Tool-spying on users getting worse

Back in March this year I wrote a blog post ‘Your tools shouldn’t spy on you’. I still feel pretty much the way I felt then.

Today Microsoft has released some of the telemetry data along with announcing their plans for future telemetry collection.

I wrote a comment for that blog post of theirs. It’s currently awaiting moderation, but I figured I should post it here too so I can keep a record of what I said.

I pretty much stopped using dotnet in March when I found out it was collecting this telemetry. I believe it's wrong that tools spy on their users:

Spying is a good word for what's happening here. There's no guidance when you install, no prompt to ask you if this is all OK, just the sneaky sending of data that you may not even know about. If all you did was install and run the tool, you wouldn't know it was send data to Microsoft. It's hidden away unless you're a fan of technical blogs.

Despite someone's Github issue - - (over a year old and still running), despite someone else's Pull Request - - switching telemetry off by default, we are in the situation where Microsoft now seems intent on making the tool's spying even worse, all while talking about community engagement.

Because now, as well as gathering data whenever you run the tool, it's going to capture and pass on a token to uniquely identify your computer. And what's worse is this token can be discovered by anyone on your LAN. Worse still, the plan is for this data to be made public.

Want to know what your former colleague was doing before they left the company last month? Just find out their computer's MAC address (from their network card), compute the SHA256 of it, and then you can search this data Microsoft is making public and see the commands they ran and when, right down to their typos. See? You can spy too now! (How soon until this telemetry is evidence in a lawsuit, I wonder.)

'The data collected does not contain personal information.'?
And then there's the opt-out mechanism. To stop the tool opening network connections I didn't ask it to, or sending data I don't want it to, I have to specify an environment variable. To ensure that's done, I need to put that in the user initialisation of every shell of every user of every machine and every container that might possibly be running dotnet. And if I make one slip-up, the tool spies on me again.

But the problem is not the identifying token. The problem is not the publishing of the data. The problem isn't the poor opt-out mechanism (for users who didn't opt in in the first place!) The problem isn't even the opting everyone in by default.

The problem is the normalisation of this spying. The drip drip drip of taking more information, combined with making it hard to configure the tool so it doesn't spy on you. The problem is having to monitor everything about the tool because you can't trust it. The problem is the attitude that says "We know you don't want us collecting this information, so we're not even going to ask you about it when you install."

Without asking the user if it's OK, there's no informed consent. Taking data without informed consent is bad. Publishing data without informed consent is bad. It annoys me that I have to state these things.

I suppose that in the end it all comes down to the question I asked in March: "Would you prefer a tool you can just trust, or a tool that may have better features but that you constantly have to check to verify isn’t doing anything it shouldn’t?" I'd prefer a tool I can trust. Since March, dotnet has not been my preference. I prefer my tools Private By Default.

Tags: Clueless Idiocy
Created by on Logo15659OpinionatedGeek Ltd.Logo15659