I haven't bothered because a) opt-out risks a backlash and b) opt-in affects the data so much it becomes useless (much smaller sample and probably self-selecting a certain type of user)
Skimming the comments here, it seems everybody assumes telemetry is always nefarious. I get the distrust of large corporations and other obvious bad actors - but the blanket cynicism for all telemetry here is kinda surprising. Have none of the developers here ever had a need for it themselves?
But you’re totally right - telemetry & crash dumps & analytics are helpful & great for devs who care about the customer UX and don’t use the data for advertising or anything other than fixing & writing good software, so it’s a real kind of tragedy of the commons that we can’t have safe, trustworthy, and pro-consumer telemetry.
I went from building a web app that used Google Analytics and some other kinds of anonymous telemetry (and using that data only for identifying functional software & site issues), to building driver software that absolutely cannot send data out, and I wish for telemetry all the time. Not only is it difficult to understand what users are doing, they usually don’t even know themselves and can’t tell me what happened when things crash. The result is that turnaround times for critical issues are in months, when it could be days or hours if we had crash dumps and analytics, the lack of automated reporting hurts users.
I’m not sure there’s a way to separate the good from the bad, to designate some kinds of telemetry as safe and to be able to trust it while disallowing the stuff we don’t want. If that were somehow possible, if anyone has ideas, I would love to help figure out how to make it a reality.
Selection bias is a real problem, but small sample sizes may be less troublesome than you expect.
For example, when estimating a value by taking the mean of several samples, the random error of your estimate will be proportional to `1 / sqrt(number_of_samples)`. Scaling from one sample to 100 will improve the precision of your estimate by one decimal place, but to find a second decimal place, you'd need to scale from 100 samples to 10,000.
Some of telemetry's bad reputation comes from the common practice of gathering and storing exhaustive data for every user, usually with only half-hearted anonymisation. Sampling a small fraction of users (perhaps 10% for small projects, 0.01% for huge projects) should capture many of the benefits of comprehensive telemetry, with less privacy risk.
It could also be used to prevent showing an opt-in notification at all even in software that requires opt-in.
This flag is sent by my browser when I connect to SOMEONE ELSE’s SERVER.
The internet only took off because the primary business model which ran on ads and derivative information that servers do to their users.
It’s not fun. It’s not private or secure. It’s not illegal (in most jurisdictions for most industries). The flag exists as a response to the de facto and de jure state of the world, not some fairytale scenario.
No? It took off before advertising was widespread as a primary or sole funding business model? Also there's literally nothing about advertising that requires data collection about users. Sure they love to do it, and they might even believe that it helps their profits in some way. But it's not inherent, they got along just fine with billboards and newspaper classifieds. TV ads never required personal information. Not did pre roll cinema ads, or radio adverts. Nobody was bemoaning in the streets that they couldn't possibly find anything to buy
quite the opposite I would argue:
https://nickyreinert.de/2020/2020-10-24-marketing-killed-the...
No, it's set in your command shell (e.g. bash) and tells CLI programs that support it to not connect to a server. It has nothing to do with browsers or ads. This is all very clear in the article.
Get off your high horse.
Arguable, on the other hand it did kill the internet. (or, almost so far, we'll see whether we rebound after decades of enshittification)
...and promptly, thoroughly ignored.
Perhaps the "DO NOT TRACK" name is somewhat of an established term, though.
*:analytics=1:google_analytics=0,syncthing:upgrade=1
Though if you just want a simple ENV var that handles this WHILE honoring the specification on this page: https://github.com/alloydwhitlock/do-not-track-cli
Plenty of people seem to genuinely believe that “personalized ads” are good for them.
