An ad plugin was stealing revenue for a year and I didn't even notice
kvirkvelia.com
I'm of two minds about this. "Stealing" does seem to be a little too harsh given the plugin did say it would take a percentage if you make more than $1K and didn't buy a license. The 30% seems underhand (only because it's not spelled out in the repo) but I do understand the plugin author's position. Open source work, especially something like Ionic/Cordova/Capacitor plugins, is hard to make any money on and I've seen the GH issues for many cordova plugins, it's /rough/. Also there are so many things you need to support and edge cases that I can't even imagine the patience of someone maintaining one of those plugins.
I think it's clear the plugin author was/is happy to let the 2-30% stipulation fly under the radar and sit back and collect which doesn't sit great with me but also I kind of get it. I mean if you are going to take OS work and use it for your own gain (something I'm plenty guilty of myself I'll admit) then don't be surprised if not reading the license bites you in the butt.
In a perfect world OS devs wouldn't need these methods to make it worth their time but we don't live in such a world, people rarely donate to OS projects and expect issues/features to be added quickly and for free. People need money to exist and they don't owe you anything. Honestly if this plugin author had called out the 30% in their license I would say this blog author has no leg to stand on. As-is I'm glad the app developer got their money back and the plugin author should either stop charging more than 2% or update their license accordingly. But "stealing"? Too harsh, especially since you got your money back.
I suspect the line of thinking behind the 30% seems to be something along the lines of "they're fiddling their numbers to reduce our 2% cut, so let's just take a bigger cut".
I don't think this is entirely kosher for a bunch of reasons, but I'm willing to believe that it was a naïve person doing something naïve after being burned by someone cheating him out of his cut, or something along those lines.
At any rate, since the author of this article was unaware of the 2%, it doesn't really matter if the 30% would have been mentioned or not. That they took any cut could have been clearer, perhaps – I don't know what it looked like before on that Ionic plugin site, but it's plenty clear now so that's a solved issue (if it was an issue to start with). That this was added after this exchange (and before it was published) without any pressure further demonstrates the plugin author is essentially acting in good faith.
(Ionic CEO here) I think regardless, it's something developers don't expect so we're removing it from our site right now to avoid confusion and surprises (we’re going to be changing the whole design of this list soon anyways so it’s moot). The plugin description came from another project we support and trust plugin authors to write their own descriptions but we're realizing we need to scrutinize those more closely. I have no qualms with a plugin stating they are going to have this kind of revenue share but it doesn't belong on our site and seen as “official” which is confusing, so we're fixing that right now.
The plugin author seems like a standup guy who responded cordially and even returned money, which is something no scammer would ever do. Your platform, your rules. But I feel you're being unfair to him with this knee-jerk reaction.
Unfair to the plugin author? It's moot anyways because we're making a design change to the site and changing how we reference community plugins. We aren't stopping developers from finding and using whatever plugin they want to use, just changing how "official" they look on our website.
You shouldn't overreact this way. Really it doesn't speak well of your platform.
I feel like their response is not at all an overreaction. The plugin author was underhanded in their conduct. I wouldn't want to use a platform which allowed nonsense like that to proliferate, so am happy to see dubious stuff like this removed. To me it signals that the platform owners care about what is on their platform and are concerned about their users. That is a good thing.
The article seems to be down for me. But I’ve gathered it was spelled out in the license? They even returned money? Removing a person’s revenue stream because someone wrote a blog post is by default, an overreaction. If they’re going to change it all anyway, why rush it?
> But I’ve gathered it was spelled out in the license?
Just curious, is this your attitude towards other things as well? There used to be a very popular ebay scam, which had people sell large screen TVs and video game systems for very cheap. At the bottom of the auction description, in fine print, the auction also clearly stated that you were bidding/buying only a photo of the product, not the actual product. In other words, it was "spelled out", so no one was getting scammed according to your perspective here, right? It was on the fault of the buyers for not reading the license/auction description?
LOL. That’s pretty funny, actually. Is it a scam when toys say batteries not included in small print too? IDK, maybe it’s my outlook on making sure I’m getting what I’m buying (or what I’m not getting as the case may be)! I don’t see anything shady here, but I couldn’t access the article earlier. I’ll try again here in a bit!
So this scenario I proposed in another comment, you are fine with?
If on line 37, page 409, of a car rental agreement that you sign, it states that if you are an hour late in returning your vehicle, the car rental company will take your firstborn, and you sign this agreement, then it's on you, right?
Well, it would be non-binding since you can’t sign away another adult’s rights (assuming your first born is over 18). If the first-born is under 18, I guess it would depend on adoption laws as to whether this is something you can give away via a contract.
Folklore is full of this kind of stuff. Always read what you sign. Always. No exceptions. Better yet, get a lawyer to read it too.
Except that's not practical in real life. Do you get a lawyer to read the 40-page pamphlet full of liability disclaimers that comes with your coffee maker or any other appliance?
Well in the EU, those are basically non-binding by default. So not usually unless I want to go to sleep. But for everything else, yeah. If I rent a car, I read the whole thing right there at the counter. Buy a phone, same thing. If anything looks sketch I ask for a Print-out and do send it to my lawyers (this is why I pay €5 a month for legal insurance!) I usually hear back from them within a few hours. Why would anyone blindly sign a contract? Yeah there’s some dark patterns (like giving you the contract at the last possible second) but the only way to fight that is to be a dick and sit there reading the whole thing and clogging up the queue.
> But I’ve gathered it was spelled out in the license?
A 2% cut was spelled out in the license.
A 30% cut was not, but the plugin author silently upped it to that over vague assertions of abuse of the plugin.
