RE: Surreptitious reporting...

Subject: RE: Surreptitious reporting...
From: "Sharon Burton" <sharon -at- anthrobytes -dot- com>
To: "'David Neeley'" <dbneeley -at- gmail -dot- com>
Date: Fri, 25 Sep 2009 10:25:26 -0700

See below.


sharon

Sharon Burton
MadCap Software Product Consultant
Managing your content, one topic at a time
www.anthrobytes.com
951-369-8590
IM: sharonvburton -at- yahoo -dot- com
Twitter: sharonburton


-----Original Message-----
From: David Neeley [mailto:dbneeley -at- gmail -dot- com]
Sent: Friday, September 25, 2009 9:57 AM
To: sharon -at- anthrobytes -dot- com
Cc: TECHWR-L
Subject: Re: Surreptitious reporting...

Sharon,

Correct me if I am wrong, but--

You stated the product collects information without the user's
knowledge or consent, and using a "server" sends it to the vendor.

Sharon: No, it collects the info from the server you the author put your
help on. (I don't know how the CHM stuff works and I can't speak to that.
Talk to MadCap's support for specifics about that)

Not from a website the user voluntarily visits, but from his or her
desktop. Without consent, without an opt-out (presumably).

Sharon: The help is hosted on the server you the author put the help on.
Your user voluntarily visits your docs hosted on your server.

How is this like a website the user voluntarily visits?

Sharon: Because your users visit your help on your server. No one is forcing
your users to do anything, just like no one forces you to go to any web page
in the world.

The user PAYS FOR THE SOFTWARE and expects it to be as advertised--not
other than, more than, or different than advertised. If the reporting
is not disclosed and is not consensual, where is the parallel?

Sharon: Then you the author should disclose that to your users. This is
hosted on your server (optionally, on a MadCap secure server). All files
that you host on any server for any reason have this level of reporting.

Unless there is something different than what you have stated in this
thread, I'm sorry--but it is clearly wrong and a dangerous precedent.

Sharon: Then don't visit web pages because this basic level of reporting is
done on every web server in the sky. But this is hosted on your server where
you decide to put your docs.

Were I running a doc shop, I simply would not have software I could
not trust which may represent a security hole.

Sharon: Nor should you. But there is no security hole because nothing is
installed and no information is being sent anywhere. The user pings your
server to look at your help docs. Your server already collects that ping
information. Feedback runs reports about your server ping activity.

Were I responsible for creating documentation that would collect
information from my customer's computers without their knowledge and
consent, I would definitely not want the potential public relations
damage and the word of mouth that might get out about it. In such
case, if I was the one who employed that software and the customers
became angry about it once they discovered it, I would probably lose
my job over it also.

Sharon: Yes, but you see, Feedback doesn't collect information from your
users computers. It collects information from your server and how your
server was pinged.

What I fail to understand is why you so casually dismiss the concerns
of so many on this list regarding this. The point is not what
information is gathered. It is not why it is gathered. Instead, it is
that *ANY* information is gathered and sent off premises without the
knowledge and consent of the customer.

Sharon: No information is "gathered and sent off premises". All information
is collected from your server computer about what happens at your server.
I'm not casually dismissing it - I'm telling you that what you think is
happening isn't happening.

This is a total disaster waiting to happen once software becomes
widely known to be doing such a thing, especially with today's
increasing awareness of security issues.

Sharon: There is no security risk because nothing is installed on your users
computer, nothing is *sent* anywhere. The server you host your docs on is
already collecting information about your server activity. Feedback
generates reports about what your server is already tracking and creates
reports for you. You run those reports and see what your users did on your
server.

And it would all be so easy to fix--simply disclose it and make the
behavior completely optional--possibly with some documentation of just
what information is collected and why. In that case--with full
disclosure--you will suddenly move from being considered sneaky and
potentially dangerous to someone who is actually seeking to make the
product better on behalf of the customers.

Sharon: If you think that you're being sneaky because your server is
monitoring what is being done in it, then you have a problem. Because your
servers are already doing this. Feedback, should you decide to buy it and
install it on your server, simply aggregates that info and generates reports
for you. (again, I don't know how the chm part works. Contact support to
find out more)

Yes, it might be a little bit of a sales job. No, it should not be an
insurmountable obstacle.

What is so hard about that? And why would you object to openness and
full disclosure to the customer who is, after all, paying the bills?

Sharon: I think that part of your upset is that you think MadCap is somehow
spying on you or your users. It's not. You buy Feedback, you install it on
your server. You run reports about your users and other stuff. It's all in
your control. MadCap has no interest in what your users are doing.

