
Package harvests email addresses and private data to send to remote infrastructure #18

Closed
cmjdiff opened this issue Aug 9, 2023 · 10 comments
Labels: bug

Comments

cmjdiff commented Aug 9, 2023

Describe the Bug

SponsorLink harvests email addresses and private/proprietary data from users' devices to send to remote infrastructure.

Expected Behavior

Packages not harvesting email addresses and private/proprietary data from users' devices to send to remote infrastructure.

cmjdiff added the "bug" label Aug 9, 2023

pchasco commented Aug 9, 2023

SHA-256 is not an acceptable method of anonymizing user identifiable information for the GDPR. This has been ruled by court in at least one European country, Germany.

kzu (Member) commented Aug 10, 2023

Yep, seems to be the case I need to be even more "randomizing" on the front. Working on #13 to bring the source to this repo, and move on from there on something more solid.

cmjdiff (Author) commented Aug 10, 2023

> Yep, seems to be the case I need to be even more "randomizing" on the front. Working on #13 to bring the source to this repo, and move on from there on something more solid.

No, you don't need to be "even more randomizing". You need to be not harvesting data of any sort whatsoever.

laurids commented Aug 10, 2023

> even more "randomizing"

> even more

There is no randomizing in plain SHA-256 hashing.

KeterSCP commented

@kzu LMAO! Just stop it, if you want money, move your project to a paid license. DON'T mess with analyzers, warnings and scraping; you have been warned by a Microsoft employee that what you are doing is not allowed.

cmjdiff changed the title from "Package harvests email addresses to send to remote infrastructure" to "Package harvests email addresses and private data to send to remote infrastructure" Aug 10, 2023

cmjdiff (Author) commented Aug 10, 2023

To move away from this "this is bad and you should feel bad" and towards the technical aspects for a moment, currently you're creating a persistent identifier in order to associate a particular user with your sponsorship data. Since to achieve what you want, you need to be able to make that association, an ephemeral identifier won't work. It has to be persistent to be able to associate it. You can't do the thing advertisers do and use an ephemeral ID that the user can reset in various ways, because they're more interested in your characteristics than your identity.

This isn't an implementation bug. It's not even a design flaw. It's inherent in the goal you're trying to achieve. You can't do it without this sort of malware behaviour. Which, for an OSS maintainer, means you can't do it, full stop.
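The two technical claims in this thread (pchasco's point that SHA-256 does not anonymise an email address, and the point above that the identifier has to be persistent for sponsorship matching to work at all) can be shown in a few lines. The following is an added illustration, not code from the SponsorLink project or from any commenter; the addresses, the sponsor list and the `keyed_digest` scheme are constructed for the demonstration. It shows that a plain SHA-256 digest of an address is deterministic, that the server's own lookup is the same operation anyone else with a candidate list can perform, and that the one change that breaks that linkage (a random key that never leaves the user's machine) also breaks the sponsorship lookup.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample data for the demonstration; none of these addresses
# come from the thread or from the SponsorLink project.
CANDIDATE_EMAILS = ["alice@example.com", "bob@example.com", "carol@example.com"]
SPONSOR_EMAILS = ["alice@example.com", "bob@example.com"]


def normalise(email: str) -> bytes:
    """Canonical form before hashing, so 'Bob@Example.com' and 'bob@example.com' collide."""
    return email.strip().lower().encode("utf-8")


def plain_digest(email: str) -> str:
    """Plain SHA-256 of the address: no key, no salt, no randomness.
    The same address always yields the same 64-hex-char value, on every machine."""
    return hashlib.sha256(normalise(email)).hexdigest()


def keyed_digest(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a key that stays on the user's machine (hypothetical scheme).
    Without the key nobody, the server included, can reproduce or match the value."""
    return hmac.new(key, normalise(email), hashlib.sha256).hexdigest()


def build_sponsor_index(sponsor_emails: Iterable[str]) -> set:
    """What a server holds: plain digests of the addresses it already knows (its sponsors)."""
    return {plain_digest(e) for e in sponsor_emails}


def is_sponsor(client_digest: str, index: set) -> bool:
    """Server-side lookup of a digest reported by a client."""
    return client_digest in index


def reidentify(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Why plain hashing is pseudonymisation, not anonymisation: any party holding a
    list of candidate addresses can check which one produced a plain digest. The
    server's is_sponsor() lookup is exactly this operation."""
    for candidate in candidates:
        if hmac.compare_digest(plain_digest(candidate), digest):
            return candidate
    return None


def demo() -> dict:
    """Run both schemes against the constructed sponsor list and report the outcomes."""
    user = "Bob@Example.com"   # the same person, typed with different casing
    index = build_sponsor_index(SPONSOR_EMAILS)

    # Scheme 1: plain SHA-256. The server can match the user to a sponsor record,
    # and anyone else holding a candidate list recovers the address the same way.
    reported = plain_digest(user)
    plain_match = is_sponsor(reported, index)
    recovered = reidentify(reported, CANDIDATE_EMAILS)

    # Scheme 2: a random per-installation key. The digest is now unlinkable to the
    # sponsor list, which also means the sponsorship lookup no longer works at all.
    install_key = os.urandom(32)
    keyed_match = is_sponsor(keyed_digest(user, install_key), index)

    return {
        "plain_is_deterministic": plain_digest(user) == plain_digest("bob@example.com"),
        "plain_match": plain_match,
        "recovered": recovered,
        "keyed_match": keyed_match,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is in `demo()`: the property that lets the server match a digest against its sponsor list (determinism across machines) is the same property that lets anyone else match it against a candidate list, so no amount of "randomizing" on the client can keep one while removing the other.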

pchasco commented Aug 10, 2023

> Yep, seems to be the case I need to be even more "randomizing" on the front. Working on #13 to bring the source to this repo, and move on from there on something more solid.

Or perhaps this was just a bad idea, and it is forcing the companies you want sponsorship from into actually spending money migrating to other frameworks instead.

kzu (Member) commented Aug 10, 2023

The code is now open source in this repo too. As I documented in my blog post ~6mo ago, there is no harvesting happening, just a convenient and simple (albeit problematic according to many) way to quickly and (more or less safely) map a user to his sponsorship. I'm closing this for now, please continue to give feedback on this particular issue at #31

kzu closed this as completed Aug 10, 2023

cmjdiff (Author) commented Aug 10, 2023

Reopening a new issue, because the published code still appears to harvest private/proprietary data to send to remote infrastructure.

pchasco commented Aug 10, 2023

> The code is now open source in this repo too. As I documented in my blog post ~6mo ago, there is no harvesting happening, just a convenient and simple (albeit problematic according to many) way to quickly and (more or less safely) map a user to his sponsorship. I'm closing this for now, please continue to give feedback on this particular issue at #31

No one cares that you posted about this six months ago. No one was reading your blog back then. Now, I'm afraid, you may be getting more attention...
