
VSCode silently opts you in to data collection - alangibson
https://code.visualstudio.com/docs/supporting/faq#_how-to-disable-telemetry-reporting
======
tapirl
I disabled the telemetry feature before, but the latest vsc version reverts it
to enabled automatically, holy creepy.

And the latest version introduces many other data collection ways. Search them
in settings with the keyword "online", you will find them all. Don't know
whether or not there are other hidden ways which are not shown in the setting
page.

~~~
nathantotten
I’d file a bug. This is almost certainly not intentional.

~~~
blibble
yeah just like for every large Windows update your default browser
accidentally gets reset to MS Edge

totally a bug

~~~
KyeRussell
Microsoft is a very big company and I have absolutely no doubt that the
Windows team and the VSCode team hardly ever—if at all—talk.

I also question how 'evil' policies like this could propagate across company
divisions to the point where they are actually implemented in code—in today's
age where engineers have a lot of agency over what they do and often speak
up—without someone leaking said policy.

This is just a conspiracy theory.

~~~
bostik
Or perhaps a result of tying team bonuses and promotions to "increased
coverage", whatever that means for each product.

Not necessarily malicious - just myopic.

------
tmkbry
[https://imgur.com/a/wii2zVT](https://imgur.com/a/wii2zVT) is what everybody
gets when starting VSCode for the first time.

~~~
samuelg123
I’d argue this isn’t enough. They should explicitly ask, especially when
you’re using the application to handle sensitive material such as unreleased
code.

~~~
rhizome
It's user-hostile, business-unfriendly, and completely intentional.

~~~
WalterGR
Which information that VSCode sends as part of the telemetry are user- and
business-hostile?

~~~
rhizome
I was referring to the content of the notification dialog.

------
sam0x17
This is why it is a great idea to use VSCodium. An open source fork of VSCode
that removes telemetry and packages itself for all major operating systems.

[https://github.com/VSCodium/vscodium](https://github.com/VSCodium/vscodium)

~~~
smartbit
_After installing VSCodium, you must manually disable telemetry in your
settings file to stop it from sending tracking data to Microsoft._

[https://github.com/VSCodium/vscodium#getting-all-the-telemet...](https://github.com/VSCodium/vscodium#getting-all-the-telemetry-out)

~~~
macns
_Even though we do not pass the telemetry build flags (and go out of our way
to cripple the baked-in telemetry), Microsoft will still track usage by
default. After installing VSCodium, you must manually disable telemetry in
your settings file to stop it from sending tracking data to Microsoft.

The instructions here and here help with disabling telemetry._

~~~
kardos
Good first issue for a new contributor?

------
nathantotten
I know a lot of people don’t like things like this, but also remember not all
data collection is malicious. If you look at what they actually collect it’s
not pulling a bunch of personal info. They collect usage, perf and errors. As
a product manager (not for vsc or MS) I use this type of telemetry all the
time to make prioritization decisions. It’s a balance, but my hunch is the team
at MS uses this info exclusively to make the product better.

Of course, you should always be able to disable this sort of collection.

~~~
TheAceOfHearts
No, you should ALWAYS explicitly ask for user consent. You should explain
exactly what kind of data is being collected and how it's used and ask them if
they are fine with that. Anything else is unethical.

I'll happily enable certain kinds of data collection when a tool is
transparent and it makes its data collection opt-in.

~~~
arghwhat
I'm a privacy advocate, but I'm 100% okay with on-by-default error collection,
as long as the logging is scrubbed of personal data.

Usage analysis is different, and should be opt-in.

~~~
mrob
Even if we accept that scrubbing of personal data is possible, which is far
from certain, that theoretically non-malicious traffic still provides
camouflage for malicious traffic. If we insist on opt-in, then we can apply a
very simple and fail-safe heuristic: any traffic the user didn't explicitly
request is malicious. There's no need for slow and error-prone analysis.

~~~
arghwhat
And how in the world do you intend to distinguish traffic?

How do you intend to tell the difference between Atom's and VSCode's Git(hub)
integration, app updater, package manager, telemetrics or an exploitation? The
difference between a Signal, WhatsApp or Telegrams' messages and their
telemetrics?

Your proposed heuristic only works for applications that would not otherwise
have any network traffic, and even then, only if you do on-machine per-process
network monitoring. Once it has any valid traffic whatsoever (which is the
case for basically any modern GUI application), then you quickly descend into
needing to disassemble binaries to locate the cause.

Opt-in vs. opt-out is about privacy and rights, not about security. Malicious
companies whose traffic are a security breach and things down those lines are
problems that belong in an entirely different discussion, whose root-cause is
much deeper than opt-in vs. opt-out.

Also, regarding scrubbing: A stack-trace and error message is far from private
identifying information. No harm done in sharing it.

~~~
mrob
>Git(hub) integration

If I select a git command from a GUI, that's an explicit request by the user.

>app updater, package manager

If something legitimately requires background network activity, and security
updates might qualify, it should go in Crontab. The system should have exactly
one package manager, and apps should not re-implement their own.

>telemetrics

If I turn it on, I'll remember I turned it on.

~~~
arghwhat
None of this makes any sense unless you're manually authorizing _all_
connect()/write() calls, manually monitor network traffic and correlate it in
real-time with user actions, or have some form of surveillance software to
automatically do this for you. All of these seem extremely improbable.

Otherwise, on the network, git fetch and telemetrics to github will be
indistinguishable (except if you start doing opaque data pattern analysis).
There's also no automatic correlation on the network.

On the machine itself, the closest you could get is something like Little
Snitch, which _still_ won't be able to help at all, as permitting Atom to
speak to Github on port 443 will permit everything while disallowing will
block everything, and it's also designed to be a manually populated whitelist,
rather than a constant authorization system.

> If something legitimately requires background network activity, and security
> updates might qualify, it should go in Crontab. The system should have
> exactly one package manager, and apps should not re-implement their own.

First of all, eww. Nothing is worse than updates running on a crontab, causing
shit to break because it updated automatically.

Also, welcome to 2018. Everything outside Linux bundle their own updater, and
on Linux, flatpak and other newfangled things bypass most package managers
(even with dnf's flatpak integration, it's still not going through any yum
repos).

------
krn
How is VSCode different from Firefox? Both have telemetry enabled by default,
and both allow to opt out of it[1].

[1] [https://www.mozilla.org/en-US/privacy/firefox/](https://www.mozilla.org/en-US/privacy/firefox/)

~~~
WalterGR
_How is VSCode different from Firefox? Both have telemetry enabled by default_

Yep. So does Google Chrome, Apple macOS, Apple iOS, Canonical Ubuntu, and an
uncountable number of programs, apps, and websites.

But VSCode is a Microsoft product, so it gives us an opportunity to do some
serious pearl clutching and collectively lose our shit.

~~~
alangibson
The issue isn't that it's MS. The issue is that it is opt-out, not opt-in. Has
nothing to do with who's pulling the shenanigans.

~~~
Buge
Firefox is also opt-out.

~~~
NeedMoreTea
It's not silent though.

You get a little banner at the bottom of the start page on first run and a
button to go straight to the preferences option.

~~~
WalterGR
_It's not silent though._

Neither is VSCode. How is Firefox morally superior to VSCode in this regard
then?

~~~
NeedMoreTea
"VSCode silently opts you in to data collection"

Sure seems that way. Never had any prompts about it.

~~~
WalterGR
The title of this post is FUD.

Look for the comment here that says

 _[https://imgur.com/a/wii2zVT](https://imgur.com/a/wii2zVT) is what everybody
gets when starting VSCode for the first time._

(It’s the 2nd highest top level comment at the moment.)

------
userbinator
Unless it's otherwise known, I think it's safe to assume that every not-tiny
application contains phone-home spyware these days. It's not long ago when
that wasn't the case, and many users had application firewalls that would
alert (and block by default) such attempts. I'd say Win10 was probably the
"breaking point" for such behaviour being normalised.

I'm one of those (probably tiny minority) who inspect the binaries of closed-
source applications before using them, and will reject those containing
networking-related functionality if the application should have no reason to
do so.

~~~
mygo
why not use something like Little Snitch or even TripMode to add opt-in
functionality for all apps trying to make network connections?

~~~
gpm
Along these lines for linux. I've got some hacky scripts set up on my computer
so that everything runs in a network namespace with only a loopback device
(i.e. no internet) unless I start it by typing `net command` (like `sudo
command` but for internet). I could post them if people are interested.

------
brett40324
When I first installed vscode, I assumed this was the case and yep, there it
was buried in preferences. Disable all of it, including automatic updates.
When you want to update, uninstall and install again fresh. Then disable
again. Repeat.

------
paglia_s
Has everyone already forgotten about GDPR?

~~~
ygra
Is this personally identifiable information? If not, then the GDPR has nothing
to do with it.

~~~
_trampeltier
Having names beside the bell in an apartment building is forbidden. GDPR is
fun ...

[https://wien.orf.at/news/stories/2941086/](https://wien.orf.at/news/stories/2941086/)

~~~
mschuetz
Read the article before spouting nonsense.

You're free to attach your name to the bell if you want for whatever reason.
Only landlords are now not allowed to attach your name to the doorbell by
default in Austria, and apparently they weren't allowed to do so since 1980
but it's only being enforced now.

------
kgwxd
At least they changed the code names, it used to be "telemetry.optIn = true",
showing how little they understand the term opt-in.

------
type0
Any reason why Microsoft's own extensions are not able to use the global settings
disabling telemetry?

[https://github.com/Microsoft/vscode-docs-authoring/blob/mast...](https://github.com/Microsoft/vscode-docs-authoring/blob/master/docs-markdown/src/telemetry/telemetry.ts)

~~~
CamperBob2
Because then they don't get to hoover up as much of your data.

------
xte
I have Emacs, why bother with other limited editors? Emacs can do what they do
+ far, far more so...

------
rubiquity
When Microsoft bought GitHub I didn’t think about GitHub Enterprise revenue. I
thought about all of the language package managers that use GitHub’s APIs for
downloading repos.

------
purplezooey
_... extensions may be collecting their own usage data and are not controlled
by the telemetry.enableTelemetry..._

wtf. So it's like whack-a-mole.

------
algorithm_dk
Nothing new here, VSCode had this for a long time. Also I don't find anything
wrong with shipping software with data collection on by default.

------
naikrovek
If someone wants to try to explain to me why the collection of application
telemetry is bad, that'd be great.

~~~
alangibson
It's not inherently bad. Collecting telemetry on an opt-out basis, as opposed
to opt-in, is.

------
frogperson
Is there a plug-in that pops a big red warning when telemetry is turned on?
That would be very useful.
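
(Added example, not part of the thread and not VS Code or VSCodium code: a settings audit along the lines asked for above. It treats a missing key as enabled, which is what a reset after an update would look like. `telemetry.enableCrashReporter` is not named in the thread and is assumed here as the companion setting; the sample file is constructed.)

```python
import json
import re
import sys

# telemetry.enableTelemetry is the setting quoted in this thread;
# telemetry.enableCrashReporter is assumed as its companion in VS Code of that era.
TELEMETRY_KEYS = ("telemetry.enableTelemetry", "telemetry.enableCrashReporter")

# A string literal is matched first so "//" inside a URL is never treated as a comment.
_STRING = r'"(?:\\.|[^"\\])*"'
_COMMENT = re.compile(_STRING + r'|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING_COMMA = re.compile(_STRING + r'|,(?=\s*[}\]])')

def _keep_strings(match):
    text = match.group(0)
    return text if text.startswith('"') else ""

def parse_jsonc(text):
    """Parse settings.json, which allows comments and trailing commas."""
    text = _COMMENT.sub(_keep_strings, text)
    return json.loads(_TRAILING_COMMA.sub(_keep_strings, text))

def audit(settings_text):
    """Map each telemetry key to its state; a missing key means the opt-out default is on."""
    settings = parse_jsonc(settings_text) if settings_text.strip() else {}
    report = {}
    for key in TELEMETRY_KEYS:
        if key not in settings:
            report[key] = "ENABLED (not set, default applies)"
        elif settings[key] is False:
            report[key] = "disabled"
        else:
            report[key] = "ENABLED (explicitly)"
    return report

# Constructed sample, not a real user's file.
SAMPLE = """{
  // user settings
  "telemetry.enableTelemetry": false,
  "http.proxy": "http://proxy.example:3128", /* URL contains // */
  "editor.fontSize": 14,
}"""

if __name__ == "__main__":
    # Pass the path to your own settings.json; with no argument the sample is audited.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    result = audit(text)
    for key, state in result.items():
        print(f"{key}: {state}")
    sys.exit(0 if all(s == "disabled" for s in result.values()) else 1)
```

The non-zero exit status when any key is enabled lets this run after each editor update. It only covers the editor's own settings; as quoted further up the thread, extensions may collect their own usage data outside `telemetry.enableTelemetry`.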

------
electic
I guess this might be a precursor to the type of behavior we can expect to see
with the GitHub acquisition.

Secondly, is there anyone out there that has a solid emacs step by step guide
that might be able to replicate the functionality of vscode? I haven't had
time to look at it but I think the time has come where I can't put it off any
longer.

------
anonlastname
is this at all surprising given that we're talking about the company that made
windows? did we forget that for a while it would silently put telemetry in
your binaries?

~~~
WalterGR
_it would silently put telemetry in your binaries?_

What do you mean?

~~~
anonlastname
For a while VS code would do that but they claimed it was an accident.
[https://www.geeks3d.com/20160610/vs2015-how-to-remove-window...](https://www.geeks3d.com/20160610/vs2015-how-to-remove-windows-telemetry-function-call-from-your-c-binaries/)