> "After check, we find your app in the black list, and a random higher rate will be applied. Usually when a guy is using a fake license key, or send unusual attacking request..."
Further in that same paragraph, the plug-in author goes on to say that they removed the guy’s app from said blacklist and even upgraded him to a fully paid license for free. And on top of all that he even gave dude back $4000 bucks!
I really don’t see either party as underhanded here, maybe lazy in respect to both communicating and with paying attention, but I can’t see either as being shady. It’s just a series of human errors.
> It’s just a series of human errors.
This reminds me of a game I ported from iOS to Windows Phone, actually. It was free and ad supported. I told my contact like 50 times he needed to get me an API key for Microsoft Ads, so I just used my own while I waited. Fast forward six months and the game launched after still asking every week and informing them that they needed to get me the API key or all ad revenue would go to me.
I set up an auto email to go out once a week asking for the API key. That person would reply back for literally any other issue.
They emailed me like 2 years later asking where their money is. I replied with the entire situation, screen shots of the emails and would be happy to send them the 1¢ they earned.
I never heard back from them until their lawyer contacted me. Sent him the same stuff. Never heard back from them either. They did post a blog post about how they were going after their ex-developer for “stealing” their ad revenue though. I lol’d and went on with my life. People do weird shit for some publicity. I’m not saying that’s what’s going on here, but it sure smells like it.
I'm left wondering how many other sites are quietly getting 30% of their revenue siphoned off due to a similar "malfunction", and how much of the easy refund process is to avoid a public fuss that'd reveal that fact.
And ionic is now on the list of "companies that operate at the whim of one person and should not be relied on for revenue"
Harder to fit in your business card, I'm sure, but hey, you've earned it!
Please don't cross into personal attack.
I appreciate the sentiment, but whose person was attacked here?
I asserted that as an investor, if a company is largely run as a single person's whims, it becomes indistinguishable and unusable as a revenue producing entity.
I would invest in neither the person who thinks they're a company nor a company that thinks they're a person - neither were attacked, I simply said they wouldn't ever get a dollar.
Your comment was personal because it used "you" while talking to a person, and the snark in it was definitely crossing into attack.
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful. The snark thing is particularly a marker of bad comments here.
Huh? See my comment below, this whole thing will be a non-issue in weeks anyways as we’re changing this list. People think these plugins are “official” and this is one symptom of that, so this is just a temporary measure to reduce confusion
No it is not. Someone was misusing a plugin, wrote a blog about it, and you take the side of the one who would be able to make bad press of your platform. This is not a temporary measure. This is a whim of one person to remove someone from your platform without any due process nor integrity.
Yes, a good point. He should update the license (https://github.com/floatinghotpot/cordova-admob-pro/wiki/Lic...) to state from 2% up to 30%.
I would love to see open source developers make a lot of money; I think it's a great future for everyone. But I don't think there is any dichotomy in this case. If the service declares its price in percentages or dollars (as SaaS does), it's terrible to charge 15 times more.
Mistakes happen, but in this case, it's a conscious decision by the plugin author; I think stealing is the right word, especially when it turns out you've done it with thousands of apps
So he used code straight off GitHub, didn’t read the license terms, and then has the gall to call it “stealing” when the program does exactly as it says it would.
Either learn to read licenses, or have a list of approved licenses (MIT, GPL, etc.) and only use software thus licensed.
EDIT: What I mean above is the 2% which is specified in the “Licence Agreement” page – the article author is clearly considering this, too, to be “stealing”. Regarding the increase from 2% to 30%, that is way more questionable, and I do not defend it.
Thank you for your comment!
I don't think taking 2% is theft. Maybe it's a dark pattern, but it's definitely not theft. In the article, I say that I calmed down after explaining with 2%, which means my agreement with the situation.
The way the increase to 30% is made and the number of users with such a percentage says that the author deliberately increases the percentage without warning the user, which is theft
You using the software without a paid license was theft.
That's entirely false. The plugin offers three license options.
https://github.com/floatinghotpot/cordova-admob-pro/wiki/Lic...
> 3. Win-win partnership
> And, if you don't have enough money yet to get a license, or don't have a PayPal account, here is another flexible option worth considering, no need to pay a cent. We may call it partnership.
> We maintain, support, and version update for any plugin issues, you don't worry about its update or bugfix, just use it for free, and focus on your app or game logic.
> Ship our code with yours to end-user, no need paying a cent at all, instead, share 2 percent ad traffic, so that we can both benefit and cover our cost to maintain and enhance this project.
The problem is the plugin author silently raised that "share 2 percent ad traffic" to 30%.
What do you mean, without a paid license? The wording seems pretty clear to me: You can get a paid license OR you can share 2% of your ad revenue.
Someone committing a license violation does not magically grant you the ability to steal 30% of their revenue. If you want to punish the license violation, take them to court.
Also note that the software is MIT licensed. Tucking some random additional clauses on your website or somewhere else doesn't magically change the licensing, if you don't want to use MIT (and make them free to use it) then don't use MIT.
You buying software with a revshare agreement 100% does..
You operate in the us? You pay the irs. You operate in Brazil, you pay them.
The price was disclosed, optional and entered into freely. Dude is buying his lawyer a boat if he wants to fight it.
The revshare agreement was for 2%, not 30%.
The 30% was not disclosed and applied unilaterally. Per the email exchange:
> "After check, we find your app in the black list, and a random higher rate will be applied. Usually when a guy is using a fake license key, or send unusual attacking request...
