This practice being considered acceptable has been a nightmare - we had OSS libraries add spying later, change their APIs for disabling it, etc. When it's a nested dependency, even worse.
Now and then we run our stack with a MITM monitor just to sniff out this dangerous crap. More recently, we are seeing it in ML libraries. For a security vendor to do it is extra bad because they can't claim not understanding why it's bad and often illegal.