
I find it outrageous; "Telemetry" is built into most new Microsoft software. For example, they recently released a replacement for PowerShell and CMD, called "Terminal 1.0", which also comes with some aggressive telemetry built in:


This also applies to newer releases of PowerShell, aka PS Core. I haven't tried either, but I guarantee you telemetry in both applications is not opt-in but opt-out using some obscure method, if that is even possible.

In any case, the claim that telemetry is necessary to improve anything related to customer experience is ridiculous. Not only is a general data collection unnecessary; it would be more efficient to run some experiments, and be it some opt-in A/B tests. Surveillance like the above is encroaching and can easily be abused. The data collected are usually fine-grained enough to allow for some nice fingerprinting of individual users. The potential for abuse is high.

I'm just gonna recycle the bits I've posted here before about this exact file :)

[1] https://news.ycombinator.com/item?id=22331345

[2] https://news.ycombinator.com/item?id=19322398, https://news.ycombinator.com/item?id=19324538

The file you've identified produces a local, opt-in event stream that does not leave your machine unless you literally e-mail it to me. It's just got that unfortunate word in the filename that means we're bad guys.

EDIT, upon closer inspection: when this is built as part of the Windows product (which consumes source from this repository) those values may end up in an event stream. In the interest of full disclosure, those events are:

1. Part of the console host (conhost.exe) and covered by the Windows global data collection settings

2. Pertaining to (incomplete, but it's too early in the morning for me to do a full review of this code):

2.a. The number of times each low-level console API was used

2.b. How the legacy Find dialog is being used (long strings, short strings, search direction, number of times)

2.c. Specific settings like font size, how many colors are configured, how big the window and buffer are

I should put a disclaimer at the top of this saying that I'm just a regular old Hacker News commenter who skimmed that file and really has no idea what this code actually does, so I'm not trying to scaremonger because I saw something sketchy without following up on it. However, that file seems to indicate that Terminal logs process connections. Is there a way that this information might leave the device? Could it include arbitrary processes on my system in that data?

Now that I'm at my desk, I'll have a look. Thanks for the disclaimer :)

Alright, with fresh eyes:

When the console host (just C:\windows\system32\conhost.exe, not the new Terminal) exits it emits the following information for processes that had connected to it:

* How many ANSI/VT sequences they used

* How many of the above we understood

* How many of them we did not understand

* The executable stem name (ConsoleApplication1.exe, wsl.exe, cmd.exe)

* How many times we saw that executable

~1-5% of those entries make it into a data pipeline that I believe we stopped looking years ago. These pipelines are usually(?) turned off by the OS, so it's possible that these were rendered inert. Still, though, and because the executable stem name might be a little more exposure than anyone's comfortable with, I've filed https://github.com/microsoft/terminal/issues/6103 to yoink it.

(It's been a long time and I still don't know how to format things properly on Hacker News :))

Thanks for looking into this, and I appreciate you filing an issue! (Hacker News doesn't really do formatting, so I think that's the best you're going to get.)

Thank you for your reply.

I am not sure what you are trying to do with your clarification here, but I feel even worse about Terminal and your employer.

> ~1-5% of those entries make it into a data pipeline that I believe we stopped looking years ago.

Can you elaborate? What does that mean? 1 - 5 % of what exactly? Of all records collected? Of the records on my machine? I thought those were localized traces, do they end up on MS servers or not? What criteria are used to reduce the data? You believe that "we stopped looking years ago". What does that even mean? Not sure what confidence interval "believe" accounts for, but the error term is a bit high for my taste. And as for "we stopped looking years ago": I feel offended. You must think that I am very naive (that extends to all readers here, but I will only speak for myself here).

The code is clearly labeled telemetry, yet you claim that this is solely about local traces. If I am to believe that to be true, that makes me distrust your software even more, because then it must be of very poor quality. How do you fix bugs quickly, given that your engineers can't differentiate "local traces" from "telemetry"? The latter literally means "to measure from afar". The fact that you opened a GH issue about this makes me want to believe you; the fact that it's locked doesn't; but hey, that's your dev process and community work -- I won't judge that.

As for your next argument: "It's the OS's fault". I don't care whether the OS vacuums all my data and sends it to your employer, or whether you personally break into my house to exfiltrate my hard drive: I don't want you to obtain my data in any way. This makes it even worse -- the application you're responsible for appears to passively create some sort of profilable data, which the OS exfiltrates. This does not remove you from the responsibility.

Also: Please consider the bigger issue here. I really want Terminal to be a great piece of software. I would consider myself a Windows fan, if it wasn't for the ongoing disrespect of my privacy; Windows is unmatched in terms of stability and consistency and a proper terminal has been missing.

Your employer claims to gather data as to improve the software I use in my interest; despite the fact that I (and many others) keep telling them that they are REALLY interested in retaining the right to privacy, individualism and secrets.

This is about trust. You keep breaking it. I don't trust you, and I don't trust your employer. When I tell you and your peers so, your answers are evasive (GH issues is not the right place), hazy (oh THAT is done in another component), bureaucratic (look at all these legal statements), irresponsible (it's the OS), or otherwise elusive (that thing clearly labeled Telemetry doesn't do telemetry, because @architechture). You don't understand the problem and you don't really care. I believe you stopped looking at that "pipeline" years ago.

Months ago I opened an issue on GitHub asking them if we could get an option to disable / toggle telemetry at https://github.com/microsoft/terminal/issues/5331.

It seemed reasonable considering VSCode is also a Microsoft product with an explicit telemetry option that you can opt out of.

Within 15 minutes the issue was closed and the idea of adding a telemetry option was dismissed by a contributor.

Kind of scary that something so integral to your day-to-day as a developer is having that much data sent out to Microsoft. It's partly why I stick with wsltty (which is equally as fast and has no telemetry).

It's too late to edit my original post but since I posted this, a contributor added more comments to the issue.

It turns out that as long as you have Basic telemetry settings in Windows then the Terminal app doesn't send anything out to Microsoft by default.

This comment goes into more detail on what exactly is collected and sent to Microsoft if you use "Enhanced" telemetry (which you don't need to use): https://github.com/microsoft/terminal/issues/5331#issuecomme...

Maybe I don't understand all the way, but I see this line of code in there:

`TraceLoggingUInt32(_rguiTimesApiUsed[GetConsoleAliases], "GetConsoleAliases"),`

Is that sending Microsoft all of my bash/zsh aliases? And what about `TraceLoggingUInt32(_rguiTimesApiUsed[GetConsoleTitle], "GetConsoleTitle"),`

If it works like most other terminals I have used, that is going to send the name of the program I am running or the host I am connected to to Microsoft. I think that is pretty invasive if you ask me.

I dunno. The name "_rguiTimesApiUsed" (and that it's a "uint32") suggests that it's a count of times an API was used, not the raw data that went through that API.

EDIT: I put together a list of what happens in this file in a sibling comment.

Telemetry is also built into every web application you interact with. The lessons learned in this space are shifting to non-browser based applications it seems. Sucks.
