Well, because, in order to satisfy the most finicky of its users (myself included), VS Code offers no less than 6 styles for its cursor ('block', 'block-outline', 'line', 'line-thin', 'underline' and 'underline-thin') and 5 animations ('blink', 'smooth', 'phase', 'expand' and 'solid'). Also, in a future release the themes will be allowed to change the color of the cursor to any of the 16,581,375 colors in the RGB spectrum.
Paul was talking about a different extension, but anyway...
The onclick event listener is the same thing Google does with the search results. Perform a search on Google and right-click a link, then you'll see the URL changes to the a Google proxy server that collects data about your click for analytics purposes. The reason is so the whole process is more transparent and the users can see the actual URL they end up with when clicking the link. The intention was not to hide anything, but to keep things as unobtrusive as possible. I'm sorry if it felt any other way!
My claim was not that I could have sold your passwords, it was that I could have sold the extension! Last time I checked, the extension itself was my property and I could sell it to whoever I want. What the buyer does with it shouldn't be any of my concerns. I was just pointing out that, if I would have sold it, the buyer might have been the kind of person that would do those terrible things.
The original post on productforums.google.com is complete BS and the extension was NOT suspended because of that, but because it failed to make it clear, in the context of the ads, which extension enabled the EcoLinks. This is not the first, nor last, piece of software that uses ads in order to support its development.
Also, the extension never logged anything from the users. All the "keylogger" stuff is just rumors started by people who are either incapable of reading a sentence from start to end or are knowingly lying about it.
It didn't alter the search results either. Those were exactly what Google returned for your search, nothing more, nothing less.
There was no malicious intent whatsoever. The whole purpose was to support further development of the extension through some form of advertising which you could disable at any point. The disable option was not even hidden among the other options; it had a dedicated page with a link in the main menu that only consisted of a checkbox - it was that simple and obvious.
Another false rumor is that the setting would enable itself automatically. No, it didn't! The only way that it would re-enable itself was to remove the extension and then install it right back. On uninstall all settings are lost and it fallbacks to the defaults.
The source code is plain HTML & JavaScript and it has always been available for anyone to review. Anyone could download the .CRX file and unzip it (it's just a special ZIP file) or take a look in the /%USER_FOLDER%/<PATH_TO_CHROME>/Extensions/kkelicaakdanhinjdeammmilcgefonfh folder (this varies based on your operating system) where the installed extension is. The source code has also been available at http://ionut-botizan.net
If you don't know JavaScript, you don't have to take my word for it; there is this prominent person in the web industry that, although he does not endorse this extension, has reviewed the code and confirmed there was no keylogger there: https://news.ycombinator.com/item?id=7048156#up_7056031
Another false accusation is that I bragged about how "I could sell your personal data and it wouldn't matter to me".
What I actually said is that "I could sell MY EXTENSION (as in transfer all rights and ownership to someone else) and it shouldn't matter to me (from a legal standpoint) what the buyer would do with it, be it collecting your private data or whatever". That claim was made just to point out that in fact I do care about the users' privacy and I chose not to sell the extension, even though I received plenty of offers. Some people asked "how could I even think of that"? Well, the extension is my property and receiving all those offers put me in the position where I had to think about it, whether I liked it or not.
In conclusion, yes, I admit the opt-out pattern is not the friendliest one and the whole thing could have been handled in some other way, but the reality is far from all these claims that I sneakily added malware to the extension, logged your keys and private data and sell all that to third parties or whatever.
The reality is I took your Google search results and converted them to sponsored links, plain and simple. All data that was transmitted when you clicked a search result was about the same that is sent whenever you click on any other ad or banner, which can not, in any circumstances, be used to identify you personally.
I am the developer and this is my answer; no excuses, just stating the facts. Learn what you want from it.
> All the "keylogger" stuff is just rumors started by people who are either incapable of reading a sentence from start to end or are knowingly lying about it
I went ahead and looked at the code after downloading the zipped extension you linked too, and I effectively cannot see anything re. key logger. Where was that first reported? I would like to ask the original reporter on what piece of code he based his conclusion that there was a key logger in there.
Edit: Never mind, I see this apparently comes from original poster on google groups, so I asked him exactly how he came to this conclusion.
Ok, that guy just explained what he meant by keylogging. Leaving aside the fact that he's wrong about how it all works (the results are provided by Google; nothing about the search was changed by the extension) and he never ever looked at the source code and what it is doing (probably because he's too dumb to understand any of it), what he means by keylogging is adding the search terms to the URL query string when clicking on a link.
(Ex: www.ecosia.org/url?url=http%3A%2F%2Fmicrosoftstore.com&v=microsoft store <- this italic text right here is the result of the keylogger in his opinion)
Holly crap? Do you honestly think I can monitor the whole internet so I can deny every affirmation made by some random dude?
Look! I deny it now, ok?! I haven't done anything like that. I just mentioned somewhere that it is technically possible to do such thing in an attempt to increase users' awareness about what would truly be a "horrible thing", unlike my attempt to support further development of my extension through advertising.
That's why I asked. I saw a few accusations of it, but in all the referenced threads, could not locate you mentioning the accusation at all. I've not used the extension in a while, otherwise I would have dug into the JS itself to answer the question.
That, my friend, sounds exactly as ridiculous as you are! If you know your JavaScript you can look at the source code and see that the extension is doing none of that. If not, you can try wireshark for yourself and see that there is no keystroke sent anywhere. The guy that made the claim is a complete A-hole that wanted to see the extension being remove from the webstore at any cost, including committing perjury.
No it doesn't re-enable after any update. It only re-enables if you uninstall the extension and install it back, because settings are lost and it switches to the default.
Please check your facts before making such claims, ok? Anyone with minimal JavaScript skills can look at the source code and see exactly what's happening!
Whether or not it was your intention or the design of your extension, that was the behavior I observed - hence my factual claim.
I've looked deeply into your extension and you did a very nice, impressive job. I don't believe anyone is discounting the quality of your work here. The pattern you exhibited by enabling the ecolinks feature by default (right or wrong) simply highlighted, for many, the risks inherent in granting browser extensions such great permissions to the browser.
NO! It wasn't logging anything! The only thing it was doing was proxying clicks on search results through Ecosia's analytics servers instead of Google's.
Anyone who still has the extension installed can view the source code by looking in their /%USER_FOLDER%/<PATH_TO_CHROME>/Extensions/kkelicaakdanhinjdeammmilcgefonfh
The extension is also available at http://ionut-botizan.net/window-resizer/ both as a .zip and .crx file.
Does that answer your question? :)