Recently @gerry pointed out that it appears the third most popular package in the Package Control default channel is apparently sending data to the startup Kite:
This seems to explain why a generic package providing extra menu items would be collecting info about how many minutes of time were spent editing Python code.
This has prompted some discussion about what, if anything, Package Control should (try to) do about privacy and dark patterns in packages that are part of the default channel. I’d like to get feedback from the community as to what users think should happen.
One proposed solution is to:
- Disallow opt-out telemetry from packages in the default channel. Any packages found collecting user info without having the user opt in will be immediately removed from the channel and only permitted to be re-added if they have changed to opt-in.
This would not prevent authors from creating their own PC channel (which has been supported from the beginning) and publishing opt-out packages; it would just prevent them from being included in the default channel. A simple channel with one or two packages could be hand-maintained without much effort. If someone wanted to set up an automated channel (that crawls package info), that can be adapted from the code base at https://github.com/wbond/packagecontrol.io.
If you can share your thoughts, I’d like to gather feedback and then decide what, if any, action should be taken to address the privacy of Package Control users. Please also share this topic with any Package Control users you can so we can get as much feedback as possible.