Ask HN: My app is being bullied on Google webstore, What to do?
Day 0: - I had almost 100 reviews on my app. Most of them were 5/5. And chrome webstore was showing full five stars for this app.
Day 1: - A guy (with empty profile) posted a 1/5 rating, claiming that my app is not safe to use. And interestingly only the same day, I got more than 20 new 1-out-of-5 ratings, and none of them had any text reviews. Generally I rarely get less than 5/5 rating, you can check from the below link.
Day 2: At Day 1's end, I posted a reply on the guy's review that my app is safe, and you can contact me on the given ID. Next day I woke up and saw, his 1/5 review starting with "Avoid this app" is on the top, and my reply was completely removed. Which can only happen when lot of people click on mark-as-spam.
So, I need help from you guys. I do not have any contact at Google, and even if there was not sure how much they can help. Any suggestions what should I do next?
Note: We can discuss this later/seperately, but my app is 100% safe and I am an ethical developer.
https://chrome.google.com/webstore/detail/sticky-notes-just-popped/plpdjbappofmfbgdmhoaabefbobddchk/
57 comments
[ 2.6 ms ] story [ 118 ms ] threadApparently these things are OK for most people nowadays, and I guess if you use Chrome you don't care about your privacy anyway, and I guess I don't trust any closed source software at all, but having analytics in a browser extension is a pretty big no-no.
Just like 10 out of 1000 people click on this button so I should remove it. 400 out of 1000 people use this feature, so I should improve it.
How about educating end users on the analytics vs privacy part.
My opinion: ...and it should be both disclosed and opt-in.
My opinion: ...and users shouldn't act surprised by it.
> My opinion: ...and it should be both disclosed and opt-in.
And, perhaps, avoided completely–once your shop has resources to spare for in-house testing and usability research.
I installed your extension, and it's fantastic - here's my 5 star review!
It USED to read that you had to ask for opt-in permission BEFORE you began tracking (which is the current pattern my app follows, but how many other apps/extensions have I seen do this?.... 0).
In my app, upon install/launch it prompts the user with a popup asking if they would like to help the developer out by sending anonymous data. I made it opt-in (the user had to explicitly check the box). Out of a daily 4500 Active Users, I only have 4 people who opted in (it's less than 0.1% for those who don't want to do the math).
With the old policy of requiring user's permission to opt-in, it makes it really difficult for any developer (who follows the rules) to get any valid feedback. I've posted on the Google Group and Stack Overflow and the question is basically ignored because it's an open secret that most people simply treat it like any website analytics as in they embed the code to track and move on.
I currently follow the Firefox pattern/language choice:
[ ] Share performance, usage, hardware and customization data anonymously with the developer to help make ___ better. <<Learn More About Data Collected>>
TLDR; You'll get 0.1% compliance if you make data collection opt-in and you're upfront about data collection... it sucks because it makes the whole "Collect/Analyze Data" part of Development very difficult.
> [ ] Share performance, usage, hardware and customization data anonymously with the developer to help make ___ better. <<Learn More About Data Collected>>
IMO the wording is really important here. If I were to write this section of user preferences, I'd go for something like:
▸ Help improve X
Click on which expands the panel:
□ Allow collecting anonymized information about the usage of the application. It will be used for <reasons>. Only the following data will be sent to us over encrypted connection: <easy-to-understand list>. <<Learn more>>
(I know it's easy to give advice, though, and I don't have my own product on which to test copy ideas yet.)
IMHO all static websites have analytics, yes the HTML one's too. Browser extension need tools like analytics 100x more.
None of my websites have analytics, and I feel violated by the ones that do. Especially newspaper websites are big offenders. I even go as far that my custom build web server does not have a log. I don't want to know who visits my website, in fact if I had a log I'd get rid of it like it was the plague.
Why don't you just ask your customers what they want? That's what I do, I believe I also get more accurate information that way.
Also I enquired about the privacy issue in Google Analytics, only thing I got was: - "Google tracks that visit via the user's IP address in order to determine the user's approximate geographic location."
I am using is custom events. Lets say I do not use Google-Analytics but my own server who just record custom events (anonymized IP Addresses) then the app will be considered private and secure.
Read Privacy Issue section on http://en.wikipedia.org/wiki/Google_Analytics#Privacy_issues.
What I feel from all these is - it is justified to call the app secure as its about the user data, not anonymized behaviour analysis. That is only for app improvement, and independent of a particular person (ie. privacy).
Hahaha... No, of course it will not be. No app with phone-home analytics is private.
If we look at any authentic reference (Ex: http://en.wikipedia.org/wiki/Google_Analytics#Privacy_issues) we will find only when an app associates behaviour-analytics with attributes such as IP Addresses and Geolocation data, it may debate privacy issues, otherwise not.
If you see the word 'privacy', it only activates when an individual is being talked about. There are no specific users on this app, no email id, no unique id. All requests are considered similar irrespective of origin.
As for your claim of "no unique id", this is simply false. Google Analytics keeps track of an unique id for each user, they can tell you the count of unique visitors after all.
