Glimpse "calling home"?

[Justin Pealing]

I've just noticed that when glimpse is enabled it seems to be "calling home" to "api.mixpanel.com/track" at the end of every request - the call seems to be in "glimpse.insight.js" on line 307. As a result I obviously have some have some questions:

• Is this part of the Glimpse core, or part of some other non-core module?
  
• What information exactly is being tracked here?
• How do I disable it?
  

Worryingly I can't find any mention of this on the getglimpse.com website.  Whats going on here? When I first saw this call happening I thought my PC had been infected with some sort of spyware!

[Anthony van der Hoorn]

I'm sorry this caught you off guard, that is not our intension.

This is to be expected and went out with the last release - http://blog.getglimpse.com/2014/02/04/glimpse-1-8-2-released/ (see Glimpse Insights support). Its a part of an effort to try and make better decisions for choices we make -http://blog.getglimpse.com/2014/01/22/getting-greater-insights-into-glimpse/.

It is a part of core but when switched off, its a complete removal (from the blog post):

If you do opt-out, there will be no traces of Insights in your code base. Insights was designed not simply to be a switch on or off, but to be a complete removal. Meaning no traces of the Insights code will remain if you choose to opt out.

The information being gathered can be viewed if you have a look at local storage. If you want a better view than that, you can get the client repo - https://github.com/glimpse/glimpse.client/ - and running the test client - https://github.com/Glimpse/Glimpse.Client/blob/master/test/Client.html. Once you have that open you will see a tab called "Insights" on the right which shows the data as its being collected. Also, if you want to see the source code involved, its isolated to this one file - here is the specific code that captures the events https://github.com/Glimpse/Glimpse.Client/blob/master/source/glimpse.insight.js#L345-L520.

You are right about the fact that it should be on the site. We have a new site coming out soon and its noted there. Its an oversight and the fact that we have been focusing on the new stuff. In response to an earlier question - https://twitter.com/greensky/status/431491507590160384 - we have also updated the Glimpse.axd to have the code required to opt-out. This will go out with the next release.

As an action item on this, I'll update the config help page of the current website to make sure the same information thats in the post will be noted there. Also I would like your feedback if there is anything else you think we can do to help. For the sake of completeness, the following is the opt-out code which goes in your web.config: 

 <glimpse> 
   <clientScripts>
      <ignoredTypes>
        <add type="Glimpse.Core.ClientScript.Insight, Glimpse.Core"/> 
      </ignoredTypes>
    </clientScripts>
  </glimpse>

Lastly, as we get time, we will be making the data collected publicly available. If this is something you are interested in helping out with, we could sure use the help. We believe that information like this will not only help us make better decisions, but help the community inform us what they want beyond what we here from the occasional person on twitter or at conferences.

Let us know what you think.

--
You received this message because you are subscribed to the Google Groups "GetGlimpse-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to getglimpse-de...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[Andreas Håkansson]

This really should not be an opt-out option, but rather an opt-in. I understand that you want to gather metrics but transparently rolling this out is bad practice, no matter how good your intentions are. I say transparent because, considering how most people will install Glimpse using Nugets (either fresh installs and updating existing installs), it won't be be obvious to anyone but those that first read the change logs - which is not something you can assume. My recommend would be to update this to opt-in and take the beating of not being able to gather as much metrics as you would if you leave it opt-out.

Calling home, for what ever reason, without explicit user consent it just bad conduct. I would be amazed if there weren't laws regulating this - if not globally then at least in many countries (Microsoft couldn't even turn on Package Restore as default for a long time because of legal issues in some countries like Germany). Big companies all use the "Participate in xxx program" option where you can opt-in into these kinds of metrics gatherings.

Thanks

[Justin Pealing]

Thanks - in hindsight it was a bit of an overreaction on my part, it was just a bit scary to see it happening and not be able to find any information.on it.

I'm glad that its so easy to disable - personally I don't mind being tracked if its for a good cause, but I thought it would be best to make sure that it was definitely disabled before shipping the software to customers.

Having seen the blog post I don't think I have any other feedback - the blog post makes it really clear whats going on and how to opt-out.  I also completely support it being an opt-in (instead of an opt-out).

[Nik Molnar]

Thanks for the feedback Justin and Andreas.