Not arguing here at all because I agree with you in principle, but I wanted to point out for the sake of consideration that it appears the plug-in author was in Russia if I’m not mistaken. I have no idea how Russian law works with regard to this, but I think it’s somewhat unfair for us to jump to the conclusion that their courts are acting like ours; for all we (I?) know, IP law for software may not be enforceable in Russia. Or it could be dark pattern gated behind high court fees, unattainable representation, etc.
The license clearly says: "You don't have to pay, we are also okay if just share 2 percent user traffic"
The licence allows the author of this article to even strip the part of the code that takes the 2% fee if he wanted to.
I think it also speaks highly of you that you engaged with him, signed your name, and made rational arguments. These are not the actions of a thief, but of someone who has thought about their business model and is willing to stand by it.
That said, if you really wanted to impress, you'd improve the visibility of your practices for each individual developer, by providing a dashboard that fully discloses revenue-over-time, along with proactive notifications when your terms change. The MVP here would be a single email sent when the 2% term changes.
This business model where the providing party retains the right to change terms arbitrarily has always concerned me, in the same way something like an indentured servitude contract would, and yet they are all too common. But it's everywhere, and no self-interested business would take steps to reduce its power against the counter-party. There is a whole set of problems here that neo-liberal capitalism not only cannot solve, but actually seem to make worse. It's easy to point the finger at a single dev, or a small team, and say "you're unethical!" but in truth I think the statement is more informed by the ability to identify the actor than the action itself, which is endemic. (To take two examples: variable rate mortgages, and credit card debt, neither of which are modeled by consumers and both of which are certainly gamed by the counter-party.)
FYI, you're responding to the author of the article, not the author of the plugin :)
Oh, ha. Well, maybe that's even better as I don't think the OP appreciates how unusual it is to have someone take actual responsibility for their decisions, whether or not you agree with them.
We're super glad to have saved you from almost paying a developer
Who authorized the code to run?
Yea, he is not the first to discover this. I ran into this exact issue (same github repo and software package), back in ~2013. In my case, this revenue sharing was quietly introduced during the plugin update.
So I just forked an older version of their code and ran from that. I also made a post telling the guy it was kinda shady, they didn't seem to care.
The software license is MIT, but there's a page on their wiki that vaguely says they take a cut of your earnings over 1000$. It definitely does not mention 30% however:
> If you have used this plugin for FREE but monetized more than $1000, you are also required to get a license, or share us some Ad traffic as stated in win-win partnership model below
> Ship our code with yours to end-user, no need paying a cent at all, instead, share 2 percent ad traffic, so that we can both benefit and cover our cost to maintain and enhance this project.
MIT license does not disallow monetization or rev share. It does allow you to fork this plugin and remove the code responsible for rev share, etc. This is all above board.
From their license agreement:
> If you have used this plugin for FREE but monetized more than $1000, you are also required to get a license, or share us some Ad traffic as stated in win-win partnership model below.
https://github.com/floatinghotpot/cordova-admob-pro/wiki/Lic...
The project however includes the following license: https://github.com/floatinghotpot/cordova-admob-pro/blob/mas...
Surely releasing code under an MIT license makes their statement invalid. Why would I be "required to get a license" and offered a couple of commercial options? It sounds like they need to get some legal help to properly license the project in the way they want to.
Furthermore, pricing should be clear. It's deceptive to hide it within their so-called "license" section. As a developer, why would I read the license section if it's clearly marked within GitHub as being licensed under MIT and has a LICENSE file confirming that?
It depends on the details of the license. If it was a bog standard MIT license (which in this case it is) then you could surely fork the repo remove that logic and carry on with your day (though you'd probably still need to credit the original author with the attribution clause) - MIT like licenses can dictate some terms around uses while allowing most modifications though.
That said - you do need to actually modify the code yourself, if you instead decided to use some man-in-the-middle attack to modify the packets in flow you may still be misusing the software. There are ways you could approach a solution that would in fact violate the license, as trivial as it is to circumvent.
In my opinion, the way they present pricing is deceptive. They have a table of contents and hide pricing details under "License".
The very first paragraph reads:
> You can use the plugin for free, or you can also pay to get a license. IMPORTANT!!! Before using the plugin, please read the following content and accept the agreement. THIS WILL AVOID POTENTIAL PROBLEM AND DISPUTE.
If as a user you're paying 2% of ad revenue, the plugin isn't free.
> If you don't want to get a license as your apps may not earn too much, or you don't have a PayPal account to pay, here is a compromised option. You don't have to pay, we are also okay if just share 2 percent user traffic, so that we can cover our effort and focus on maintenance and online support.
They don't make clear that that's the default behaviour. That by doing nothing you're consenting to their 2%.
If a developer wants to profit from their work, they should behave like a business.
The monetization bit is the "license" for use of the code. The MIT license applies to the source code itself, not the execution of it.
MIT allows you to: "use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software". That's it.
Thank you. I’m realising my understanding of licenses was inaccurate and that I really ought to scrutinise projects more thoroughly.
The author of software can release his work under any number of licenses, or none at all. An author can release the same code under MIT, Apache, GPL, MPL, or commercial license at the same time.
If the code is tagged as being MIT in GitHub and includes an MIT license file, can an author reasonably argue that an end-user is receiving the code under a different license?
> If the code is tagged as being MIT in GitHub
Yes
> includes an MIT license file
Maybe. MIT license permits additional license restrictions on top of license. For example, MIT code can be copied into a proprietary system with a different license, which will forbid copying code out.
> there's a page on their wiki that vaguely says
A page titled “License Agreement”, clearly linked from the home page.
(Regarding the 30%, I agree – this was questionable at best.)
It is listed as MIT in the package.json, the LICENSE file, and the plugin.xml file. That’s more than reasonable enough to consider it MIT, and that’s where license information would be picked up by e.g. any license-scanning tools.