David

On Fri, Sep 25, 2009 at 18:21, Sharon Burton <sharon -at- anthrobytes -dot- com> wrote:
> OK, let's all calm down a bit. This is a massive over-reaction. Let's take
a
> deep breath. Now we're throwing claims around that MadCap is breaking the
> law and we should all demand a refund of all MadCap products and complain
to
> the FTC. And claiming that those at MadCap should be ashamed of themselves
> for pushing the product.
>
> Sigh.
>
> No one is collecting *personal* information of any sort in Feedback. None.
> Not a drop. No information other than any basic web server you visit is
> being collected. Not a drop more.
>
> *Nothing* is installed on your computer, *nothing* is being "sent".
>
> You are all aware that every time you visit the most vanilla website,
basic
> information is collected. No personal information is collected when you
> visit information about your visit is tracked. There is nothing illegal
> about that, as far as I know. But IP address, search keywords that got you
> there, pages visited, page that exited the website, and so on are all
> tracked by servers for all websites. Not a drop of personal information is
> tracked.
>
> Here's a thought - if you find this to be the worst thing ever, stop
> visiting web pages on the 'Net. Because every single website you visit is
> collecting this sort of basic non-personal information. It really is.
>
> If you choose, you as a user can opt in to the Web 2.0 features of
Feedback
> and post comments in the Flare help, for example. You don't have to do
this
> if you don't want to. Nothing bad happens to you if you chose to not do
> this.
>
> But I want to repeat to the list again: Not a single drop of personal
> information is collected about you. Not a drop more information is tracked
> than the basic reporting of all web pages you visit in the world.
>
> (God, where is Mike when I need him...)
>
>
> sharon
>
> Sharon Burton
> MadCap Software Product Consultant
> Managing your content, one topic at a time
> www.anthrobytes.com
> 951-369-8590
> IM: sharonvburton -at- yahoo -dot- com
> Twitter: sharonburton
>
>
> -----Original Message-----
> From: techwr-l-bounces+sharon=anthrobytes -dot- com -at- lists -dot- techwr-l -dot- com
> [mailto:techwr-l-bounces+sharon=anthrobytes -dot- com -at- lists -dot- techwr-l -dot- com] On
> Behalf Of David Neeley
> Sent: Friday, September 25, 2009 6:33 AM
> To: TECHWR-L
> Subject: Surreptitious reporting...
>
> I'm afraid I must side with the majority on this one. With all the
> security problems out there, if ANY application was trying to collect
> any data without my express knowledge and permission, I would wonder
> what else it might be collecting despite the protestations of the
> vendor.
>
> While my firewall would catch it, the vendor would also catch my
> demand for a refund and, quite possibly, a lawsuit and more probably
> an FTC complaint.
>
> Personally, I want to know and agree any time an application wants to
> send data anywhere. Companies like Microsoft love this sort of thing,
> yet their track record for security is abysmal--to take just one
> example. Their "security center" complains about a "possible security
> issue" every time I boot into Windows simply because I will not enable
> automatic updates--yet they themselves are a major source of problems
> with gaping security holes like Active X, to give just one example.
>
> If you work with a large organization, ask your IT security folks what
> they think about a piece of software that is set to send data about
> use to the vendor without the knowledge or assent of the company. I
> suspect you have better than even chances they will be adverse to the
> idea.
>
> Even if the intent of the software was benign, it is so outrageous on
> its face (from the customer's perspective) that I would seriously
> question the judgment of the company and its product managers who has
> pushed this.
>
> I cannot see any reason at all why it should not be totally voluntary
> on an opt-in basis after being fully disclosed to the customer.
>
> MadCap's part of all this lies in enabling it in any way that may not
> require such advance disclosure and permission.
>
> However, remember it isn't MadCap's liability so much as it is any
> company's who produces online help using this tool and sells it into
> the marketplace.
>
> David
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>
>
>


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Free Software Documentation Project Web Cast: Covers developing Table of
Contents, Context IDs, and Index, as well as Doc-To-Help
2009 tips, tricks, and best practices.
http://www.doctohelp.com/SuperPages/Webcasts/

Help & Manual 5: The complete help authoring tool for individual
authors and teams. Professional power, intuitive interface. Write
once, publish to 8 formats. Multi-user authoring and version control! http://www.helpandmanual.com/

---
You are currently subscribed to TECHWR-L as archive -at- web -dot- techwr-l -dot- com -dot-

To unsubscribe send a blank email to
techwr-l-unsubscribe -at- lists -dot- techwr-l -dot- com
or visit http://lists.techwr-l.com/mailman/options/techwr-l/archive%40web.techwr-l.com


To subscribe, send a blank email to techwr-l-join -at- lists -dot- techwr-l -dot- com

Send administrative questions to admin -at- techwr-l -dot- com -dot- Visit
http://www.techwr-l.com/ for more resources and info.

Please move off-topic discussions to the Chat list, at:
http://lists.techwr-l.com/mailman/listinfo/techwr-l-chat


Follow-Ups:

References:
Surreptitious reporting...: From: David Neeley
RE: Surreptitious reporting...: From: Sharon Burton
Re: Surreptitious reporting...: From: David Neeley

Previous by Author: RE: Surreptitious reporting...
Next by Author: RE: Follow-up to question about getting feedback from users
Previous by Thread: Re: Surreptitious reporting...
Next by Thread: Re: Surreptitious reporting...


What this post helpful? Share it with friends and colleagues:


Sponsored Ads