Open source editor Atom collects user data without consent

Atom is a cross-platform text editor for programmers from GitHub. Yesterday, a user filed an issue with Atom saying that it had collected user data without consent. The user wrote:

Atom is contacting Microsoft/GitHub processes running on Amazon servers on first launch without consent, and leaking my IP address and timestamp to the manufacturer, as well as transmitting the fact that I use Atom (via outbound request) to thousands of other people and organizations.

A user’s IP address, as well as the tracking/telemetry/analytics/autoupdate target host IP are both transmitted from the user’s machine at time of first launch (adding a timestamp to these first two pieces of data).

This tuple of (user source IP, atom.io destination IP, TCP port, TLS SNI hostname, timestamp) leaks usage information to thousands of different people when it is sent from the user’s computer: ISP, hosting providers, network interchanges, intelligence services (hi Ed!), Microsoft internal systems administrators, GitHub systems administrators, and Amazon network administrators. The user is given no opportunity to opt out of this, to prevent it, and is not even made aware of it happening.

This means that the work on #12281 is incomplete. The software is still transmitting user data without consent before the consent dialog even appears.
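As an added example (not from the article, the issue, or the Atom project), this shows why the quoted issue counts the TLS SNI hostname among what any on-path observer sees: the client's very first TLS message carries the destination hostname in cleartext, before any encryption is negotiated. It uses only Python's standard library; central.github.com is the hostname the issue names, and the ClientHello is generated locally, so nothing is sent over the network.

```python
import ssl
import struct
from typing import Optional


def build_client_hello(hostname: str) -> bytes:
    """Run the client side of a TLS handshake into memory buffers and return
    the first flight (the ClientHello) exactly as it would go on the wire."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()  # no server reply exists yet, so this must stall
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def extract_sni(record: bytes) -> Optional[str]:
    """Parse one TLS record; if it is a ClientHello, return the cleartext
    server_name (SNI) it carries, otherwise None. No key material is needed."""
    if len(record) < 5 or record[0] != 0x16:  # content type 22 = handshake
        return None
    body = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if not body or body[0] != 0x01:  # handshake type 1 = ClientHello
        return None
    pos = 4 + 2 + 32  # handshake header, client_version, random
    pos += 1 + body[pos]  # session_id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]  # compression_methods
    end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:  # walk the extension list
        ext_type, length = struct.unpack(">HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        if ext_type == 0:  # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack(">H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
        pos += 4 + length
    return None


if __name__ == "__main__":
    hello = build_client_hello("central.github.com")
    # Anyone who can see this packet learns the hostname without decrypting anything.
    print(extract_sni(hello))
```

A network monitor on an egress point can apply the same parse to flag first-launch telemetry connections from desktop software, which is how a defender would verify a claim like the one in the issue.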

Lee Dohm from the Atom team posted a final response, acknowledging that the telemetry package should not send information before the user clicks the button and that the team will investigate its premature connection to central.github.com. On the other hand, he stood by Atom’s overall design choices, and the rest, especially the automatic update check, keeps its current design.

We agree that the telemetry package shouldn’t send information before a button is clicked, so we’re definitely going to investigate premature connections to central.github.com before the user has explicitly clicked a button and we are tracking that in atom/telemetry#33.

We can appreciate that different people make different tradeoffs when it comes to network exposure versus functionality. We’ve made choices that we feel strike a good balance for the majority of users, so we’ll be leaving the rest, specifically auto-update checking, the way it currently is designed.