#1312 Privacy issue with "call home" feature

closed-rejected
Editor (491)
5
2013-04-07
2011-04-12
No

The plugin sends messages on plugin loading and opening of the editor to https://ping.aptana.com/ping.php. Some users may not mind the "usage tracking" done this way, Others do dislike this built-in "call home" feature for privacy reasons. The transmitted data might not be that sensitive but tracking users identified by a unique id and their ip address without asking for permission is a questionable (and illegal?) feature in my opinion.

The attached patch (against version 1.6.3) disables the network transmission completely. If the feature is desired by others a configuration option could be the compromise to take (off by default hopefully).

Discussion

  • Harri Porten

    Harri Porten - 2011-04-12

    Disable ping

     
  • Fabio Zadrozny

    Fabio Zadrozny - 2011-04-12

    Hi there,

    Thank you for the patch, but unfortunately this 'fix' won't be included.

    The ping is completely anonymous, and it's not tied back to a user (and it's only used to collect data on the software popularity).

    I also I don't think it's illegal either (if it was, all homepages you visit would be illegal, but IANAL, so, I'll ask one to be sure about it).

    Anyways, the code is there, so, you're free to patch your own version... (but just wanted to reassure you that the data collected is purely used to know about the software popularity/use and in no way breaches the privacy of any user -- and you can take a look at the source to confirm that only the usage data is collected).

     
  • Fabio Zadrozny

    Fabio Zadrozny - 2011-04-12
    • status: open --> closed-rejected
     
  • Harri Porten

    Harri Porten - 2011-04-13

    Hello Fabio. Thanks for your reply.

    Would you accept a patch that adds a clean function that allows a programmer using PyDev to disable this feature? We would be happy to prepare such a function.

    On the issue of legality: I'm not a lawyer either. There's nothing wrong with the statistics you want to collect. But keep in mind that most countries still reserve some rights to the person's whose data is being collected. Among these rights are typically a) a notification of the data collection and b) asking for consent. Search the Net for e.g. the European Union's "Data Protection Directive". One might argue that the collected information is not really personal data but there enough published recommendations and also court rulings that consider even plain ip addresses as personal data. In the case of the PyDev logging there is even the user-specific UUID involved.

    Even in case of an anti-piracy feature like "Windows Genuine Advantage (WGA)" Microsoft realized that its "call home" feature was problematic and started to inform the user about it when accepting the EULA.

     
  • Thomas Johnsson

    Thomas Johnsson - 2012-01-10

    Hello Fabio,

    I'd like to support hporten in this request for a way to turn off the 'ping home' feature.

    First let me say that I fully understand your desire to keep track of the usage of the versions of Pydev , and
    that it is in the interest of all Pydev users in the long run.

    However:

    For our customers we package Pydev, together with our domain specific language and plugins, for customizations of our planning software.
    Most likely, security-aware customers sit behind a firewall, or are even cut off completely from internet.
    In these cases, usage information (probably) does not reach aptana.com already now (depending on what the firewall does with https://aptana.com\).

    But just trying so may very well be reason enough to raise security concerns.

    My suggestion is the following:
    1.
    Turn off the pinging with a java system property when starting eclipse:
    eclipse ..... -Dorg.python.pydev.nopinghome .....

    2.
    in LogPingSender.sendPing, and/or whereever appropriate, use the property:

    if(System.getProperty("org.python.pydev.nopinghome") != null)
    // don't ping home
    else
    // ping home as before.

    I would say that most Eclipse+Pydev users are not likely to go to the trouble of searching the Pydev source code and then do the actual disabling,
    only the ones that are really concerned by it.

    Cheers,
    -- Thomas Johnsson
    Jeppesen Systems, Göteborg, Sweden

     
  • Martin Oberhuber

    The "call home ping" was removed for pydev-2.7.2 as per the release notes, git commit:
    https://github.com/aptana/Pydev/commit/aa87f2ed50f33ad35a1c6fd6060f4d2d1b5fd114

    So this ticket should now be marked "closed in 2.7.2" rather than rejected ?

    Note that I've been convinced that "calling home" without giving the user an option to opt-out is in fact illegal in Germany at least. That's why Eclipse UDC, JBosstools and Subclipse all show a dialog that allows to opt-out from the usage data collector.

     
  • Fabio Zadrozny

    Fabio Zadrozny - 2013-04-07

    Hi Martin,

    Well... it's closed in the PyDev fork I'm working on and made available in pydev.org, but Aptana Studio itself has a different version of PyDev that still has that feature (to be clear, while Appcelerator was backing PyDev, it wasn't really my call to keep that or not ...)

    So, now that I'm developing PyDev myself (or at least plan to be able to do it if the funding at http://igg.me/at/liclipse/ is backed up) I didn't see a reason to keep that on (just as a note, right now, it's already at 59% -- or just a gold sponsor away from being backed :) so, I think there are pretty good chances it'll work out).

    Anyways, the sf tracker is no longer monitored (I'm putting a different tracker which supports voting for issues if the funding goes through, but it's still not up).

    Just as a note, I'm also not really using the Appcelerator tracker anymore either, so, until I put up the tracker, please buffer issues until it's live :)

    Cheers,

    Fabio

    p.s.: this comment should make it clear for anyone with a doubt regarding the subject, as, I'm not really changing the status of the ticket.

     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks