
approved apps.

A business that says "you can't use software that calls home" is going to
completely fail at enforcing that unless they implement technical restrictions
that preclude it from happening in the first place.

------
nielsbot
I don't see why they can't just show an "Allow Atom to check for updates?" on
startup, just like so many other apps I've used.

------
owaislone
Somewhat unrelated but why does Atom even exist anymore? MS should just fold
the Atom team into VSCode and go full in on VSCode. From Microsoft's
perspective, I don't see any reason for Atom to exist. It's not like Chromium
vs Chrome where Google wants to ship an open-source project with some
important proprietary bits and pieces.

~~~
kiaulen
Why does vim exist anymore? Neovim exists and has more and newer features. We
should just get rid of vim, and have Bram focus all his efforts on nvim
instead.

Some of us don't like VS Code (for lots of reasons) but do like Atom. From
Microsoft's perspective, they just bought a golden goose (GitHub) that can
bring them a lot of developer goodwill. If they kill off that golden goose,
they lose all the goodwill they just bought. Atom is a part of what GitHub
stands for. It's a hackable editor for the 21st century. And when you're one
of the richest companies on earth, you can afford to pay a few developers'
salaries for a lot of goodwill.

------
fortran77
I don't understand why Microsoft / Github doesn't get rid of Atom. It serves
no purpose with Visual Studio Code around.

~~~
jonny383
https://thenextweb.com/dd/2018/06/08/githubs-new-ceo-promises-to-save-atom-post-microsoft-acquisition/

~~~
ansonhoyt
I'm still nervous that Atom fades away, despite the promises and good
intentions of continuing to develop it. I'm nervous because...

Commits have dropped since mid-year:
https://github.com/atom/atom/graphs/commit-activity

No blog posts since mid-year: [https://blog.atom.io/](https://blog.atom.io/)

I love Atom, so am hoping it gets rolling again soon.

~~~
kiaulen
From the community manager, on the atom slack:

> Lee Dohm: @aviatesk This is a temporary status. Atom’s pace of development
> has always fluctuated over time as developers join and leave the project,
> take parental leave, have vacations, etc.

Reference:
https://atomio.slack.com/archives/C044E54H0/p1570033670104600

------
tschellenbach
If you feel strongly about a feature request on an open source project.... you
know maybe actually do the work and not just whine about it? This is why people
stop doing open source, these types of people with their weird feeling of
entitlement reporting issues.

~~~
dane-pgp
Please excuse the format of this reply, but this analogy is the best way I can
think of to offer a different perspective to the one you are expressing:

"If you feel strongly about human rights violations in a democratic
country.... you know maybe actually run for elected office and not just whine
about it? This is why people stop becoming political candidates, these types of
people with their weird feeling of entitlement exercising their right to free
speech."

To be clear, my point isn't that we should solve all data collection problems
with legislation (although that might be beneficial in some cases) or that
automatically checking for software updates is necessarily a human rights
violation. My point is that it's unreasonable to expect everyone who cares
about any feature request to write software to satisfy their needs, especially
if the upstream developers would refuse their patches. It's even more
unreasonable to demand that people who care about certain issues never try to
raise awareness of those issues with other people who might be affected or
might be able to do something about the problem.

~~~
sneak
Remember also that I'm asking for tracking code to be _removed_ , not added.

------
m3kw9
Could be some 3rd party libs doing that behind its back

------
jve
Can autoupdate be considered as telemetry?

Secondly. Atom download page ([https://atom.io/](https://atom.io/)) contains
text (well, someone may not even notice it, that's another issue):

> By downloading, you agree to the Terms and Conditions.

It says:

> Auto-Update Services
>
> The Software may include an auto-update service ("Service"). If you choose
> to use the Service or you download Software that automatically enables the
> Service, GitHub will automatically update the Software when a new version is
> available

Moreover:

> Privacy
>
> The Software may collect personal information. You may control what
> information the Software collects in the settings panel. If the Software
> does collect personal information on GitHub's behalf, GitHub will process
> that information in accordance with the GitHub Privacy Statement.

People don't read the TOS and complain.

~~~
chownie
I'm not sure it's reasonable to expect users to read the ToS to find out
whether their text editor will phone home. This also doesn't excuse the editor
sending analytics for users who opt out of analytics.

~~~
jve
This is EXACTLY what I expect to find out in TOS. Along with how they use and
with whom they share the data (privacy policy).

TOS actually is stronger than preferences. If TOS doesn't state that I can opt
out, I don't expect that I'm opted out of everything, even when I set such
preferences in software. And that they can introduce some phoning home at
will, as long as they comply with their TOS.

~~~
chownie
That answers a different question, whether you expect that content to be in
the ToS or not isn't relevant. I asked whether it's reasonable to expect users
to search the ToS to understand the behaviour of their editor.

I don't think it is reasonable, the language complexity expressed in a ToS is
vastly different to anything written that's really intended for users to read.
People with chronic illnesses experience brain fog and may not find it easy to
read a document like a ToS, the elderly, young and those who use english as a
second language are also more likely to have issues parsing one.

Even despite that point the software is currently in violation of its own
terms of service. If it sends telemetry before you can open the settings panel
then clearly you cannot "control what information the Software collects in the
settings panel", as the preceding telemetry message can't be prevented.

------
damm
Atom messes up my graphics driver on Linux; so it isn't installed any more.

Example: When I launch Atom, everything else in KDE disappears. I can't see any
other apps until I tab over to them. Moving the window in focus fixes it so
the screen is back to normal until I launch a new application.

Quitting X and restarting it is the only thing that fixes it.

I liked Atom but, like TextMate, it got forgotten and it will get harder to use
over time.

~~~
SahAssar
That sounds like a bug in either XWayland/X or chromium rather than atom
directly. Does the same happen with other electron/chromium apps?

