1. 25
  1. 58

    I was increasingly getting upset about their extension marketplace, where there is an increased number of extensions starting to sell pro versions of the extensions we used for free.

    This strikes me as a bit entitled. There’s a lot of work that goes into an extension like Gitlens, those developers shouldn’t be expected to work for free. No-one’s making anyone pay for anything, and it is an extension marketplace, after all.

    1. 18

      It seems to me that this is one of the worst things to have come out of the era of App Stores and generalised open source access. At one point folks sometimes put cool hacks online. Lots of people now expect that these cool hacks be productised, have nice, informative READMEs and screenshots on their homepage, prompt support and fixes to major bugs, helpful authors who take time to involve the community in major decisions. Basically the kind of stuff that commercial vendors do with commercial software. But without paying commercial software fees.

      That’s not open source ethics, that’s charity. I’m cool with people asking for charity but shaming people who don’t exclusively offer it, and when they also offer it, they don’t do it in the exact form that’s expected, is a little nasty. And I’m saying this with all the empathy and love of someone who used to save up for months to buy programming books 20+ years ago.

    2. 21

      Regular reminder that life hacking one’s consumption habits will not change the world.

      We will really buy hardware built in sweatshops, hand all our code to a company that contracts with the state, but the problem is that Microsoft looms at the keyboard shortcuts you use?

      1. 4

        Microsoft telemetry running on your own computer is a more direct problem for you than sweatshops or Github existing, and you have more ability to change your own consumption habits to directly remove the opportunity for Microsoft to spy on you than to change how Github operates vis a vis a government or the working conditions of hardware factories in foreign countries whose languages and cultures you do not understand.

      2. 13

        Unfortunately, for me anyway, the remote extensions from Microsoft are blocked from running in open source builds of vscode. Even if I bypass the vscode marketplace block, I’ve been unable to get the remote ssh extension to work.

        1. 9

          Is there any proof that the telemetry data is NOT put to good use to improve VSCode?

          1. 29

            I think there’s a tinge of paranoia that runs through the anti-telemetry movement (for lack of a better term; I’m not sure it’s really a movement). Product usage telemetry can be incredibly valuable to teams trying to decide how best to allocate their resources. It isn’t inherently abusive or malignant. VSCode is a fantastic tool that I get to use for free to make myself money. If they say they need telemetry to help make it better then I am okay with that.

            1. 9

              I think the overly generic name does not help the situation. When people are exposed to telemetry like “we’ll monitor everything and sell your data”, I’m disappointed but not surprised when they block everything including (for example) rollbar, newrelic, etc.

              But MS shot itself in the foot by making telemetry mysterious and impossible to inspect or disable. They made people allergic to the very idea.

              1. 12

                I think the overly generic name does not help the situation. When people are exposed to telemetry like “we’ll monitor everything and sell your data”, I’m disappointed but not surprised when they block everything including (for example) rollbar, newrelic, etc

                It’s a bit uncharitable to read “they blocked my crash reporting service” as “they must have some kind of misunderstanding about what telemetry means” (if that’s what you’re implying when you say you’re disappointed but not surprised that people block them).

                I know exactly what services like rollbar do and what kinds of info they transmit, and I choose to block them anyways.

                One of the big takeaways from the Snowden (I think?) disclosures was that the NSA found crash reporting data to be an invaluable source of information they could then use to help them penetrate a target. Anybody who’s concerned about nation-state (or other privileged-network-position actor) surveillance, or the ability of law enforcement or malicious actors impersonating law enforcement to get these services to divulge this data (now or at any point in the foreseeable future), might well want to consider blocking these services for perfectly informed reasons.

                1. 5

                  I believe that’s actually correct - people in general don’t understand what different types of telemetry do. A few tech people making informed choices don’t contradict this. You can see that for example through adblock blocking rollbar, datadog, newrelic, elastic and others. You can also see it on bug trackers where people start talking about pii in telemetry reports, where the app simply does version/license checks. You can see people thinking that Windows does keylogger level reporting back to MS.

                  So no, I don’t believe the general public understands how many things are lumped into the telemetry idea and they don’t have tools to make informed decisions.

                  Side-topic: MS security actually does aggregate analysis of crash reports to spot exploit attempts in the wild. So how that works out for security is a complex case… I lean towards report early, fix early.

                  1. 7

                    You can see that for example through adblock blocking rollbar, datadog, newrelic, elastic and others.

                    I’m not following this argument. People install adblockers because they care about their privacy, and dislike ads and the related harms associated with the tracking industry – which includes the possibility of data related to their machines being used against them.

                    Adblocker developers (correctly!) recognize that datadog/rollbar/etc are vectors for some of those harms. That not every person who installs an adblocker could tell you which specific harm rollbar.com corresponds to vs which adclick.track corresponds to, does not imply that if properly informed about what rollbar.com tracks and how that data could be exploited, they wouldn’t still choose to block it. After all, they’re users who are voluntarily installing software to prevent just such harms. I think a number of these people understand just fine that some of that telemetry data is “my computer is vulnerable and this data could help someone harm it” and not just “Bob has a diaper fetish” stuff.

                    It’s kind of infantilizing to imagine that most people “would really want to” give you their crash data but they’re just too stupid to know it, given how widely reported stuff like Snowden was.

                    You can also see it on bug trackers where people start talking about pii in telemetry reports, where the app simply does version/license checks. You can see people thinking that Windows does keylogger level reporting back to MS.

                    That some incorrect people are vocal does not tell us anything, really.

