Comment by bfirsh
8 years ago
I fell for this. I enabled it because I was curious about trying new development tools, only to find out later it uploaded all of the source code on my computer to their service. What the hell.
It took me months to get through to a human to get them to delete my code, including two emails to the CEO.
I like the idea, but there is no way I would use it after this experience.
WTF, this could get people fired. Many companies do not discriminate whether an employee has uploaded code to a third party server intentionally or not. If corporate software monitors catch this happening, it's a pink slip in many places. I just can't believe anyone would play with developers this way. What a cruel company.
> WTF, this could get people fired. Many companies do not discriminate whether an employee has uploaded code to a third party server intentionally or not.
That is why developers should be very careful what applications they install on the corporate computer and what cloud services they use.
It's true; "fool me once" and all that. But it really doesn't make the world a better place to live if it's easier to get fired by accident.
It could also get Kite sued.
Someone should definitely sue Kite.
> it uploaded all of the source code on my computer to their service.
That sounds crazy, so I reviewed their privacy policy[0]. It looks like Kite now requires users to whitelist the directories it indexes and automatically purges files you remove from the local index.
The Privacy Policy says that:
> When you use our services, we may collect [...] Any source code files on your computer's hard drive that you have explicitly allowed our services to access. To learn how to control access to your source code files, please visit our FAQ.
The FAQ[1] says
> Kite only uploads files that:
> 1. Have a .py file extension,
> 2. Are children of a whitelisted directory,
> 3. And are not ignored by a .kiteignore file.
That doesn't seem like "any source code file on your computer" to me - unless it whitelists root by default, which would be a hella dark pattern.
Also, removing a file from the local index should remove it from the server as well [2]
[0] https://kite.com/privacy
[1] http://help.kite.com/category/30-security-privacy
[2] http://help.kite.com/article/10-how-do-i-delete-files-from-k...
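The three FAQ rules quoted above are a file filter, and the point of the whole thread is what that filter admits when the whitelisted directory is your home directory. The script below is an added illustration, not Kite's code: it applies the three quoted rules to a constructed list of paths so you can see the difference between whitelisting one project and whitelisting a home directory. It assumes (the page does not say) that `.kiteignore` holds one shell-style glob per line matched against the path relative to the whitelisted directory or against any single path component; the paths and patterns are made up for the example.

```python
from fnmatch import fnmatch
from pathlib import PurePosixPath

# Constructed sample inventory of a developer machine (not real data).
SAMPLE_FILES = [
    "/home/alice/work/client-app/main.py",
    "/home/alice/work/client-app/config/secrets.py",
    "/home/alice/work/client-app/README.md",
    "/home/alice/scratch/notes.py",
    "/opt/tools/bin/helper.py",
]


def containing_root(path, whitelist):
    """Rule 2: return the whitelisted directory that contains `path`, or None.

    Uses path components rather than string prefixes, so whitelisting
    /home/alice/work/client-app does not also admit /home/alice/work/client-app2.
    """
    p = PurePosixPath(path)
    for root in whitelist:
        r = PurePosixPath(root)
        if r in p.parents:
            return r
    return None


def is_ignored(rel_path, patterns):
    """Rule 3, under the assumed .kiteignore semantics (shell-style globs,
    one per line, matched against the whole relative path or any component)."""
    for pat in patterns:
        if fnmatch(str(rel_path), pat) or any(fnmatch(part, pat) for part in rel_path.parts):
            return True
    return False


def eligible_files(files, whitelist, ignore_patterns=()):
    """Return the subset of `files` a tool following the three quoted rules would index."""
    out = []
    for f in files:
        p = PurePosixPath(f)
        if p.suffix != ".py":                       # rule 1: .py extension only
            continue
        root = containing_root(f, whitelist)
        if root is None:                            # rule 2: inside a whitelisted dir
            continue
        if is_ignored(p.relative_to(root), ignore_patterns):  # rule 3: not ignored
            continue
        out.append(f)
    return sorted(out)


def narrow_whitelist():
    """One project whitelisted, with its config directory ignored."""
    return eligible_files(SAMPLE_FILES, ["/home/alice/work/client-app"], ["config/*"])


def home_whitelist():
    """The home directory whitelisted with no ignore file: every .py under it qualifies."""
    return eligible_files(SAMPLE_FILES, ["/home/alice"])


if __name__ == "__main__":
    print("project whitelist:", narrow_whitelist())
    print("home whitelist:   ", home_whitelist())
```

With the project directory whitelisted only `main.py` is eligible; with the home directory whitelisted, every `.py` file under it is, including `config/secrets.py` and unrelated scratch code, while `/opt/tools/bin/helper.py` stays out only because it lives outside the whitelist. That is the practical reading of "children of a whitelisted directory" when the default whitelist is the user directory.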
It sounds like they changed something after I signed up. I am not super paranoid, but I am pretty savvy about privacy and keeping my data safe. There is no way in hell I would have agreed to upload all of my data to their service.
I was actually questioning myself when I realised what had happened -- I thought, "perhaps I just messed up". But after I saw this story about their other dark patterns, I'm convinced they just deceived me.
Their privacy policy as of 31 December 2016:
https://web.archive.org/web/20161231231542/https://kite.com/...
Seems similar enough to current version.
If you look at the screenshot posted by one of their founders it lists the user directory as the default whitelist: https://user-images.githubusercontent.com/87728/28395021-e04... and isn't clear on uploading everything from there
Hard to read that wording and not infer it was specifically phrased like that to prevent saying "we upload literally every file, recursively, in the below directory".
Easy to see very intelligent and circumspect people interpreting "where enabled" to mean "when I ask for autocomplete" and "your code" to mean "that specific snippet" because who the hell would actually think it's cool to just carte blanche upload other people's workspaces?
> Also, removing a file from the local index should remove it from the server as well [2]
Maybe you are thinking only for yourself. What about the majority of the users of minimap/(other hacked plugins) who don't know this is going on, and are not aware that some files need to be deleted from someone else's server?
PS: I know "hacked" is not the proper term here, but you get the idea.
I totally agree that putting proprietary integrations into open source packages is shady. However, I don't think that the Minimap "kite promotion" [0] went so far as to actually upload code to Kite's cloud platform. It looks like it just added tool tips that referenced Kite's documentation. That's distracting and unwanted, but not as egregious as uploading your code without permission.
[0] https://github.com/atom-minimap/minimap/commit/16c11d82b889c...
Not sure when you're seeing the privacy policy change was made but as an early user of the Kite desktop tool, directory whitelisting has been in place for a year or more.
If you want to see if they have any of your data, check: https://kite.com/settings/files
I have zero faith this page actually works though. A few months ago I deleted all of my data and I checked back today and it has reappeared. (I uninstalled the client and deleted my login token back then too, so as far as I can see it's their issue.)
I have sent them a stern email to delete my data. If you want your data deleted too, I would recommend doing the same rather than trusting their web interface. None of the emails on their website seem to work, though. Emailing the CEO does work eventually, but I don't want to start a witch hunt. My email is in my profile if you want his email.
wtf are those guys doing, uploading source code without consent feels criminal, source code with app configs/secrets has ultra sensitive information.
Does anybody have a list of infected packages so others can quickly remove them with `apm uninstall ...`?
Well technically you did consent by clicking "Enable Kite". I'm not familiar with Kite but the linked image has a line that says, "Click here to learn more.". I'd wager that it eventually links to a page that explains that all your source will be uploaded to their servers.
Now that doesn't make it any less shady though...
I don't really want to defend Kite, but when it says "Kite achieves this by analyzing your code in the cloud" I would assume that my code is uploaded to the cloud.
Hiding a detail like this into a "read more" is uber-shady. They deserve all the backlash they're getting.
This is why some data protection and privacy laws are starting to require active, informed consent before taking some actions, instead of merely specifying "consent".
Even without that, basic contract law in many places requires a degree of mutual understanding for the contract to be valid in the first place. You can't just bury a surprising term with a huge effect deep inside a long legalese document and expect it to actually stand up in court, and if you're doing something dubious and relying on that as your defence then you might be in for some disappointment.
What they did is figuratively a felony (literally an "indictable offense") here in Canada. These guys are going to go to prison. Courts have ruled time and time again that hiding unreasonable or otherwise illegal actions in ToS does not absolve liability or criminality.
Makes me imagine some angry and equally shady person might contribute to some open source projects that Kite uses internally. With a ToS addition giving them access to all available data on the company network if you are Kite.
Obviously this would be a terrible thing to do and no one should.
It does not just feel criminal, it probably is. On top of that it might make you liable for reproducing some company code without permission. Very very bad idea.
I've almost been bitten by them in the same way. I vaguely remember that it was through HN that I found out about Kite and installed their plugin(s). It definitely felt 'dirty'.
> only to find out later it uploaded all of the source code on my computer
It didn't ask? Sounds like malware, and meets the definition of theft. Inviting someone into your house does not give them permission to steal things in your home, and leave with them.
Kite has been mentioned a few times on HN, latest here: https://news.ycombinator.com/item?id=13977982
It clearly states in the diagram that the code you run Kite on will be analyzed in the cloud. If it truly uploaded "all of the source code on [your] computer" then obviously that is radically different but from my experience with the product, it did not upload my code besides what was directly related to what I was working on and understood would be analyzed in the cloud, just like Code Climate or any other code analysis service.
That could be enough to get you fired and/or sued depending on the status of the code on your computer.
That is theft of the highest order!!!
It's not theft, neither sorted nor random.