Closed Bug 362054 Opened 19 years ago Closed 19 years ago

StumbleUpon needs to describe data collection and include link to privacy policy in its description

Categories

(addons.mozilla.org Graveyard :: Administration, defect)

Product:
addons.mozilla.org Graveyard
Component:
Administration
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: tokul, Assigned: shaver)

References

(
URL
)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060830 Firefox/1.5.0.7 (Debian-1.5.dfsg+1.5.0.7-2) Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060830 Firefox/1.5.0.7 (Debian-1.5.dfsg+1.5.0.7-2) I suspect that addons.mozilla.org is used to distribute malicious extension and plugin developer is astroturfing or removing negative feedback about his extension. People on irc.mozilla.org #addons channel recommended filing bug about it or contacting extension developer. I don't know other way to report about it. Some people might think that StumbleUpon extension is spyware or adware. I've posted comments about it on extensions page. Comments got deleted. It is possible that comments got deleted because I've pasted incorrectly formated text or my comments are too big or you want to review comments. I prefer to keep my tinfoin hat on and think that my review was correct. There is no preview option in comments page and I can't see line feeds in tiny textarea used for comments. Main extension issues: 1. extension can be used to deliver ads (http://www.stumbleupon.com/ads/). Yet extension claims that it is not adware. "Personal recommendations" are ads. Extension provides ad supported service. 2. extension hijacks home page in order to force user signup. 2.89 and later versions should do that only once. 3. user information is stored on remote servers and StumbleUpon "may share some aggregate information about our userbase with sponsors and business partners." 4. Version 2.88 changelog entry looks like extension uses some custom protocol. "* Improves sign-up support for people using proxies and advanced firewalls.". Basic HTTP POST and GET requests should work with proxies and advanced firewalls. I suspect astroturfing in comments, because bad reviews are removed and overwhelmed with positive '5 out of 5' reviews. I strongly recommend reviewing extension's code and making sure that it does not violate user's privacy. I recommend reviewing behaviour of StumbleUpon extension developer and making sure that addons.mozilla.org is not used to promote malicious extensions. I understand that this report is not a bug and I should contact extension developer first, but I don't want to have private communications that can't be reviewed by other people. Reproducible: Always
(In reply to comment #0) > 1. extension can be used to deliver ads (http://www.stumbleupon.com/ads/). Yet > extension claims that it is not adware. "Personal recommendations" are ads. > Extension provides ad supported service. "Adware" is not a useful term, really, since it is used to mean things ranging from "has links to a site that displays Google AdSense" to "rewrites content to insert its own ads" to "spams the user with new windows and tries to trick them into clicking on it". StumbleUpon, like most reputable search engines, appears to include paid links in the "results" they send to "Stumbling" users. I don't think that their actions here constitute abuse or put the user at risk, and I wouldn't describe it as "adware" (which for me is a term that tends towards the abusive side of the spectrum). > 2. extension hijacks home page in order to force user signup. 2.89 and later > versions should do that only once. I don't think that this makes the extension spyware or adware, even by the broadest definitions, and it sounds like the problem that you're describing was fixed in the latest version, so I'm not sure what the complaint is, exactly. Sorry if I'm missing something! > 4. Version 2.88 changelog entry looks like extension uses some custom protocol. > "* Improves sign-up support for people using proxies and advanced firewalls.". > Basic HTTP POST and GET requests should work with proxies and advanced > firewalls. I don't understand why this would be a problem, though it's not clear what the extension actually _does_ that you find to be related to it being spyware or adware. Inference from text in the changelog doesn't really tell us much. > I suspect astroturfing in comments, because bad reviews are removed and > overwhelmed with positive '5 out of 5' reviews. We unfortunately don't have any good way, at present, of tracking the deletion of comments (though they are performed by a reviewer and not by the extension developer, to be clear). Comments that are inflammatory, rude, or make accusations without substantiation are often subject to deletion, though. Based on my own real-life encounters with StumbleUpon users, though, I would not be surprised at all to find that they were real users. I have literally been stopped at parties when wearing a Firefox fleece by someone who wanted to tell me about StumbleUpon, strange though that may seem. > I strongly recommend reviewing extension's code and making sure that it does > not violate user's privacy. As StumbleUpon does seem to collect aggregated data, they should mention that in their description, and I'll mail them today to ask them to update their description appropriately. The StumbleUpon authors have been good members of the Mozilla extension community for quite some time (as evidenced by their low extension number, for example), and I have high confidence that they'll act quickly to clarify the data collection issue in their description. I haven't seen any evidence that they act maliciously (that is, to harm users or put them at risk), and with the exception of the missing privacy policy reference, I think they're in pretty good shape with their current listing and offering. For your technical questions about "custom protocols", I recommend that you contact the developer directly. They will be able to speak to the details there much more effectively than we can. Thanks for your detailed report, and for bringing the lack of privacy policy information to our attention! Apologies for the cumbersome comment interface; we are hard at work on a replacement that should be much more usable.
Status: UNCONFIRMED → ASSIGNED
Component: Policy → Add-ons
Ever confirmed: true
Summary: Is stumbleupon extension spyware or adware? → StumbleUpon needs to describe data collection and include link to privacy policy in its description
StumbleUpon's description has not been updated.
Bleh. I went looking for the mail I sent, and found that I bounced it (typo, I think). I'll resend it today, thanks for the reminder.
Assignee: nobody → shaver
Status: ASSIGNED → NEW
Copying the author here, as well.
Status: NEW → ASSIGNED
Blocks: 373259
I've added both the Terms of Service/EULA and Privacy Policy links to the stumbleupon entry at preview.addons.mozilla.org. (new AMO has sections for both) The new AMO is slated to go live on Mar 15th.
Thank you.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Component: Add-ons → Administration
QA Contact: policy → administration
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.