                    1. 3

                      It’s kind of infantilizing to imagine that most people “would really want to” give you their crash data but they’re just too stupid to know it, given how widely reported stuff like Snowden was.

                      Counterpoint: Every time my app crashed, people not only gave me all data I asked for, they just left me with a remote session to their desktop. At some point I switched to rollbar and they were happy when I emailed them about an update before they got around to reporting the issue to me. So yeah, based on my experience, people are very happy to give crash data in exchange for better support. In a small pool of customers, not a single one even asked about it (and due to the industry they had to sign a separate agreement about it).

                      That some incorrect people are vocal does not tell us anything, really.

                      The bad part is not that they’re vocal, but that they cannot learn the truth themselves and even if I wanted to tell them it’s not true - I cannot be 100% sure, because a lot of current telemetry is opaque.

                      1. 3

                        I don’t know how many customers you have or how directly they come in contact with you, but I would hazard a guess that your business is not a faceless megacorp like Microsoft. This makes all the difference; I would much more readily trust a human I can talk to directly than some automated code that sends god-knows-what information off to who-knows-where, with the possibility of it being “monetized” to earn something extra on the side.

                      2. 3

                        People install adblockers because they care about their privacy, and dislike ads and the related harms associated with the tracking industry

                        ooof that’s reading way too much into it. I just don’t want to watch ads. And as for telemetry, I just don’t want the bloat it introduces.

                2. 7

                  The onus is not on users to justify disabling telemetry. The ones receiving and using the data must be able to make a case for enabling it.

                  Obviously, you need to be GDPR-compliant too; that should go without saying, but it’s such a low bar.

                  Copy-pasting my thoughts on why opt-out telemetry is unethical:

                  Being enrolled in a study should require prior informed consent. Terms of the data collection, including what data can be collected and how that data will be used, must be presented to all participants in language they can understand. Only then can they provide informed consent.

                  Harvesting data without permission is just exploitation. Software improvements and user engagement are not more important than basic respect for user agency.

                  Moreover, not everyone is like you. People who do have reason to care about data collection should not have their critical needs outweighed for the mere convenience of the majority. This type of rhetoric is often used to dismiss accessibility concerns, which is why we have to turn to legislation.

                  If you make all your decisions based on telemetry, your decisions will be biased towards the type of user who forgot to turn it off.

                3. 9

                  This presumes that both:

                  a) using data obtained from monitoring my actions to “improve VSCode” (Meaning what? Along what metrics is improvement defined? For whose benefit do these improvements exist? Mine, or the corporation’s KPIs? When these goals conflict, whose improvements will be given preference?) is something I consider a good use in any case

                  b) that if this data is not being misused right now (along any definition of misuse) it will never in the future cross that line (however you choose to define it)

                  1. 2

                    Along what metrics is improvement defined?

                    First step would be to get data about usage. If MS finds out a large number of VSCode users are often using the json formatter (just an example) I assume they will try to improve that: make it faster, add more options etc etc.

                    Mine, or the corporation’s KPIs

                    It’s an OSS project which is not commercialized in any way by the “corporation”. There are no commercial licenses to sell, with VSCode all they earn is goodwill.

                    will never in the future cross that line

                    Honest question, in what way do you think VSCode usage data could be “misused”?

                    1. 12

                      I assume they will try to improve that: make it faster, add more options etc etc.

                      You assume. I assume that some day, now or in the future, some PM’s KPI will be “how do we increase conversion spend of VSCode customers on azure” or similar. I’ve been in too many meetings with goals just like that to imagine otherwise.

                      It’s an OSS project which is not commercialized in any way by the “corporation”

                      I promise you that the multibillion dollar corporation is not doing this out of the goodness of their heart. If it is not monetized now (doubtful – all those nudges towards azure integrations aren’t coincidental), it certainly will be at some point.

                      Honest question, in what way do you think VSCode usage data could be “misused”?

                      Well, first and most obviously, advertising. It does not take much of anything to connect me back to an ad network profile and start connecting my tools usage data to that profile – things like “uses AWS-related plugins” would be a decent signal to advertisers that I’m in the loop on an organization’s cloud-spend decisions, and ads targeted at me to influence those decisions would then make sense.

                      Beyond that, crash telemetry data is rich for exploitation uses, like I mentioned in another comment here. Even if you assume the NSA-or-local-gov-equivalent isn’t interested in you, J Random ransomware group is just successfully pretending to be a law enforcement agency with a subpoena away (which, as we discovered this year, most orgs are doing very little to prevent) from vscode-remote-instance crash data from servers people were SSH’d into. Paths recorded in backtraces tend to have usernames, server names, etc.

                      “This data collected about me is harmless” speaks more to a lack of imagination than to the safety of data about you or your organization’s equipment.

                  2. 4

                    That point is irrelevant, since it’s impossible to prove that microsoft is NOT misusing it now and that they will NOT misuse it in the future.

                    1. 3

                      No, so should we blindly trust Microsoft with our data, or be cautious?

                    2. 3

                      My favorite take on turning off telemetry was how Mozilla saw essentially zero users of a feature, so they turned it off, then a certain Linux distribution stopped having sound in Mozilla. Turned out the distro had turned off telemetry by default, so their users suffered. Seen near the end of this presentation: https://www.youtube.com/watch?v=myHH89j0JQU Note that I think Mozilla has done a better job at data governance around telemetry simply by being so open.

                      1. 1

                        Another alternative to VS Code proprietary code and telemetry could be https://theia-ide.org/, maintained by the Eclipse Foundation, which indeed uses the same https://open-vsx.org/ extension marketplace.

                        1. -9

                          Another commie.