When you're boasting about privacy, do not track your users. What else are you meaning to imply with "privacy"? That the notes are not being sent to your server? Well, I goddamn hope so. Is there anything that makes your app more private than any other?
To put it bluntly, I don't give a flying f%ck about this. You said "private" and then your app phoned home behind my back - you outright lied to me. There's one definition of privacy, doubly so for people who actually care about it, and it doesn't come with weasel caveats like yours. So that one star you got is wholly justified and you should really listen to what people here are telling you, because that's exactly the feedback you are not getting from people giving you 1 star in the Chrome store.
In the end it's all really simple - either remove analytics from the app or remove "private" from its description.
Analytics aggregate data are just the strawman. Note data WAS in fact being recorded from individual users and sent to Inspectlet servers.
Could you tell us more about the "new analytics startup"? It seems like that's the code the reviewer was referring to (which you have said is no longer there in the extension)
Sure, you got a few bad reviews out of it, but unless it continues for several days I wouldn't worry too much about it. FWIW I haven't looked at the app or its source code but I wouldn't call this "cyber bullying".
Have you considered releasing the source code on github and linking to it so people can easily take a look and see for themselves?
We have millions of players, but the most vocally aggressively negative - those that just bash us as a company and as liars non-stop have been playing our games for years. YEARS.
You will never get away from trolls in any industry that has public reviews. Ask any restaurateur on Yelp, anyone with an app on any App Store, etc. It's absurd but just part of the deal at this point in time.
Not sure myself about the term "Cyber Bullying", but I used this word because I got:
1). more than 20 1-ratings (You cannot see these 20-25 negative ratings as there are were no text reviews written with it.)
2). few complaints+emails on the same day.
3). And my app rating came down from 5 to 4, thats a huge setback on the competitive end. (Lost the app's repo which took an year to build)
4). Few comments which have been cross-upvoted so all new / old users sees them on top. And my reply down-voted by the same group that it was removed completely by Chrome. Today I had to reply on it for the third time. And I do not have bandwidth to keep refreshing page every few hours.
I came across this junk by chance. I needed a note-taking app. Simple as that. I became suspicious after I noticed the websocket connection to herokuapp.com — he's logging client IP ... no sh*t.
Just my 2c.
If the developer is not meant to be trusted, then what is a good solution to this problem? Not everyone would want to open-source their app/game.
Which part do you not understand when I say I NEVER used any keylogger. This is the only reason I didnt comment on any of your comments. Please edit or remove them.
I'm that guy. No, I am not lying. I have the original version (prior to Aug 27 update) that recorded keystrokes.
After reading your comments on this thread, it seems to me that you're in a panic and desperately trying to dispel the whole thing. My only regret is that I didn't get to warn people earlier.
Chrome doesnt allow extensions to get that data unless the extension asks for daring permissions like "Access your data on all websites".
Currently the app asks for no such permission. There were some features I planned to integrate like user right-click a text and click on 'send to Sticky note', but now terrified whether to even ask for such permissions.
I think the best course of action would be to do the following
1. Put up code on github as others have suggested, thereby reassuring existing users
2. Publicly state in a reply to the comment that you had indeed integrated the screen recording service to help you understand user behavior, so that you could make a better app.
3. Put a disclaimer on the details page for Google Analytics with a link to opt out.
1). more than 20 1-ratings (You cannot see these 20-25 negative ratings as there are were no text reviews written with it.) 2). mass complaints sent to Google that day. 3). And my app rating came down from 5 to 4, thats a huge setback on the competitive end. (Lost the app's repo which took an year to build) 4). Few false reviews which have been cross-upvoted so all new users sees them on top. And my reply down-voted by the same group that it was removed completely by Chrome.
And there has never been such thing as Inspectlet in the app, and also the person who commented this is not communicating with me, so I would let this one go. And thus no need for that statement. Will make the app opensource, so this will never be an issue in the future, "hopefully".
I had downloaded the crx file before you removed Inspectlet. Yes. There was such a thing as Inspectlet in the app, and it was used specifically to record user keystrokes.
Looks like you forgot to delete the HTML comment tag, "<!-- Begin Inspectlet Embed Code -->", from the bottom of popup.html. You may want to do it asap before he "lies" about that too ;)
> Will make the app opensource, so this will never be an issue in the future, "hopefully".
You already made it open-source (https://github.com/Epinx/Sticky-Notes), but then uploaded a separate malicious version to the chrome web store. Open-sourcing it would only give users the impression that it's safe, while giving you a chance to twist and slither away like you just did.
Why would you use a service like this in your extension? Sounds like a dumb idea to me! They are privacy intrusive and say that proudly on their main page, so you were not tricked into using a malicious tracking service, you diligently chose it - the bad reviews are justified.
The popup's textarea className had a hyphen, which caused inspectlet to include this in the data to upstream. This was done deliberately; if you were watching user's on your end, you would have noticed and corrected this. Instead, you allowed this to go on for months.
You were also doing this in your $7.99 "pro" version, which was mysteriously unpublished days later... Here's a suggestion: why don't you unpublish this one too and get off the webstore.