With the multiple contradictory statements, even just within the README, though, my company’s lawyer would say we can’t use this dependency at all if I showed it to them.
Afaik, the MIT licence grants you the freedom to do whatever you want with this code.
This code is written to share revenue with the author after a threshold, but that's merely the application/code working as intended.
You're free to fork the code, remove this sharing and republish the dependency under another name for example, that's the only thing that MIT is about
The argument in this thread is that you can’t, and you agreed to the other License Agreement. See the root comment, which thinks that this code is not under the MIT license.
And as I said: a feature like this is entirely possible with the MIT licence, because it only addresses the licenced source code, not what said code actually does at runtime. Just read the licence yourself, it's exceptionally short.
------
Copyright (c) <year> <copyright holders>
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
I agree in principle. It is bad form to not try to respect industry conventions.
However, blaming "e.g. any license-scanning tools" is not correct either, since that would be clearly a limitation of the license tool, encoding assumptions of location and standardization that are nothing more than convention. I mean this in the sense that if you went to court and your excuse was "my tool didn't pick that up", you would probably not be victorious, since the terms were laid out clearly for human consumption.
And I agree, a lawyer would not want to use this dependency, but it shouldn't take a lawyer to do that. You are responsible for the legal implications of using anyone else's software.
The point is that licenses and license offers are self-sufficient, a "clarification" from another document simply does not constitute a binding clause in a license.
If you have an offer of the MIT license from the author (as in the LICENSE.txt), then no clarifications or restrictions linked from the home page affect it, and other offers of other licenses are possible but not relevant if you like this particular offer.
The MIT license also clearly states that the software comes with NO WARRANTY (in all caps) and that you use it at your own risk. I don't see what the MIT license has to do with this at all.
Maybe. That’s a very… programmer-like way of looking at licenses, though, and it’s not necessarily compatible with how licenses are interpreted by judges.
There is no indication that anyone was charged to use the software- it was the software that charged them
shady, but then again good enough for apple so..
A technical reading of the license suggests that the licensee can choose one of three options, the first of which is "Free and Open Source, no support", which fits the OP needs and is also the one offered in the LICENSE.txt of the repository. Nothing in that license offer requires them to pick the second - "commercial" - option for commercial use as the other two options don't prohibit commercial use, and if other offers (e.g. that MIT license in the LICENSE.txt) are made.
So there's no reason for the licensor to assume that the commercial offer was chosen and that the licensee agreed to that 2% withholding, much less a 30% one.
If you want to use the "Free and Open Source, no support" you also have to:
> Fork the source code and maintain it yourself (bug fix, any future changes on Cordova and SDK, integration support, etc.); see the open source project here: https://github.com/floatinghotpot/cordova-plugin-admob
Which I think it's clear that's not what happened here, the blog author was using AdMob Pro and thus unable to qualify for "Free and Open Source, no support".
AdMob Pro has the exact same license (https://github.com/floatinghotpot/cordova-admob-pro/blob/mas...) and I see no reason whatsoever why someone using a product named "AdMob Pro" would be unable to use it as free and open source without support, certainly the name of the product does not influence that.
The author has written their license poorly in a stupid manner that allows everyone to use their product for free - that's why lawyers are useful and why for small developers it's a very good recommendation to use one of standard licenses instead of trying to write their own from scratch. As of now, perhaps due to the author's legal incompetence, the license also allows free usage for commercial purposes.
You can use it for free, that doesn't mean it won't take a cut. I could write code under MIT that is a keylogger, it's free to use, doesn't mean there aren't other consequences. In fact MIT protects the creator from any of those consequences.
Sure, based on the license, someone could fork AdMob Pro and remove the ad sharing but that's not what the blog author did.
> In fact MIT protects the creator from any of those consequences.
Eh. For something like a keylogger, not really; there are laws against writing and distributing malicious software. In the UK, you can write malware for educational purposes, but woe betide those whose malware escapes or “escapes”: no MIT license disclaimer will save you.
Sudo Rm -rf /
Running that without a proper license may cause unexpected behavior, contact me to obtain a license.
If you are a licensed user, it will likely render your system inoperable.
What law did I just break?
Considering it's:
• short enough, and non-novel enough, not to count as a copyrightable work
• explicitly described as malicious in the accompanying documentation
• not viable for use in a cyberattack (since it can only be run once you've already won)
• doesn't actually work, due to a typo
you probably haven't broken any laws. But, again, I'm not a lawyer; please seek legal advice from an expert in the laws of your jurisdiction if you want an accurate answer.
> malicious software
Keyloggers don't have to be malicious (e.g. you can use it for a global hotkey hook). Thus, writing such software doesn't have to be done with that mindset at all. That being the case, it is ambiguous whether or not those laws apply.
The GitHub page said it would take 2% but actually took 30%. How is that "exactly as it says it would"?
He called the 2% “stealing”, too. Sure, the slow increase to 30% was not documented, and I can see a good argument being made there.
Could you please hint us to the sentence where he calls the 2% “stealing”, too?
You yourself say that "the increase from 2% to 30% is way more questionable". What is "questionable" about that? Maybe that is not stealing but it is an obvious fraud.
I really don't get what your motivation could be to defend that kind of shit.
> What is "questionable" about that? Maybe that is not stealing but it is an obvious fraud.
The plugin author claims that the ramp-up to 30% is an anti-abuse measure. Supposedly, something triggered the abuse flag and the rev-share ramped up as a "get in touch with us" signal, with the additional rev-share refunded when the user does get in touch.
Taken at face value, I think that's not unreasonable, though the lack of logging from the plug-in author's side is questionable (asking the customer how much they wanted refunded).
