Comment by RubenSandwich
8 years ago
Look at this clear dark pattern: https://outline-prod.imgix.net/20170721-QVaxMDgDwdZ1TBufCdq4.... (Image taken from the article.) Want to use our service? Then it only lists positives. Or these other services? Then it only lists negatives.
If you're reading this, Kite: I now have a negative view of your product. We cannot allow corporations to take over open source tools. Donating is perfectly fine and encouraged, but the above example is a downright takeover. If you want another tool then create one, don't take over an existing one and use the community's trust in that tool to promote your product.
I fell for this. I enabled it because I was curious about trying new development tools, only to find out later it uploaded all of the source code on my computer to their service. What the hell.
It took me months to get through to a human to get them to delete my code, including two emails to the CEO.
I like the idea, but there is no way I would use it after this experience.
WTF, this could get people fired. Many companies do not discriminate whether an employee has uploaded code to a third party server intentionally or not. If corporate software monitors catch this happening, it's a pink slip in many places. I just can't believe anyone would play with developers this way. What a cruel company.
> WTF, this could get people fired. Many companies do not discriminate whether an employee has uploaded code to a third party server intentionally or not.
That is why developers should be very careful what applications they install on the corporate computer and what cloud services they use.
It could also get Kite sued.
> it uploaded all of the source code on my computer to their service.
That sounds crazy, so I reviewed their privacy policy[0]. It looks like Kite now requires users to whitelist the directories it indexes and automatically purges files you remove from the local index.
The Privacy Policy says that:
> When you use our services, we may collect [...] Any source code files on your computer's hard drive that you have explicitly allowed our services to access. To learn how to control access to your source code files, please visit our FAQ.
The FAQ[1] says
> Kite only uploads files that:
> 1. Have a .py file extension,
> 2. Are children of a whitelisted directory,
> 3. And are not ignored by a .kiteignore file.
That doesn't seem like "any source code file on your computer" to me - unless it whitelists root by default, which would be a hella dark pattern.
Also, removing a file from the local index should remove it from the server as well [2]
[0] https://kite.com/privacy
[1] http://help.kite.com/category/30-security-privacy
[2] http://help.kite.com/article/10-how-do-i-delete-files-from-k...
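A way to audit which files the three FAQ rules quoted above would select before you whitelist a directory, as an added example that is not from Kite or the original post. It assumes a gitignore-like .kiteignore syntax (an assumption; the FAQ does not specify the format) and runs over a constructed file list rather than a real disk.

```python
"""Audit which files Kite's three stated upload rules would select (added example)."""
from fnmatch import fnmatch
from pathlib import PurePosixPath


def parse_kiteignore(text):
    """Return ignore patterns, skipping blank lines and '#' comments.
    The .kiteignore syntax is assumed to be gitignore-like (assumption)."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append(line)
    return patterns


def is_ignored(rel_path, patterns):
    """A pattern matches the whole whitelist-relative path or any one component."""
    p = PurePosixPath(rel_path)
    for pat in patterns:
        pat = pat.rstrip("/")  # 'secrets/' and 'secrets' are treated alike
        if fnmatch(str(p), pat) or any(fnmatch(part, pat) for part in p.parts):
            return True
    return False


def would_upload(path, whitelist, patterns):
    """Apply the three FAQ rules to one absolute path."""
    p = PurePosixPath(path)
    if p.suffix != ".py":
        return False  # rule 1: only .py files
    root = next((r for r in map(PurePosixPath, whitelist) if r in p.parents), None)
    if root is None:
        return False  # rule 2: must be under a whitelisted directory
    return not is_ignored(str(p.relative_to(root)), patterns)  # rule 3


def audit(paths, whitelist, kiteignore_text):
    """Sorted list of paths that would leave the machine under the given settings."""
    patterns = parse_kiteignore(kiteignore_text)
    return sorted(p for p in paths if would_upload(p, whitelist, patterns))


# Constructed sample: a whole home directory whitelisted, as in the founder's screenshot
SAMPLE_FILES = [
    "/Users/ben/work/client/app.py",
    "/Users/ben/work/client/secrets/config.py",
    "/Users/ben/work/client/README.md",
    "/Users/ben/.venv/lib/site.py",
    "/opt/other/tool.py",
]
SAMPLE_KITEIGNORE = "# constructed example\nsecrets/\n.venv\n"

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES, ["/Users/ben"], SAMPLE_KITEIGNORE):
        print("would be uploaded:", f)
    for f in audit(SAMPLE_FILES, ["/Users/ben"], ""):
        print("uploaded with no .kiteignore:", f)
```

The second loop shows the default-whitelist case the thread worries about: with no .kiteignore, every .py file under the home directory qualifies, including anything under a secrets folder or a virtualenv.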
It sounds like they changed something after I signed up. I am not super paranoid, but I am pretty savvy about privacy and keeping my data safe. There is no way in hell I would have agreed to upload all of my data to their service.
I was actually questioning myself when I realised what had happened -- I thought, "perhaps I just messed up". But after I saw this story about their other dark patterns, I'm convinced they just deceived me.
If you look at the screenshot posted by one of their founders, it lists the user directory as the default whitelist: https://user-images.githubusercontent.com/87728/28395021-e04... and it isn't clear about uploading everything from there.
> Also, removing a file from the local index should remove it from the server as well [2]
Maybe you are thinking only for yourself. What about the majority of the users of minimap/(other hacked plugins) who don't know this is going on, and are not aware that some files need to be deleted from someone else's server?
PS: I know "hacked" is not the proper term here, but you get the idea.
Not sure when you're seeing the privacy policy change was made but as an early user of the Kite desktop tool, directory whitelisting has been in place for a year or more.
If you want to see if they have any of your data, check: https://kite.com/settings/files
I have zero faith this page actually works though. A few months ago I deleted all of my data and I checked back today and it has reappeared. (I uninstalled the client and deleted my login token back then too, so as far as I can see it's their issue.)
I have sent them a stern email to delete my data. If you want your data deleted too, I would recommend doing the same rather than trusting their web interface. None of the emails on their website seem to work, though. Emailing the CEO does work eventually, but I don't want to start a witch hunt. My email is in my profile if you want his email.
WTF are those guys doing? Uploading source code without consent feels criminal; source code with app configs/secrets has ultra sensitive information.
Does anybody have a list of infected packages so others can quickly remove them with `apm uninstall ...`?
Well technically you did consent by clicking "Enable Kite". I'm not familiar with Kite but the linked image has a line that says, "Click here to learn more.". I'd wager that it eventually links to a page that explains that all your source will be uploaded to their servers.
Now that doesn't make it any less shady though...
It does not just feel criminal, it probably is. On top of that it might make you liable for reproducing some company code without permission. Very very bad idea.
I've almost been bitten by them in the same way. I vaguely remember that it was through HN that I found out about Kite and installed their plugin(s). It definitely felt 'dirty'.
>only to find out later it uploaded all of the source code on my computer
It didn't ask? Sounds like malware, and meets the definition of theft. Inviting someone into your house does not give them permission to steal things in your home, and leave with them.
Kite has been mentioned a few times on HN, latest here: https://news.ycombinator.com/item?id=13977982
It clearly states in the diagram that the code you run Kite on will be analyzed in the cloud. If it truly uploaded "all of the source code on [your] computer" then obviously that is radically different but from my experience with the product, it did not upload my code besides what was directly related to what I was working on and understood would be analyzed in the cloud, just like Code Climate or any other code analysis service.
That could be enough to get you fired and/or sued depending on the status of the code on your computer.
That is theft of the highest order!!!
It's not theft, neither sorted nor random.
I would not forget to mention the owners of these projects who handed the projects over to Kite. I think they are in the wrong as much as Kite.
Iff they had foreknowledge that the changes were going to happen, which is unlikely. I'd be surprised if Kite bought/acquihired/etc the product by disclosing a list of shady changes beforehand.
The minimap author, committing those changes after being hired by them, labelled them "Implement Kite Promotion".
Beautiful use of "iff" in a sentence! ("iff" = "if and only if" for those wondering).
Contrarily, I would be surprised if the devs sold their code without asking, “why do you want it?”
Isn't that a bit too witch-huntery? It is Kite who is actively doing the shady stuff.
One of the owners was hired by Kite half a year ago.
In a security-sensitive corporate setting it is already harmful if anything gets uploaded to some cloud service - if this occurs, the damage already happens and anything that follows is "just" damage containment.
I believe about every company that develops software has some clauses about what software is allowed to be installed on the corporate computers and who has to initial any request to install a new program on the computer.
It's interesting watching HN get indignant when a company treats them the same way their idol companies treat everyone else. A lot of grab all data, track everything, and hide the creepiness in fine print type companies.
A system of permissions for plugins would be welcome in my mind for Atom, similar to browser plugins or mobile apps. Then a new "feature" would require the "transmit your code to a third party" permission.
How would you enforce that?
Please share the link for writing the negative review. It will make it easier for others as well to leave one.
> We cannot allow corporations to take over open source tools.
I don’t know how much I agree with that statement in general. There are several major open source projects with corporate “control” – Mozilla, Google and Apple control/heavily influence Firefox, Angular and Swift respectively and there are probably a dozen others. The idea that corporations are “bad” is a tired trope. Some corporations are bad, some are good, some are in the middle.
But I agree with your actual sentiment though – corporate involvement in open source should be as benevolent as possible.
"Some corporations are bad, some are good, some are in the middle."
I don't think we need to bring morality to the discussion and complicate the issue.
Corporations are organized around profit, open-source is not. With only that in mind you can predict what will happen in most of the cases.
To put Mozilla, a non-profit, in this context, in the same set as Google and Apple is not fair, by the way.
"Corporations are organized around profit, open-source is not. With only that in mind you can predict what will happen in most of the cases. "
All three of these statements seem like nonsense.
First, "Corporations are organized around profit". No, they are legal entities, organized around articles of incorporation. These have a purpose statement. Often, those purpose statements are directed toward lawful business goals. But you do not have to be.
Non-profit vs profit corporations can, quite literally, have the same set of purposes. The only difference between the two is what you can do with profits.
"open-source is not".
I'm not even sure what you are trying to say here. Very large amounts of popular open source are, in fact, produced by for-profit companies, and have been since the beginning of open-source. The term was even created by a group of people at a for-profit company. So ....
"With only that in mind you can predict what will happen in most of the cases."
No, you can let whatever biases you seem to have stoke your imagination and prognosticate. You can't actually predict what will happen. There are plenty of happy, well functioning for-profit companies in open source that have been helping open source for many many many years. There are also plenty of non-profits that have harmed open source greatly.
It takes a lot of blindness to see this stuff as simply black and white.
So let's discuss your argument by taking Red Hat. For-profit, pure open source company. Founded 1993. Are we (I work at Red Hat) behaving badly?
Corporations are just legal structures.
For instance, you call Mozilla a non-profit. But it is a non-profit corporation, a legal entity that has organized itself in a certain way and applied for special tax treatment.
> With only that in mind you can predict what will happen in most of the cases.
With just this information and no other, I think I'd predict corporations to make better software than open source. I take it that's not what you had in mind.
(This is for similar reasons that I expect for-profit companies to provide better service than government-run ones. I don't particularly want to get into a debate right now about whether that actually happens, just trying to explain my intuitions.)
Mozilla made Firefox. Google made Angular. Apple made Swift. That's not "taking over". While I am not a fan of this phenomenon either, that has nothing to do with the current situation. They simply built something and open sourced it, nothing was "taken over".
I'm going to take a contrarian stance on this one: I believe there is no story here — adding an ad for an opt-in cloud-based tool to dev tools is not spyware. It's opt-in! It's clearly stated. Would people raise a fuss to find out their CI service like CircleCI or linter service like Code Climate had access to their code (it's sufficiently obvious)? I don't really see why this tool is any different other than they are one of the first to make a code analysis service that runs in realtime.
I beta tested the Kite product when it first launched maybe two years ago. I don't use it today but I would try it again. Since then they've only tightened down on permissions and made things clearer.
Kite was also not the first to run ads in an IDE plugin (Wes Bos has sponsored several), at least not in Sublime. Personally it's not my preference to have ads either but ultimately this is up to the maintainer of each repo. The tool is still free to use. It clearly states that using the cloud engine will upload your code to do analysis in the cloud. It's 2-3 sentences, not like it's buried in some long EULA.
Shame on the article for labeling inserting an ad as "taking over" and labeling an ad as "spyware"… pure clickbait targeting non-devs.
The new Kite engine also clearly states it is a cloud-based service and they build integrations for their service. The whole industry works the same way. You don't have to use their engine to use autocomplete-python, and it's opt-in too.
It is opt out. You can read the comments from the Kite developer yourself.
https://github.com/atom-minimap/minimap/issues/588#issuecomm...
Your comments are such a poor defense of a dubious feature I wonder if you have a connection to Kite.
It appears you have misunderstood my argument. The atom-minimap extension you linked is not the autocomplete-python extension discussed in the parent thread. I have not used the atom-minimap extension and didn't make any comments on it — I use Sublime. My comments are about the autocomplete-python extension.
I think you're overlooking the diagram linked above which shows enabling the Kite engine is an opt-in button click. The CEO also states that it is opt-in in the article: "Most users who install autocomplete-python close the engine selection prompt, which results in not getting Kite or its benefits," [the CEO] said in an email.
https://outline-prod.imgix.net/20170721-QVaxMDgDwdZ1TBufCdq4...
As I stated above, I beta tested the Kite product early on and have used it in Sublime through a similar add-on. I am not a current customer / user, but I do make my own dev tools. It was always completely transparent to me that they are sending code to their server to run a cloud analysis platform. Based on that, I still maintain that the community is massively overreacting to something that was made explicit upfront.
Well, who benefits from having the ads there? Wouldn't it be better for most users without the ads? What value is Kite adding?
It's a slippery slope, similar to the controversies over using BitKeeper for the Linux kernel or adding DRM to HTML5 (both justified, I think). The openness in open source needs to be defended.
While I would not argue anything about ads directly, I think that all users benefit from having additional options in the plugin, and if the ad is relevant to a portion of users and leads to some users discovering an additional dev tool for their workflow than it was worthwhile. That is the perspective I have in mind for the hypothesis that Kite was testing.
I genuinely don't understand why this service is getting a disproportionate amount of backlash relative to the plethora of cloud based services out there that analyze one's entire codebase. Maybe it's because they're interacting with the code from the dev machine directly vs integrating with repos on the git server? Would that make it different to you?
Hi Ruben, founder of Kite here. I think this issue deserves a more thorough response because there are a lot of misrepresentations in the article.
One misrepresentation that I wanted to quickly highlight is that the autocomplete-python install flow has three steps, not just the one linked to in the screenshot above. The other two are:
Enter their email address - https://user-images.githubusercontent.com/87728/28395016-dc7...
Read a warning, decide if they want to whitelist any files - https://user-images.githubusercontent.com/87728/28395021-e04...
Small technicality: these screenshots say that Kite is installing but it's actually only downloading the installer binary to memory; the actual install doesn't happen unless the user goes through all three steps.
It's also worth noting that if the user clicks "Add Later" no code is sent to the Kite servers for analysis until they whitelist a directory.
You are trying to blame the user, but the design of this flow is to blame. It does not explain clearly what is going on.
It's funny seeing this now to see where I tripped up. When you say "enable access in /Users/ben", I guess 6-months-ago-me assumed it meant "enable access to code in /Users/ben when I am working on it". It felt a bit like an iOS permissions dialog, where I was giving you access to my filesystem. Parsing it now, I realise that the text above the button says "where enabled, your code is sent to our cloud".
You could argue I should have read that more carefully, but that copy doesn't scream to me "I'm about to upload all of the source code on your computer including proprietary stuff and secrets". Because that button was the default highlighted button, I assumed it wasn't going to do anything drastic like that. (It's like Ryanair having a big red "YES I WOULD LIKE INSURANCE" button, hiding the "no I don't want to spend $100" button somewhere in the small print.)
Above all, you certainly shouldn't have included that as a shady update to some Atom extension I was using.
> I think this issue deserves a more thorough response because there are a lot of misrepresentations in the article.
From the article:
> Smith also said that most of the negative reaction was due to confusion around what the tools actually do. (Connor pointed out that it’s not possible to review what Kite does, since it itself is not open source.) Then he blew this reporter off. “I apologize in advance that I can't answer any further questions,” he wrote. “I need to focus on other parts of the business, including continuing to improve the product for our users, and conflict like this is always doubly distracting.”
The above sounds like you were given the opportunity to explain things but shrugged it off as a distraction.
If it deserves a more thorough response, why hasn't that been given? Even in this reply you only "quickly highlight" one point.
Yeah, I came here to say exactly this.
Even with the additional steps and even with explicit whitelisting of directories (from screenshots it looks like it defaults to the user directory, which is just bad) before code's uploaded, the point is that Kite took over a useful, popular open source package, clearly hitching on to the popularity of the package to promote Kite, which is distasteful when it comes to OSS.
Why not fork the original autocomplete-python with one that has Kite enabled instead? Then users who want Kite or use Kite are able to do so, without screwing over everyone else who has no idea what Kite is and doesn't want anything to do with it.
Reminds me of software downloaded in the past that comes with some random search toolbar that gets installed in browsers. Annoying. Shady. Not cool.
This. That would have been the correct solution. Fork the code and offer their "Kite enabled" version separately. If Kite has to resort to these types of tactics to push their product, it seriously makes me doubt its efficacy. If they can't market their product based on its merits, why would I want to use it?
Then how do you explain this? https://user-images.githubusercontent.com/4001044/28342719-3...
Don't weasel your way out of this Ruben.
The post you are responding to is by Adam, adamsmith, the CEO of Kite. We are different people and I have no relation to him at all. Just to be clear.