I fell for this. I enabled it because I was curious about trying new development tools, only to find out later it uploaded all of the source code on my computer to their service. What the hell.
It took me months to get through to a human to get them to delete my code, including two emails to the CEO.
I like the idea, but there is no way I would use it after this experience.
WTF, this could get people fired. Many companies do not discriminate whether an employee has uploaded code to a third party server intentionally or not. If corporate software monitors catch this happening, it's a pink slip in many places. I just can't believe anyone would play with developers this way. What a cruel company.
It could also get Kite sued.
Someone should definitely sue Kite.
Wait until they get their funding.
> WTF, this could get people fired. Many companies do not discriminate whether an employee has uploaded code to a third party server intentionally or not.
That is why developers should be very careful what applications they install on the corporate computer and what cloud services they use.
It's true; "fool me once" and all that. But it really doesn't make the world a better place to live if it's easier to get fired by accident.
> it uploaded all of the source code on my computer to their service.
That sounds crazy, so I reviewed their privacy policy[0]. It looks like Kite now requires users to whitelist the directories it indexes and automatically purges files you remove from the local index.
The Privacy Policy says that:
> When you use our services, we may collect [...] Any source code files on your computer's hard drive that you have explicitly allowed our services to access. To learn how to control access to your source code files, please visit our FAQ.
The FAQ[1] says
> Kite only uploads files that:
>
> 1. Have a .py file extension,
> 2. Are children of a whitelisted directory,
> 3. And are not ignored by a .kiteignore file.
That doesn't seem like "any source code file on your computer" to me - unless it whitelists root by default, which would be a hella dark pattern.
Also, removing a file from the local index should remove it from the server as well [2]
[0] https://kite.com/privacy
[1] http://help.kite.com/category/30-security-privacy
[2] http://help.kite.com/article/10-how-do-i-delete-files-from-k...
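Added example (not Kite's code): a small Python audit script that models the three FAQ rules quoted above and lists which files under a whitelisted directory would be eligible for upload, so you can check before enabling anything. The .kiteignore format (one glob per line, '#' comments, matched against the path relative to the whitelisted root) is an assumption, and the sample workspace is constructed.

```python
import fnmatch
import os
import tempfile
from pathlib import Path


def load_ignore_patterns(root: Path) -> list[str]:
    """Read root/.kiteignore; assumed format: one glob per line, '#' comments."""
    ignore = root / ".kiteignore"
    lines = ignore.read_text().splitlines() if ignore.is_file() else []
    return [ln.strip() for ln in lines if ln.strip() and not ln.startswith("#")]


def is_ignored(rel_path: str, patterns: list[str]) -> bool:
    """True if a pattern matches the relative path, its filename or an ancestor dir."""
    parts = rel_path.split("/")
    ancestors = ["/".join(parts[:i]) for i in range(1, len(parts))]
    for pat in patterns:
        pat = pat.rstrip("/")  # 'secrets/' means the whole directory
        if any(fnmatch.fnmatch(p, pat) for p in [rel_path, parts[-1], *ancestors]):
            return True
    return False


def eligible_files(whitelist_root: str) -> list[str]:
    """Relative paths of files the three FAQ rules would allow to be uploaded."""
    root = Path(whitelist_root).resolve()
    patterns = load_ignore_patterns(root)
    found = []
    for dirpath, _dirs, filenames in os.walk(root):  # rule 2: stay under the root
        for name in filenames:
            if not name.endswith(".py"):  # rule 1: only .py files
                continue
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if not is_ignored(rel, patterns):  # rule 3: honour .kiteignore
                found.append(rel)
    return sorted(found)


def build_sample_tree() -> str:
    """Create a constructed sample workspace in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp())
    (root / "app").mkdir()
    (root / "secrets").mkdir()
    (root / "app" / "main.py").write_text("print('hello')\n")
    (root / "app" / "README.md").write_text("docs\n")
    (root / "secrets" / "keys.py").write_text("API_KEY = 'constructed-example'\n")
    (root / "settings_local.py").write_text("DB_PASSWORD = 'constructed-example'\n")
    (root / ".kiteignore").write_text("# constructed\nsecrets/\n*_local.py\n")
    return str(root)
```

Running `eligible_files` on your own whitelisted directory shows exactly what a wrong default (such as the home directory) would sweep in, including any .py files that hold configuration secrets.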
> Also, removing a file from the local index should remove it from the server as well [2]
Maybe you are thinking only for yourself. What about the majority of the users of minimap/(other hacked plugins) who don't know this is going on, and are not aware that some files need to be deleted from someone else's server?
PS. I know "hacked" is not the proper term here, but you get the idea.
I totally agree that putting proprietary integrations into open source packages is shady. However, I don't think that the Minimap "kite promotion" [0] went so far as to actually upload code to Kite's cloud platform. It looks like it just added tool tips that referenced Kite's documentation. That's distracting and unwanted, but not as egregious as uploading your code without permission.
[0] https://github.com/atom-minimap/minimap/commit/16c11d82b889c...
It sounds like they changed something after I signed up. I am not super paranoid, but I am pretty savvy about privacy and keeping my data safe. There is no way in hell I would have agreed to upload all of my data to their service.
I was actually questioning myself when I realised what had happened -- I thought, "perhaps I just messed up". But after I saw this story about their other dark patterns, I'm convinced they just deceived me.
Their privacy policy as of 31 of December 2016:
https://web.archive.org/web/20161231231542/https://kite.com/...
Seems similar enough to current version.
Not sure when you're seeing the privacy policy change was made but as an early user of the Kite desktop tool, directory whitelisting has been in place for a year or more.
If you look at the screenshot posted by one of their founders it lists the user directory as the default whitelist: https://user-images.githubusercontent.com/87728/28395021-e04... and isn't clear on uploading everything from there
Hard to read that wording and not infer it was specifically phrased like that to prevent saying "we upload literally every file, recursively, in the below directory".
Easy to see very intelligent and circumspect people interpreting "where enabled" to mean "when I ask for autocomplete" and "your code" to mean "that specific snippet" because who the hell would actually think it's cool to just carte blanche upload other people's workspaces?
If you want to see if they have any of your data, check: https://kite.com/settings/files
I have zero faith this page actually works though. A few months ago I deleted all of my data and I checked back today and it has reappeared. (I uninstalled the client and deleted my login token back then too, so as far as I can see it's their issue.)
I have sent them a stern email to delete my data. If you want your data deleted too, I would recommend doing the same rather than trusting their web interface. None of the emails on their website seem to work, though. Emailing the CEO does work eventually, but I don't want to start a witch hunt. My email is in my profile if you want his email.
WTF are those guys doing? Uploading source code without consent feels criminal; source code with app configs/secrets has ultra sensitive information.
Does anybody have a list of infected packages so others can quickly remove them with `apm uninstall ...`?
Well technically you did consent by clicking "Enable Kite". I'm not familiar with Kite but the linked image has a line that says, "Click here to learn more.". I'd wager that it eventually links to a page that explains that all your source will be uploaded to their servers.
Now that doesn't make it any less shady though...
Hiding a detail like this into a "read more" is uber-shady. They deserve all the backlash they're getting.
Funny how I now read this as Uber-shady.
What they did is figuratively a felony (literally a "indictable offense") here in Canada. These guys are going to go to prison. Courts have ruled time and time again that hiding unreasonable or otherwise illegal actions in ToS does not absolve liability or criminality.
Just out of curiosity, what part of this is considered illegal? Not defending Kite here, but it seems that even though they are using some shady tactics to gain users, none of their product/ToS seems illegal.
Theft of copyrighted material, if bfirsh's claim of having the tool upload _all of the source code on his computer_ without asking about it.
Maybe even corporate espionage.
> Theft of copyrighted material
Copyright infringement is not theft. These are two completely different issues. When data is copied it is not taken away from the owner like when physical goods are stolen. Secondary damages may or may not occur, but they are not the same as depriving someone of a good. As an analogy, I wouldn't steal a car, but I surely would copy a car if I could do so by simply pressing a button...
Both are punishable crimes though, so I don't see what difference the point makes
The primary difference is that copyright infringement is a civil offense, not a criminal one, so nobody would be "going to prison".
Copyright infringement is an act, and at least here in the US, an act for which both criminal and civil laws provide specific penalties/remedies. On the criminal side, obviously, one of the penalties is imprisonment.
Ah, I was unfamiliar with criminal penalties for copyright infringement. Could you go ahead and link me to the relevant US Code text that provides for such penalties?
https://www.law.cornell.edu/uscode/text/17/1204
This happens to be the one under which Kite would fall (since they're infringing copyright for "commercial advantage").
That still leaves corporate espionage, which (last I checked) is a very severe offense. If that "source code" contained significantly-sensitive data (like medical info or info about legal cases), then there's a giant can of worms right there (and each of those worms has a surname of "Felony").
There is such a thing, in the US at least, as criminal copyright infringement.
No, but if that copyright material contained trade secrets then it is criminal.
And if it contained gold, it's actual theft.
But that's about as unlikely as the code containing trade secrets.
Plus:
- For copyright infringement, they'd need to actually redistribute the code. Using it for machine learning and distributing short snippets wouldn't be copyright infringement.
- For that trade secret stuff you'd need to prove intent.
> For copyright infringement, they'd need to actually redistribute the code.
IANAL, but I don't think so. In MAI v. Peak[1], the court determined that even loading a program from disk to RAM was a copy, and therefore infringing without a license. Congress has since then added a specific exception for "Machine maintenance and repair", but that's it. Copying from a remote machine and storing it in their disks should certainly qualify.
[1] https://en.wikipedia.org/wiki/MAI_Systems_Corp._v._Peak_Comp....
> But that's about as unlikely as the code containing trade secrets.
Unpublished code is itself a trade secret. Even just the processes, procedures, organisation, tooling, library use, etc. in the code provide a competitive advantage, i.e. the 'metadata' is also a trade secret.
The only intent you'd need to prove is that the accused is using the trade secret to the 'economic benefit of anyone other than the owner'.
It seems obvious that Kite is training a proprietary ML algorithm, with trade secrets, for their own economic benefit.
Nuh huh
It's one thing to infringe on the copyright of a public work
Another, very different thing is to copy something that's not public and might be considered IP or a trade secret
This isn't necessarily only about copyright infringement (though it's definitely that too). Some of the source code on your machine may contain sensitive information, like API keys, database passwords, etc.
Legally, the word "theft" isn't only used when one party loses anything; a victim of identity theft doesn't lose their identity, yet we don't call it "identity infringement". I'm not familiar enough with US law to know for sure, but it wouldn't surprise me if the word "theft" is used somewhere for obtaining sensitive information without permission.
I don't really want to defend Kite, but when it says "Kite achieves this by analyzing your code in the cloud" I would assume that my code is uploaded to the cloud.
If you're going to upload potentially private code from your user's computer to your servers, you better warn him with big fat red letters before you upload a single byte.
Which code is "my code" here?
My assumption from that dialog box would be that at most, the code I currently have open in my editor would be uploaded. Not all the source code on my computer.
How can autocomplete work without looking at all the other code too?
Edit to add: oh, wait, I misunderstood. It grabs all the code on your computer? That's crazy. I just meant it's not totally unreasonable to grab the whole git repo you're working in, say.
Yeah, screw kite.
Exactly. How do they know what is my code, or somebody else's? Dodgy.
If you don't want to defend Kite, why bother defending Kite?
I'm not defending their actions. I'm just saying that I don't think they're as surprising as people make them out to be given the messaging in the product.
This plugin helps for sites like Kite:
https://chrome.google.com/webstore/detail/cloud-to-butt-plus...
This is why some data protection and privacy laws are starting to require active, informed consent before taking some actions, instead of merely specifying "consent".
Even without that, basic contract law in many places requires a degree of mutual understanding for the contract to be valid in the first place. You can't just bury a surprising term with a huge effect deep inside a long legalese document and expect it to actually stand up in court, and if you're doing something dubious and relying on that as your defence then you might be in for some disappointment.
Makes me imagine some angry and equally shady person might contribute to some open source projects that Kite uses internally. With a ToS addition giving them access to all available data on the company network if you are Kite.
Obviously this would be a terrible thing to do and no one should.
It does not just feel criminal, it probably is. On top of that it might make you liable for reproducing some company code without permission. Very very bad idea.
I've almost been bitten by them in the same way. I vaguely remember that it was through HN that I found out about Kite and installed their plugin(s). It definitely felt 'dirty'.
>only to find out later it uploaded all of the source code on my computer
It didn't ask? Sounds like malware, and meets the definition of theft. Inviting someone into your house does not give them permission to steal things in your home, and leave with them.
Kite has been mentioned a few times on HN, latest here: https://news.ycombinator.com/item?id=13977982
It clearly states in the diagram that the code you run Kite on will be analyzed in the cloud. If it truly uploaded "all of the source code on [your] computer" then obviously that is radically different but from my experience with the product, it did not upload my code besides what was directly related to what I was working on and understood would be analyzed in the cloud, just like Code Climate or any other code analysis service.
That could be enough to get you fired and/or sued depending on the status of the code on your computer.
That is theft of the highest order!!!
It's not theft, neither sorted nor random.