Where I think the jury is out is whether that is actually what happened, or whether the plug-in just ramps up every customer to see what their pain tolerance is.
The 2% is stealing because no reasonable person would expect to see such a clause in an open source software project. The 2% clause was hidden, all the way at the end of the doc. The plugin author is a conman.
Why do you call it Open Source? The plugin itself does not call itself Open Source, and clearly links to another project for those people who want an Open Source program.
https://github.com/floatinghotpot/cordova-admob-pro/blob/mas...
> Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files
The code being free does not mean usage is free. Qt’s code is free to look at, but you still need to pay them for certain things. Licenses apply to the code, not what it does.
Firstly, I was addressing the claim in the comment I replied to that it's not open source. It's licenced under MIT
That's not what the licence states at all...
> Permission is hereby granted, free of charge, to any person ... including without limitation the rights to use .. copies of the Software.
The licence states Permission is granted free of charge to use the software, if the software is charging then that's a breach of the licence..?
They used the software, it did what it was programmed to do. The breach seems entirely on the licensee
This is used for popular game engines. It's not a bad model. If you make nothing you pay nothing if you profit you pay a %. It removes the need to buy upfront.
That's incorrect. The license stated he would share 2% of the ad traffic, but it looks like the plugin was taking 100%.
100%? I can only see references to 30% at most. Which is questionable, since the license only specifies 2%. But not 100%.
They actually have MIT LICENSE file in the offending plugin repo.
Were you charged to download or use it?
Ha, caveat emptor. Oh, wait, OP isn’t even a buyer and paid nothing for the code and blindly built it into the app. No reading, no understanding, just copying.
OG plug-in author has a problem with people abusing license key system, builds in code to detect it. Disclaims it vaguely, OP gets bitten and has the gall to call it stealing. Author offers to help OP out, OP puts him on blast.
Zero sympathy, even at 30%.
There is a huge divide between "oh hey you didn't read the license and missed the fact that this OS addon takes 2%" and "the license said 2%, but it's actually 30%, oops my friend!"
I see zero difference. There is an explicit mention that bad things will happen if you subvert the license system. A license is $20, OP is just too lazy to read the terms of code he blindly incorporates.
OP called 2% stealing, 30% is for basically triggering the anti cheat. OP should have paid the license and read the rules.
The author at first didn't even notice the addon was taking a cut, let alone attempted to "cheat" it. That is clearly the author's "oops", but what are you getting on about "cheating?"
In the license, it clearly states that it is perfectly acceptable to use the addon unlicensed, and if you go above a certain monetization level, it will take a cut. It explicitly calls out the cut as 2%. Except the license was a lie, it is not 2%, it's 30%. That is theft.
If the addon took 2%, as the license explicitly states, it would have been completely legal. It was not 2% and it is theft.
Is it really a good model for funding Open Source software to bake in clearly illegal landmines that steal from anybody using said OSS? If so, that feels way more like malware than OSS.
What if someone is willing to pay 2% and not pay 30%? Do you think most people who are willing to pay more than 0% are willing to pay both numbers?
Or are you punishing OP simply because they didn't know there was 2% involved? If so you don't really see zero difference, you just are exacting some punishment.
What part of this license says they owe 30% and don't have the right to just use the software? https://github.com/floatinghotpot/cordova-admob-pro/blob/mas...
I'm confused, where in the license does it give them the permission to randomly assign an ad-share percentage? This seems highly suspect, and probably illegal in most jurisdictions. In fact, reading the actual license agreement here https://github.com/floatinghotpot/cordova-admob-pro/wiki/Lic... seems to suggest that they will stop serving ads, not randomly start increasing ad share.
Yeah I'm not seeing it either. It's even weirder that the code itself is distributed with an MIT license, which suggests you're free to download and modify the code to disable the revenue sharing. This conflicts with some of their other statements though. In the readme they do outline the option to use it with an open source license (without any support), but they seem to contradict this in the following sentence in their readme:
>If use in commercial project, please get a license, or, you have monetized more than $1000 using this plugin, you are also required to either get a commercial license ($20). As a commercial customer, you will be supported with high priority, via private email or even Skype chat.
Which is nigh illegible.
Does anyone know what happens when someone publishes conflicting licenses?
Since the Wiki part isn't a license itself, I would think there isn't legal relevance to it, but given that the author doesn't seem to be a native English speaker, a generous interpretation might be that a commercial user could still fork this; it's 'required' in the sense that you have to pay for the convenience of having it available on NPM, which the author disallows you from making trivial changes to and republishing on there.
That's unlikely to be legally enforceable on NPM, but they might honour takedowns anyway.
You were free to give author money the moment you used his code, why are you worrying about the license - you can copy, modify and maintain a version that pays you.
You just have to, you know, work
Not a license issue: you ran the code. I can give you the software for free, if it makes transfers to my account, it doesn't matter if you pirated it.
Yeah, it actually does matter. Intent is incredibly important in law.
I think this is the closest bit:
“Kindly reminder, do not use a fake license key or a license key from others, do not share your license key with others. Abuse of the license key may cause negative impact.”
I feel there is a bigger issue here that I don't see anyone having brought up.
Blogging dev was too cheap to just pay $20 for a license for code that would generate him money. THAT is really the bigger issue here, regardless of everything else, including the fact that he was in violation of the agreement, i.e., >$1,000 MRR.
Here's a little pro tip for everyone, don't cheap out on paying someone $20 for the work they do, when it will be generating you significantly more income.
Frankly, regardless of whether or not the plugin dev is sketchy or not, the blogger dev violated the terms of the agreement and seems rather ungrateful that he was given back what he should not have even gotten back.
