Disclaimer: I am not an Automattic employee but I recently did have an opportunity to meet some of the people who work on Jetpack in person. They're good people and I like them.
Jetpack is basically spyware, and it violates the spirit of open source.
I'm really sorry you feel that way, but the Jetpack plugin, like many plugins, is an interface to a service. That makes it software as a service, which, while that sometimes gives me headaches, is allowed and does not violate the GPL or the guidelines in this repository. That includes the spirit of the GPL.
https://wordpress.org/about/gpl/
What they do with data that passes through their cloud is anyone's guess, as it is not open source we have no way of really knowing.
Now THAT'S a good point and a fair question.
I'll ping someone, but the Jetpack team is working on a page that clearly explains what data is used, how it's collected, why, etc. That page may already be in place and I just don't know the URL.
For example, the related posts functionality and Omnisearch mean that they need to download all of your posts and data. It's the only way to get good results for those features.
Jetpack is not installed by default, it doesn't ship with WordPress and installing it is 100% optional. So is the part where you create a WordPress.COM account. Virtually all of the functionality is available in other plugins from other authors.
Jetpack and WordPress.COM do collect data, and Jetpack is the Swiss Army Knife of plugins. But intentions count and calling Jetpack spyware and malware really isn't justified.
Spyware by definition is something that collects data without disclosing it for nefarious reasons. While the data collected should be more transparent, as well as what/where it goes and how it's used, I will bookmark that information when I find it and share it here.
The malware label is also uncalled for; if it were malware then it would not be so easy to remove from your installation. Intentions count for a lot and the intentions of the Jetpack team are good.
The user gets an e-mail from wordpress.com to confirm but it is already too late to object to their e-mail being shared with wordpress.com because that already took place without the user approving it.
The email is used to send a confirmation. That's called double opt-in, and how would that confirmation get sent without having the email address? Also, some (really reasonable) countries require that confirmation by law. It's a good idea to ensure that people are not subscribing via some third party without their consent.
I do recommend that if you are not comfortable with it, just remove the plugin. Don't install it or use it, that's always been the user's choice.