We highly value your opinions and we'll keep pushing to find the right way to make this experience buttery smooth and non-jarring for everyone. I think your ideas are pretty good, we'll have to figure out the best way to move forward from here.

If you have any other thoughts, please let us know!

Thanks,
Nik

--

[Andreas Håkansson]

The one thing that concerns me the most (other than the actual opt-in/out thing) is that I personally feel that we, the open-source community cannot afford to do things like this. There is already a credibility question when it comes to using open-source in the Enterprise and especially in the .net ecosystem. Glimpse is widely used and there are plenty of CTOs and managers out there that would not understand the concept of benign data-mining like this - something that could damage the credibility even more.

Now I am not trying to put this weight on your shoulders Nik and Anthony - merely pointing out a side-effect that you may not have considered.

People freak out when free services like Facebook and Gmail collect data, it's even more frowned upon when it's part of components we might ship in our software

[leqid]

Easier to beg forgiveness than to ask permission, eh?

 

I am really bummed in so many ways about this "feature".... most fundamentally about your lack of respect for privacy, and that I won't be using Glimpse any more.

 

Sending "customer experience data" of any kind to a third party should be OPT-IN.

 

(Has Reflector been doing this behind my back, too? The apple doesn't fall far from the tree, so I'm assuming so. Grrr.)

 

I've reported as abusive the 1.8.2 package on NuGet. I've also made several posts on the Internets in an attempt to raise awareness of what is happening.

[Anthony van der Hoorn]

An important thing to remember here is that we are people and we are not evil. We posted the blog post and tweeted that this was something that we where intending to do and didn't here anything back.

Its obvious with the constructive feedback we have received that we need to go back to the drawing board on this. I will be releasing a release within the hour which has Insights fully removed. Then I'll start another discussion here on the best way to go about it. Hopefully that will result in an opt-in experience that works for everyone or the removal of the feature entirely.

Again, we are trying our best here to make the best product we can. Please bear that in mind moving forward. I will notice the list here directly when the release has gone live.

[Julie Lerman]

I can vouch that Anthony & Nik are not evil. J

[Andreas Håkansson]

My point is that no matter how benign and good-intended the data gather is - having something opt-out while it's not clearly communicated to users (Nuget installs and updates don't communicate this) is just going to leave a bitter taste. Like I said, I have no doubt that the intentions are the best.. but sometimes we cannot act even on the best of intentions. I know you, Julie knows you.. but what about 230,895 downloads? Do they trust you? What signal would it send to them? 

[Julie Lerman]

That wasn’t my point. I do agree that this should be opt-in and that opt-out was a mistake. My point is that based on knowing Anthony & Nik, I look at it as mistake to make it opt-out and I don’t think that they were intentionally attempting to sneak this one past anyone.

 

Julie

 

From: getglim...@googlegroups.com [mailto:getglim...@googlegroups.com] On Behalf Of Andreas Håkansson
Sent: Wednesday, February 12, 2014 3:26 PM
To: getglim...@googlegroups.com
Subject: Re: [getglimpse-dev] Glimpse "calling home"?

 

My point is that no matter how benign and good-intended the data gather is - having something opt-out while it's not clearly communicated to users (Nuget installs and updates don't communicate this) is just going to leave a bitter taste. Like I said, I have no doubt that the intentions are the best.. but sometimes we cannot act even on the best of intentions. I know you, Julie knows you.. but what about 230,895 downloads? Do they trust you? What signal would it send to them? 

[leqid]

I didn't intend to imply that you are evil, or even use the word evil. What I intended to say, and stand by, is that your behavior is disrespectful.

 

Are you saying that developers should read every blog post and every tweet about every software package that they install? Those blog posts you mention don't seem to have any detail about what was actually going to happen.

 

Anyway... THANK YOU for considering removing the feature. I've literally been sick to my stomach about this all morning... like I've been taken advantage of by someone I trusted. (My first mistake: trusting unknown parties online. Guess I needed a refresher on that important lesson.)

 

(And if that really is Julie Lerman, using Programming Entity Framework for current projects. Great book! Hope an update is in the works...)

[Anthony van der Hoorn]

OK new release is up. Insights has totally been removed. 

@leqid Sorry that you feel the way you do. Please note it wasn't our intent. If you feel up to it, it would be nice if you could update your posting to reflect the change we have made.