“No one thinks anyone else deserves payment for creating good work, unless they’re the one who could be getting paid, in which case it’s a travesty that they’re not” is an ethical standpoint that’s widespread in Silicon Valley. For example, it’s why Facebook users don’t receive dividend payments for the investment of their harvested data. “We realized that we could profit from inattention|opensource, so of course that’s ethical, because Finders Keepers rules” is a bad look for both parties in this post — the plug-in author who takes a revenue share without providing a financial statement, and the site operator who can’t be bothered to pay $20 for a core revenue stream of their site.
How anyone can defend this type of behaviour is beyond me.
It is theft, the hidden cost in the licence agreement* states 2%, taking that up to 30% for no reason and with no warning based on some arbitrary 'black list' is theft.
* as shady as that is
You.. Ran... Their.. Code..
How anyone can think they're entitled to assume how it should run is ignorance sufficient to shred what remains of my humanity.
He didn't demand you give him money, he said if you ran his code, it will act as he intended.
You ran his code. It worked as intended.
> You.. Ran... Their.. Code..
I did not...
> He didn't demand you give him money, he said if you ran his code, it will act as he intended.
He did not...
He said it would act one way, then it secretly acted another against the contract that was entered into.
> It worked as intended.
It did not...
Even their staff admit they never intended to charge him 30%
At least the plugin guy was reasonable-ish. That does sound like a really odd experience. It does pay to always check all of the dependencies you are using and their terms. When I was younger I got hit by limits when using a free tier of a service, but they just throttled us which lost us users.
The plugin guy can afford to be reasonable-ish. It reduces the likelihood of the scam being publicly disclosed, and I'd wager that 99% of people never notice the plugin is doing this.
Oh come on, it's not a scam and he's not stealing anything. It's clearly mentioned on the license and it's up to the users to go through it (like any other open-source plugin or software they use). At the end of the day the plugin creator was polite, understanding and returned money back even though he was not obliged to do so. It's a win-win situation as they clearly describe it, but the OP wasn't satisfied with the high (30%) percentage.
The plugin was secretly taking 15x what it claimed to.
The ease with which a (substantial!) refund was offered makes me think it wasn't an isolated incident.
> the OP wasn't satisfied with the high (30%) percentage.
The OP was never informed of the high percentage!
How is hiding 2% in your wiki (instead of in LICENSE where it belongs), and then taking 30% instead of 2%, not a scam? If someone listed a price of $2 for a burrito and then charged you $30 at the register, you would not consider that OK.
They did consider it thousands of times, they just didn't supervise what their worker agreed to.
It looks to me that the plugin author isn't only trying to get the money he's owed from people who are trying to scam him. Which still isn't a great thing, especially since it can happen mistakenly, but it's at least a little more understandable.
How is it a “scam” if the terms are clearly posted?
EDIT: The percentage increase from 2% to 30% was not posted; I withdraw my opinion on that.
The "30% markup if our algorithm thinks you're doing something sneaky" was not disclosed.
True, it was not. I concede this point.
2% was clearly posted. Yet the plugin was taking 30%.
The terms are not clearly stated, the explicit LICENSE document https://github.com/floatinghotpot/cordova-admob-pro/blob/mas... offers a standard MIT license, unlike the wiki description.
The license states how you may use the code, not what the code does.
Huge red flag: they offer you some money back in hopes you don't turn them into the "authorities".
That's how settlements work, yes.
Is it though? A settlement in a civil case is money in exchange for not pursuing further civil legal action.
A situation of "we're giving you money so that you don't report a crime" (which is implied by "turning in to the authorities") is more like extortion/bribery than it is a settlement.
Wouldn’t not offering any money back be an even bigger red flag?
In any scam there's a part where you cool off the mark so as to not have them go squealing to the cops. Maybe you give 'em some money back, maybe you teach them the lesson of how to bounce back after a loss. Google "cooling the mark out" to read some academic research on this.
Based on the comments I should make a left-pad and put in a random file 'if you use this, you need to give me your house and first born child'. Because apparently whatever you put down is legal and enforceable.. shm..
Taking revenue without a contract smells like fraud to me.
IBM wouldn't touch JSLint because there was a clause that said JSLint couldn't be used for evil. Some people do their homework and others don't.
The license IS the contract. When was the last time you actually signed something when you used a SAAS?
Anon wrote the code, op ran the code thousands and thousands of times.
Yeah, anon is the enemy for wanting to get paid
Stealing seems an almost libellous term for using a software with a revenue model the author did not bother checking out.
The software says nothing about taking 30% under certain circumstances.
> Kindly reminder, do not use a fake license key or a license key from others, do not share your license key with others. Abuse of the license key may cause negative impact. [0]
This is the closest it gets to calling out the 30% but I agree, it should be clearer.
[0] https://github.com/floatinghotpot/cordova-admob-pro/wiki/Lic...
It shouldn't be clearer - the plugin author should require an affirmative response from the developer that they accept those terms.
> It shouldn't be clearer - the plugin author should require an affirmative response from the developer that they accept those terms.
Ehh, I disagree. We all know developers would click through any terms without reading anyway and the onus is on us to read the license before we integrate 3rd party code, which we rarely do. I see this as /just deserts/, a sort of hat tip and "well played sir". The 30% that is not mentioned is the sticking point, the 2% is absolutely reasonable and I might even say I'd think 30% is reasonable IF it had been called out in the license.
The affirmative response is downloading and using the plugin.
The only thing plugin users agreed to was the LICENSE, which is actually MIT!
https://github.com/floatinghotpot/cordova-admob-pro/blob/mas...
