VSCode deprecates Enable Telemetry, auto-enrolls you in Telemetry?
VSCode has deprecated "Enable Telemetry" and now auto-enrolls you into their new Telemetry option even if you've disabled all the previous telemetry settings.
Screenshot https://imgur.com/a/nxvH8cW
The changes apply to the most recent version of vscode (version 1.61.0 released Oct 7).
188 comments
[ 2.4 ms ] story [ 296 ms ] threadThere are other threats and reasons, that others more versed in this can explain, but that is the one I can speak to.
That is only realistic on linux. Everything else us just something you've rented.
Besides, you can always go for independent vscode clone. I don't know how good it is as i haven't tried it myself. I just know it exists.
- That data is collected
- That you or your device can be identified from data
- That data does not have an expiration
- How the data is used (eg: multi-use, for troubleshooting, for marketing)
There are multiple ways to democratize knowledge, but most ideal is having companies just be upfront and teaching engineers why it's important to stress building notifications and/or levers for these kinds of capabilities.
But let's note that this is not the case here. You can still opt out. If they are just resetting your old settings silently, however, then this is not a nice move and it will annoy exactly the people that care.
That kind of behavior bis frowned upon in this establishment
We've gone too long without a reckoning as software authors in this regard. You are not entitled to do whatever you wish with someone else's hardware because of a click through. Those that continue to do so will be (in my case) blacklisted from running on my network.
Right now, maybe. Or maybe more. Are you happy agreeing to it without being told? Being auto-enrolled without being told? What about if they add more later and don't feel the need to tell you as you didn't make the effort to opt out so must be happy with the tracking?
> Why is this so bad in comparison to any other web application or many other apps these days?
Because others do it doesn't make it right. People rail against web properties using what is seen as overly invasive telemetry/fingerprinting/profiling dark patterns too.
> but what exactly is the hidden danger here?
More information stored about you in more places, from whence it can leak further or dubious authorities can demand it be released, is a common fear in such cases for privacy campaigners and campaigners in general within the reach of certain governments.
(if people downvoting would like to let me know why, I'd be genuinely interested to know your counter point(s), otherwise I'm just going to assume that what I have said is true and you don't like it)
You are not enrolled into the auto telemetry yet, the deprecated options are still respected for now. The new telemtry has the levels of on, crash and off. Useful if I want not to contribute my device info, but still help them with issues with the software itself.
Looks like it should be "forever" according to this comment:
https://github.com/microsoft/vscode/issues/134660#issuecomme...
But telemetry is one of those things that you can never trust a company about once it's in. Especially a company with a history of both mandatory telemetry and "oops didn't mean to ;)" telemetry-related setting resets.
https://github.com/VSCodium/vscodium
Builds of VS Code with telemetry stripped out
Connecting to them this way brings them to their knees. That and seeing a host of new high memory processes doesn't give me warm fuzzies about the security risks on important remote systems.
And Atom over sshfs, and crawling the whole project before showing a window is a deal breaker for me
haven't tried this yet: https://github.com/VSCodium/vscodium/blob/master/DOCS.md#pro...
Why aren't the Atom people working on VSC instead?
https://github.com/atom/atom/graphs/contributors
Looks like the original contributors have mostly moved on to other projects, and activity is significantly diminished, but it's an open source project and they've not gone out of their way to block the community from continuing.
Why does Visual Studio still exist?
Why does Sublime Text still exist?
Why does Notepad++ still exist?
Does Atom exist if you never need it again or the project is never maintained?
One option if it's just like 1 file at a time is to use WinSCP with Sublime as your default editor and just open the file, edit, close, but again, obviously not great.
I haven't used it in years but I recall it mostly working.
In fact, you are. It runs the plugins on the remote system. Which, while nice for UX, made me upgrade my blog's droplet from 1GB to 2GB memory ($5/month -> $10/month). But I figured it's worth it because it lowers the barrier of entry to writing, and anything to make the process of writing as painless as possible is worth it (and I'm still publishing once/week so I guess it's paying off)....
I'm not saying this justifies dark patterns, and I have no firsthand knowledge of whether Microsoft is exclusively using this data for legitimate purposes. If it were me I'd enable it by default but make it clear and easy to disable for those who care. That said: I don't think the knee-jerk assumption that this is a wholly evil thing is justified.
Exactly. Telemetry can be a useful like you said and should be clear to users when they are being opted into it. Especially if someone has disabled all telemetry, they should be prompted to enable it or configure it with the new settings. If you silently re-enable it on their device when they already went thru the trouble of disabling it (and not expecting the settings to change day-to-day), you'll get some knee-jerk assumptions and reactions, whether your intentions where noble or not.
I once asked, seriously, whether there was any guarantee that enabling telemetry in a Microsoft developer product would not result in sending code we were working on back to Microsoft, inadvertently or otherwise. No-one could give me a clear confirmation that it would not. The responses were about 20% "we trust Microsoft, they'd obviously never do this" and about 80% silent downvotes.
