

Ask HN: My app is being bullied on Google webstore, What to do? - sanchitml

My latest free webstore app (link given below) is being attacked by a group of cyber bullies for the past 2 days. Here are the details:

Day 0:
- I had almost 100 reviews on my app. Most of them were 5/5. And chrome webstore was showing full five stars for this app.

Day 1:
- A guy (with empty profile) posted a 1/5 rating, claiming that my app is not safe to use. And interestingly only the same day, I got more than 20 new 1-out-of-5 ratings, and none of them had any text reviews. Generally I rarely get less than 5/5 rating, you can check from the below link.

Day 2:
At Day 1's end, I posted a reply on the guy's review that my app is safe, and you can contact me on the given ID. Next day I woke up and saw, his 1/5 review starting with "Avoid this app" is on the top, and my reply was completely removed. Which can only happen when a lot of people click on mark-as-spam.

So, I need help from you guys. I do not have any contact at Google, and even if there was not sure how much they can help. Any suggestions what should I do next?

Note: We can discuss this later/separately, but my app is 100% safe and I am an ethical developer.

https://chrome.google.com/webstore/detail/sticky-notes-just-popped/plpdjbappofmfbgdmhoaabefbobddchk/
======
arihant
"Inspectlet records videos of your visitors as they use your site, allowing
you to see everything they do. See every mouse movement, scroll, click, and
keypress on your site. You never need to wonder how visitors are using your
site again."

Why would you use a service like this in your extension? Sounds like a dumb
idea to me! They are privacy intrusive and say that proudly on their main
page, so you were not tricked into using a malicious tracking service, you
diligently chose it - the bad reviews are justified.

------
scrollaway
The reviews on there look fine to me. The one guy is being a bit paranoid and
dickish but you can never please everyone.

Sure, you got a few bad reviews out of it, but unless it continues for several
days I wouldn't worry too much about it. FWIW I haven't looked at the app or
its source code but I wouldn't call this "cyber bullying".

Have you considered releasing the source code on github and linking to it so
people can easily take a look and see for themselves?

~~~
themartorana
It's true. I own a company that makes casual games. We had people yelling so
loudly that the game cheated and dealing hands wasn't random that we actually
posted the source code. It doesn't mean anything - loud people more often want
to hear their own loudness than anything.

We have millions of players, but the most vocally aggressively negative -
those that just bash us as a company and as liars non-stop have been playing
our games for years. YEARS.

You will never get away from trolls in any industry that has public reviews.
Ask any restaurateur on Yelp, anyone with an app on any App Store, etc. It's
absurd but just part of the deal at this point in time.

~~~
ankitml
What strikes me most is that the highly vocal, polarizing negative reviewers
are mostly filled with false information.

------
mattkrea
Did you remove the analytics piece the review seems to be complaining about?
If so I can imagine that someone might be upset that they couldn't disable it.

~~~
sanchitml
Yes, removed it ages ago. Was trying this new analytics startup, never worked
out though.

~~~
tokenizerrr
I just installed your extension and looked at the source. The Google
tracking/analytics code appears to still be there at least, both in popup.js
(referenced by popup.html) and in jquery.js (which is apparently more than
just jquery?). At least it seems that all you're tracking is behavioral info,
but still it seems a bit much. Especially for an extension that calls itself
private and secure.

~~~
sanchitml
How should I mention that private & secure is about the 'note data', not how
much time menu item was opened.

Also I enquired about the privacy issue in Google Analytics, the only thing I got
was: "Google tracks that visit via the user's IP address in order to
determine the user's approximate geographic location."

What I am using is custom events. Let's say I do not use Google-Analytics but my own
server which just records custom events (anonymized IP addresses), then the app
will be considered private and secure.

Read Privacy Issue section on
[http://en.wikipedia.org/wiki/Google_Analytics#Privacy_issues](http://en.wikipedia.org/wiki/Google_Analytics#Privacy_issues).

What I feel from all these is - it is justified to call the app secure as it's
about the user data, not anonymized behaviour analysis. That is only for app
improvement, and independent of a particular person (i.e. privacy).

~~~
eps
> _Lets say I do not use Google-Analytics but my own server who just record
> custom events (anonymized IP Addresses) then the app will be considered
> private and secure._

Hahaha... No, of course it will not be. No app with phone-home analytics is
private.

~~~
ankitml
An app promising to keep your notes and note data private doesn't necessarily
need to avoid analytics. Analytics and aggregate user data can't be avoided if
a developer wants to improve user experience. Keeping users and their
experience at the center isn't a bad thing. Your note data isn't logged to any
servers in this app.

~~~
tokenizerrr
I would not consider it private, at all, though. It's not privacy if every
click you make is being monitored and analyzed.

~~~
sanchitml
Gathering aggregated and anonymized 'does not' hamper privacy.

If we look at any authentic reference (Ex:
[http://en.wikipedia.org/wiki/Google_Analytics#Privacy_issues](http://en.wikipedia.org/wiki/Google_Analytics#Privacy_issues))
we will find only when an app associates behaviour-analytics with attributes
such as IP Addresses and Geolocation data, it may debate privacy issues,
otherwise not.

If you see the word 'privacy', it only activates when an individual is being
talked about. There are no specific users on this app, no email id, no unique
id. All requests are considered similar irrespective of origin.

~~~
tokenizerrr
Look, you're welcome to think what you think, but I've read the source code of
your app and I am not comfortable using it, so I won't. Furthermore Google
Analytics has access to the user's IP address, and even though it may not
display it to you, Google still gets that information.

As for your claim of "no unique id", this is simply false. Google Analytics
keeps track of a unique id for each user, they can tell you the count of
unique visitors after all.

When you're boasting about privacy, do not track your users. What else are you
meaning to imply with "privacy"? That the notes are not being sent to your
server? Well, I goddamn hope so. Is there anything that makes your app more
private than any other?

------
gergles
A note of "trust me, I promise this is legit" is exactly what I would expect
from a piece of malware. You need to directly address the allegations of using
a keylogger/screenlogger somewhere to counter the negative review, not just
say "No, I promise this is clean".

Just my 2c.

~~~
sanchitml
I mentioned my email-id there, to contact and discuss their concerns with me.
If someone still feels unsatisfied, he is allowed to post a negative review.
But bringing 25+ 1/5 ratings with him on the same day, getting my replies
group-downvoted is not a solution.

If the developer is not meant to be trusted, then what is a good solution to
this problem? Not everyone would want to open-source their app/game.

~~~
tokenizerrr
Your app is already "open source", I can download the crx and look at all the
source code, but not a lot of people do this. If you want to seem trustworthy
then put it on github with a restrictive license if you feel so inclined.

~~~
ankitml
Yep, source code of all chrome apps is available to everyone yet I won't call it
open source. Open source is a step more from source code being available. I
second the decision for choosing a restrictive license and putting the code
over github.

~~~
tokenizerrr
Yeah, I know it's not technically called open source, but I mean that the
source is available and readable. Hence the quotes. :)

------
samsheen
I just noticed that the said "bully" has stated in his comments that you had
integrated inspectlet.com. I checked it out and it looks like a screen
recording service. If this is truly the case, then I think he may be correct
as interpreting this as a violation of privacy.

I think the best course of action would be to do the following

1\. Put up code on github as others have suggested, thereby reassuring
existing users

2\. Publicly state in a reply to the comment that you had indeed integrated
the screen recording service to help you understand user behavior, so that you
could make a better app.

3\. Put a disclaimer on the details page for Google Analytics with a link to
opt out.

~~~
sanchitml
"Bully" is not for that comment or his words (Ofcourse he should have
contacted me first) but for the following: (copied from below comments)

1). more than 20 1-ratings (You cannot see these 20-25 negative ratings as
there were no text reviews written with it.)

2). mass complaints sent to Google that day.

3). And my app rating came down from 5 to 4, that's a huge setback on the
competitive end. (Lost the app's repo which took a year to build)

4). Few false reviews which have been cross-upvoted so all new users see them
on top. And my reply down-voted by the same group that it was removed
completely by Chrome.

And there has never been such thing as Inspectlet in the app, and also the
person who commented this is not communicating with me, so I would let this
one go. And thus no need for that statement. Will make the app opensource, so
this will never be an issue in the future, "hopefully".

~~~
hamster_nipples
> _And there has never been such thing as Inspectlet in the app_

Looks like you forgot to delete the HTML comment tag, "<!-- Begin Inspectlet
Embed Code -->", from the bottom of popup.html. You may want to do it asap
before he "lies" about that too ;)

> _Will make the app opensource, so this will never be an issue in the future,
> "hopefully"._

You already made it open-source
([https://github.com/Epinx/Sticky-Notes](https://github.com/Epinx/Sticky-Notes)), but then uploaded a separate
malicious version to the chrome web store. Open-sourcing it would only give
users the impression that it's safe, while giving you a chance to twist and
slither away like you just did.

------
hamster_nipples
I am the guy who made the original claim. You integrated the Inspectlet screen
recorder and keylogger into your extension. Enough said.

The popup's textarea className had a hyphen, which caused inspectlet to
include this in the data to upstream. This was done deliberately; if you were
watching users on your end, you would have noticed and corrected this.
Instead, you allowed this to go on for months.

You were also doing this in your $7.99 "pro" version, which was mysteriously
unpublished days later... Here's a suggestion: why don't you unpublish this
one too and get off the webstore.

------
okbake
Does putting an analytics piece inside of a Chrome extension allow the creator
to see which website a user is currently viewing when using the extension? Or
are the analytics limited to the extension itself? For example, a simple
extension that makes the background-color of the current page red, if there
are analytics on that extension could the developer potentially know which site
the user is on?

~~~
sanchitml
Simple anonymized analytics, like clicking of a button. Basically the
analytics without which nowadays apps/websites are considered incomplete.

Chrome doesn't allow extensions to get that data unless the extension asks for
daring permissions like "Access your data on all websites".

Currently the app asks for no such permission. There were some features I
planned to integrate like user right-click a text and click on 'send to Sticky
note', but now terrified whether to even ask for such permissions.
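
Added example, not part of the thread or of the extension's own code: a static check of an unpacked extension covering the two questions raised above, namely whether the manifest requests access to all websites and which files mention an analytics service. The file contents, the function name `auditExtension` and the marker list are constructed for illustration.

```javascript
// Added example: static audit of an unpacked extension (constructed inputs).
// Match patterns that let an extension read pages on every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
// Illustrative markers for the two services named in the thread.
const TRACKER_MARKERS = ["google-analytics.com", "inspectlet"];

function auditExtension(files) {
  const manifest = JSON.parse(files["manifest.json"]);
  // Host access can be declared in three places: MV2 permissions,
  // MV3 host_permissions, and content script match lists.
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const broadHostAccess = [...new Set(declared.filter((p) => BROAD_HOSTS.has(p)))];

  // Report every file and line that mentions a marker, comments included,
  // since a leftover embed comment is itself evidence of past integration.
  const trackerHits = [];
  for (const [name, text] of Object.entries(files)) {
    if (name === "manifest.json") continue;
    text.split("\n").forEach((line, i) => {
      for (const marker of TRACKER_MARKERS) {
        if (line.toLowerCase().includes(marker)) {
          trackerHits.push({ file: name, line: i + 1, marker });
        }
      }
    });
  }
  return { broadHostAccess, trackerHits };
}

// Constructed sample, not the real extension's files.
const SAMPLE = {
  "manifest.json": JSON.stringify({
    manifest_version: 2,
    name: "sample-notes",
    permissions: ["storage"],
    browser_action: { default_popup: "popup.html" },
  }),
  "popup.html": '<textarea class="note-body"></textarea>\n<!-- Begin Inspectlet Embed Code -->\n<script src="popup.js"></script>',
  "popup.js": "var _gaq = _gaq || [];\nvar src = 'https://ssl.google-analytics.com/ga.js';",
  "jquery.js": "/* library code */",
};

console.log(JSON.stringify(auditExtension(SAMPLE), null, 2));
```

An empty `broadHostAccess` only says the extension cannot read other sites' pages; scripts loaded inside its own popup still see everything typed there, which is why the file scan is reported separately.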

------
virde
Don't really know why it's being targeted. I see a key logger comment, any
extensions being used that might be suspect? And something on analytics, which
I see you say has been removed. Anyway it's hard to stop a chain of bad
targeted comments, but it shouldn't really affect until it continues to happen
for a few days. Trolls will be trolls

------
lowlevel
There are going to be a few dicks at every party. You can't really avoid that
out here...

------
xdfsx
Yeah, he had a keylogger before.

~~~
ankitml
Perhaps, you need to distinguish between aggregate analytics and keylogging.

~~~
arihant
The tool he was using is not only a keylogger but is capable of recording
videos of users while using his app. We know how to distinguish, he was using
a keylogger and video recorder.

~~~
sanchitml
The whole point of me posting this on HackerNews was 'The Guy on webstore is
lying'.

Which part do you not understand when I say I NEVER used any keylogger. This
is the only reason I didn't comment on any of your comments. Please edit or
remove them.

~~~
hamster_nipples
> _The whole point of me posting this on HackerNews was 'The Guy on webstore
> is lying'._

I'm that guy. No, I am not lying. I have the original version (prior to Aug 27
update) that recorded keystrokes.

After reading your comments on this thread, it seems to me that you're in a
panic and desperately trying to dispel the whole thing. My only regret is that
I didn't get to warn people earlier.

------
kurz
sdfs

