VSCode silently opts you in to data collection (visualstudio.com)
154 points by alangibson on Oct 13, 2018 | hide | past | favorite | 88 comments

I disabled the telemetry feature before, but the latest vsc version reverts it to enabled automatically, holy creepy.

And the latest version introduces many other data collection ways. Search for them in settings with the keyword "online" and you will find them all. Don't know whether or not there are other hidden ways which are not shown in the settings page.

Hi, it's Kenneth from VS Code.

We have looked into this, and haven't found an intentional change that should change your opt-out settings. This shouldn't happen.

We have two theories:

1) Your settings file was deleted, which means that you would have lost all of your settings, and not just the telemetry setting. This can happen if the AppData or ~/Library/Application Support was cleaned up.

2) One of your installed extensions updated the settings either accidentally or on purpose. This would require further debugging, and a list of your installed extensions.

To help debug this further, it would be a great help if you could open an issue on GitHub, https://github.com/Microsoft/vscode/, with more details about your OS, VS Code version and installed extensions, so we can figure out what happened.



I’d file a bug. This is almost certainly not intentional.

Yeah, just like how for every large Windows update your default browser accidentally gets reset to MS Edge.

totally a bug

Microsoft is a very big company and I have absolutely no doubt that the Windows team and the VSCode team hardly ever—if at all—talk.

I also question how 'evil' policies like this could propagate across company divisions to the point where they are actually implemented in code—in today's age where engineers have a lot of agency over what they do and often speak up—without someone leaking said policy.

This is just a conspiracy theory.

Or perhaps a result of tying team bonuses and promotions to "increased coverage", whatever that means for each product.

Not necessarily malicious - just myopic.

Yeah, they've done a lot of work recently adding an entire settings UI, so it may have broken in that change.

https://imgur.com/a/wii2zVT is what everybody gets when starting VSCode for the first time.

Yes. The title is against site guidelines ("Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize.") and it's incorrect; there's nothing silent about it.

The title is clearly correct. When you get that message, you have already been silently opted in. You must then read the instructions and opt yourself out.

I’d argue this isn’t enough. They should explicitly ask, especially when you’re using the application to handle sensitive material such as unreleased code.

I agree the yes/no should be the question (always) and not any extra work to opt out.

That said, if usage data is the goal, then any personal info or content you work on being uploaded would be a critical bug, a bug of the kind that could just as (un)likely appear in any other part of the software regardless of whether telemetry is on. E.g. the request to fetch extension listings could accidentally contain your info, or the git code could post your stuff supposed to go to a private repo to a public one through a bug.

I really don’t see why sensitive or personal info would be at risk with telemetry (of the acceptable kind, i.e. feature use stats). If that is compromised by telemetry then it’s either a) a bug (see above) or b) they are deliberately being malware. And in that case - why even ask?

It's user-hostile, business-unfriendly, and completely intentional.

Which information that VSCode sends as part of the telemetry are user- and business-hostile?

I was referring to the content of the notification dialog.

> They should explicitly ask, especially when you’re using the application to handle sensitive material such as unreleased code.

Do you think that VSCode’s telemetry uploads your code to Microsoft?

If you have trade secrets, it is incumbent on you to appropriately review the privacy policies and settings of tools before you run them on a machine with sensitive info.

Except even if that was enough, people upgrading were just auto-opted back in (AFAICT). It definitely happened to me!

This is why it is a great idea to use VSCodium, an open source fork of VSCode that removes telemetry and packages itself for all major operating systems.


> After installing VSCodium, you must manually disable telemetry in your settings file to stop it from sending tracking data to Microsoft.


> Even though we do not pass the telemetry build flags (and go out of our way to cripple the baked-in telemetry), Microsoft will still track usage by default. After installing VSCodium, you must manually disable telemetry in your settings file to stop it from sending tracking data to Microsoft.

The instructions here and here help with disabling telemetry.

Good first issue for a new contributor?

That makes me wonder why they didn't just go all the way? Was there "advice" from MS to not do so?

By the scare quotes around “advice” do you mean threats? Since VSCode is Free Software, what has VSCodium done that opens them to litigation from Microsoft?

Not in the legal sense but more like a "if you would like to remain on good terms with the community, we really appreciate you doing X" sort of thing.

What does that even mean?

There are no strict limits on paranoia... Maybe Satya Nadella threatened to literally murder everyone involved with VSCodium.

So what they write here [1] about the OSS version with stripped telemetry is not correct then?


I am so tired of having to do this with every shiny new thing. I get on board, stop paying attention for a few months, and then have to hunt down the latest third-party abstraction to enable a common sense security/maintainability/accessibility mindset. God bless them for fixing the problem, but this is just exhausting.

You could also just use a competent editor that isn't made by a company who 'needs' to collect 'telemetry' from all their users. Playing a game of cat and mouse is not going to convince MS to stop being evil.

To be fair, this is an industry-wide disease. Jetbrains now tracks you too.

I'm OK with Jetbrains getting my telemetry. I'm not OK with Microsoft, Google, Amazon etc getting it. JetBrains isn't going to try to make money off of my data and will actually use it to improve their product. The giants own search engines, try to make money off my data, try to bombard me with products elsewhere on the web based on my data, and have all been served NSLs numerous times so are under unknown orders from the gov to do who knows what with my data.

Unfortunately vscode hits that sweet spot that only Atom comes close to.

I thought JetBrains telemetry is opt-in and not opt-out. Is that no longer the case?

Iirc I got a popup asking about it at every update for a while (which means every month or so), until I eventually gave in.

I had no idea this existed. Thanks!

Holy moly true pro tip. Thanks good person!!!

I know a lot of people don’t like things like this, but also remember not all data collection is malicious. If you look at what they actually collect, it’s not pulling a bunch of personal info. They collect usage, perf and errors. As a product manager (not for vsc or MS) I use this type of telemetry all the time to make prioritization decisions. It’s a balance, but my hunch is the team at MS uses this info exclusively to make the product better.

Of course, you should always be able to disable this sort of collection.

No, you should ALWAYS explicitly ask for user consent. You should explain exactly what kind of data is being collected and how it's used and ask them if they are fine with that. Anything else is unethical.

I'll happily enable certain kinds of data collection when a tool is transparent and it makes its data collection opt-in.

I'm a privacy advocate, but I'm 100% okay with on-by-default error collection, as long as the logging is scrubbed of personal data.

Usage analysis is different, and should be opt-in.

Even if we accept that scrubbing of personal data is possible, which is far from certain, that theoretically non-malicious traffic still provides camouflage for malicious traffic. If we insist on opt-in, then we can apply a very simple and fail-safe heuristic: any traffic the user didn't explicitly request is malicious. There's no need for slow and error-prone analysis.

And how in the world do you intend to distinguish traffic?

How do you intend to tell the difference between Atom's and VSCode's Git(hub) integration, app updater, package manager, telemetrics or an exploitation? The difference between Signal's, WhatsApp's or Telegram's messages and their telemetrics?

Your proposed heuristic only works for applications that would not otherwise have any network traffic, and even then, only if you do on-machine per-process network monitoring. Once it has any valid traffic whatsoever (which is the case for basically any modern GUI application), then you quickly descend into needing to disassemble binaries to locate the cause.

Opt-in vs. opt-out is about privacy and rights, not about security. Malicious companies whose traffic is a security breach, and things along those lines, are problems that belong in an entirely different discussion, whose root cause is much deeper than opt-in vs. opt-out.

Also, regarding scrubbing: A stack-trace and error message is far from private identifying information. No harm done in sharing it.

>Git(hub) integration

If I select a git command from a GUI, that's an explicit request by the user.

>app updater, package manager

If something legitimately requires background network activity, and security updates might qualify, it should go in Crontab. The system should have exactly one package manager, and apps should not re-implement their own.


If I turn it on, I'll remember I turned it on.

None of this makes any sense unless you're manually authorizing all connect()/write() calls, manually monitoring network traffic and correlating it in real time with user actions, or have some form of surveillance software to automatically do this for you. All of these seem extremely improbable.

Otherwise, on the network, git fetch and telemetrics to github will be indistinguishable (except if you start doing opaque data pattern analysis). There's also no automatic correlation on the network.

On the machine itself, the closest you could get is something like Little Snitch, which still won't be able to help at all, as permitting Atom to speak to GitHub on port 443 will permit everything while disallowing it will block everything, and it's also designed to be a manually populated whitelist, rather than a constant authorization system.

> If something legitimately requires background network activity, and security updates might qualify, it should go in Crontab. The system should have exactly one package manager, and apps should not re-implement their own.

First of all, eww. Nothing is worse than updates running on a crontab, causing shit to break because it updated automatically.

Also, welcome to 2018. Everything outside Linux bundles its own updater, and on Linux, flatpak and other newfangled things bypass most package managers (even with dnf's flatpak integration, it's still not going through any yum repos).

Internet access is still pretty variable throughout the world (or even within countries that can have good speeds, like the US). Anything randomly uploading megabytes is going to cost somebody an unreasonable amount of money so there should be consent.

I agree. Most telemetry gathering is not malicious. But I always disable it simply because I use a lot of software. Telemetry from all of it would just be a big outgoing stream of data all the time.

How is VSCode different from Firefox? Both have telemetry enabled by default, and both allow you to opt out of it[1].

[1] https://www.mozilla.org/en-US/privacy/firefox/

> How is VSCode different from Firefox? Both have telemetry enabled by default

Yep. So does Google Chrome, Apple macOS, Apple iOS, Canonical Ubuntu, and an uncountable number of programs, apps, and websites.

But VSCode is a Microsoft product, so it gives us an opportunity to do some serious pearl clutching and collectively lose our shit.

The issue isn't that it's MS. The issue is that it is opt-out, not opt-in. Has nothing to do with who's pulling the shenanigans.

Firefox is also opt-out.

It's not silent though.

You get a little banner at the bottom of the start page on first run and a button to go straight to the preferences option.

> It's not silent though.

Neither is VSCode. How is Firefox morally superior to VSCode in this regard then?

"VSCode silently opts you in to data collection"

Sure seems that way. Never had any prompts about it.

The title of this post is FUD.

Look for the comment here that says

> https://imgur.com/a/wii2zVT is what everybody gets when starting VSCode for the first time.

(It’s the 2nd highest top level comment at the moment.)

I don't see why Firefox is relevant? It's still a shame that they are both like that though.

Two products that opt you into telemetry collection, how is it not relevant?

Every time I install anything I check through all the preferences / settings options and opt out of any of these things. There have been few cases where I just leave it all on.

Unless it's otherwise known, I think it's safe to assume that every not-tiny application contains phone-home spyware these days. It's not long ago when that wasn't the case, and many users had application firewalls that would alert (and block by default) such attempts. I'd say Win10 was probably the "breaking point" for such behaviour being normalised.

I'm one of those (probably tiny minority) who inspect the binaries of closed-source applications before using them, and will reject those containing networking-related functionality if the application should have no reason to do so.

Emacs doesn't try to 'phone home' and it's the very definition of a 'not-tiny' app. Neither does (neo)vim.

It’s the very definition of a ‘not-tiny’ app from 1995...

In the context of Electron apps, no emacs is in the running.

It's still very much improved, maintained, and used today. Electron 'apps' are now the gold standard? lol.

"The gold standard" is an odd way to put it, but, yes? Emacs' bloat cannot compare.

Not every app is an Electron app.

What kind of inspection do you do? I assume something more involved than strings(1)?

Opening it in a hex editor is one of the things I do, yes. I also inspect imports too. If the code is obfuscated, that's another reason for rejection.

Funny, I just caught Win10 sending info about me opening and closing services.msc, and sending my taskbar searches to office and onedrive. Couple of Windows Firewall rules stopped it.

You can see it all in Wireshark, there’s a ton of it.

> sending my taskbar searches to office and onedrive.

Do toolbar searches return results from Office and OneDrive? Do you use either? Do you have all of your Office documents and OneDrive files downloaded locally?

Why not use something like Little Snitch or even TripMode to add opt-in functionality for all apps trying to make network connections?

Along these lines for linux. I've got some hacky scripts set up on my computer so that everything runs in a network namespace with only a loopback device (i.e. no internet) unless I start it by typing `net command` (like `sudo command` but for internet). I could post them if people are interested.

I remember ZoneAlarm was quite popular on Windows but I suspect most users these days either don't know or don't care.

When I first installed vscode, I assumed this was the case and yep, there it was buried in preferences. Disable all of it, including automatic updates. When you want to update, uninstall and install again fresh. Then disable again. Repeat.

Has everyone already forgotten about GDPR?

Is this personally identifiable information? If not, then the GDPR has nothing to do with it.

> Stop using sha256(MAC address) for telemetry machine ID #8688


Having names beside the bell in an apartment building is forbidden. GDPR is fun ...


Read the article before spouting nonsense.

You're free to attach your name to the bell if you want for whatever reason. Only landlords are now not allowed to attach your name to the doorbell by default in Austria, and apparently they weren't allowed to do so since 1980 but it's only being enforced now.

At least they changed the code names, it used to be "telemetry.optIn = true", showing how little they understand the term opt-in.

Any reason why Microsoft's own extensions are not able to use the global settings disabling telemetry?


The package they are using “vscode-extension-telemetry” actually does use the global setting. https://github.com/Microsoft/vscode-extension-telemetry/blob... Third-party extensions can read that setting too so they can respect the global choice.

Because then they don't get to hoover up as much of your data.

I have Emacs, why bother with other limited editors? Emacs can do what they do + far, far more so...

When Microsoft bought GitHub I didn’t think about GitHub Enterprise revenue. I thought about all of the language package managers that use GitHub’s APIs for downloading repos.

> ... extensions may be collecting their own usage data and are not controlled by the telemetry.enableTelemetry...

wtf. So it's like whack-a-mole.
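Since three comments above (searching settings for "online", the old `telemetry.optIn` name, and extensions that ignore `telemetry.enableTelemetry`) all come down to what is actually in the user's `settings.json`, here is an added audit script for that file. It is example code, not a VS Code or VSCodium tool. It assumes only what the thread states: `telemetry.enableTelemetry` is the current global switch, `telemetry.optIn` was its earlier name, telemetry is on when neither key is set, and extension-specific keys may exist outside the `telemetry.` namespace. The keyword list used to flag extension keys, the sample settings file and the function names are the example's own.

```python
import json
import re

# Keys named in the thread.
GLOBAL_KEY = "telemetry.enableTelemetry"
LEGACY_KEY = "telemetry.optIn"

# Assumed keyword list for spotting extension-level collection switches;
# adjust for your own extension set. "online" is the search term from the thread.
SUSPECT_WORDS = re.compile(r"telemetry|online|usage", re.IGNORECASE)

# Constructed sample of a user settings.json (JSON with comments, as VS Code
# writes it). The extension key is made up for the example.
SAMPLE_SETTINGS = """{
    // user settings
    "editor.fontSize": 14,
    "telemetry.optIn": true,
    "some.extension.telemetry": true,
}"""


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments outside string literals, then trailing
    commas, so json.loads accepts VS Code's settings dialect."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing commas before a closing brace/bracket (strings already handled above).
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def load_settings(text: str) -> dict:
    return json.loads(strip_jsonc(text))


def audit(settings: dict) -> dict:
    """Report the effective global switch and any extension keys that look
    like their own collection toggles (which the global switch may not cover)."""
    if GLOBAL_KEY in settings:
        enabled = bool(settings[GLOBAL_KEY])
    elif LEGACY_KEY in settings:
        enabled = bool(settings[LEGACY_KEY])
    else:
        enabled = True            # opt-out default: absent means on
    suspects = [k for k in settings
                if not k.startswith("telemetry.") and SUSPECT_WORDS.search(k)]
    return {"global_enabled": enabled,
            "legacy_key_present": LEGACY_KEY in settings,
            "suspect_keys": suspects}


def harden(settings: dict) -> dict:
    """Return a copy with the global switch off under its current name, the
    legacy key dropped, and boolean suspect keys turned off. Non-boolean
    suspect values are left for manual review."""
    out = dict(settings)
    out[GLOBAL_KEY] = False
    out.pop(LEGACY_KEY, None)
    for k in audit(settings)["suspect_keys"]:
        if isinstance(out[k], bool):
            out[k] = False
    return out


if __name__ == "__main__":
    s = load_settings(SAMPLE_SETTINGS)
    print("before:", audit(s))
    print("after :", audit(harden(s)))
```

Run it against `~/.config/Code/User/settings.json` (or the platform equivalent) by reading the file into `load_settings`; the `suspect_keys` list is the whack-a-mole part, since nothing forces an extension to honour the global switch.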

Nothing new here, VSCode had this for a long time. Also I don't find anything wrong with shipping software with data collection on by default.

If someone wants to try to explain to me why the collection of application telemetry is bad, that'd be great.

It's not inherently bad. Collecting telemetry on an opt-out basis, as opposed to opt-in, is.

Is there a plug-in that pops a big red warning when telemetry is turned on? That would be very useful.

I guess this might be a precursor to the type of behavior we can expect to see with the GitHub acquisition.

Secondly, is there anyone out there that has a solid emacs step by step guide that might be able to replicate the functionality of vscode? I haven't had time to look at it but I think the time has come where I can't put it off any longer.

Is this at all surprising given that we're talking about the company that made Windows? Did we forget that for a while it would silently put telemetry in your binaries?

> it would silently put telemetry in your binaries?

What do you mean?

For a while VS Code would do that, but they claimed it was an accident. https://www.geeks3d.com/20160610/vs2015-how-to-remove-window...
