I was attempting to use the web based console when the browser threw an error. I’ve reported the bug. What alarmed me was the script (in the page) attempted to notify bugsnag.com via a URL which included MY email address.

That and all the background access to sites like segment.io, customer.io and fullstory.com (while I’m logged in) makes me think I cannot trust DigitalOcean.

  • You can trust DigitalOcean for the same reason you may trust Google, Microsoft, Amazon, Samsung, Intel, IBM, etc. You can evaluate their privacy policy against their history as a company, and mitigate the risk for whatever data you decide to host on their services.

    Bugsnag has a well defined API and you can see here both the usage in code and the purpose of the user tracking feature: http://docs.bugsnag.com/platforms/browsers/#identifying-users

    If you then click on http://docs.bugsnag.com/api/deploy-tracking/ (in that documentation), you’ll see the releaseStage parameter’s purpose which is simply to track if you’re using the production panel or something else.

    bugsnag.com’s API is accessible over HTTPS so your information wouldn’t be seen even if you were using public WiFi.

    segment.io is a data analytics API used to track customers. This isn’t uncommon for companies with a very large user base.

    customer.io, however, is a messaging API. It uses analytics to perform its tasks, but there’s nothing inherently malicious about it.

    At this point it’s not obvious if you bothered to check if anything you brought up was actually untrustworthy. Looking at the domain and deciding if it looks scary seems to be the deciding factor more than actual risk.

  • I think I should have used the following as my question.

    Do you think DigitalOcean sending my logon id to a third party website is considered good business ethics given the logon id is the property of the customer ?

    My apologies for that confusion.

    Thank you gparent for your clarifications. Believe me, I wasn’t scared of the domain name, or anything it isn’t.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
2 answers
  • How exactly do I treat you with respect after a comment like that?

    • I’m not asking for respect, simply requesting that you clarify your question.

      • How can I trust DigitalOcean ?

        There, I have added a question mark.

        So, “What is your question?” makes sense. But what is this, “Are you looking for the best place to purchase tinfoil hats?”. It appears to me as some kind of personal attack. Am I wrong ?

        • Depends on how you define trust, plenty of Fortune 500 companies trust them.

          • I define trust as not sending my logon id to a third party because of a trapped error in a script.

            Yes, I understand the need to capture errors, preferably without exposing private information.

            Please don’t reply. You’re clearly intelligent but are choosing to treat this as a joke. You make a personal attack then ignore my question regarding that. It is admirable that you are passionate about DigitalOcean enough to challenge other customers (or perhaps you work for them), but obviously my question triggered some need in you to satisfy.

        • They will need an e-mail address if they need to contact you about the bug.

          • So bugsnag.com may possibly contact me regarding a bug in a page I have no access to (from an engineering perspective).

            Right. Got it. Many thanks.

        • No, DigitalOcean engineers who look at their Bugsnag reports may contact you.

          • So again, why send the email address (logon id) to bugsnag?

            They also send my user id. I would assume any report coming back to DigitalOcean would include that information too. There’s a fair chance DigitalOcean would know what to do with the user id.

            I’m not wanting to discuss the process. My question is regarding the need to send my logon id to a third party.

      • There really should be more important things you focus on, e.g. using 2FA.

Theses websites are analytics websites to keep track of users and user activities similar to google analytics. I assume only DO staff have access to theses information and bug reports.

  • Support agrees that yes, it is used for tracking bugs in scripts used. There are those analytical scripts as well.

    I just don’t consider sending my logon id to a third party as necessary. I mean stop and think for a moment here. What if your internet banking portal did the same? A person might say that’s not a comparison. However, how many people store their credit card information in their DO profile? The number is irrelevant and the point is moot.

    What is relevant is half of my logon credentials are been shared with a third party because of a script error.

    Thanks for replying.