>the plugin author should require an affirmative response from the developer that they accept those terms.
It's free software provided without warranty. It's right there in the MIT license.
Incredibly shady percentage and even more shady way of responding. With that being said, calling it stealing is a bit much.
The blame is on you. Read the license of what you're using, and make sure what it's requesting in general. Triggering statement, so be warned: Ad Revenue supported products are generally ALL SHADY.
So, I'm astonished he gave you back some money. Probably a useless attempt to have less hassle moving forward, yet you went ahead and shared it.
At best, you're equally to blame. At worst, you just want stuff for free while you get paid for your work, the worst kind of entitlement.
> Read the license of what you're using
Here's the license:
https://github.com/floatinghotpot/cordova-admob-pro/blob/mas...
It's MIT.
Here's what they say "If you have used this plugin for FREE but monetized more than $1000, you are also required to get a license, or share us some Ad traffic as stated in win-win partnership model below"
If the MIT license is correct, they are lying: people don't need to get a license. The users already have a license that covers absolutely everything and they even have the right to edit the plugin to remove the % cut altogether.
Other things they are lying about, in their wiki https://github.com/floatinghotpot/cordova-admob-pro/wiki/Lic...
"Reminder: copy the code, change a plugin name, without feature enhancement, then publish to npm, is not allowed."
This is just false. The existing MIT license absolutely allows changing the name and republishing to npm.
Perhaps they just don't understand what open source is about. Absolutely all open source licenses allow forks.
The responses here to this story defending the plugin author are appalling. They all seem to boil down to "you didn't read the fine print or the source code, so whatever the plugin does is defensible". What if instead of taking a percentage of the ad revenue, the plugin siphoned credentials or ran malware as a revenue generator, or did whatever else? And what if it openly explained in the fine print that it would be doing this?
You don’t read the contract, you pay the price.
People just arbitrarily pulling in code from random people on the internet and expecting everything to be fine is hilarious. Your project, do the due diligence.
To answer the hypothetical, the author is still at fault even if it was malware.
> To answer the hypothetical, the author is still at fault even if it was malware.
Wow, that's as explicit victim blaming as you can get.
Victim blaming? OP is bragging about his revenue in the very same blog post! He used open-source code without taking the time to understand what the code did and somehow we're victim blaming?
> THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
That's the license OP agreed to when he used the code.
I really wonder if you have the same approach to all other situations with fine print, not just software contracts? Ebay scams, usury lending agreements, everything?
If on line 37, page 409, of a car rental agreement that you sign, it states that if you are an hour late in returning your vehicle, the car rental company will take your firstborn, and you sign this agreement, then it's on you, right?
> I really wonder if you have the same approach to all other situations with fine print
This isn't fine print, it's literally in bold in the license file. I am not renting a car that says it might not run but they'll still charge me.
> If on line 37, page 409, of a car rental agreement that you sign, it states that if you are an hour late in returning your vehicle, the car rental company will kill your firstborn, and you sign this agreement, then it's on you, right?
This is a bad example because killing my firstborn is illegal. This is more akin to a car rental that charges an extreme late fee that is written on page 1.
Dismissing something as "victim blaming" is the best way to say "I am not mature enough to accept that I have responsibilities, and I will play the role of a victim for as long as I can stay unaccountable for my actions".
I asked this question in another comment, but same thing: Just curious, is this your attitude towards other things as well? There used to be a very popular ebay scam, which had people sell large screen TVs and video game systems for very cheap. At the bottom of the auction description, in fine print, the auction also clearly stated that you were bidding/buying only a photo of the product, not the actual product. In other words, it was "spelled out", so no one was getting scammed according to your perspective here, right? It was on the fault of the buyers for not reading the license/auction description?
Dark patterns are not illegal, but they fall in the reputation loss category.
Taking your example: Ebay decided that they couldn't afford the reputation loss to accept listings with dark patterns so they updated their T&C to reflect that, but that doesn't mean that the action that ebay took was the absolute truth.
To name a different example about dark patterns: There are websites which color the "Accept All Cookies" button with the primary action color and they place the button after the checkboxes where you choose your cookies, in the place that most of us expect a "Submit" button. As far as the GDPR is concerned they're complying.
As a consumer it is your choice to stop doing business with persons and companies that use dark patterns.
The same applies to open source. You are seeing that the number of maintainers who are disrupting projects is increasing. Would you really trust your business to a person that you don't even know? It is your responsibility to audit the code that you're using.
> What if... The plugin siphoned credentials or ran malware (etc.)
If you hypothesize that the software did something illegal, I hypothesize that nobody would defend it.
I'm not sure it's legal to say that in certain use cases, you will siphon off an unspecified amount of money from your customer? Imagine if an app like Venmo stated that?
I am a native Mac/iOS developer with a lot of experience. I did a contract where they wanted me to make some improvements to a large company's barnacle encrusted multi-platform Cordova app. I wouldn't normally touch that kind of thing with a bargepole but I was slated just to add some features to the Mac native app shell, beyond the scope of the embedded JavaScript app.
Those Cordova apps over a certain age and complexity are terrifying. Random plugins, ancient Cocoa Pods, abandoned JavaScript libraries, several different build systems (somehow all being used), Node.js modules with version conflicts that can never be resolved, pulled from all over the internet and all over time.
I am not surprised this guy had no idea what one 3rd party ad plugin was doing, if the app I saw was typical.
Alternate sort of off topic take: if you have a service that is valuable, charge people money for it instead of depending on ad revenue.
I try my best to stay away from ad supported business models, if there is an app in the App Store for instance that has an in app purchase to turn off ads, I have no problem paying for it if it something I’m going to use.