If my business could be facing considerable damages for violating confidentiality agreements if something like that ever happened and sensitive information did leak, that's just not a convincing response. Microsoft have been pushing mandatory telemetry, mandatory and automatically deployed user-hostile updates and radical changes in data usage like GitHub Copilot. You'd have to be crazy to give them any benefit of the doubt in this area now. If they want phone-home on and they promise they're not going to take anything they shouldn't, we want to see the technical measures and legally actionable documentation to back that up.
No. Make it clear and easy to ENable for those who care.
As for this change, I've seen it myself, and I think it's just poor design, nothing evil. They are just refactoring telemetry control and fucked up with porting over existing preferences because it's not a 1:1 thing.
That rests on some very specific assumptions; consider that, statistically, the "restore" feature of backup software is almost never used.
In other words, just because a feature is used rarely doesn't mean it isn't important to keep around. So much of what's wrong with software these days can be attributed to this "A/B test everything, the data never lies" approach to design.
Design by focus group where the focus group is the users who left telemetry on/unblocked.
There's no coherent threat model here. There are a million different ways to shoot yourself in the foot and compromise your codebase before we even begin to consider what Microsoft can do with the knowledge of what buttons you press sometimes.
MS have a history of being hostile to open source, but have been able to launder their image somewhat.
My threat model is Microsoft selling bogus "productivity enhancement" features to customers, pushing duplicated features, collecting data on costumers to acquire business sensitive information, and using marketshare as leverage to strangle better products.
https://github.com/VSCodium/vscodium/blob/master/DOCS.md#how...
The top of the log file for the remote extension always says this:
"
*
* Visual Studio Code Server
*
* Reminder: You may only use this software with Visual Studio family products,
* as described in the license https://aka.ms/vscode-remote/license
*
"
At that point, why not copy what people do with android? Just run a dummy "vpn" on your system that null-routes traffic going to microsoft-controlled domains or IP blocks. By no means a perfect solution for sure, but a really good one in practice.
You have remember to clear the telemetry cache and reconnect your system to microsoft to get updates from time to time.
Are they crazy? How is this legal?
Test if for yourself if you must.
I tested with Wireshark. It does respect your previous setting if it is more restrictive.
They're transforming the control of telemetry to a different option. The problem is that the new option doesn't default to being based on your old telemetry opt-out value, it just defaults to "on" as if you just downloaded VSC. And this leads people to reading all kinds of evil intent into it.
But it's probably not. We've all worked on big complicated products at big, slow companies, right? This is just bad design.
Either their engineers are incompetent, and accidentally chose the evil thing, or they intentionally planned it to happen this way.
The Vscodium project [0] exists and provides builds directly from the source.
This version has none of the user-hostile behavior! It also makes you realize Microsoft’s new round of EEE overreach when you see that the maintainers have to provide the extensions through their own repository and the default C# debugger doesn’t work for licensing reasons (everything else works perfectly).
Don’t trust Microsoft. Use the code they give you (which is generally fine), not their proprietary products (which are generally very much not fine).
[0]: https://vscodium.com
They’re still working on making them official.
Isn't it also the case that pylance doesn't work and has some form of DRM to prevent it from being used with the open source version? I'm not saying that as a reason not to use the open source version, just wondering if Microsoft has already rounded the corner on that second "E" in EEE.
Keeping a laptop cool and quite while running slack and vscodium is a task in itself. I guess I would create a CI Pipeline and just commit via git
(I installed VS Code to see what the fuss was about and the first thing I wanted to do was hide the tabs because tabs are a useless eyesore in a text editor. But when I searched for a way to hide them, I read that it wasn't possible. Madness. I'll never understand how tech enthusiasts can enjoy using software that provides them with so little control.)
While the repo itself cannot lock you in, theses can.
I think GitHub might actually be best suited for personal projects. Projects aimed at others is now making contributors accept GitHub's proprietary ToS, vendor lock-in, and whatever experimental ways they plan to scan and profit from your code by offering it for "free".
Link: https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...
From Wikipedia:
>"Embrace, extend, and extinguish" (EEE),[1] also known as "embrace, extend, and exterminate",[2] is a phrase that the U.S. Department of Justice found[3] that was used internally by Microsoft[4] to describe its strategy for entering product categories involving widely used standards, extending those standards with proprietary capabilities, and then using those differences in order to strongly disadvantage its competitors.
If there's any confusion around this messaging it's because this discussion literally happened 2 days ago. I'll reopen https://github.com/microsoft/vscode/issues/134660 to make sure we clear up confusion.
If either are 'off', it's sending no data. The new one also allows you to only send error logs, so the truth table would be more complex.
> @john-aws It does respect your prior settings. If you disabled telemetry before it will still be disabled even though telemetryLevel is set to "on" by default. We always take the most restrictive of the two settings. You can confirm this by setting Log level to trace and seeing no telemetry is flowing in the output channel. The old setting will never be completely removed to prevent enablement of people who previously disabled telemetry but it is deprecated so we recommend setting this new setting to "off" and removing the older settings from your settings.json
So the truth table would look like this :
The new telemetry level can be set to Off, Error, On.The actual code is on github[2] and looks like this :
[1] https://github.com/microsoft/vscode/issues/134660#issuecomme...[2] https://github.com/microsoft/vscode/blob/be75065e817ebd7b625...
