Things You Should Know About Windower v4

[Aureus]

I don't really know much about Google Analytics, but I think the concern is that this information is being collected unbeknownst to the user, and a typical user isn't going to know what's being gathered, or what the Windower team is doing with the data.

I've updated the installer text and posts to include analytics information. So lay to rest any fears of collecting data unknown to the user

They say it's being used to track plugin usage, but the data they collect could also easily be sold to an ad agency or any number of other interested parties. "What they don't know can't hurt them" is a terrible policy when it comes to information security.

No, it can't. No personal identifying information is collected. And I highly doubt any ad agency would have any use for the knowledge that X% of windower users are from north america. Google analytics data isn't nearly as fine-grained as you think it is

Plus, as mentioned, there are plenty of ways to block this system-wide if you're concerned about privacy.

[Obsidian]

So BG should have a big warning label as well? FFXIAH? FFXIDB? Pretty much every site most of the users of Windower are guaranteed to be on?
Just because it's easier to block from a browser? It's hard to make that argument as well when the people you're worrying about aren't going to know how to do that either. =/

I understand the concern, but it's misplaced in saying that Windower is at fault when it's not the first to do this, just the first to be blamed.

Ideally, anyone collecting information about you should inform you that they are doing so, yes. I'm willing to bet that somewhere, buried in the Terms of Use for BG and its ilk, they make mention of their data collection policy. It's not like in this case the information is just hidden away somewhere. Until it was brought to light by someone decompiling the source code, there was no mention of this practice anywhere.

Edit: Not trying to sound accusatory. It's late and getting increasingly difficult to articulate myself. I was just trying to point out that BG (probably) warns users about its usage tracking policies somewhere.

[Aureus]

It's not like in this case the information is just hidden away somewhere. Until it was brought to light by someone decompiling the source code, there was no mention of this practice anywhere.

Dude, it went live like 24 hours ago. I forgot it in the writeup. There's no mass conspiracy here, it was a mistake, it's been rectified.

[Kohan]

Dude, it went live like 24 hours ago. I forgot it in the writeup. There's no mass conspiracy here, it was a mistake, it's been rectified.

Considering how adorably condescending the "ultra-paranoid type" line you've added is, I am not so inclined to believe that you "forgot," but we'll go with that.

As you've stated that it does not collect any personal information, does this mean that Windower anonymizes the information that it submits?

[Praenuntiae]

Considering how adorably condescending the "ultra-paranoid type" line you've added is, I am not so inclined to believe that you "forgot," but we'll go with that.

Was just thinking that myself, along with "If you're that paranoid about security, just add a hosts entry for google-analytics.com? I'm not seeing how this is a big deal." and "I guess I just don't understand why" but either way I'm glad to see this "oversight" has been remedied.

[Aureus]

Considering how adorably condescending the "ultra-paranoid type" line you've added is, I am not so inclined to believe that you "forgot," but we'll go with that.

Considering that all the uproar is over something that the website we're all posting on uses, I'd say the "ultra-paranoid" is a justified modifier. It has hardly been a secret, anyone in our IRC channel was already aware of it as we've talked about it multiple times. It just got forgotten in the post.

As you've stated that it does not collect any personal information, does this mean that Windower anonymizes the information that it submits?

There's nothing sensitive to submit, really. Google analytics doesn't have anything more modular than your country and language, basically.

[Kohan]

Considering that all the uproar is over something that the website we're all posting on uses, I'd say the "ultra-paranoid" is a justified modifier. It has hardly been a secret, anyone in our IRC channel was already aware of it as we've talked about it multiple times. It just got forgotten in the post.

What happened on your IRC channel is unimportant, as the majority of the people who are reading this thread have likely never been there, and never will be. That you are so willfully condescending toward people who are discussing this is unfortunate, especially since some of those discussing it actively in this thread are not "ultra-paranoid," and are in fact plenty educated in relation to Google Analytics and privacy matters.

