I disabled the telemetry feature before, but the latest vsc version reverts it to enabled automatically, holy creepy.
And the latest version introduces many other data collection ways. Search them in settings with the keyword "online", you will find them all. Don't know whether or not there are other hidden ways which are not shown in the setting page.
We have looked into this, and haven't found an intentional change that should change your opt-out settings. This shouldn't happen.
We have two theories:
1) Your settings file was deleted, which means that you would have lost all of your settings, and not just the telemetry setting. This can happen if the AppData or ~/Library/Application Support was cleaned up.
2) One of your installed extensions updated the settings either accidentally or on purpose. This would require further debugging, and a list of your installed extensions.
To help debug this further, it would be great help if you could open an issue on Github, https://github.com/Microsoft/vscode/, with more details about your OS, VS Code version and installed extensions, so we can figure out what happened.
Microsoft is a very big company and I have absolutely no doubt that the Windows team and the VSCode team hardly ever—if at all—talk.
I also question how 'evil' policies like this could propagate across company divisions to the point where they are actually implemented in code—in today's age where engineers have a lot of agency over what they do and often speak up—without someone leaking said policy.
Yes. The title is against site guidelines ("Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize.") and it's incorrect; there's nothing silent about it.
The title is clearly correct. When you get that message, you have already been silently opted in. You must then read the instructions and opt yourself out.
I’d argue this isn’t enough. They should explicitly ask, especially when you’re using the application to handle sensitive material such as unreleased code.
I agree the yes/no should be the question (always) and not any extra work to opt out.
That said, if usage data is the goal, then any personal info or content you work on being uploaded would be a critical bug, a bug of the kind that could just as (un)likely appear in any other part of the software regardless of whether telemetry is on. E.g. the request to fetch extension listings could accidentally contain your info, or the git code could post your stuff supposed to go to a private repo to a public one through a bug.
I really don’t see why sensitive or personal info would be at risk with telemetry (of the acceptable kind, i.e. feature use stats). If that is compromised by telemetry then it’s either a) a bug (see above) or b) they are deliberately being malware. And in that case - why even ask?
If you have trade secrets, it is incumbent on you to appropriately review the privacy policies and settings of tools before you run them on a machine with sensitive info.
This is why it is a great idea to use VSCodium, an open source fork of VSCode that removes telemetry and packages itself for all major operating systems.
Even though we do not pass the telemetry build flags (and go out of our way to cripple the baked-in telemetry), Microsoft will still track usage by default. After installing VSCodium, you must manually disable telemetry in your settings file to stop it from sending tracking data to Microsoft.
The instructions here and here help with disabling telemetry.
By the scare quotes around “advice” do you mean threats? Since VSCode is Free Software, what has VSCodium done that opens them to litigation from Microsoft?
I am so tired of having to do this with every shiny new thing. I get on board, stop paying attention for a few months, and then have to hunt down the latest third-party abstraction to enable a common sense security/maintainability/accessibility mindset. God bless them for fixing the problem, but this is just exhausting.
You could also just use a competent editor that isn't made by a company who 'needs' to collect 'telemetry' from all their users. Playing a game of cat and mouse is not going to convince MS to stop being evil.
I'm OK with JetBrains getting my telemetry. I'm not OK with Microsoft, Google, Amazon etc. getting it. JetBrains isn't going to try to make money off of my data and will actually use it to improve their product. The giants own search engines, try to make money off my data, try to bombard me with products elsewhere on the web based on my data, and have all been served NSLs numerous times so are under unknown orders from the gov to do who knows what with my data.
Unfortunately vscode hits that sweet spot that only Atom comes close to.
I know a lot of people don’t like things like this, but also remember not all data collection is malicious. If you look at what they actually collect it’s not pulling a bunch of personal info. They collect usage, perf and errors. As a product manager (not for vsc or MS) I use this type of telemetry all the time to make prioritization decisions. It’s a balance, but my hunch is the team at MS uses this info exclusively to make the product better.
Of course, you should always be able to disable this sort of collection.
No, you should ALWAYS explicitly ask for user consent. You should explain exactly what kind of data is being collected and how it's used and ask them if they are fine with that. Anything else is unethical.
I'll happily enable certain kinds of data collection when a tool is transparent and it makes its data collection opt-in.
Even if we accept that scrubbing of personal data is possible, which is far from certain, that theoretically non-malicious traffic still provides camouflage for malicious traffic. If we insist on opt-in, then we can apply a very simple and fail-safe heuristic: any traffic the user didn't explicitly request is malicious. There's no need for slow and error-prone analysis.
And how in the world do you intend to distinguish traffic?
How do you intend to tell the difference between Atom's and VSCode's Git(hub) integration, app updater, package manager, telemetrics or an exploitation? The difference between Signal's, WhatsApp's or Telegram's messages and their telemetrics?
Your proposed heuristic only works for applications that would not otherwise have any network traffic, and even then, only if you do on-machine per-process network monitoring. Once it has any valid traffic whatsoever (which is the case for basically any modern GUI application), then you quickly descend into needing to disassemble binaries to locate the cause.
Opt-in vs. opt-out is about privacy and rights, not about security. Malicious companies whose traffic is a security breach and things along those lines are problems that belong in an entirely different discussion, whose root cause is much deeper than opt-in vs. opt-out.
Also, regarding scrubbing: A stack-trace and error message is far from private identifying information. No harm done in sharing it.
If I select a git command from a GUI, that's an explicit request by the user.
>app updater, package manager
If something legitimately requires background network activity, and security updates might qualify, it should go in Crontab. The system should have exactly one package manager, and apps should not re-implement their own.
None of this makes any sense unless you're manually authorizing all connect()/write() calls, manually monitoring network traffic and correlating it in real time with user actions, or have some form of surveillance software to automatically do this for you. All of these seem extremely improbable.
Otherwise, on the network, git fetch and telemetrics to github will be indistinguishable (except if you start doing opaque data pattern analysis). There's also no automatic correlation on the network.
On the machine itself, the closest you could get is something like Little Snitch, which still won't be able to help at all, as permitting Atom to speak to Github on port 443 will permit everything while disallowing will block everything, and it's also designed to be a manually populated whitelist, rather than a constant authorization system.
> If something legitimately requires background network activity, and security updates might qualify, it should go in Crontab. The system should have exactly one package manager, and apps should not re-implement their own.
First of all, eww. Nothing is worse than updates running on a crontab, causing shit to break because it updated automatically.
Also, welcome to 2018. Everything outside Linux bundles its own updater, and on Linux, flatpak and other newfangled things bypass most package managers (even with dnf's flatpak integration, it's still not going through any yum repos).
Internet access is still pretty variable throughout the world (or even within countries that can have good speeds, like the US). Anything randomly uploading megabytes is going to cost somebody an unreasonable amount of money so there should be consent.
I agree. Most telemetry gathering is not malicious. But I always disable it simply because I use a lot of software. Telemetry from all of it would just be a big outgoing stream of data all the time.
Two products that opt you into telemetry collection, how is it not relevant?
Every time I install anything I check through all the preferences / settings options and opt out of any of these things. There have been few cases where I just leave it all on.
Unless it's otherwise known, I think it's safe to assume that every not-tiny application contains phone-home spyware these days. It's not long ago when that wasn't the case, and many users had application firewalls that would alert (and block by default) such attempts. I'd say Win10 was probably the "breaking point" for such behaviour being normalised.
I'm one of those (probably tiny minority) who inspect the binaries of closed-source applications before using them, and will reject those containing networking-related functionality if the application should have no reason to do so.
Funny, I just caught Win10 sending info about me opening and closing services.msc, and sending my taskbar searches to office and onedrive. Couple of Windows Firewall rules stopped it.
You can see it all in Wireshark, there’s a ton of it.
> sending my taskbar searches to office and onedrive.
Do toolbar searches return results from Office and OneDrive? Do you use either? Do you have all of your Office documents and OneDrive files downloaded locally?
Along these lines for Linux: I've got some hacky scripts set up on my computer so that everything runs in a network namespace with only a loopback device (i.e. no internet) unless I start it by typing `net command` (like `sudo command` but for internet). I could post them if people are interested.
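A minimal version of the loopback-only sandbox described in that comment, as an added example rather than the commenter's own scripts. It assumes Linux with unprivileged user namespaces enabled, util-linux `unshare` and iproute2 `ip`; the function names `nonet`, `only_loopback` and `nonet_self_check` are hypothetical.

```shell
#!/bin/sh
# Added example (not the commenter's scripts): run a program with no network
# except loopback, so any unrequested "phone home" attempt simply fails to connect.
set -eu

# Given the text of `ip -o link show`, succeed only if "lo" is the sole device.
# Pure parsing, so it can be checked against constructed sample output.
only_loopback() {
    # Lines look like "2: eth0@if5: <...> ..."; keep the name, drop any "@peer".
    names=$(printf '%s\n' "$1" | awk -F': ' 'NF >= 2 { print $2 }' | sed 's/@.*//')
    [ "$names" = "lo" ]
}

# Run "$@" in a fresh user+network namespace. The new netns only contains lo,
# which we bring up so local-only helpers (language servers on 127.0.0.1) keep
# working. Mapping to root inside the namespace is what allows `ip link set`.
nonet() {
    unshare --user --map-root-user --net sh -c '
        ip link set lo up 2>/dev/null || true
        exec "$@"
    ' sh "$@"
}

# Self-check: from inside the sandbox, the only visible interface must be lo.
nonet_self_check() {
    only_loopback "$(nonet ip -o link show)"
}

# Usage: ./nonet.sh <command> [args...]; e.g. a fetch to any host fails with
# "Network is unreachable" instead of silently uploading usage data.
if [ -n "${1-}" ]; then
    nonet "$@"
fi
```

The commenter's setup is the inverse (sandboxed by default, `net` opts a process in), but the same `unshare` call is the building block either way.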
When I first installed vscode, I assumed this was the case and yep, there it was buried in preferences. Disable all of it, including automatic updates. When you want to update, uninstall and install again fresh. Then disable again. Repeat.
You're free to attach your name to the bell if you want for whatever reason. Only landlords are now not allowed to attach your name to the doorbell by default in Austria, and apparently they weren't allowed to do so since 1980 but it's only being enforced now.
When Microsoft bought GitHub I didn’t think about GitHub Enterprise revenue. I thought about all of the language package managers that use GitHub’s APIs for downloading repos.
I guess this might be a precursor to the type of behavior we can expect to see with the GitHub acquisition.
Secondly, is there anyone out there that has a solid emacs step by step guide that might be able to replicate the functionality of vscode? I haven't had time to look at it but I think the time has come where I can't put it off any longer.
is this at all surprising given that we're talking about the company that made windows? did we forget that for a while it would silently put telemetry in your binaries?