Please continue to push back against moves towards forced telemetry. Some of us work in sensitive environments, others wish for privacy. For those of us that work in sensitive environments we could simply firewall the program to stop talk back, but that will likely break many other things. Currently we have a level of trust that strikes a good balance between over the top strict security and permissive security where there are few issues because Code is trusted from a trusted domain. Forcing telemetry is likely to have Cybersecurity teams flag the app at an enterprise level and start to introduce headaches as they start to try and curb information leak.
Windows 10 alone has something like 200 individual settings for disabling its various forms of telemetry. Office adds several dozen more. Dotnet itself has telemetry, then PowerShell on top of that. VS Code and Visual Studio both send telemetry.
On and on, and on... and then some more, and on... and ON and ON and...
There's just no end to it.
As administrators, it's like playing whack-a-mole against a thousand moles that are breeding exponentially.
We don't want to play this game any more.
There's also the very detailed page on the website detailing this as well as how to see all telemetry events that are sent in real time in the output panel and even how to print out a report of all events that get sent with their classification (code --telemetry).
https://news.ycombinator.com/newsguidelines.html
Edit: you've been posting a ton of unsubstantive and flamebait comments, most if not all of which are on this same theme, and you've been doing it for a long time. We ban accounts that do that sort of thing, so please don't do it any more. (No, we don't care about $BigCo. We care about keeping discussion here out of the shallow-flamewar end of the pool.)
Edit 2: I just noticed https://news.ycombinator.com/item?id=28814819 - appreciated.
I really wish I could use stronger language though....
Personally, I'm not interested in messing around with that kind of nonsense. I don't want to engage a lawyer just to find out if I can safely run some software and in the modern world where we're dealing with things like personal data and sensitive business information (including code and clients' proprietary information used to write it) an organisation with Microsoft's recent track record on privacy isn't going to get the benefit of the doubt.
Remove it. Then champion removing it from the rest of MS’s products. If you must spy to learn your market, you should not be in that market.
I still hold onto a Sublime Text license waiting for the day MS shows it’s true purpose of making VS code free. Has this day come?
"If I've been called here, I can safely assume whatever's been done's been done wrong, otherwise I would not've been called here, cause I'm definitely not the cheapest option"
Though, if possible, consider using GNU/Linux whenever possible - distros like Debian have historically had little controversies around them, even package popularity metrics are presented as a choice to you during install time: https://popcon.debian.org/
Certain other distros like Ubuntu have a bit more controversy surrounding them, for example, the snaps package mechanism which takes away the user's control over updates by default, though that's more of a security hole and a stability risk, rather than aggressive telemetry related (unless it's introduced by the package creators, a la Audacity's plans that were later rolled back https://github.com/audacity/audacity/pull/835).
Of course, if you truly care about your privacy and open software, you might as well use a fully GNU distribution, such as Trisquel, though there are factors like hardware compatibility and software availability which could pose challenges in such cases: https://trisquel.info/
Windows comes in many flavours. The most "just stop it, okay?" version is the Long Term Servicing Channel (LTSC).
It's like the Windows you used to like, back in the XP days. No Xbox gaming bar or Minecraft. Minimal (no?) telemetry. No forced updates every 6 months that break things randomly.
In my line of work we used it a lot for things like virtual desktop fleets with thousands or even tens of thousands of instances Why? Because the "normal" builds would every now and then just 'decide' to force update themselves despite our best efforts to stop that. All at once. On an ephemeral environment, where the machines would reset on boot, and then try to apply the forced update again. And again, over and over...
Some Microsoft manager wanted their KPIs met, so they just.. rammed something through. Fuck everyone running a VDI fleet, a billboard, a kiosk, a test environment, or anything that needs any kind of stability at all. Big man at Microsoft needs a bonus for that new Tesla!
This was common practice in our line of business. LTSC or failure, those are the options.
Meanwhile, Microsoft, whenever they turned up to a customer site, would just keep harping on about how LTSC is not intended for users, how it's "bad", and how the six-monthly releases provide Enhanced Experiences(tm) or whatever. They would stop just short of calling us unprofessional in front of our customers. Just.
It was the most absurd thing to watch happen. The disconnect between Microsoft and their customers is almost comical now...
I really hate it too. But it seems so be so heavily anchored in their strategy that I don't expect them to lighten up about it.
* They implemented proprietary sync protocols
* They obfuscate how 'settings' are saved - no, the settings.json is not what the editor uses and they hide stuff in the internal sqlite db they use
* Capping open versions of the product
* And finally, inserting proprietary "licensed" stuff and code that purposefully breaks if you're not licensed
I was using Vscodium occasionally and despite it being very easy to use, I'm going to uninstall it now and just focus on emacs and neovim. I do not even trust vscodium since the original codebase comes from tainted origins.
vscode will still try sending data to those servers but won’t be able to reach them. Little overhead.