There's nothing sensitive to submit, really. Google analytics doesn't have anything more modular than your country and language, basically.

As that's the information supplied by providing your IP address, yes. By anonymizing the data, you wouldn't receive as accurate of location information. Does Windower anonymize anything (e.g., by only providing a partial IP), or does it collect everything that Google Analytics can possibly collect? Is this functionality accessible to developers creating plug-ins, et al?

[Aureus]

As that's the information supplied by providing your IP address, yes. By anonymizing the data, you wouldn't receive as accurate of location information. Does Windower anonymize anything (e.g., by only providing a partial IP), or does it collect everything that Google Analytics can possibly collect? Is this functionality accessible to developers creating plug-ins, et al?

We don't report IP, google derives this information on upload. And again, I really cannot stress this enough, this site collects the same data. As does ffxiah. As does every other website you use.

[Kohan]

We don't report IP, google derives this information on upload. And again, I really cannot stress this enough, this site collects the same data. As does ffxiah. As does every other website you use.

Though as established, users may choose to block Google Analytics in their web browser, and in various countries, the freedom to do so is in fact required due to their privacy laws.

Would I be correct in assuming that this is what you're using? https://github.com/noxad/google-analytics-dot-net

[Aureus]

Though as established, users may choose to block Google Analytics in their web browser, and in various countries, the freedom to do so is in fact required due to their privacy laws.

I see this now, but it seems a tad hypocritical to me to react so negatively to standard analytics, on a site which uses the exact same thing no less(which is NOT mentioned in the privacy policy, by the way, only google adsense is).

Would I be correct in assuming that this is what you're using? https://github.com/noxad/google-analytics-dot-net

We use this: https://developers.google.com/analyt...l/v1/reference

[Praenuntiae]

I see this now, but it seems a tad hypocritical to me to react so negatively to standard analytics, on a site which uses the exact same thing no less(which is NOT mentioned in the privacy policy, by the way, only google adsense is).

Huge difference between this site, and your program "By using this site, you consent to the collection and use of this information by us." taken directly from the privacy statement for this website, I can also with fairly high certainty say that any other website collecting user data will have similar statements somewhere not just throw the code in there.

(that is of course until you fixed it)

[Kohan]

I see this now, but it seems a tad hypocritical to me to react so negatively to standard analytics, on a site which uses the exact same thing no less.

If that's what you believe is happening here, I'm afraid that you're misreading much of what has been said.

I, for one, take no issue with Google Analytics. However, due to my familiarity with software development and my understanding of the related industries, I understand the importance of transparency. In today's world, your average soccer mom may know that a little casual game she'll download to her phone could harvest her personal data, and she will look out for that. Does she understand how or why it does that? No, but it's a concern for her nonetheless. She is not unique; in online mobile shops and among major digital product distributors alike, customers are ever on the lookout for data harvesting, due to their increased awareness. I speak for them, not for myself, as you and I are the minority, and they the majority.

As they are the masses, they are the ones who will be using Windower. They will see this thread, and they will wonder. Without transparency and the reassurance it provides, they may well choose not to use Windower. To them, it will be a case of "better safe than sorry."

Furthermore, there are laws that require either the anonymization or at least full disclosure in relation to data being harvested, and this does cover Google Analytics as well. That is why its data can be anonymized, as documented here in relation to JavaScript, and as natively provided in the library that I mentioned before.

On that token, even though the various websites that users visit may use Google Analytics, it does not mean that these websites use it in the same capacity that Windower does. Most probably, they do, as I doubt any of them are tailored to accommodate foreign privacy laws. Then again, maybe they are.

What I am asking is what other people would want to know, but wouldn't know how to articulate as well. It seems like you're doing a simple request that does not anonymize the IP, and therefore provides all of that information. Is this correct? Additionally, is this only supplied to the core developers, or is it available to anyone developing plug-ins/scripting (as I imagine it may be, since you've stated that it will be used to determine which tools should be continuously worked on)?