Piracy is a thing and in poorer countries people don't give a sh*t that they're suffocating you, so I'd rather support the ad industry than get suffocated by the people who are supposed to support me in the first place.
Sounds like OP is in Russia. I'm not sure people are as willing to pay for services there.
AdMob indeed. It does what it says on the tin.
The entire site is blocked by my ad blocker.
It's what's worrying with running WordPress plugins: you mean I'm downloading some PHP code written by somebody unknown and this code executes whatever it wants on my server???!!!
It seems I'm the only one that is bothered by this.
And no, I don't have the time nor the skill to audit everything or to use a static site like Hugo.
What is the difference between downloading a wordpress plugin and running it in your server and downloading a jar from maven/a js package from npm and running it?
Nothing. These are also very, very dangerous and expose your site to supply-chain attacks.
The article linked to here [0] which is a must-read for everyone who feels that adding a dependency is safe.
[0] https://medium.com/hackernoon/im-harvesting-credit-card-numb...
I work with C#, most (all?) NuGet packages I download are open source, which isn't the case of a lot of WP plugins that are obfuscated.
They're also centrally managed by Microsoft, so if there was a problem with one package they could kick it out of the NuGet repo.
But in the end you're right, it's mostly a matter of trust and fingers crossed.
Isn't that what WordPress is in the first place?
Absolutely, but it's still scary nonetheless! The problem is that there are not many viable alternatives to WP.
Isn't any piece of software "some <lang> code written by somebody unknown and this code executes whatever it wants on your server"?
You didn't pay your vendor for a year and they noticed
> the drop was due to the Russian government blocking us in an attempt to monopolize the mobile electronic diary market. I’ll save this story for later
I kinda want that story right now lol.
That same plugin has bitten me in the past as well. I used it to display full screen interstitial ads. Despite the author raking in cash from users the plugin was rather broken when I used it. The biggest shortcoming is that it wouldn't properly differentiate ads that the user completely watched and ads that the user dismissed.
This is not a theft. You used the plugin from GitHub, didn't even bother to check the license, used someone else's work with a small fee. Guy even returned you the money. It's probably some kind of dark pattern, but certainly not a theft. Pay for the plugin and you'll not have to pay the fee.
How to get rich:
1) Create a nice plugin to serve ads
2) Bury a complex revenue sharing logic in the terms of use that nobody reads anyway
3) Profit
If you are not obeying license, then you are a pirate.
| ____ |
| |o o| |
| "" |
| O O |
| \ / |
| X |
| / \ |
| O O |
Look at the GitHub profile. The eyes are dead. You can always tell a man by his eyes.
Author is a typical parasite, uses open source projects and other people's time and dares to say they are stealing. Read the license agreement before usage.
But even if you read it, you would have legitimate reason for concern when they started taking more than the 2% stated since there is no mention of taking more than 2% (except in the private email from the plug-in author, which isn't part of the terms)
The repo's LICENSE is the MIT license. If you read it you would have no idea the project is going to steal 30% of your ad revenue.
That's what happens when you freeload. I think we're seeing more pushback now against people like this abusing free software from the developers who break their back to provide it.
If you want to use it, PAY. FOR. IT.
That software is never claimed to be free software, and explicitly disclaims being Open Source.
"never claimed to be free software" and "explicitly disclaims being Open Source" don't cancel out that he published it with an open-source MIT license.
https://github.com/floatinghotpot/cordova-admob-pro/blob/mas...
> PAY. FOR. IT.
What about the Linux kernel and numerous other FOSS?
He was paying for it. 2%. Then the open source hero started taking 30%. Without warning or disclosure.
Defending this is a great way to trash the reputation of open source.
The reputation of open source is already trashed. Companies like Amazon abused what started as a passion for many people, and that passion is now costing them their wellbeing so they're revolting.
The real open source belongs inside the GPL bubble, where you are legally obligated to share back, and it was battle tested when closed platforms like iOS gained traction.
Did people help pressure Apple to make licenses like GPL viable in their walled garden? Or did people diss GPL-ed software because they couldn't use it in the Apple ecosystem? The moment we conceded with "LGPL with linking exception" marked the loss of the iOS battle.
Remember that GNU exists because Stallman couldn't ahem install a printer. And guess what? People avoid the distros with ONLY FOSS components because "it's impractical". If a distro becomes popular, it is because it includes a collection of proprietary drivers.
Our convenience is what made open source what it is today. And you know what? I accept my fault in the great scheme of things.
I was burned by people profiting with work I made for free while I was struggling to survive during the 2008 crisis. I am already familiar with the feeling of betrayal by the people who were supposed to support my work. Open Source was not for me.
> abused what started as a passion for many people
Maybe for some, but having a project used and sold by Amazon would be the endgame for me.
"If you have a high user traffic, please consider to get a license, it will be more cost-effective. Or else you might be unhappy someday."
*"Or else you might be unhappy someday."*
If that isn't a threat, I don't know what is. This guy's plugin should be removed immediately for such actions.
The author of this software is very clearly a non-native English speaker, and while more than skilled enough to communicate reasonably effectively on technical matters, they're also not really skilled enough to fully grasp all the nuances of these types of things. I don't know what they intended with that exactly, but I'm sure not going to jump to conclusions.
I think that's just a fact. License is $20. This guy is clearly making more than $1000 on his site so the license is cheaper.
Just a reminder to folks who are looking for alternatives, we're building an open source ad network for developer-focused sites: https://www.ethicalads.io/.
We also take 30% of the revenue (which is around industry standard), but it's very well-defined in our Publisher Policy: https://www.ethicalads.io/publisher-policy/