
.NET core spies on users by default - Ice_cream_suit
https://github.com/dotnet/cli/issues/3093
======
manigandham
Lots of FUD as usual with these topics.

The .NET Core CLI/SDK dev tool to build and package code is the only thing
sending telemetry. It's not the main `dotnet` command itself nor anything in
the runtime. The data is also available for anyone to analyze:
[https://docs.microsoft.com/en-us/dotnet/core/tools/telemetry](https://docs.microsoft.com/en-us/dotnet/core/tools/telemetry)

It's definitely nothing out of the ordinary and is common practice among many
tools and apps you already use. Your smartphone sends back way more data if
you're that concerned.

There's also a warning the first time you use it, and if you're using
something like this then it's a reasonable expectation that as a software
developer you understand the message and how to disable it if you want to.

EDIT: the insights based on this telemetry are also interesting to look at and
add further clarity: [https://blogs.msdn.microsoft.com/dotnet/2017/07/21/what-weve...](https://blogs.msdn.microsoft.com/dotnet/2017/07/21/what-weve-learned-from-net-core-sdk-telemetry/)

~~~
bad_user
> _Your smartphone sends back way more data if you're that concerned._

That's not true. My iPhone asked me if I want to share iPhone / iCloud
analytics and I said no. This wasn't an opt-out, but an explicit question. I
remember my Google Nexus asking me about it as well, including for Google's
Keyboard. I said no and again no opt-out happened.

And in fact it would be illegal to collect user telemetry in the EU without
the user's explicit consent ;-)

~~~
nonamechicken
I have very limited apps in my phone. And I have disabled almost all Google
creepware (except Google Play Services, Maps etc) and opted out of anything
Google allows me to do. Still, I see this in Disconnect Pro:

[https://imgur.com/a/ajRbI](https://imgur.com/a/ajRbI)

~~~
bad_user
Are you asking me to debug your phone?

Google Analytics is a service that can be used by websites, online services
and mobile apps to track users. If I were to guess, those are requests made by
the browser or by the apps that you have installed. I was also talking about a
Nexus 6 phone, with the pure Android experience, not whatever Samsung or the
others are doing.

I don't feel this is relevant to the discussion at hand though.

~~~
nonamechicken
According to Disconnect Pro, these are the apps doing the tracking on my phone:
Google Play Services, YouTube, SmartThings, Outlook & Firefox Focus
([https://imgur.com/a/Ga9Bj](https://imgur.com/a/Ga9Bj)).

I understand that other apps could be doing analytics through Google Play
Services. But I don't want that. Whether it is Google doing it (I still get
location based alerts even though I have disabled location history) or third
party apps, Google is facilitating it (of course I am aware of the argument
you are the product if it's free). Since I have no way of opting out, I have to
install Disconnect with admin privileges (which in itself is scary to me). I
am also in the process of setting up a pfsense box so that I can block Google
and Microsoft telemetry at home.

I shouldn't have to do all these.

------
cjsuk
Summary of the key problems:

1. Microsoft won't engage with customers on removal of this even if it causes
problems.

2. The feature fires off before it informs you.

3. We don't trust Microsoft after they turned their platform into a data
gathering and leak risk.

4. This spans more than just Windows as a platform so the assumption that opt
out is OK is leaking onto privacy respecting platforms.

5. This is resurrected because it's still being fought.

6. No one else does this. This is new and we don't want the assumption that
it's ok to go forward any more than it has.

7. Steamrolling opinion is not how you treat customers. That's how you lose
them.

Microsoft are doing a big platform push for tooling, i.e. SQL Server,
PowerShell, VS Code etc., and we're making it known that when in Rome, do as
Romans do.

A lot of younger users will be used to telemetry as a feature and are not
sensitive to it. This does however pretty much kill the product for
healthcare, finance and defence sectors.

In my case this signifies the end of a 15 year investment of my life in a
platform.

~~~
MarkSweep
How does this “kill the product for healthcare, finance and defence sectors”?
This is part of the SDK tooling, it should not be installed or run in the
deployment environment. (If telemetry is bad, running "dotnet restore" to
download code from the internet is worse).

If having telemetry in the development environment is bad too, then so was the
“Visual Studio Customer Experience Program”. While that was opt-in, I would
think that if telemetry was so dangerous that precautions would be taken to
prevent it from being turned on. Precautions that would be at least as
difficult as setting an environmental variable.

~~~
flukus
> How does this "kill the product for healthcare, finance and defence
> sectors"? This is part of the SDK tooling, it should not be installed or run in
> the deployment environment.

This will also be installed in places like the build server that may have
extra permissions into the production environment. Often the firewall between
production and development won't be as great as you think and all software has
to be compliant because the developers will be dealing with real private data.

> If telemetry is bad, running "dotnet restore" to download code from the
> internet is worse

"dotnet restore" could be hitting a local repository only, which is much more
common in these environments.

> If having telemetry in the development environment is bad too, then so was
> the “Visual Studio Customer Experience Program”.

Typically it would be disabled, but things slip through the cracks, no matter
how many precautions there are, which is why off by default is important.

Aside from that, it kills trust. The developers don't even understand that
this is a privacy violation and refuse to fix it, so when the next thing on
the slippery slope comes along I don't expect them to appreciate the
ramifications of it. Will compiler error codes be considered telemetry? How
about exceptions? How about code metrics? I can't trust the dotnetcore
developers to respect privacy.

~~~
zamalek
> "dotnet restore" could be hitting a local repository only, which is much
> more common in these environments.

You have to do this as part of your configuration. Alongside that
configuration, you can change a single environment variable to turn telemetry
off.

> but things slip through the cracks

I don't see how negligence is a valid counterargument. You could use the
external repository by mistake and do far more damage. Are you more likely to
forget about the telemetry opt-out? After all this fuss I doubt it.

The root comment also claims that Microsoft refuses to engage and allow the
removal of it. The environment variable exists, Microsoft has clearly engaged
and allowed the removal of it. This comment chain is FUD.

Finally, if you really care about privacy this much you should be building
things from source. This applies to .NET Core as much as it applies to GCC.
.NET Core is open source, so this is absolutely possible to do.

~~~
svick
> Finally, if you really care about privacy this much you should be building
> things from source. […] .NET Core is open source, so this is absolutely
> possible to do.

It's not that simple. Until recently, you had to have .NET Core installed to
build .NET Core. There is now a way to build from source
([https://github.com/dotnet/source-build](https://github.com/dotnet/source-build)), but it only works on Linux.

------
caleblloyd
It also tells you that telemetry is enabled and gives you instructions to
disable it the first time you run the `dotnet` command.

Just like any other tool that automatically checks the telemetry box for you.
You just need to use an environment variable instead of a checkbox in this
case because it is server software.

~~~
oblio
If I'm reading the comments right, it sends some stuff during installation. So
before you can do anything.

~~~
sitharus
It uses an environment variable, you can set that before running the
installer.

~~~
flukus
Only if you know about it prior to installation. Opt-out is simply never
acceptable and it should be considered spyware until it's fixed. I can't
believe there are so many apologists for this sort of behavior.

All that's missing is hiding the information in a basement, without stairs and
a sign saying "beware of the tiger".

~~~
electricEmu
> Only if you know about it prior to installation.

This is a piece of third party software. "Should be" doesn't override reading
the manual and knowing what you're installing.

~~~
flukus
> [https://www.microsoft.com/net/core#windowscmd](https://www.microsoft.com/net/core#windowscmd)

Can you point out where in the installation instructions I'd find out about
this telemetry or do you seriously expect me to read every single piece of
documentation this might be hidden in? Considering this was added after the
initial release, do you expect me to re-read the documentation on every single
update?

Sorry, but even if your argument was correct, this just (deservedly) burns any
good will I had with MS, which wasn't much but at least I used to have some
for the .net team.

~~~
electricEmu
> Can you point out where in the installation instructions I'd find out about
> this telemetry or do you seriously expect me to read every single piece of
> documentation this might be hidden in?

I expect someone who cares about telemetry to search for it. It is well
publicised, discussed, and available [1]. There is a telemetry warning when
first using the tool.

> Considering this was added after the initial release, do you expect me to
> re-read the documentation on every single update?

No, but I would expect you to read the release announcements. [2]

> Sorry, but even if your argument was correct, this just (deservedly) burns
> any good will I had with MS, which wasn't much but at least I used to have
> some for the .net team.

So, regardless of correctness you would have been burned anyway. Microsoft
even releases the telemetry gathered under a creative commons license [3]. You
can opt out of this completely transparent and well documented option.

[1] [https://docs.microsoft.com/en-us/dotnet/core/tools/telemetry](https://docs.microsoft.com/en-us/dotnet/core/tools/telemetry)

[2] [https://blogs.msdn.microsoft.com/dotnet/2016/05/16/announcin...](https://blogs.msdn.microsoft.com/dotnet/2016/05/16/announcing-net-core-rc2/)

[3] [https://blogs.msdn.microsoft.com/dotnet/2017/07/21/what-weve...](https://blogs.msdn.microsoft.com/dotnet/2017/07/21/what-weve-learned-from-net-core-sdk-telemetry/)

~~~
dahauns
>No, but I would expect you to read the release announcements. [2]

Yeah, well...where is it?

[https://blogs.msdn.microsoft.com/dotnet/2017/08/14/announcin...](https://blogs.msdn.microsoft.com/dotnet/2017/08/14/announcing-net-core-2-0/)

[https://github.com/dotnet/core/blob/master/release-notes/2.0...](https://github.com/dotnet/core/blob/master/release-notes/2.0/2.0.0.md)

Or do you seriously expect me to read every beta/RC release note of versions I
won't ever use for elementary issues like this?

------
paxys
It collects redacted usage data for dotnet development commands - e.g. dotnet
restore for package management - not run a backdoor on your production servers
like the title implies. If you scroll down the thread you'll see that it
doesn't even collect arguments you pass to the commands.

If you think that npm or any other tool you use doesn't do the same you are
delusional.

~~~
4lch3m1st
Well, it is an opt-out feature, which is already a way to purposely collect
data if you're not paying attention enough. Plus, if npm has such a flaw, this
is still no excuse for Core to do the same.

------
mappu
Visual Studio Code also has opt-out telemetry enabled by default, with no
warning (that I've seen).

[https://code.visualstudio.com/docs/supporting/faq#_how-to-di...](https://code.visualstudio.com/docs/supporting/faq#_how-to-disable-telemetry-reporting)

~~~
jve
People don't read the TOS, agree to the terms and then complain. If this kind of
privacy is really important for people, they should at least read TOS.

[https://code.visualstudio.com/license](https://code.visualstudio.com/license)

> DATA. The software may collect information about you and your use of the
> software, and send that to Microsoft. Microsoft may use this information to
> provide services and improve our products and services. There may also be
> some features in the software that enable you to collect data from users of
> your applications. If you use these features to enable data collection in
> your applications, you must comply with applicable law, including providing
> appropriate notices to users of your applications. You can learn more about
> data collection and use in the help documentation and the privacy statement
> at
> [http://go.microsoft.com/fwlink/?LinkID=528096&clcid=0x409](http://go.microsoft.com/fwlink/?LinkID=528096&clcid=0x409).
> Your use of the software operates as your consent to these practices.

------
gatmne
Extremely disappointing.

First we had to keep a close eye on our browsers, now we have to keep track of
our text editors, dev tools, operating system, and even our own hardware. If
we're really lucky, some will have some obscure way of limiting it.

Making your job easier and improving your product are not valid excuses for
this kind of despicable behavior.

When I set up my next dev machine, everything will be sandboxed or the entire
machine air-gapped. Some developers and software vendors can no longer be
trusted.

~~~
svick
> if we're really lucky, some will have some obscure way of limiting it.

In this case, it tells you how to completely turn it off the first time you
use it.

------
Gaelan
Is there any reason this matters? Besides the automatic reaction of "data =
evil" that I'm seeing, I see no reason why it even remotely matters that this
data gets out.* I see no practical way MS could benefit from this other than
by improving the open source project. Maybe if they _really_ wanted to they
could link your IP to a Facebook/Google account so you could get ads for
developer tools? Is there actually a good reason to turn this off?

* I'm assuming MS is being honest about what they're collecting in their documentation. If someone has evidence that their sources/binaries say something different, feel free to bring it up.

~~~
jabot
> I see no practical way MS could benefit from this other than by improving
> the open source project.

Then why don't they make it opt in?

> Is there actually a good reason to turn this off?

Security. In the sense of "enable only needed features, to reduce attack
surface".

Of course it would be even better to not have it turned on by default in the
first place.

Microsoft comes from a place of being automatically distrusted by a lot of
people, and for good reason. It may seem unfair to you, but they have to
conduct better than this to make up for this disadvantage.

~~~
Gaelan
> Then why don't they make it opt in?

Perhaps because they think it is a reasonable default that few people will
want to change (vocal minorities and all that)? Curious if anybody who does
opt-in telemetrics has stats on first-time downloads vs telemetry enables.

> Security. In the sense of "enable only needed features, to reduce attack
> surface".

I’d assume that the attack surface here is pretty small (HTTPS request via the
standard mechanism, ignore the response). If .NET HTTPS APIs are broken, we’ve
got bigger problems. At the end of the day, everything is a cost/benefit, and
it seems like this is something pretty hard to get wrong + pretty large
tangible benefit for the project.

------
cafxx
My first reaction was "if you're really worried about accidental/malicious
exfiltration I'm sure you're running your servers WITHOUT unfiltered outbound
access to the internet, RIGHT?"

~~~
api
You're right, but at the same time you should not have to. Software should be
secure by default.

~~~
cafxx
Software is _buggy_ by default. That alone is enough to require you to not run
with unfiltered access, if you really care about minimizing security risks.
And if you do it (and you should) then this story doesn't affect you.

I agree though that transparency about data collection is important,
especially for building trust.

------
Ice_cream_suit
Leaks data from production servers to a Microsoft run network.

What fun....

"Behavior The telemetry feature is on by default.

You can opt-out of the telemetry feature by setting an environment variable
DOTNET_CLI_TELEMETRY_OPTOUT (e.g. export on OS X/Linux, set on Windows) to
true (e.g. “true”, 1). Doing this will stop the collection process from
running."
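
As an added example (not from the thread and not part of the .NET project), a preflight gate for a build agent or install script that fails closed unless DOTNET_CLI_TELEMETRY_OPTOUT holds one of the opt-out values the quoted documentation names ("true" or 1), plus an audit that the setting is persisted in a profile file so it survives new shells; the function names and the sample profile contents are my own.

```shell
#!/bin/sh
# Added example: gate .NET SDK installation and first `dotnet` use on the
# telemetry opt-out variable. Anything other than "true"/1, including an
# unset variable, is treated as "telemetry still on" so the gate fails closed.

# is_telemetry_optout VALUE
# Returns 0 when VALUE is one of the documented opt-out values, 1 otherwise.
# "true" is matched case-insensitively; "0", "false", "" and garbage all fail.
is_telemetry_optout() {
  case "$1" in
    1|[Tt][Rr][Uu][Ee]) return 0 ;;
    *) return 1 ;;
  esac
}

# check_dotnet_telemetry_optout
# Inspects the current environment. Run it before the SDK installer and before
# the first `dotnet` call in CI, since the variable must already be set then.
check_dotnet_telemetry_optout() {
  if is_telemetry_optout "${DOTNET_CLI_TELEMETRY_OPTOUT:-}"; then
    echo "ok: DOTNET_CLI_TELEMETRY_OPTOUT=${DOTNET_CLI_TELEMETRY_OPTOUT}"
    return 0
  fi
  echo "FAIL: DOTNET_CLI_TELEMETRY_OPTOUT is '${DOTNET_CLI_TELEMETRY_OPTOUT:-<unset>}'; expected true or 1" >&2
  echo "hint: export DOTNET_CLI_TELEMETRY_OPTOUT=1 in the agent profile before installing or running dotnet" >&2
  return 1
}

# persisted_optout FILE
# Audits a profile-style file (e.g. /etc/environment or ~/.profile) for a
# persisted opt-out, so the setting is not lost on the next shell or agent
# restart. Commented-out lines are ignored; the last assignment wins.
persisted_optout() {
  _val=$(sed -n 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}DOTNET_CLI_TELEMETRY_OPTOUT=//p' "$1" \
         | tail -n 1 | tr -d "\"'")
  is_telemetry_optout "$_val"
}

# Typical CI use (uncomment to run as a script):
# check_dotnet_telemetry_optout && persisted_optout /etc/environment && dotnet restore
```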

~~~
Rohansi
Is running dev tools (compilers etc) on production servers a thing? I have
always built on my machine (or build server) and then deployed to production.

~~~
tren
That's the way to do it, use a build server, deploy with something like
Octopus to production.

------
jacobmischka
Fear mongering, it's relatively benign telemetry. Also needs (2016).

~~~
dang
Thanks, we added the year.

~~~
pmontra
It started in 2016 but it's not over. There are comments from a few minutes
ago, maybe because of this HN thread, and tales of things that went wrong
recently. Example: a failed HIPAA inspection.

I'd take the year away, not to make people think it's not relevant anymore.

~~~
dang
Ok, we've taken it out.

------
j_s
Yes, that is correct. Not sure what triggered this renewal of the campaign on
the part of the opposition. Maybe this post on today's Microsoft discussion
(re: Windows Phone abandoned)?
[https://news.ycombinator.com/item?id=15434859](https://news.ycombinator.com/item?id=15434859)

Microsoft/.Net Foundation added telemetry to the dotnet command line last year | [https://news.ycombinator.com/item?id=14836737](https://news.ycombinator.com/item?id=14836737) (Jul 2017)

~~~
cjsuk
I’ve been at it for a while. I’ve learned that if you want something to change
you don’t let it go.

~~~
socrates666
... that's not absolutely right. There is way more than simply "don't let go."

------
mmgutz
It's mind-boggling that people here are equating smartphones, browsers to
development utilities. This is not something I would expect in Go, Node, Ruby
... but it's OK because it's .NET build utilities? How is that FUD?

------
quickben
To all the posters saying it's harmless. What's your stance on your source
code being uploaded on crashes while you develop your app with new IP in it?

~~~
Gaelan
Do you have any evidence that this occurs? It doesn't seem to appear in MS's
documentation.

~~~
jabot
If you have a debug build the source is included automatically (as debug
information).

MS reserves the right to look at memory dumps and crashed binaries "to improve
the customer experience" or something...

Take these two things together, and... you lose your source code :-(

~~~
Quarrelsome
If you genuinely fear this then go build tons of drivel and make it crash
giving them too much to look at. The idea that MS are busy analysing arbitrary
crashing code really suggests they have more time on their hands than sense.
Getting people to read code is expensive as fuck.

~~~
socrates666
I can analyze the data and discern real from false information pretty quickly.
The thing about massive amounts of data is that patterns emerge pretty
readily.

~~~
Quarrelsome
Patterns are lossy abstractions though. That arrogance might bite ya one day.

------
wjd2030
This title is very misleading... The code is open source. And it is NOT spying
on the user. I understand an opt-in model is typically preferred. This title
is about as click-bait-esque as it gets though.

------
chris_wot
"FYI: Microsoft

The fact that this is an opt-out vs. opt-in and the opt-out procedure is based
upon an env. var. just caused dotnet to fail an externally conducted HIPAA
privacy/security audit at a genome testing lab in the backyard of your main
campus.

Lucky for us, we were able to convert the runtime to use Mono and get a
temporary pass, but this killed the future CIL-based projects with the lab's
management..."

Ouch!

~~~
erk__
Would you not be able to build a version with the telemetry disabled?

~~~
sundvor
Yeah, not exactly super hard to find the info:

[https://github.com/dotnet/cli/pull/2145](https://github.com/dotnet/cli/pull/2145)

"There is a way to opt-out of the telemetry gathering process by setting an
environment variable DOTNET_CLI_TELEMETRY_OPTOUT. Doing this will stop the
collection process from running."

------
youdontknowtho
I know that this subject is super important to some people on this site, but
it literally tells you when you execute the command how to turn it off.

Also, the thread seems to have people from MS (the core team) actively
soliciting feedback and wanting to work with users. They published a blog post
before they started collecting telemetry, so it wasn't unannounced.

There are lots of ways that this could be worse. Maybe we shouldn't slap their
hand when they are doing a pretty good job?

I can see how this is still completely unacceptable if you are a privacy
maximalist, but most people aren't.

~~~
socrates666
There is no real evidence that something substantive is coming out of this
feature. It definitely seems to be doing more harm than good.

~~~
youdontknowtho
What do you base that on?

------
hoodoof
I'm sure this was recently discussed on HN.

------
throw2016
Maybe we should change the name of the industry from software to spyware.

------
yahna
.NET Core collects telemetry. This isn't really any different than loads of
other applications, but it's Microsoft instead of Google so booo hiss evil
evil evil.

------
bitmapbrother
From the people that brought you Gmail Man, these hypocrites never cease to
amaze. The telemetry they're sending back from their OS wasn't enough so now
they're sending telemetry from their language tools - unless, of course, the
user proactively turns it off, which they probably never do because they're not
directly told about the data collection.