I understand that Windower v4 will also be capable of updating a user's plug-ins on its own. What methods does it use to do this?

[Aureus]

Huge difference between this site, and your program "By using this site, you consent to the collection and use of this information by us." taken directly from the privacy statement for this website, I can also with fairly high certainty say that any other website collecting user data will have similar statements somewhere not just throw the code in there.

(that is of course until you fixed it)

Yeah, but "this information" doesn't mention the analytics data, only the adsense data. The only way to see that analytics is used is to check the page source.

[Praenuntiae]

Yeah, but "this information" doesn't mention the analytics data, only the adsense data. The only way to see that analytics is used is to check the page source.

If you want to refer strictly to Google analytics data how about the Terms of Service policy you accepted in order to use Google analytics take a look you will find this "You must post a Privacy Policy and that Privacy Policy must provide notice of Your use of cookies that are used to collect traffic data".

Also "this information" is referring to all data collected by the site both for adsense, registration, and all other forms listed if any.

[Aureus]

As they are the masses, they are the ones who will be using Windower. They will see this thread, and they will wonder. Without transparency and the reassurance it provides, they may well choose not to use Windower. To them, it will be a case of "better safe than sorry."

And that's the reason for my, as you liked to call it, condescending and dismissive attitude. These metrics are NOT a big deal, and we both know it. I don't want to cater to misinformed panic, I want to shut it down.

What I am asking is what other people would want to know, but wouldn't know how to articulate as well. It seems like you're doing a simple request that does not anonymize the IP, and therefore provides all of that information. Is this correct? Additionally, is this only supplied to the core developers, or is it available to anyone developing plug-ins/scripting (as I imagine it may be, since you've stated that it will be used to determine which tools should be continuously worked on)?

I understand that Windower v4 will also be capable of updating a user's plug-ins on its own. What methods does it use to do this?

We're doing a simple post with barebones information. A client guid, OS version, and launcher version. This is followed by a followup post to finalize the data on app launch and to upload the plugin statistics.

Only 2 people have access to the data, Iryoku(who wrote the launcher and would be a much better person to answer implementation-specific questions once he wakes up) and myself. I don't anticipate anyone else being given access, the information is half curiosity (how many users do we actually -have-?) and half prioritization (if an update breaks 10 plugins, what order do we fix them in?).

Plugin updates go through our server, a manifest is checked and downloads whatever is necessary via comparing version numbers.

[Kari]

Though as established, users may choose to block Google Analytics in their web browser, and in various countries, the freedom to do so is in fact required due to their privacy laws.

You MAY choose to block them in your browser. You MAY also choose to block them from other sources.
The freedom is the same in both situations.

Still, everyone now understands that this is apparently important to some people somewhere, and it's since been remedied.
The way this thread started out was really slanderous though. The OP has some false claims about what information was being gathered, hardly explained Google Analytics, and then tries to downplay 4.0 as an unnecessary version upgrade.

A post explaining Google Analytics, and asking for it to be made known would have been fine. None of the rest was necessary. I can't blame aureus for being defensive.

[Praenuntiae]

You MAY choose to block them in your browser. You MAY also choose to block them from other sources.
The freedom is the same in both situations.

Still, everyone now understands that this is apparently important to some people somewhere, and it's since been remedied.
The way this thread started out was really slanderous though. The OP has some false claims about what information was being gathered, hardly explained Google Analytics, and then tries to downplay 4.0 as an unnecessary version upgrade.

A post explaining Google Analytics, and asking for it to be made known would have been fine. None of the rest was necessary. I can't blame aureus for being defensive.

I agree that this could have started out differently as well. In the end all that really matters is people will be informed of what data is collected and what it's used for which it appears it now is. I disagree with the condescending tone of certain parts of said statement especially being that it's required by google's ToS to even use google analytics. That is however Aureus's choice.

