Atom Community Splits Over Phone-Home Privacy Issue

Is it OK for an application to phone home with telemetry data before asking users? Some users of the open source text editor Atom say no. However, the program's developers say yes. Or, more accurately, 'we do not care'. The spat between the two factions, which arose on the code sharing site GitHub in late November, raises questions over what constitutes normal behavior, what warrants a breach of privacy, and what constitutes telemetry data at all.

The problem arise after an online user calling themselves sneak posted a message in a discussion on the Atom repository. "Atom is contacting Microsoft/GitHub processes running on Amazon servers on first launch without consent, and leaking my IP address and timestamp to the manufacturer," they said, "as well as transmitting the fact that I use Atom (via outbound request) to thousands of other people and organizations."

This all happened in spite of a 2016 project to add consent for telemetry to the Atom code base. That project produced a dialog box that invites users to opt out of sending telemetry data to the Atom team. That data helps the developers decide what to focus on next, the box explains.

Sneak's problem is that Atom is sending data before the box is even shown. According to the Atom developers, this communication is a simple check for program updates, and it's this that the user doesn't get to switch off.

Sneak garnered some support from others. Github user blordpluto chimed in: “Folks can reasonably disagree about the privacy impact of something like this, and/or the feasibility of personal workarounds. However, I fail to see how anyone fair-minded could accept that an identifying outgoing connection is sent before the user presented with an opt-in/out. That's a dark pattern. Any organization that practices it is staining its own credibility. It's just a falsehood, and a bad precedent on every level.”

Still, the Atom team has decided that it doesn't care about the issue. It said: “if that form of ‘telemetry’ is an issue for you feel free to block the network access or create a version of Atom that doesn't check for updates. This isn't something the Atom team is currently interested in changing though.”

The great thing about Atom is that, as its developers point out, it's an open source product so you can just alter the code if you don't like what it does, but this whole argument raises the question of what constitutes telemetry data. When you're programming an application to 'phone home' with data that's useful for the developers, it's worth considering what data ranks as sensitive. That is a difficult task because it will vary according to the user base and the individual users within that community. Developers must find their own acceptable level, and ensure that they communicate it properly.

What’s Hot on Infosecurity Magazine?