No, in not making excuses for tracking and I do lots of stuff myself of avoid being tracked
I’m only responding to the false premise that there are no benefits. There are. You can just choose to believe they aren’t worth the cost. I believe they aren’t but I have friends who opt into all tracking and even register their presence with multiple apps. They believe they’ll make more positive connections
The biggest failure of DNT was browser makers - including Mozilla - removing it. It has zero performance impact (1 bit?) or development cost. As long as it was out there, when there was momentum against tracking, advocates had evidence of both demand for privacy and of trackers ignoring user wishes.
This evidence both still exists and is also completely useless for anything. The more important consideration, by far, is that the DNT flag was actively harmful to users in the real world because, if it was acknowledged at all, it was used maliciously to help fingerprint and track users. There is no reason for browsers to continue providing to their users a toggle that not only misleads them about what will happen with the setting enabled, but actively contributes to the opposite outcome because we live in a world where being evil is the norm.
I wouldn't have realized this was happening at all if it weren't for the obnoxious HF_TOKEN warning.
Example: the software crashes, and there is a crash handler that asks you if you want to send a crash dump. With DO_NOT_TRACK, the crash handler is disabled entirely, no question, no dump.
If it gets some adoption, that's probably how it will work. Those who have an financial interest in using tracking (ex: ads) probably won't support such an option.
Everyone proclaiming a "standard" is just adding to the long list of (unofficial) alternatives.
https://git.eeqj.de/sneak/consoledonottrack.com/src/branch/m...
Thankfully, the dotnet package installed by package manager on Arch Linux disables telemetry by default. I left the env set just in case.
But my trust towards "modern" software has lowered. I default to run CLI tools, especially those built in JavaScript or .NET with network disabled:
firejail --net=none
alias ilspycmd='ilspycmd --disable-updatecheck'
Any of those are using a dark pattern and before exploring new ways to opt out you should look for and spend your energy on an alternative which respects your freedoms upfront.
https://web.archive.org/web/20200613155957/https://consoledo...
Opt out should not be encouraged via an off switch. It should be eradicated, and the people who accepted money to write such malware should be plainly named so that such actions can be part of their professional reputation.
Is anyone maintaining a more complete list of those?
There is a reason none the existing methods use the word "TRACK". Although connecting home can be used for tracking it doesn't have to be.
If a tool uses connecting home for telemetry, implementing "DO_NOT_TRACK" would suggest it does track its users without the setting, even if it may not.
Rename it this to "DO_NOT_CONNECT_HOME" and it may be a useful standard.
Many of these tools are source available or supposedly open source, so it can't be that hard to take their tracking endpoints and call them in random order.
Its an ok solution, but will never be implement and doing it actively goes against the interest of those who would have to do implement it.
You just want local software to...send commands to your Cloud providers?
I think the only solution is to make it law that you can't track anyone for any reason without their consent, and can't sell consensual tracking data without an additional consent agreement. It would be a huge blow to the advertising industry, so it will never be made law, but it's the only thing that would work.
My point is that there *is* such a thing as software that tries to respect their users. I'm not the only one.
The only tool I have installed currently that does %/"($& like this is Deno (required for yt-dlp now). It phones happily home even if you wrap it into a wrapper script that forces the env variable (in no way I'll pollute my default environment with stuff like this):
$ cat /usr/local/bin/deno
#!/bin/sh
exec env DENO_NO_UPDATE_CHECK=1 /usr/local/packages/deno/latest/bin/deno "$@"
[0]: https://github.com/renovatebot/renovate/discussions/42932
export SEMGREP_SEND_METRICS=off export COLLECT_LEARNINGS_OPT_OUT=true export STORYBOOK_DISABLE_TELEMETRY=1 export NEXT_TELEMETRY_DISABLED=1 export SLS_TELEMETRY_DISABLED=1 export SLS_NOTIFICATIONS_MODE=off export DISABLE_OPENCOLLECTIVE=true export NPM_CONFIG_UPDATE_NOTIFIER=false
The proposed way just normalizes tracking.
It should be much more difficult to collect data than to opt out of collection.