[Kohan]

And that's the reason for my, as you liked to call it, condescending and dismissive attitude. These metrics are NOT a big deal, and we both know it. I don't want to cater to misinformed panic, I want to shut it down.

One of the best ways to do that, though, is not to dismiss it, but to explain why it isn't a concern, and to do so in layman's English. You may feel that it's a bother, and that it's unimportant, but someone who does not know any better will be scared off by that. They're going to want to read something that reassures them. They'll look for a FAQ, or a help document, or a ReadMe (perhaps not so much that nowadays), or they'll Google about it, wanting to know, "Why does this collect my information?" They won't know what a post or anything of the sort is (well, not in software terms, anyway—maybe they'll think of a wooden post)—they just want someone to pat them on the head and tell them, "it's all right, everything's safe."

It may seem like an unnecessary bit of hand-holding, but it isn't—it's good for one's reputation and their public relations. People complain about data gathering, DRM, and anything else they're exposed to. It's also literally illegal in some parts of the first world to gather such data without the user's consent and understanding.

We're doing a simple post with barebones information. A client guid, OS version, and launcher version. This is followed by a followup post to finalize the data on app launch and to upload the plugin statistics.

Only 2 people have access to the data, Iryoku(who wrote the launcher and would be a much better person to answer implementation-specific questions once he wakes up) and myself. I don't anticipate anyone else being given access, the information is half curiosity (how many users do we actually -have-?) and half prioritization (if an update breaks 10 plugins, what order do we fix them in?).

Plugin updates go through our server, a manifest is checked and downloads whatever is necessary via comparing version numbers.

In other words: some basic data about the user's PC is collected, but nothing that identifies them as an individual. Although the full IP and therefore their entire geographic location data is included, the location data is discarded, as you have no use for it; all that you collect and maintain is a database involving things like OS saturation, and what version of the Launcher they've got. As for the plug-in updating, you scan the DLLs for their version numbers, submit that information in a manifest that then compares against whatever you have on your servers, and subsequently, any newer plug-ins are downloaded to the user's machine.

Have I missed anything, or would that cover it all?

[Aureus]

One of the best ways to do that, though, is not to dismiss it, but to explain why it isn't a concern, and to do so in layman's English. You may feel that it's a bother, and that it's unimportant, but someone who does not know any better will be scared off by that. They're going to want to read something that reassures them. They'll look for a FAQ, or a help document, or a ReadMe (perhaps not so much that nowadays), or they'll Google about it, wanting to know, "Why does this collect my information?" They won't know what a post or anything of the sort is (well, not in software terms, anyway—maybe they'll think of a wooden post)—they just want someone to pat them on the head and tell them, "it's all right, everything's safe."

It may seem like an unnecessary bit of hand-holding, but it isn't—it's good for one's reputation and their public relations. People complain about data gathering, DRM, and anything else they're exposed to. It's also literally illegal in some parts of the first world to gather such data without the user's consent and understanding.

As you may have noticed, public relations is not one of my strong points

In other words: some basic data about the user's PC is collected, but nothing that identifies them as an individual. Although the full IP and therefore their entire geographic location data is included, the location data is discarded, as you have no use for it; all that you collect and maintain is a database involving things like OS saturation, and what version of the Launcher they've got. As for the plug-in updating, you scan the DLLs for their version numbers, submit that information in a manifest that then compares against whatever you have on your servers, and subsequently, any newer plug-ins are downloaded to the user's machine.

Have I missed anything, or would that cover it all?

Slightly backwards on the updating, manifest is downloaded which contains the current versions, this is compared locally against the currently installed versions, and any necessary updates are downloaded.

[Kohan]

Slightly backwards on the updating, manifest is downloaded which contains the current versions, this is compared locally against the currently installed versions, and any necessary updates are downloaded.

Ah, I literally read that not long before and obviously forgot between then and my summary. I understand.