Channel: Topic Tag: malware | WordPress.org

Jeremy Herve on "Remove jetpack from the plugin repository"


Hey AliceWonderFull,

I work on the Jetpack team, and I wanted to answer a few of the questions you had here.

First, and probably the most important concern you had: as far as I know, Jetpack doesn't violate any of the plugin guidelines defined here:
https://wordpress.org/plugins/about/guidelines/

If you disagree, it would probably be best to let the plugin review team know about your concerns, as forum volunteers can't remove a plugin from the repo for you. You can contact the plugin review team by emailing plugins at this domain.

> a dozen or so of the jetpack features use the wordpress.com cloud which is not open source - but would have to be reverse engineered in order to use an alternative.

That's correct, as that's the idea behind the Jetpack plugin: it allows you to use features of the WordPress.com cloud on your self-hosted WordPress site.

That's allowed in the plugin repository. See section 6 here, about "Serviceware" plugins.

That's also very common in the plugin repository: there are quite a few plugins allowing you to add Google Analytics or other stat services, you'll also find plugins managing Stats or Related Posts, and calculating these on third-party servers, and it's hard to count how many plugins help you add iFrames from other services to your site (e.g. Facebook / Twitter sharing buttons).

> For a user to manage their subscriptions they then have to get a wordpress.com account - which I for one have no intention of ever doing.

No, you do not need a WordPress.com account to manage your subscriptions. You can add, edit, and remove subscriptions to WordPress.com and Jetpack sites without having a WordPress.com account.
You can access your subscription settings here:
http://subscribe.wordpress.com/

> the jetpack plugin doesn't ask the user if their e-mail address can be shared with wordpress.com - it just does it. User leaves a comment, checks the box saying they want updates - just like they would do in a WordPress blog that doesn't use jetpack - and their e-mail address is shared with wordpress.com

That's indeed how Jetpack Subscriptions work, and it's important to mention that we won't send you any emails or do anything with your email address until you confirm your subscription by clicking the link in the confirmation email you receive. That's how double opt-in works, and why it's important.

That's also how most of the other subscription services I know work today. Most of the other subscription plugins in the repository use the same methods, so you'd get a similar behaviour if you were to look at how Feedburner, Mailchimp, and other subscription services work. I wouldn't remove any of these plugins from the repository, though.

> Javascript popup asking the user if it is okay to share their e-mail address with wordpress.com.
> If the user clicks cancel, then nothing is sent and the user is not subscribed to the blog.
> It's not that difficult of a concept to ask a user before sharing their private information with a third party, and it is easy to do.

That's an idea, and something that could be described as "triple opt-in", I guess. It's a nice idea, and would help site owners provide absolute transparency about what they do with their readers' data.

I've never seen that implemented anywhere, though. That's most likely because one more step would probably turn potential subscribers away.

Instead, site owners concerned about absolute transparency on their sites (either for personal or for legal reasons) have either stopped using third-party services, or provide a warning to let their readers know about the different tools used to track them on the site. They can do so via small popups (there are quite a few plugins that do that in the repo), or by creating a specific page on their site listing the different third-party services in use on the site.

You could also warn your readers in the subscription form, like so:
http://i.wpne.ws/Yr3e

Or you could add a notice above or below the comment form to let your users know exactly what will happen if they check that subscription box.

I'm sure there are other alternatives I didn't think of. It might be worth getting in touch with some German site owners if you are looking for other alternatives, as German laws require a lot of transparency about these things.

> What jetpack is doing is spyware

I wouldn't call that spyware. This very page includes services that are collecting data about me without my consent. Here is what I could gather from looking at the page source:

  • Google Analytics gets data about my location, browser, OS, where I came from, ...
  • Quantcast, like Google Analytics, collects data about me to help media agencies deliver ads tailored to me.
  • Since I'm logged in to my Facebook and Twitter accounts, the 2 buttons below track my visit to this page. Since I'm logged in, it's not really without my consent, though; I did accept the terms and conditions when I signed up, after all. Let's scratch these 2 from my list.

Would I call that spyware? No.
Do I blame WordPress.org, or Google Analytics, or Quantcast? No.
Can I do something about it if that bothers me? Yes, I can install browser extensions like Ghostery that will help me choose what information I give away when browsing the web.

I hope that answers some of your questions. I don't aim to convince you about anything, and if you still think that plugins collecting data about your readers without their consent shouldn't be allowed in the repository, I can only encourage you to make a list of such plugins, and send an email about it to the plugin review team.

If you have questions about Jetpack, do not hesitate to post in the Jetpack support forums, or send us an email!