As mentioned I will start a new thread on the list which will pickup on the how we as an open source community can (if all) do even opt-in.

In addition, I will start posting blog posts to this list. One thing is clear, we don't have as much of an engaged community on the blog and twitter as we thought. Traditionally, we haven't had a great response to questions on the list, but hopefully to the new thread, we will get a good discussion going.

[Anthony van der Hoorn]

As a side note, I'm going to followup with a blog post letting people know whats happened as well.

[Nik Molnar]

Hehe:

> "Traditionally, we haven't had a great response to questions on the list" - Anthony

But when there is something done wrong or poorly the community is very swift to let us know! This reminds me of the great "we're going to sign our assemblies" post from 2012. I'm really glad to have people who care enough to let us make decisions and move the project and community forward - but still provide us rails so we don't go off the deep end.

Thanks for your encouragement and grace Julie. It's always a delight working with you.

As a side note, the data that has been gathered is anonymous. Would everyone like us to post it here for individual analysis?

Thanks,
Nik

[leqid]

Please note that I never said anything about your intentions... but one can hurt others without intending to do so.

 

Thank you for removing the "Insights" feature so quickly. Having everything unfold within the space of a few hours DOES speak highly of your intentions to the community.

 

>>If you feel up to it, it would be nice if you could update your posting to reflect the change we have made.

Done. Main post is here http://stackoverflow.com/questions/21737079/how-can-i-prevent-glimpse-1-8-2-from-posting-to-api-mixpanel-com. Note that it is completely factual.

 

I'm going to leave the post there, though, because 1.8.2 is out in the wild.

 

-

 

So... Does 1.8.3 send or receive data in any form to any device or place that is NOT the web server or browser where it is executing?

[avanderhoorn]

@leqid makes total sense and thanks very much! I'm just glad we where able to move quickly.

[leqid]

Hi again. Perhaps you missed my question above. I was hoping for clarity before considering installing Glimpse again. Thank you!

 

Does 1.8.3 send or receive data in any form to any device or place that is NOT the web server or browser where it is executing?

[Anthony van der Hoorn]

I'm not trying to be difficult, but exactly sure which question you are referring to. Could you ask it again so I don't miss it?

[Anthony van der Hoorn]

Oh ok I see it... I missed it because it looked like a signature with the "-", sorry about that.

All calls to mixpanel have been remove. All code that is responsible for doing what insights does has been removed. All the code was isolated to 1 file, so this was pretty straight forward.

To fully answer your question, there is a check that happens once a day to check for updates. This has been there since pretty much day one - around 3 years now. It notifies users when a new update is available.

[leqid]

Does 1.8.3 send or receive data in any form to any device or place that is NOT the web server or browser where it is executing?

[Anthony van der Hoorn]

If it wasn't clear the afore mentioned version check happens from the client, not the server.

[leqid]

Very good. THANK YOU!

[Matt Cowan]

I just installed glimpse from nuget, and I'm seeing this showing up in requests.  Is it enabled again, I thought this was removed? The api.mixpanel.com is blacklisted at this gov. client and "red flag" alert notifications are getting sent out  ...

[Matt C.]

k, seems to be related to using "Install-Package Glimpse.Mvc5" ... If I run update-package on Glimpse and Glimpse.AspNet after that, I see that those packages are quite old and get updated ... 

[Nik Molnar]

Yes Matt,

You must have gotten an old version. All of that code has been pulled out.

Thanks,
Nik

On Fri, Jan 30, 2015 at 6:19 PM, Matt C. <matthew...@gmail.com> wrote:

k, seems to be related to using "Install-Package Glimpse.Mvc5" ... If I run update-package on Glimpse and Glimpse.AspNet after that, I see that those packages are quite old and get updated ... 

--

You received this message because you are subscribed to the Google Groups "GetGlimpse-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to getglimpse-de...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[ellery-...@utulsa.edu]

Is there a way to turn this bit off? I can't seem to find any mention of it in the docs..

[Anthony van der Hoorn]

Just update to the latest version. This was in one release that went out over a year ago. It was removed after a few days. So just updating to a later version will fix this. There was also an optout if you need to stay on that version but I would recommend updating.

--
You received this message because you are subscribed to the Google Groups "GetGlimpse-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to getglimpse-de...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[ellery-...@utulsa.edu]

for the once a day update check?