
Windows package manager does not permit opting out of telemetry - ccmcarey
https://github.com/microsoft/winget-cli/issues/179
======
slim
On the topic of Microsoft is not less evil than before: today I needed to use
Teams, I was pleasantly surprised by the fact it supported a web client. I
tried to use it and got caught in a tunnel of dark ux. You go to the website,
click to sign in, get asked for your email and password, then verify your
email, then you discover that you actually signed up for something else and
now you can sign up for Teams. You follow the wizard again, then you are told
to use Skype because you are not a company. You restart and make sure to check
the box saying you are a company, then put your company info, it works! You
try to start a call, and you get told it does not work in firefox...

~~~
jdsully
Yea a lot of Microsoft stuff doesn’t work in Firefox. They are the worst of
all the big companies at supporting it.

~~~
techsupporter
Which is hilarious since if you spoof your Firefox UA string to be Chrome or
Edgeium, all Teams features work properly in the browser.

~~~
ccmcarey
Yep. Google also offers a lot of "rich cards" in their search (interactive
things mostly) that are only available on Chrome .. unless you change the user
agent of another browser to Chrome, in which case it also works perfectly.

~~~
lou1306
IANAL but would not that be grounds for abuse of dominant position? Using
their dominance in web search to undercut competing browser vendors?

~~~
ccmcarey
Chrome accounts for ~70% of browser use. It is a majority, but it's not total
dominance.

For reference, IE accounted for ~96% of browser use when that whole antitrust
case was happening.

~~~
diablerouge
Ah, but the point was about using "their dominance in _web search_ to
undercut competing browser vendors".

In this case, ~90% of web searches go through Google[0]. So they are using the
fact that they are the number one web search engine to convince users to
switch to Google Chrome.

[0]: [https://www.statista.com/statistics/216573/worldwide-market-...](https://www.statista.com/statistics/216573/worldwide-market-share-of-search-engines/)

~~~
ccmcarey
Ah, true, thanks for pointing that out.

------
Voloskaya
That's not what I understand.

> diagnostic data collection (telemetry) is not enabled for private builds

> this data collection is covered by windows 10 privacy, You can find the
> windows 10 privacy statement and details of controlling the diagnostic and
> feedback settings here.

So if you build from source, you can disable it, and if you don't build from
source but install it from the store, then telemetry is controlled by the
central privacy settings in Windows 10.

Presumably this would be a problem only if you specifically don't want MS to
have telemetry from winget, but you also specifically want them to have
telemetry on the rest of your OS, which would be... weird.

~~~
jeroenhd
You're technically correct for some use cases. For Windows 10 Enterprise
users, the official tool does allow you to disable telemetry by modifying the
system telemetry settings.

For Windows Home and Professional users, this is not the case. Disabling
telemetry is not possible because Microsoft have decided that there is a
minimum "required" amount of telemetry every OS installation _must_ send in
order to function.

If the telemetry description stated that _some_ Windows users are able to opt
out, they'd be correct.

It's just another example of Microsoft showing they couldn't give a rat's ass
about their customers' wishes and that you'll just have to deal with them
tracking everything you do.

And who knows? Maybe I do like to contribute to Microsoft about kernel
bluescreens so that Windows can get more stable, but do not wish to upload a
report every time I install or uninstall software? Why would it be strange
that I don't like to share some telemetry but not all telemetry?

~~~
Voloskaya
> For Windows Home and Professional users, this is not the case. Disabling
> telemetry is not possible because Microsoft have decided that there is a
> minimum "required" amount of telemetry every OS installation must send in
> order to function.

Yes but AFAIK, winget telemetry fits entirely under the optional category. No
metrics of winget fits under the "required" category that you cannot disable.

In other words, you can completely disable the telemetry of winget, which the
title of this article says you cannot.

~~~
ptx
How are you determining that all the winget telemetry is in fact getting
categorized as optional and can be disabled?

~~~
naikrovek
A Microsoft employee mentions this in the issue comments on GitHub.

~~~
ptx
Elsewhere in this discussion, a Microsoft employee working on the new terminal
was completely sure that the data it collected wasn't sent anywhere, until
they looked into it again and discovered that it actually was being picked up
by some part of the inscrutable telemetry machinery and sent off to Microsoft.

~~~
naikrovek
Yes, unless you turn it off or set telemetry collection to "basic".

Or if you build the tool yourself.

------
alkonaut
Are people worried about the actual contents of these kinds of telemetry, or
rather just annoyed by the fact that it's there at all?

The first position seems a bit odd for something that is open source (so
presumably you can verify what's being sent). I mean it might be bad to send
"I installed product X" or "I used the command X" to a remote server, but on
the other hand if I _really_ feel this is a problem would I ever even be using
the closed source binaries that the package manager installs, without worrying
more what _they_ might do, than what happened when the package manager ran?

Some times I get the feeling that the telemetry thing just became an
expression of annoyance with something else entirely, or just the current
state of affairs. It's like one of those cultural wars where every battle is
so symbolic that everyone forgot what the real issue was ("Why do we worry so
much about who uses which bathroom again dad?").

~~~
falcolas
My purchase of a piece of software does not give that software provider carte
blanche access to what I do with that software. Unless I explicitly give my
approval (opt in), exfiltration of information from my system is an ethical
breach of my privacy if not a breach of data protection laws.

As for why this matters, you need only look at Hong Kong for that answer. And
even here in the US, many large companies are kowtowing to the Chinese
government and changing their products in the US to toe those lines.

~~~
haecceity
I bet you also want the software to work and not have bugs. Telemetry gives
devs information to prioritize and debug information to fix the bugs.

~~~
cwhiz
You can...

1\. Make telemetry opt-in and ask the user to share data. This is what Apple
does

2\. Collect telemetry and give the user an option to share that data after a
crash or bug. Many companies do this.

3\. Make telemetry opt-out but be forthright with what information is sent and
why.

4\. Don't allow opting out of telemetry but be open and upfront with what is
being collected and why.

5\. Hide the fact that telemetry is being sent, hide what is being sent, and
don't allow the user to opt out.

~~~
m463
> Make telemetry opt-in and ask the user to share data. This is what Apple
> does

You should check - Apple software still contacts the mothership constantly.

------
cessor
I find it outrageous; "Telemetry" is built into most new Microsoft software.
For example, they recently released a replacement for powershell and CMD,
called "Terminal 1.0", which also comes with some aggressive telemetry built
in:

[https://github.com/microsoft/terminal/blob/master/src/host/t...](https://github.com/microsoft/terminal/blob/master/src/host/telemetry.cpp)

This also applies to newer releases of powershell, aka PS Core. I haven't
tried either, but I guarantee you telemetry in both applications is not opt-in
but opt out using some obscure method, if that is even possible.

In any case, the claim that telemetry is necessary to improve anything related
to customer experience is ridiculous. Not only is a general data collection
unnecessary; it would be more efficient to run some experiments, and be it
some opt in A/B tests. Surveillance like the above is encroaching and can
easily be abused. The data collected are usually fine-grained enough to allow
for some nice fingerprinting of individual users. The potential for abuse is
high.

~~~
DHowett
I'm just gonna recycle the bits I've posted here _before_ about this exact
file :)

[1]
[https://news.ycombinator.com/item?id=22331345](https://news.ycombinator.com/item?id=22331345)

[2]
[https://news.ycombinator.com/item?id=19322398](https://news.ycombinator.com/item?id=19322398),
[https://news.ycombinator.com/item?id=19324538](https://news.ycombinator.com/item?id=19324538)

The file you've identified produces a local, opt-in event stream that does not
leave your machine unless you literally e-mail it to me. It's just got that
unfortunate word in the filename that means we're bad guys.

EDIT, upon closer inspection: when this is built as part of the Windows
product (which consumes source from this repository) those values may end up
in an event stream. In the interest of full disclosure, those events are:

1\. Part of the console host (conhost.exe) and covered by the Windows global
data collection settings

2\. Pertaining to (incomplete, but it's too early in the morning for me to do
a full review of this code):

2.a. The number of times each low-level console API was used

2.b. How the _legacy_ Find dialog is being used (long strings, short strings,
search direction, number of times)

2.c. Specific settings like font size, how many colors are configured, how big
the window and buffer are

~~~
saagarjha
I should put a disclaimer at the top of this saying that I'm just a regular
old Hacker News commenter who skimmed that file and really has no idea what
this code actually does, so I'm not trying to scaremonger because I saw
something sketchy without following up on it. However, that file seems to
indicate that Terminal logs process connections. Is there a way that this
information might leave the device? Could it include arbitrary processes on my
system in that data?

~~~
DHowett
Now that I'm at my desk, I'll have a look. Thanks for the disclaimer :)

~~~
DHowett
Alright, with fresh eyes:

When the console host (just C:\windows\system32\conhost.exe, not the new
Terminal) exits it emits the following information for processes that had
connected to it:

* How many ANSI/VT sequences they used

* How many of the above we understood

* How many of them we did not understand

* The executable stem name (ConsoleApplication1.exe, wsl.exe, cmd.exe)

* How many times we saw that executable

~1-5% of those entries make it into a data pipeline that I believe we stopped
looking at years ago. These pipelines are usually(?) turned off by the OS, so
it's possible that these were rendered inert. Still, though, and because the
executable stem name might be a little more exposure than anyone's comfortable
with, I've filed
[https://github.com/microsoft/terminal/issues/6103](https://github.com/microsoft/terminal/issues/6103)
to yoink it.

(It's been a long time and I still don't know how to format things properly on
Hacker News :))

~~~
saagarjha
Thanks for looking into this, and I appreciate you filing an issue! (Hacker
News doesn't really do formatting, so I think that's the best you're going to
get.)

------
anonymousab
Telemetry seems to be a sore and curt topic with Microsoft. I've yet to see
anyone make headway on even just having a discussion about it with public
facing MS devs; it almost always gets a quick, rote toe-the-line response and
the discussion gets terminated or blackballed or ignored thereafter.

It has the airs of an internal mandate. I can't help but be deeply suspicious
of this behaviour.

~~~
floatingatoll
Based on the quality of today's conversation here on HN, I'm not inclined to
fault them for taking that approach publicly. We can't even discuss this topic
coherently ourselves. Our discussion here is filled with "this is my position"
statements that are presented as arguments contradicting another's position.

I think this post here today serves only as a rallying cry for "no telemetry"
extremists and contributes nothing interesting or curious or relevant to HN
that hasn't been covered in hundreds of framing-implied or framing-explicit
"telemetry is bad" posts prior.

~~~
catalogia
> _Based on the quality of today's conversation here on HN, I'm not inclined
> to fault them for taking that approach publicly._

Oh yeah sure, Microsoft is the victim, cyberbullied by their own users. It's a
classic case of innocent naive corporations getting senselessly dogpiled by
mean common people, clearly that's the way this power dynamic is arranged.
Yeah, fucking right.

~~~
floatingatoll
For example.

------
nperez
I recently installed an Insider build of Windows so I could use WSL2 to run
some docker containers in a Linux environment.

The insider build requires that you enable full telemetry which includes
sending your visited websites to MS. I need WSL2 so I’m just avoiding doing
anything private on my personal computer for now.

I understand why the data is useful to them but I don’t think they understand
or care why this is an important issue to others

~~~
OberstKrueger
> I need WSL2 so I’m just avoiding doing anything private on my personal
> computer for now.

This is madness. It's hard to consider a machine your "personal computer" if
you're afraid of doing anything personal on it.

~~~
TeMPOraL
This is just a taste of what it means to have Operating System as a Service.
Which is where Microsoft is apparently heading.

~~~
thejynxed
Windows as a Service has been their stated goal since prior to the release of
Vista. Nadella has opted to go full speed ahead, with everything from Office
to the versions of Windows running on the Surface & Xbox being entirely SaaS.
I'm just waiting for the "You must subscribe" hammer to fall for Windows in
general.

------
shanemhansen
My .02 cents. To me the arguments I read here around "but product improvement
is hard so that justifies collecting the data" ring hollow. When your
convenience at work is balanced against someone's right to privacy, there's no
middle ground. Privacy wins. You need active informed consent to phone home
for reasons not related to the proper functioning of the application.

I wish most applications offered 3 boxes:

1) Don't send telemetry

2) Send data needed to catch bad rollouts (think SRE style status code and
latency metrics).

3) Send anonymized data to help improve the product.

4) I want to be a beta tester/insider, you can capture my logs.

~~~
kgwxd
0) Don't compile the code responsible for the telemetry into the binary
because I don't trust the checkboxes will always be respected in code.
Especially after seeing an off-by-one error in the description :)

~~~
fsflover
-1) Open source the code, so people can check that you really do what you declare.

------
nojito
This whole bastardization of the word 'Telemetry' by the online community is
completely abhorrent.

It is _impossible_ to get proper usage feedback from your programs without
being swayed by the vocal minority community.

We always find posts online on how crappy software is, but how can software
improve if the majority of people actually using the software don't give
feedback at all?

[https://xkcd.com/1172/](https://xkcd.com/1172/)

~~~
m0xte
Seeing as you posted this comment twice, here's my reply again:

No. I hope this burns to read.

Software never improves because incompetence is the norm. Not because we
didn't have a magical data collection unicorn available.

Competent software companies ran user panels, had decent quality control,
didn't steamroll their communities, didn't market loudly over user dissent and
certainly didn't shut down their issue tracking to even their top tier
partners.

That was Microsoft 10 years ago. That is Microsoft today. But you know,
Telemetry solves all these problems doesn't it? No.

The real answer to your question: ask and listen. People will gladly tell you.
Do not just take the data otherwise you end up with a set of poorly selected
metrics which do not represent user opinion and a lot of pissed off customers
who don't want to or can't tell you due to legislation and data protection.

Edit: to back up my point, Microsoft closed down Connect with over 30 issues
open from me and our account manager left to go and work for a competitor
because he was fed up of dealing with that kind of shit and couldn't even get
basic issues from a Gold partner actually escalated to anyone. We had a ticket
open for 7 years against clickonce where IE9 broke it completely for about
15,000 users.

As for community steamrolling, this is a repeat of this one again:
[https://github.com/dotnet/sdk/issues/6145](https://github.com/dotnet/sdk/issues/6145)

Edit 2: I have removed some irrelevant stuff. This story goes on forever. I
have so many anecdotes from dealing with MSFT pre and post OSS glory that I
concentrate all my effort on staying as far away as possible.

~~~
CJefferson
I think you are underestimating the hardness of tracking the many users of
Windows, and different bugs they might have.

Microsoft have a team of people who look at crash reports, and categorise the
results (see for example
[https://devblogs.microsoft.com/oldnewthing/20050412-47/?p=35...](https://devblogs.microsoft.com/oldnewthing/20050412-47/?p=35923)
, just a quick thing I found).

Having the ability to track the crashes of millions of machines, to find
patterns in which drivers are crashing which applications, seems like an
impossible thing to replace.

~~~
tomc1985
Yes but those crash reports used to have a send/don't send button

~~~
kevingadd
The average user has no idea what those buttons do and will click whatever
makes the popup go away, which will be either 'yes' or 'no' at random

~~~
SiNiquity
It's like a consent form for a medical procedure. At the end of the day,
you're not a medical professional. Is the average person really informed when
they do or don't provide their consent?

Nevertheless, consent is still paramount. Removing consent on the basis that
most users are incapable of being informed is a poor excuse.

~~~
eitland
Also, as someone who's been doing tech support since 1995, people here either
vastly overestimate the dumbness of others or they just happen to have
unusually dumb colleagues, friends and whatnot.

Most people aren't really stupid, rather bad software make them look stupid
and bad tech support shifts the blame to the users.

------
cowmix
While I love WSL2, my biggest beef with the install process is I had to turn
on almost every crap privacy-busting feature back on. I had 'decrapified' my
Windows 10 install previously and the WSL2 reversed almost all that.

~~~
AndrewGaspar
That's probably a function of WSL2 currently only being available in Insider,
no? If you want to use pre-release builds, I think it's fair to expect that
you need to enable telemetry.

~~~
guug
> If you want to use pre-release builds, I think it's fair to expect that you
> need to enable telemetry.

I wouldn't.

------
jjordan
When it comes to things like this, it feels like old "Linux is a cancer"
Microsoft is battling the new multi-platform open-source Microsoft for whether
the company should be evil or not.

~~~
seemslegit
There is no new Microsoft - this is the "embrace, extend, extinguish"
Microsoft of always, betting that the forkable nature of open source will not
matter in practice, so far correctly.

------
Wowfunhappy
Since it’s open source, I wonder if anyone will be willing to maintain a
branch that has all the telemetry removed, but is otherwise basically
unchanged and so can connect to the normal repositories.

~~~
Bedon292
Don't think that is even necessary, is it? The private builds of it share no
telemetry. Just need someone to build it and share their build I think.

------
tinfoil10
Tin foil hat here. The person posting this is the lead maintainer of
Chocolatey, a long standing 3rd party Windows package manager.

Although the point is reasonable (why NOT just provide an opt out, like .NET
SDK?), it seems to me that there is a potential ulterior motive in dragging
down winget.

~~~
ocdtrekkie
Probably because the .NET SDK is a separate program, and winget is being
slipped into a default component app of Windows 10.

I am irritated about Windows 10's telemetry policy, but it makes sense for
component applications to obey the system telemetry configuration rather than
each one having their own settings.

------
Animats
Opt out of Windows.

My last Windows 7 machine broke down, and the few Windows programs I needed to
run are now running under Wine on Linux.

I've never used Windows 10 except in a store demo. Decided I didn't want it.

------
wintermutestwin
Why do we use MS's terminology for it (telemetry) when it is essentially theft
of private and sensitive data?

From what I have gathered, they are snarfing up my browsing data and what
applications I have installed. I don't have the time or energy to jump through
the hoops to figure out how to stop this blatant invasion of my privacy. On
top of that, I've read that win10 shows ads in the actual OS. That is so
beyond unacceptable that I am stuck on an unsupported OS (7)

As a result, I now have only two windows7 boxes - one for gaming and one that
I use as a front end for some specialized audio hardware. Each box is
dedicated to that purpose and is relegated to a subnet. 20 years ago, 90% of
my computing was on windows - now it is <10%. Soon, I'll get another mac to do
all my audio work on and, eventually, I'll relegate my gaming to Linux
available titles.

------
CawCawCaw
Ha... here's an experiment you can try on Windows, assuming you haven't
previously taken steps to debloat the system.

1\. Run procmon.exe /noconnect from Sysinternals

2\. Filter -> Drop Filtered Events

3\. Ctrl-L, Add Filter -> 'Path' Contains 'Telemetry' then 'Include' and Add

4\. Press OK and then Ctrl-E (Start Capture)

5\. Leave it running for a few minutes

------
underko
The assumption that windows package manager does not permit opting out of
telemetry seems to be wrong.

The whole issue is not stating how to opt out and someone assumed that it
means it is not possible. However, based on the updated readme
[https://github.com/microsoft/winget-cli#datatelemetry](https://github.com/microsoft/winget-cli#datatelemetry)
there was a way to opt-out from the beginning, just not documented.

Yes, it should have been clarified from the start, but I think it's positive
the option was always there and they managed to clarify how to opt-out in mere
7 hours.

------
arh68
Half-serious startup idea: Telemetry Escrow, where I send data to Escrow, can
inspect what it is, then Microsoft pays per datum. Escrow holds all
historicals / some samples, depending on tier.

_Does the data have value?_, after all? How much..

------
jannes
Here is Microsoft's privacy dashboard:
[https://account.microsoft.com/privacy/](https://account.microsoft.com/privacy/)

It lets you delete at least some of the data. Although I don't know if it
includes the data from the package manager.

Here you can contact their Data Protection Officer if you would like to ask:
[https://www.microsoft.com/en-GB/concern/privacy](https://www.microsoft.com/en-GB/concern/privacy)

------
fartcannon
According to a recent post, we spend 34 years of our lives staring at screens.
If Microsoft wants 34 years of data on each of us, let's collectively bargain
on a value for it.

------
nromiun
Anybody else really turned off by the unnecessary amount of internet access in
these new CLI tools? It's not just telemetry. Some tools will just access the
internet even when they don't need to (my favourite is checking for a new
version with every command). I like the CLI because it is so minimal and
transparent (compared to GUI). But that seems to be changing these days.

------
thrower123
I wouldn't mind the Windows telemetry, if it ever seemed like they were using
it to actually fix things that suck. However, it's been almost ten years since
the Start Menu search has worked at all, and wonky multi-monitor and
settings/control panel settings dichotomies persist.

Some have posited that this official package manager will be a death blow to
Chocolatey, but I doubt it.

------
brenden2
I don't use Windows, and the only Microsoft product I have installed is VS
Code (with telemetry explicitly disabled), but in spite of that about 10% of
all the blocked DNS requests according to my pi-hole are to Microsoft's
telemetry servers at watson.telemetry.microsoft.com.
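
A figure like the one in the comment above can be measured from a resolver's own log; the following is an added example, not part of the original comment. It assumes dnsmasq-style Pi-hole log lines (the line format, regexes, client addresses and sample data are constructed here), matches domains on label boundaries so look-alike names are not counted, and attributes each blocked answer to the client that asked.

```python
import re
from collections import Counter

# Constructed sample in the dnsmasq-style format assumed for pihole.log.
SAMPLE_LOG = """\
May 27 09:00:01 dnsmasq[412]: query[A] watson.telemetry.microsoft.com from 192.168.1.20
May 27 09:00:01 dnsmasq[412]: gravity blocked watson.telemetry.microsoft.com is 0.0.0.0
May 27 09:00:02 dnsmasq[412]: query[A] example.org from 192.168.1.20
May 27 09:00:02 dnsmasq[412]: forwarded example.org to 192.168.1.1
May 27 09:00:05 dnsmasq[412]: query[AAAA] watson.telemetry.microsoft.com from 192.168.1.31
May 27 09:00:05 dnsmasq[412]: gravity blocked watson.telemetry.microsoft.com is ::
May 27 09:00:07 dnsmasq[412]: query[A] ads.tracker.example from 192.168.1.31
May 27 09:00:07 dnsmasq[412]: gravity blocked ads.tracker.example is 0.0.0.0
May 27 09:00:09 dnsmasq[412]: query[A] telemetry.microsoft.com.lookalike.example from 192.168.1.20
May 27 09:00:09 dnsmasq[412]: gravity blocked telemetry.microsoft.com.lookalike.example is 0.0.0.0
May 27 09:00:11 dnsmasq[412]: query[A] metrics.vendor.example from 192.168.1.31
May 27 09:00:11 dnsmasq[412]: gravity blocked metrics.vendor.example is 0.0.0.0
"""

# Assumed line shapes; adjust to the log format of your Pi-hole version.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[[A-Z0-9]+\] (?P<name>\S+) from (?P<client>\S+)")
BLOCK_RE = re.compile(
    r"dnsmasq\[\d+\]: (?:gravity blocked|\S*gravity\.list) (?P<name>\S+) is \S+")


def in_zone(name, zone):
    """True if name is the zone itself or a subdomain of it.

    Compares on label boundaries, so 'telemetry.microsoft.com.lookalike.example'
    is not treated as part of 'telemetry.microsoft.com'.
    """
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def parse_blocked(log_text):
    """Return [(domain, client)] for every blocked answer in the log.

    The client is taken from the most recent query line for the same name,
    since the block line itself does not carry the client address.
    """
    last_client = {}
    blocked = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            last_client[m["name"].lower()] = m["client"]
            continue
        m = BLOCK_RE.search(line)
        if m:
            name = m["name"].lower()
            blocked.append((name, last_client.get(name, "unknown")))
    return blocked


def zone_report(blocked, zone):
    """Share of blocked answers that fall in zone, and a per-client count."""
    hits = [(d, c) for d, c in blocked if in_zone(d, zone)]
    share = len(hits) / len(blocked) if blocked else 0.0
    return share, Counter(c for _, c in hits)


if __name__ == "__main__":
    entries = parse_blocked(SAMPLE_LOG)
    share, clients = zone_report(entries, "telemetry.microsoft.com")
    print(f"{share:.0%} of {len(entries)} blocked answers are in the zone")
    for client, count in clients.most_common():
        print(f"  {client}: {count}")
```

The per-client breakdown is the useful part on a network with no Windows machines: it shows which device is actually issuing the lookups.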

------
enitihas
I thought everyone knew it was the pseudo official Microsoft policy to extract
as much data as possible. I mean if you use windows, you must be anyways used
to something like this.

------
TeddyDD
Well, you are using Windows (basically a spyware), why do you pretend that you
care about privacy?

------
narag
Is this package manager in the default installation? How do I find out if I
have it?

~~~
ccmcarey
It's a new package manager, currently just in preview.

Discussed on HN a few days ago -
[https://news.ycombinator.com/item?id=23236218](https://news.ycombinator.com/item?id=23236218)

------
HeadsUpHigh
Sounds like someone forgot to turn the pretend button on.

------
iphone_elegance
Eh, looking at the code it's pretty benign

------
towndrunk
So what exactly is it sending back to MS?

------
anonymousiam
Good example of a use case for Pi-Hole.

------
mycall
Could Pi-hole stop it?

~~~
hedora
Microsoft adds new telemetry domains on a regular basis, so it would be a cat
and mouse game.

I imagine if a large percentage of machines used DNS black holes, they’d move
to DoH with a pinned certificate.

------
jeroenhd
I would have expected Microsoft to stalk their users like always and go for an
opt-out instead of an opt-in (which, by the way, is legally required according
to the GDPR but national privacy offices seem unwilling to actually take
Microsoft to court).

What's sad is that Microsoft actively lied in its description and privacy
statement by stating it's possible to opt out of tracking. This is not
possible for Windows 10 Home and Pro users. Advertising that opting out is
possible when it's not is a blatant lie.

------
wereHamster
> Um no, you need to allow opting out of telemetry.

Entitled people is what drives developers away from projects.