I'm not a daily user of network namespaces, and would probably write a script to do the configuration within a shell (it works a bit like containers). The configuration is inherited by child processes, so you only have to do it once. Basically whitelist the urls you typically use, and maybe let the script popup a dialog asking you to allow access when the firewall catches a domain that is not in the whitelist yet.
The reason they will not adopt common env is that because they do not want it to be easy to turn off
I'd prefer TRACK_ME as an opt in.
Unfortunately big corporations can always find away to make regulators see no problem.
This is called opt out.
export ALLOW_TRACKING=telemetry,crash_dumps
And they do by burying it in the user agreement you probably agreed to.
Like it or not, it is your responsibility. I agree it shouldn’t be, but let’s be realistic.
They didn't opt out of my data, after all.
.. which is entirely different to the telemetry system where usage stats are reported. You can see that on data.syncthing.net. But again, thats a separate opt-in. The suggested env variable on the site won't turn that off.
Can someone expound on what they see as a problem?
In addition to the other response: crash dumps are difficult to anonymize, both because useful crash dumps include something like a minidump (or some other small alternative to a core file), and because even without that, any random information from a backtrace may be sensitive (e.g. a URL).
There's nothing wrong with saving a crash dump and giving the user control of whether to submit a bug report.
Your IP during connection exposes your rough location.
Crash logs rarely are completely anonymized so both together can additionally serve as a way to re-identify the user.
The only way to properly transmit telemetry data would be Tor. And no, even then I don’t want my tools to report back my use. It’s simply not required, and data minimization is part of my set of ethics, and I’m happy that EU/GDPR sees it the same way. Not all data that you think is worth something to you is morally right to collect. You send data somewhere, even just to check for updates - ask me first. I do not want my hammer to report back how many nails I hammered in. I don’t want my software to reach out to the world without my consent.
Users should never be opted in through usage alone of free or paid-for tooling to supply information that isn't part of the function of the tool. Where that is required for a service or product, you should opt-in explicitly, not implicitly.
https://web.archive.org/web/20200613155957/https://consoledo...
I abandoned the project. Opting out of telemetry tells developers that opting us in automatically without consent is OK. It’s not.
Spyware is spyware even if it has an off switch.
Patch it out. Fork it. Don’t use spyware. Name and shame developers that accept pay checks to build spyware for corporations. Make it an economically bad choice to accept such jobs by poisoning the google results for the names of people who do this. Make them ashamed.
The one thing you DON’T want to do is validate their unethical model by opting out when you never opted in.
Tech people could learn a lot from the BDSM community.
Tech companies regularly violate all 3 principles.
1) Opt-out instead of opt-in is an abusive practice, only you're not getting fucked by a strap-on without realizing it, you're getting profiled and manipulated for monetary and political gain.
2) You have no way to find out how your information is used. Ironic in an age where so many decisions affecting you are made by automated systems where the output can be traced back to individual inputs deterministically.
3) Even if you do your research (=spend your limited time alive by playing zero-sum games with no benefit for you) and opt-out, you can't take back what's already circulating out there.
And the solution is not that crazy - change laws so people own all data about them and all results of using said data, except specific well-defined cases.
Then if a company uses your data without your consent, it doesn't pay a probabilistic tax called fines, it is forced to give you a part of its income and a part of its own ownership.
We kind of need ublock origin on the operating system level - even more so as the new laws mandate age sniffing of everyone, tied to usage and access to the www (see the concomitant fight against VPN; that is the long road here, the "but but but the children!" is the lie, the cake, the carrot on the stick).
Ultimately one could ask "but the do not track thing is harmless" - the issue still is that I don't agree that my browser should betray me. Naturally since Google controls most browsers, can we trust Google? But, even aside from Google, can we trust other browsers? We need more diversity here again, but also more quality on every level. I consider the do_not_track as actually a you_will_be_marked and thus tracked.
Totally agree! I've built a product doing exactly this in my previous job. I'm building something new & similar now, but much better :-)