Feature Request: Add privacy policy #786

Open
ngdenco opened this issue Oct 10, 2018 · 6 comments

ngdenco commented Oct 10, 2018

In the reviews for the extension itself, there is a comment stating this:

WARNING: THIS EXTENSION GATHERS YOUR BROWSING HISTORY AND SELLS IT TO 3RD PARTY ENTITIES

However I cannot find any evidence of this claim, whether to back it or disprove it.

In the 'about' page, could there be information added regarding your privacy policy and whether or not information is gathered for third parties?

@deanoemcke
Collaborator

That comment is erroneous. This extension does not collect or sell browsing history. I have commented to the person on the chrome webstore.

The extension DOES require permission to your chrome history, as this is required for some of the functionality of the app. However, it does not store this history, and does not profit from it in any way.

For more information on why the extension needs access to your history, please see this GitHub thread: #213

Also, here is a link to the privacy policy for the extension: https://greatsuspender.github.io/privacy

@ngdenco
Author

ngdenco commented Oct 11, 2018

Perfect, thanks. If not already in any of these places (I could not find them but didn't look very hard) - I would recommend a link to the policy in your "about" page in the app, perhaps as well as on the actual store page.

It may be prudent to summarize your response to me here also in the "about" - maybe with another page that is labelled something like "Why do we ask for x permissions?"

@deanoemcke
Collaborator

Yes, I agree the 'about' page would be a good place for it.
The privacy policy is already linked in the chrome webstore page.

@CollinChaffin
Contributor

CollinChaffin commented Oct 12, 2018

I usually would not chime in when an issue has been answered, but I am not only a DEV myself for 30 yrs but also a loyal, serious power-user of TGS since the initial release. Admittedly I have never done serious Java/JS work on the professional side as it is not my preferred language, but like most DEVs I can certainly read other languages if need be.

With that said, when I look at closed-source extensions that absolutely HAVE been proven to be secretly malicious, uncovering those takes serious work as almost always not only is their original source code not available to review, but it then requires decompiling and reverse engineering those sources, just to then begin the time-consuming, daunting task of tracing the code. The HUGELY popular Chrome Extension, Stylish, is a perfect example. I had already done some of this daunting work and had already been warning folks not to use it and now we know just how deep that rabbit hole went. Then, look at Stylus, an extension that does the EXACT same thing - but posts 100% of its code on Github for the world to review (and better yet, be able to contribute to help improve it). I know which I personally trust. :)

My point? I am in no way saying you will NEVER find malicious apps/extensions with full source code online, but I have never seen one that still wasn't seriously obfuscated (unnecessary if you're truly open-source) to hide their true intent. And why? If you were laundering money, would you DARE to post your financial ledgers on the internet, opening yourself up to even the POSSIBILITY that a CPA would quickly shed light on your activities? Of course not.

TGS is a perfect example of a true Opensource effort, with 100% of its source code available, and NOT obfuscated in any way, allowing anyone who can even read code to peruse through it at any time, day or night, and they also welcome code contributions. Just spit-balling, but I'm guessing as popular as this extension is, it wouldn't take but hours for something to be identified in the code that should not be there (including browsing data collection). I know that personally, I have had no issues calling out obfuscated code where it should not be (in other apps, NOT TGS!) and quickly bringing bad intent to light, and any good DEV usually will do the same so as to do our best to eliminate those that give the industry a bad name.

Again, just my opinion, but I make an attempt to read through the code initially of an Opensource project; I then look at longevity and # of participants, and I cannot remember ever getting that far into that process and finding it to be malicious.

@ngdenco
Author

ngdenco commented Oct 12, 2018

I agree with the overall sentiment. I have a few "counterpoints" to the situation, however:

  • The standard user will not look through source code, nor know what to look for
  • I am a Java developer and looked through a few parts of the code, and admittedly was lost in finding anything. After all, it's not like the code doing this is called "third-party-transfer". Sifting through open source isn't super friendly to anyone (more so if it's not your language), but of course it's eons better than closed.
  • You are attributing selling data to third parties to maliciousness. There are tools that actively do sell information to third parties, and let you know they may do that in their clauses. Even in the case of open source, they could still be doing this. It could easily be the business model of the program, and not hidden from users. With that being said, I wanted to know a yes or no answer to the original question, regardless of the morality of the action.

@CollinChaffin
Contributor

Certainly agree with your points. In fact, it is funny you say that, as I was posting over EIGHTEEN MONTHS ago in many places, including different repos here on Github (StylishThemes/StackOverflow-Dark#44), because a legitimate marketing company is who quietly purchased Stylish, and their privacy policy was immediately altered to flat out state they could (would) do as much, so I was surprised when folks were so surprised to find out they then took advantage of it. And, in agreement, that is why the policies are important, at least those that are honest and legit enough to post them, as they do demonstrate intent. IMO the TGS policy is out there and pretty straightforward, and with their totally un-obfuscated source here I personally am not at all worried. 😉
