Open source editor Atom collects user data without consent

Atom is a cross-platform text editor introduced by GitHub specifically for programmers. Yesterday, a user called Atom out for collecting user data without consent. “When you first start Atom, it contacts the Microsoft/GitHub process running on an Amazon server without consent and discloses my IP address and timestamp to the manufacturer, transmitting the fact that I used Atom (via outbound requests) to thousands of other people and organizations.”

Paul points out that the user’s IP address and information such as trace/telemetry/analysis/automatic ally target host IP are transmitted at the first launch, and the first two also include timestamps. “When the tuple (user source IP, atom.io target IP, TCP port, TLS SNI host name, time stamp) is sent from the user’s computer, its usage information is leaked to thousands of different people: ISPs, hosting providers, network exchanges, intelligence service providers, Microsoft internal system administrators, GitHub system administrators, and Amazon network administrators. Users simply don’t have the opportunity to opt out, or block it, or even realize it’s happening.”

For this reason, Paul is angry and classifies Atom as spyware, which is defined as software that collects information about individuals or organizations without their knowledge and sends such information to another entity without the user’s consent.

He also noted that this situation meant that the work on PR #12281 was not yet complete. This is the “Add telemetry consent setting” PR proposed by the Atom team in 2016 to determine whether user usage information is collected. For now, according to Paul’s description, the data is uploaded without even a consent dialog box being shown.

Arcanemagus of the Atom team then replied below, saying, “Atom is designed to run in a network-connected environment that can perform operations such as checking for updates without prompting the user… You are, of course, free to block network access, and Atom can also run in offline mode if you prefer.”

But clearly, this argument was not convincing enough, and Paul countered: “Nobody says it shouldn’t use the network, it just doesn’t use the network until the user grants it permission, otherwise it will cause data leakage, which is what the consent dialog box is all about.”

Arcanemagus still thinks it’s OK to block network access, adding, “This isn’t something the Atom team is currently interested in changing.”

Lee Dohm, from the Atom team, issued a final response, acknowledging that the telemetry package should not send information before the button is clicked and saying the team will investigate its premature connection to central.github.com. On the other hand, he insists that this is how Atom is designed, and that the rest, especially the automatic update check, will retain the current design. And, again, “If you want an editor that works completely offline without any network connectivity, Atom is not for you.”

In addition, after an experiment to reproduce the behavior, Paul opened another issue, having found that even if he explicitly refused consent and opted out of telemetry, the telemetry information was still sent. The reproduction rate for this situation is also 100%.

Under the 2016 PR, which added telemetry consent settings, a new discussion started among users. One of them said, “As things stand, this may be a violation of the GDPR (General Data Protection Regulation).”
