Require analytics opt-in rather than make it a blind default #142

Closed
bcardarella opened this Issue Apr 25, 2016 · 87 comments

@bcardarella

I'm not sure if this was discussed but there are going to be companies and government agencies that have a problem with data being sent out without explicit permission. I understand and appreciate the desire to collect the information but this introduces a problem for some people. Ideally this would have been an opt-in on upgrade and an opt-in on install.

@dunn
Member
dunn commented Apr 25, 2016

It was discussed, we made it opt-in for about a month during testing then sent out notifications to the mailing list and twitter a week before switching to opt-out.

@albus522

I would say the vast majority of your users are neither on your mailing list nor pay any attention to your Twitter account. So you have notified a very small percentage of your users that you will be collecting their info. If someone else hadn't pointed out this change, I would never have noticed, and I would wager that is the majority case. Add my vote for reverting this change.

@kroofy
kroofy commented Apr 25, 2016

Regardless of how many users have been made aware of this, the user should still have the option to actively make a decision during an install/update of brew.

This is too sneaky and opaque for the user.

@davesque

It kinda blows my mind that this isn't opt-in.

@erikj
erikj commented Apr 25, 2016 edited

Seems like it would be best if the interface queried the user and remembered their preference.

@DavidCWGA

At the very least, prompt the user before first sending data to Google.

@bfontaine
Member

@davesque The problem with opt-in is that you don’t get representative data.

@DavidCWGA

The advantage of opt-in is that you respect your users' choices and privacy.

@GrappigPanda

@kroofy
Incredibly opaque, how dare they link to the two files which directly implement sending off analytics. And sneaky! They've actively managed to keep this information to only two of the largest technical communities: reddit and hackernews--plus their thorough documentation of exactly how it works is not yet thorough enough.

Truly, what could we do to fix these roguish individuals and their wanton disregard for us: the users of a free product who have never contributed to the Homebrew project (with exceptions to dunn and bfontaine, every user above me has never made a contribution, including me). Y'all are ridiculous calm down and just set the envvar.

@jeroenh
jeroenh commented Apr 25, 2016

@bfontaine the problem with distributing information is that you can never take it back.

@jasonroelofs

@GrappigPanda Insulting people for being concerned doesn't help anyone. Very few users of Homebrew are even going to see this, much less know what's happening or that they are now sending statistics to some random Google Analytics account about what they do on their machine.

There are numerous companies and environments employing tens to hundreds of thousands of people in which security and secrecy is utmost such that any service that sends statistics outside of the walls of the company or group is strictly forbidden. With this kind of change, many people will suddenly start breaking these restrictions with no knowledge of what or why or when.

There's nothing wrong with opt-out, but this should be a message that shows up on brew update that's very explicit, very clear, and with instructions on what Homebrew now wants to do and how to opt out. As it stands right now, this change doesn't respect the privacy and needs of users of this tool.

@codingcampbell

When things like these come up, I wish projects would stop defaulting to Google Analytics in particular. If you need some anonymous usage info, fine, but does Google really need another vector into my life?

@bfontaine
Member

@codingcampbell If you have a good solution that doesn’t need more work on our side (i.e. we don’t want to manage another server), we’re all ears.

@GrappigPanda

@jasonroelofs I'm having a genuinely difficult time trying to digest what you've written.

If someone is breaching restrictions on sharing information by sending in an anonymous UUID with no other distinct markings to the data besides an OS version, then going to google.com is genuinely perilous. Your average blog is tracking much more information than homebrew is going to be, so heaven forbid if you ever need to consult the internet to figure out why a MySQL migration tool isn't working, or if you need to figure out how to install bcrypt on OS X, or any other reasonable internet search.

It's such a disingenuous thing to say.

@albus522

@GrappigPanda Your package manager is not your web browser. Also you can set your web browser to hide a lot of information.

@lacombar

At worst, you should ASK during installation whether or not the user wants to collect analytics, with the default set to "NO". Then I would consider enabling it. No matter how transparent you are about this default opt-in, this is unacceptable.

@eknkc
eknkc commented Apr 25, 2016

While I think it would be better to have a prompt, defaulting to "yes" (because no one would opt in otherwise) to enable this, why is this a huge deal?

I mean, if you have strict policy about this kind of tracking, you should just firewall google analytics (heck, a hosts line would do it) globally. Other software that you've been using might be tracking you just as well, without announcing / documenting anything. At least we know what homebrew does.

It confuses me because if this is unacceptable, it means you trust every single binary you've been running. Teach me how, please.

@lacombar
lacombar commented Apr 25, 2016 edited

@eknkc because when I set up a new machine, I don't want to have yet another environment variable to set up. We all think about it today, but in a year, I'm gonna have forgotten all about this, and analytics are gonna get enabled because of the default opt-in... behind my back.

This is just a really pervasive and sneaky way to behave.

@thecosas

@eknkc Prompt on install/upgrade with a default to yes and instructions on how to opt out would probably be the best solution for all parties. Transparency, choice, and useful data for the volunteer developers which is representative.

@albus522

@eknkc I don't go around installing software I don't trust, especially software whose sole responsibility is installing other software. I also have software that has asked me for usage info and my answer is always the same. I trusted homebrew when I installed it. This action is a definite breach in trust.

If homebrew wanted every user to know what was changing it would have been part of the update and/or install process. That would have been the trustworthy way, and no one would be here having this conversation.

@NickCraver

This is how you turn a trusted project into an untrusted project. The fact that Homebrew is being open about implementation is great, but it's not being that open. When I updated earlier today (for dotnet CLI) I had no idea this was enabled until some outbound firewall logs alerted me. Then I found the Hacker News thread.

If we're saying Homebrew's being honest about it then let's actually be honest: you have very likely informed well under 1% of your userbase of this change. Users installing fresh are not being informed or afforded the chance to opt-out during install. Many users, even comfortable running brew commands they find on websites, don't know how to opt out; they don't know how to set an environmental variable. Users upgrading are experiencing broken trust. Something they previously reviewed (as in my case) has, without so much as a console message, started exporting their information.

I understand your need for analytics, but opting out should be trivial and the collection itself should be advertised to the user so they can do so.

@MikeMcQuaid
Member

Hi all I'm the maintainer who added this. I would have responded sooner but I've been on a plane for the last 10 hours. I'll post more ASAP when I get my laptop onto some wifi; on my phone now.

@DomT4
Contributor
DomT4 commented Apr 25, 2016

Can we please chill on the overzealous emoji use to every single comment here. We appreciate you have strong opinions and we're happy to discuss this further, but adding thumbs down emojis to people like Mike whose comment isn't any further than "I'll post later when I'm online, please bear with me" is a bit counterproductive.

Let's keep things civil and as calm as possible. Please bear in mind that Homebrew has a Code of Conduct that applies to how everyone talks to everyone else, whether that's us to you, you to us or you to each other.

If you'll give me two minutes before thumbing this post down to death like I've wandered onto Reddit by accident I'll leave a more personal opinion. Just want to try and keep the tone cool here so it can be discussed. Thanks.

@damieng
damieng commented Apr 25, 2016 edited

I don't speak for the brew team but metrics/telemetry are essential for making informed decisions about where to take your tools or product. Being off by default is useless - hardly anyone changes the default.

Something like an occasional (and at first use/upgrade) "brew sends anonymous metrics to help improve this software. If you wish to opt-out type `brew metrics off`" at the end of a brew console operation would seem to be a fair trade?

Not everyone can give back code/docs to a project but refusing to even allow telemetry be on by default seems like a very one-sided deal.

@NickCraver

@damieng I honestly don't think the metrics themselves are a point of contention. I don't think I've seen anyone object to collecting metrics. The objections center around collecting metrics without consent. brew metrics off would be a great addition - that's much saner than expecting all users to know how to set an environmental variable.

I hope everyone is onboard with showing notices (both in the installer and when upgrading). If someone objects to notifying the user this is happening at all, then we should have a very different discussion.

@gmcmillan

@DomT4 In what way is there overzealous emoji usage? People are using those emojis as a form of communication because it is an established feature in GitHub and it is a quick way to show you are for or against a certain idea. It also prevents clutter with dozens/hundreds of people saying the exact same thing in written text. So I don't understand the hostility to the emojis in this case -- people are clearly communicating they don't agree with how this was implemented.

I have no problem with this feature as long as it's communicated to the user correctly and I don't believe it has in this case, which is why you guys are getting so much flak. Most people don't seem to have an issue with the collection, but with how it's communicated and enabled for users. I use homebrew a lot, but I never check homebrew twitter or the mailing list (and I highly doubt most users do) so I would have never known I was opted in to this.

Why wasn't this presented as an option at the command line for when the user next uses homebrew? That is the most obvious place I see where something like this should be presented to the user.

Homebrew collects anonymized statistics about your usage to better prioritize features and bugfixes. Staying opted-in would help us a ton in understanding your usage so we can make a better product for you, but we can understand if you want to opt-out.

Would you like to opt-in to the Homebrew analytics platform (powered by Google)? [yes/no]
@MikeMcQuaid MikeMcQuaid added a commit to MikeMcQuaid/install that referenced this issue Apr 25, 2016
@MikeMcQuaid MikeMcQuaid Notify about analytics more explicitly.
And avoid duplicating the message unnecessarily at the first
`brew update`.

References Homebrew/brew#142.
7f787a5
@NickCraver

Adding links to the original issue and PR as references/background:
Issue: Homebrew/legacy-homebrew#34101
PR: Homebrew/legacy-homebrew#50462

@MikeMcQuaid MikeMcQuaid referenced this issue in Homebrew/install Apr 25, 2016
Merged

Notify about analytics more explicitly. #42

@MikeMcQuaid MikeMcQuaid added a commit to MikeMcQuaid/brew that referenced this issue Apr 25, 2016
@MikeMcQuaid MikeMcQuaid Point to analytics documentation on brew update.
Make sure that users are notified on the first run of `brew update`
after we enabled analytics about how it works and how to opt-out. This
will be shown to all users who have not already seen this message from
`brew update` or through a new Homebrew installation.

References Homebrew/install#42
References Homebrew#142
165fd7c
@MikeMcQuaid MikeMcQuaid added a commit to MikeMcQuaid/brew that referenced this issue Apr 25, 2016
@MikeMcQuaid MikeMcQuaid Point to analytics documentation on brew update.
Make sure that users are notified on the first run of `brew update`
after we enabled analytics about how it works and how to opt-out. This
will be shown to all users who have not already seen this message from
`brew update` or through a new Homebrew installation.

References Homebrew/install#42
References Homebrew#142
48342ce
@MikeMcQuaid MikeMcQuaid added a commit that referenced this issue Apr 25, 2016
@MikeMcQuaid MikeMcQuaid Point to analytics documentation on brew update.
Make sure that users are notified on the first run of `brew update`
after we enabled analytics about how it works and how to opt-out. This
will be shown to all users who have not already seen this message from
`brew update` or through a new Homebrew installation.

References Homebrew/install#42
References #142
421cd53
@MikeMcQuaid
Member
MikeMcQuaid commented Apr 25, 2016 edited

Hi all, I've managed to get to some wifi and power so I can comment here, thanks for your patience; I would normally have responded to this thread ASAP but I was literally on an ✈️ with no internet connectivity available.

Firstly, I figured actions would speak louder than words so I've opened and merged Homebrew/install#42 and #143. Every Homebrew user will now be told on first install or first brew update that we have enabled analytics and be pointed to the documentation that explains why and how to opt out.

Secondly, I apologise for the way that this has been communicated poorly. At every stage of the process I've tried to ensure that anonymity can be entirely preserved while using analytics and been careful in the data we gather so that it's not identifiable or private. If you haven't already I strongly encourage you to read through https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md and raise any specific concerns you have with the implementation so that we can close any unintentional anonymity gaps.

Thirdly, the reason I made this opt-out rather than opt-in is so we can gather a representative understanding of the way people use Homebrew. If this was opt-in we'd gather only a sampling of the type of people who opt-in.

Finally, I apologise again. I hear the discomfort here and I'm sorry that I was not able to move more rapidly on your concerns. Thanks for being part of the Homebrew community.

@NickCraver
NickCraver commented Apr 25, 2016 edited

@mikemcquaid The message is appreciated, but that shouldn't be "the fix". Opting out shouldn't require all of the effort still involved here. For most users, the steps will be:

  1. Opening a browser
  2. Go to that link
  3. Read a 5KB file (to the very bottom)
  4. (likely) Learn how to set an environmental variable
  5. Create a .bash_profile
  6. Set the variable

...and hope the process worked (there's no confirmation).

The bar is still far, far too high. There should be something akin to brew metrics off as pitched above. Only adding a URL is the equivalent of saying "go figure it out" to most users. And let's be honest, most will give up before getting through those steps.

@bcardarella

@mikemcquaid I appreciate the response but I don't think this solves the problem. My original concern is that software that automatically opts you into analytics can prevent companies and government agencies from allowing the use of homebrew.

@MikeMcQuaid
Member

@bcardarella I appreciate that but it's worth mentioning that the majority of software products now use analytics in some form. No analytics are now sent before the messages are communicated and you can opt-out before that. It would be very simple for those organisations to write an install script for Homebrew that ensured that analytics are disabled before installation takes place.

@bcardarella
bcardarella commented Apr 25, 2016 edited

@mikemcquaid you're missing the point: certain organizations prevent the usage of any software that opts-in to analytics. Even if there is a work around to opt-out.

@DavidCWGA

The fact that "everyone is doing it" shouldn't make it OK. Homebrew targets developers who should know better. The sheer amount of noise occurring here should tell you that users don't want this.

@NickCraver

> I appreciate that but it's worth mentioning that the majority of software products now use analytics in some form.

I'm going to have to ask for a citation here, because I don't believe this to be accurate. Especially of projects on GitHub, how many are reporting analytics? Analytics are still fairly rare for most open source projects. In my experience, they're still very rare (as a percentage) for paid products as well.

@davb5
davb5 commented Apr 25, 2016

@bcardarella It's not even just certain organisations. I choose to use a tracker blocking extension in my browser because I know that environment is hostile towards user privacy. I don't expect to have to do this with mainstream terminal-based software like Homebrew.

@mikemcquaid I carefully vet software before installing on my machines (both personal and business). I do my research.

To introduce analytics with very little communication and with no affirmative agreement from end users is incredibly hostile.

It's very telling that you feel that opt-in wouldn't be as useful because many users wouldn't opt-in or agree for usage to be tracked. This is a sign that analytics isn't something that many end users feel comfortable with.

@MikeMcQuaid
Member

> To introduce analytics with very little communication and with no affirmative agreement from end users is incredibly hostile.

I've admitted my mistake and merged a PR that will communicate this to all users (Homebrew/install#42).

@MikeMcQuaid MikeMcQuaid added a commit to MikeMcQuaid/brew that referenced this issue Apr 25, 2016
@MikeMcQuaid MikeMcQuaid More analytics tweaks.
Provide a single command that can be run to disable analytics, run it if
`HOMEBREW_NO_ANALYTICS` is ever set and remove the user UUID file in
that case too.

References Homebrew#142.
f7ab9c9
@MikeMcQuaid
Member

> The bar is still far, far too high. There should be something akin to brew metrics off as pitched above. Only adding a URL is the equivalent of saying "go figure it out" to most users. And let's be honest, most will give up before getting through those steps.

@NickCraver I've added a single command that you can run to the documentation in #146 and made it so if you set the opt-out variable once then it will set the git config such that analytics will remain disabled. I'm not going to be able to do much more than this tonight as I've been up for >18 hours after taking a transcontinental flight.

@davb5
davb5 commented Apr 25, 2016

> I've admitted my mistake and merged a PR that will communicate this to all users (Homebrew/install#42).

I see that, but my point (and I believe that of a number of others here) is that you're still not requiring affirmative agreement. It's still an opt-out (enabled by default, requiring the user to take action to disable rather than agree to enable it).

I think that many here, myself included, would rather see it turned off by default.

Debian seem to have got this right with their popcon prompt.

@MikeMcQuaid MikeMcQuaid added a commit to MikeMcQuaid/brew that referenced this issue Apr 25, 2016
@MikeMcQuaid MikeMcQuaid More analytics tweaks.
Provide a single command that can be run to disable analytics, run it if
`HOMEBREW_NO_ANALYTICS` is ever set and remove the user UUID file in
that case too.

References Homebrew#142.
41592df
@MikeMcQuaid MikeMcQuaid added a commit that referenced this issue Apr 25, 2016
@MikeMcQuaid MikeMcQuaid More analytics tweaks.
Provide a single command that can be run to disable analytics, run it if
`HOMEBREW_NO_ANALYTICS` is ever set and remove the user UUID file in
that case too.

References #142.
df489cf
@MikeMcQuaid
Member

I've merged Homebrew/install#42 #143 #146 which is all I'm going to be able to do tonight. I really need to go get something to eat and then 💀 (and 😭) but will check this thread again tomorrow. Thanks to most people in this thread for keeping it civil and thanks for using Homebrew.

@davb5
davb5 commented Apr 25, 2016

> I'm not going to be able to do much more than this tonight as I've been up for >18 hours after taking a transcontinental flight.

I appreciate that you're trying to triage this. Most people are just upset that it came out of nowhere (for those of us who don't follow the repo or Twitter feeds closely, which most of us have agreed wasn't a reasonable communications channel for this).

Something as integral as a package manager can't, by its very nature, be easily sandboxed. And to become (and remain) the dominant package manager on a platform, Homebrew needs to have the complete trust of its users.

With the current climate of privacy-hostile applications, platforms, operating systems and governments, default-on telemetry gathering of any sort isn't really acceptable.

As a developer, I completely understand the drive to gather metrics. After all, they help us make our products better. They help us figure out more easily what users need. However I don't think it's unreasonable to be pushing a privacy-first ethos in our industry.

Metrics are valuable, but not at the expense of user trust. Debian Popcon seems to strike a good balance (default highlighted option on the install prompt is "off", IIRC).

@achikin
achikin commented Apr 26, 2016

@GrappigPanda hi there! I have contributed, I don't read twitter, hackernews and reddit. And I have something I can't share legally.

@zmwangx
Contributor
zmwangx commented Apr 26, 2016 edited

I find it kind of funny that there are still people arguing about opt-in and whether analytics should be done. Do you realize that when you clone and/or fetch brew.git and/or homebrew-core.git, GitHub collects analytics? And when you download bottles, Bintray collects analytics? You can argue that GitHub is the first-party (I doubt it), but Bintray is definitely a third party. These are analytics that are already in place. If analytics turns you away, you should be gone by now.

To answer a few specific questions:

> Especially of projects on GitHub, how many are reporting analytics?

How many projects on GitHub require internet connectivity beyond initial install? And how do you avoid analytics when you are connecting to any kind of server?

> certain organizations prevent the usage of any software that opts-in to analytics. Even if there is a work around to opt-out.

Why would your organization's ridiculous policy prevent Homebrew from being improved?

Just my two cents.

@NickCraver
NickCraver commented Apr 26, 2016 edited

> How many projects on GitHub require internet connectivity beyond initial install?

Most do not. Most have no reason to. Just go find any major project list and go down it. Here's the currently trending for example: https://github.com/trending

> Why would your organization's ridiculous policy prevent Homebrew from being improved?

This is an absolutely terrible way to have a conversation. It's not a ridiculous policy and many high-security environments (I've been involved in quite a few) have such a policy. Calling it "ridiculous" creates a needlessly bad and adversarial environment that helps no one.

@davb5
davb5 commented Apr 26, 2016

> Do you realize that when you clone and/or fetch brew.git and homebrew-core.git, GitHub collects analytics?

There's a difference here. I understand how the Git protocol works. I know exactly what data it transmits. I looked into this before I started using it. My Git client wasn't updated to include transmission of extra metrics without my knowledge. I had the information required to make an informed choice about using Git.

Homebrew, however, introduced metrics collection and transmission without affirmative consent. When I first started using it, this wasn't the case. I did my research, cleared it for use on my personal and work machines. This changed, and extra data was transmitted in a default-on manner, with no warning.

Essentially, Homebrew began behaving contrary to established conventions.

I'm very privacy conscious. But I do understand that many people don't care one way or another about privacy, analytics or usage tracking. The issue here is that the software broke the trust I had with it and took that choice away from me (by not advertising the changed behaviour and making the opt-out obvious).

It all comes down to communication, user choice, and pro-privacy, conservative defaults.

@freels
freels commented Apr 26, 2016 edited

FWIW, Apple asks users to opt-in to the submission of anonymous usage data. If Apple can sacrifice potential inaccuracy in usage data in order to respect user privacy, I don't see why homebrew cannot as well.

@zmwangx
Contributor
zmwangx commented Apr 26, 2016

@NickCraver

> > How many projects on GitHub require internet connectivity beyond initial install?
>
> Most do not. Most have no reason to.

Exactly. But Homebrew does. And with every project legitimately requiring internet connectivity, you can't avoid analytics. apt-get, pacman, PyPI, npm, etc. are all capable of collecting analytics info (I don't know if they use it or not) when you connect to their servers. (Not for all commands, I know, but granularity is not the point of debate here.) The reason Homebrew does this differently through Google Analytics is because it does not have its own central server for distribution.

@davb5

> I understand how the Git protocol works.

And you probably also understand how HTTP and curl work. You read analytics.sh and analytics.rb, you see what is being sent by curl and what is not, done.

> Homebrew, however, introduced metrics collection and transmission without affirmative consent.

If you read my comment carefully you'll realize that I didn't say consent is not needed. I'm all for the idea of a yes/no prompt upon initial install or update after shipping the analytics feature. What I found ridiculous is that there are people who want to overturn the decision of collecting analytics, or want to make it opt-in (which will render it completely useless, because most people wouldn't realize there's such an option). Read my first sentence again:

> I find it kind of funny that there are still people arguing about opt-in and whether analytics should be done.

@ntpd
ntpd commented Apr 26, 2016 edited

> What I found ridiculous is that there are people who want to overturn the decision of collecting analytics, or want to make it opt-in (which will render it completely useless, because most people wouldn't realize there's such an option).

Debian's popularity-contest is opt-in (defaulting to "no"), yet still collects a large amount of useful data.

@zmwangx
Contributor
zmwangx commented Apr 26, 2016 edited

@ntpd Homebrew installation process is often (if not mostly) automated. If you make it opt-in, then installing Homebrew non-interactively — either through the install script without connecting stdin to a tty or through git clone — will totally skip the opt-in prompt.

@davb5
davb5 commented Apr 26, 2016

@NickCraver Let's keep it civil. I've read your comments thoroughly. I think we're arguing semantics here. A yes/no prompt on installation is opt-in. If you say that you're in favour of that, then you're in favour of opt-in. Opt-in doesn't mean a silent default-off and an expectation that the user will dig around to find out how to enable analytics. Opt-in could mean a prompt on install (or first interactive run for existing users), with "no" selected by default, as per Debian's Popcon.

I do agree with the reservations people have with Google Analytics. As valuable as it is, Google do have a unique position where they could very easily correlate analytics events across app/device boundaries (using IP addresses, for instance). This means users have to put a lot of trust in Google that they'll obey their own privacy settings.

@ntpd has it right. Popcon does the analytics thing in the most respectful (default-off) and informative way. For the most part, I don't object to popcon on personal machines (restrictions in various enterprise environments are different). Popcon's hosted by Debian themselves, and the data is public. I get as much from Popcon as I put in, and it respects my decision to leave it off (by default).

@zmwangx
Contributor
zmwangx commented Apr 26, 2016

@ntpd Also, your opt-in data is definitely skewed. Those just represent package popularity among popularity-contest users. "Large amount" doesn't imply accuracy.

@ntpd
ntpd commented Apr 26, 2016

@zmwangx Most systems won't have the command line tools installed, as a result brew will almost never be installed without the user being present. Installation additionally requires a root password, which is requested interactively as part of the process.

@DomT4
Contributor
DomT4 commented Apr 26, 2016

@freels I'm sitting on a longer comment till later because it's 1:59am and I'd like to sleep at some point this evening, but Apple isn't a perfect example here.

If you run the betas every single update usage data is re-enabled regardless of your previous setting, and Spotlight regardless of stable/devel/beta status (unless you disable Spotlight suggestions) regularly sends back a semi-anonymous profile to Apple explicitly including some search terms.

Homebrew, at this point, is still not 1.0. This is noted in brew --version.

@zmwangx
Contributor
zmwangx commented Apr 26, 2016 edited

@ntpd

> Installation additionally requires a root password, which is requested interactively as part of the process.

Many people install Homebrew as part of a bootstrap process, where you could type your admin password once and walk away. And as I said there's also the git installation that totally bypasses any sort of interactive prompt.

@ntpd
ntpd commented Apr 26, 2016 edited

> Many people install Homebrew as part of a bootstrap process, where you could type your admin password once and walk away.

I'd like to see some examples of it being used in this way, but the simple solution is that the brew installation can use a --nointeraction parameter which defaults analytics to the safe option of False when a user is not able to consent.
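
The consent flow debated in the comments above (a prompt that defaults to "no", and analytics left off when nobody is present to answer), as an added shell example that is not part of the thread and is not Homebrew's code. `resolve_consent`, `is_interactive` and `CONSENT_FILE` are hypothetical names; `HOMEBREW_NO_ANALYTICS` is the opt-out variable named in the thread.

```shell
#!/bin/sh
# Added example, not Homebrew code: decide whether a CLI tool may send
# analytics. All names except HOMEBREW_NO_ANALYTICS are hypothetical.

# Where the user's recorded answer lives (hypothetical path).
CONSENT_FILE="${CONSENT_FILE:-${HOME:-/tmp}/.example-analytics-consent}"

# True only when a person can see the prompt and type an answer.
is_interactive() {
  [ -t 0 ] && [ -t 2 ]
}

# Prints "on" or "off". Precedence:
#   1. An explicit opt-out in the environment always wins.
#   2. A previously recorded answer is reused, so the user is asked once.
#   3. No terminal: nobody can consent, so the result is "off" and nothing
#      is recorded, which lets a later interactive run still ask.
#   4. Terminal: ask, treat anything except an explicit yes as "no",
#      and record the answer.
resolve_consent() {
  if [ -n "${HOMEBREW_NO_ANALYTICS:-}" ]; then
    echo off
    return 0
  fi

  if [ -r "$CONSENT_FILE" ]; then
    saved=""
    read -r saved < "$CONSENT_FILE" || true
    case "$saved" in
      on|off)
        echo "$saved"
        return 0
        ;;
    esac
    # Any other content is ignored and the user is asked again.
  fi

  if ! is_interactive; then
    echo off
    return 0
  fi

  # The prompt goes to stderr so stdout carries only the decision.
  printf 'Send anonymous usage statistics? [y/N] ' >&2
  answer=""
  read -r answer || true
  case "$answer" in
    y|Y|yes|Yes|YES) choice=on ;;
    *)               choice=off ;;
  esac

  # Record the answer with owner-only permissions.
  ( umask 077; printf '%s\n' "$choice" > "$CONSENT_FILE" )
  echo "$choice"
}
```

A caller would gate every send on `[ "$(resolve_consent)" = "on" ]`, so an unattended bootstrap run transmits nothing and leaves the question open for the next interactive session.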

@davb5
davb5 commented Apr 26, 2016

> If you make it opt-in, then installing Homebrew non-interactively, either through the install script without connecting stdin to a tty or through git clone, you don't get that prompt at all.

I think this is fine. Homebrew is a community project. Many people here object to default-on analytics. Let's respect that and leave metric collection off by default. I wish more projects, platforms and operating systems would do this. Data collection shouldn't be a default throughout our lives. The day I can't even install a package without telling Google about it is the day that data collection has gone too far.

@NickCraver

> Exactly. But Homebrew does. And with every project legitimately requiring internet connectivity, you can't avoid analytics.

This is not correct. There are proxies, blockers, anonymizers, and even Tor. All remote analytics are easily avoided and to some degree inherently are in large environments due to so many users coming from a single source.

@lacombar
lacombar commented Apr 26, 2016 edited

@mikemcquaid please get rid of the HOMEBREW_NO_ANALYTICS logic altogether, and only opt-in.

@lacombar

@zmwangx you can't avoid NSA spying either, though it doesn't make it right.

@ilovezfs ilovezfs locked and limited conversation to collaborators Apr 26, 2016
@DomT4
Contributor
DomT4 commented Apr 26, 2016

To clear confusion up a little this is likely not permanently locked, but this managed to reach the point last night where the CoC was getting trampled over. Since there was no maintainer "on station" to keep tabs on the situation locking was a reasonable step to ensuring things didn't deteriorate further in the meantime.

Please bear with us until that changes and we can be around to respond more than fleetingly. PRs were merged overnight to attempt to improve the situation.

If this actually needs saying, emailing maintainers sniping emails to their personal accounts at 5 in the morning isn't going to fly. Personal attacks and other malicious communications don't actually help us resolve anything here.

@xu-cheng xu-cheng unlocked this conversation Apr 26, 2016
@joshmanders

I'm gonna go against the grain and say thanks to the Homebrew team for being as transparent as possible about the data collected, and I will be keeping analytics turned on to help improve one of the most important pieces of software in my ecosystem.

@tylerault

How to get what you want without being creepazoids:

  • Prompt for opt-in on install/upgrade, defaulting to "in".
  • Start your prompt with something positive, like: "Help us improve Homebrew by..."

You'll get analytics from a majority of users, and appease users with privacy/security concerns. You may get somewhat skewed usage info away from the latter group, but that seems a small price for the respect of your user base.

Side note: I'm genuinely amazed the team is surprised that this move upset people in the programming community. Esp. the way it was executed. After Snowden and the FBI/Apple case... and this is a package manager... we're not exactly the least paranoid crowd.

@MikeMcQuaid
Member

Hi all, so we've had some time to think, chat and sleep and here's what's the current state of affairs:

We will:

  • continue to work on the software you use for free in our evenings and weekends on top of our jobs and try to make it better for you (as described by the docs: the analytics are there to make this free tool better)
  • modify the analytics implementation to improve privacy, implementation and messaging where people have reproducible cases or questions. A good example of a request: #145
  • consider moving to another analytics platform not run by Google if people have suggestions for one that is hosted and freely available for Homebrew to use

We will not:

  • be changing analytics to opt-in (in the near future, perhaps ever)
  • be letting people abuse maintainers (this includes name calling) anywhere, spam the repository or generally derail. We will block you from the Homebrew organisation temporarily if that happens and permanently if necessary. This is not censorship; you can say whatever you like on your own GitHub repository or blog: not here.
  • be motivated to work on Homebrew when people are abusive. If we are not motivated to work on Homebrew: Homebrew will not exist any more. The majority of people complaining have made no contributions to Homebrew.

Thanks for using Homebrew but if you feel these are unacceptable for you then there are other OS X package managers you can use instead. If you decide to stop using Homebrew (I notice some people in this thread already have said that on Twitter) please do not post again in this issue.

@bcardarella

I sense a hostile fork coming

@joshmanders

@bcardarella

I sense a hostile fork coming

Because the maintainers won't tolerate abuse towards them? Good luck.

@bcardarella

@joshmanders no, because the collection of analytics is a hard stop for certain use cases.

@damieng
damieng commented Apr 26, 2016

But as has been pointed out it's now simple to opt-out. Given the people complaining haven't contributed much (anything?) to brew over its multi-year history I imagine the fork wouldn't be up to much.

@joshmanders

@bcardarella is the work necessary to opt-out so hard you're actually willing to fork and maintain an alternate homebrew? Extra good luck.

@MikeMcQuaid
Member

@bcardarella If people want to do so then good luck to them (they will need it).

@davb5
davb5 commented Apr 26, 2016 edited

Because the maintainers won't tolerate abuse towards them? Good luck.

I feel like I'm missing something here. Things got particularly heated but I didn't see any outright abuse. Was this off-channel somewhere else?

The majority of people complaining have made no contributions to Homebrew.

For some people, this is their contribution. I haven't contributed to Homebrew otherwise. I am, however, a user. I felt that taking part in the discussion might help make Homebrew better for everyone - the privacy-conscious and those who want more metrics in order to further improve the tool.

be changing analytics to opt-in (in the near future, perhaps ever)

I really hope you'll reconsider. A package manager is a critical piece of code. It has to be completely bulletproof, in terms of both performance and behaviour. It's so vital to most users that it isn't worth tinkering with. I think there would be just as much backlash if Chocolatey, OneGet or apt-get started calling home with anonymised metrics.

I'm not completely against analytics (though I do have reservations). I just don't think it should be a default-on situation. At the very least, a Y/N prompt (as many, many other platforms offer) would be a compromise.

continue to work on the software you use for free in our evenings and weekends on top of our jobs and try to make it better for you

I think that most of us commenting here were doing so in our free time, because we all want to make the tool better.

With the way this was snuck in with no real notification, the acknowledgement that making it opt-in would turn off many users (that's a red flag in itself) and the response here (essentially "my way or the highway") I'm really disappointed.

@MikeMcQuaid
Member
MikeMcQuaid commented Apr 26, 2016 edited

Was this off-channel somewhere else?

@davb5 Yes.

I really hope you'll reconsider.

We will not.

A package manager is a critical piece of code. It has to be completely bulletproof, in terms of both performance and behaviour. It's so vital to most users that it isn't worth tinkering with.

I don't understand the point here?

For some people, this is their contribution.
I think that most of us commenting here were doing so in our free time, because we all want to make the tool better.

While I appreciate that: the tool does not get better without pull requests.

With the way this was snuck in with no real notification, the acknowledgement that making it opt-in would turn off many users (that's a red flag in itself) and the response here (essentially "my way or the highway") I'm really disappointed.

Please don't use quote marks when you aren't going to quote me. Last night I added a message that every Homebrew user will see on update. If you don't see that as any sort of compromise, I'm really not sure what else to say.

@wlewis-sst

[We will not] be motivated to work on Homebrew when people are abusive. If we are not motivated to work on Homebrew: Homebrew will not exist any more. The majority of people complaining have made no contributions to Homebrew.

Not that abuse is justifiable, but have you considered that your own actions may be abusive? Personally, I felt violated when I saw homebrew connecting to Google without notice and without my permission. Now that you have given notice, I still feel abused because you are not asking us for permission. You're assuming it.

Please, please, please ask permission. The default can be yes. But if you don't ask, you're being abusive.

@zmwangx
Contributor
zmwangx commented Apr 26, 2016 edited

I wasn't able to reply to a few comments directed at me yesterday after the issue was locked. Since then Mike has made it very clear and final, so I'll make one final comment as a courtesy to people who replied to me, and unsubscribe from this issue.

@ntpd

I'd like to see some examples of it being used in this way

I do. Since I don't use other people's bootstrapping scripts, I can't seem to give a good example right now where Homebrew is installed non-interactively, but git-cloning is definitely an important channel of installation — many of us don't like curl pipe into interpreter, let alone giving it root privilege. If you just want an example of Homebrew installation as part of a bootstrapping process, thoughtbot/laptop is one (I just took a closer look and although they set up /usr/local for Homebrew manually, they still run the installation script interactively, which is rather weird — they could very well just install via git).

but the simple solution is that the brew installation can use a --nointeraction parameter which defaults analytics to the safe option of False when a user is not able to consent.

FYI, you don't need an option. Just run the install script with stdin redirected to /dev/null, and it will skip all the interactive prompts. Still, analytics should be opt-out. The decision has been made anyway.

@davb5

Many people here object to default-on analytics. Let's respect that and leave metric collection off by default.

Many people? I see 115 people upvoting this issue, and even upvoting doesn't mean they object to default-on analytics. It could mean they didn't like how the rollout process was executed, and honestly it could have been better, but (1) it happened; (2) it has already been improved. What more do you expect?

Internet forums have a magnifying effect where a few users complaining (especially passionate ones leaving many comments) could feel like "many people".

@NickCraver

This is not correct. There are proxies, blockers, anonymizers, and even Tor. All remote analytics are easily avoided and to some degree inherently are in large environments due to so many users coming from a single source.

Sure. But how is calling home with an anonymous UUID any different? What's the harm when your UUID behind your anonymized IP can't be matched to you as an individual? Also, server logs can't be erased on your part, but calling home with analytics can be disabled.

@lacombar

you can't avoid NSA spying either, though it doesn't make it right.

This is such a straw man argument on every single level, it's impossible to reply.


Again, this will be my last comment, so even if you come back at me, you won't hear anything from me again on this thread. Sorry.
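The two mechanisms discussed in the comments above (ntpd's proposal to default analytics to off when nobody can consent, and the stdin check that makes an install non-interactive) fit together as follows. This is an added example, not Homebrew's code: `HOMEBREW_NO_ANALYTICS` is the opt-out variable named in this thread, while the function name, the consent file path and the prompt wording are hypothetical.

```shell
#!/bin/sh
# Added example (not Homebrew's code): decide whether analytics may be sent,
# treating "nobody was asked" as "no".
# HOMEBREW_NO_ANALYTICS is the variable named in the thread; CONSENT_FILE
# and analytics_allowed are hypothetical names chosen for this example.

CONSENT_FILE="${CONSENT_FILE:-$HOME/.example_analytics_consent}"

# Returns 0 if analytics may be sent, 1 otherwise.
analytics_allowed() {
    # 1. An explicit opt-out always wins, even over a stored "yes".
    if [ -n "${HOMEBREW_NO_ANALYTICS:-}" ]; then
        return 1
    fi

    # 2. A previously recorded answer is honoured without asking again.
    if [ -f "$CONSENT_FILE" ]; then
        if [ "$(cat "$CONSENT_FILE")" = "yes" ]; then
            return 0
        fi
        return 1
    fi

    # 3. stdin is not a terminal (piped install, </dev/null, cron, CI):
    #    nobody can answer, so stay off. Nothing is recorded, so a later
    #    interactive run can still ask.
    if [ ! -t 0 ]; then
        return 1
    fi

    # 4. Interactive: ask once, default to "no", remember the answer.
    printf 'Send anonymous usage data to help improve this tool? [y/N] ' >&2
    read -r answer || answer=""
    case "$answer" in
        [Yy]|[Yy][Ee][Ss])
            echo yes > "$CONSENT_FILE"
            return 0
            ;;
        *)
            echo no > "$CONSENT_FILE"
            return 1
            ;;
    esac
}
```
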

@davb5
davb5 commented Apr 26, 2016 edited

Please don't use quote marks when you aren't going to quote me.

@mikemcquaid, If I was quoting verbatim, I'd have used GFM quote syntax. Like this...

if you feel these are unacceptable for you then there are other OS X package managers you can use instead

The "essentially" qualifier there was to signify that I was summing up, not directly quoting. I'm sure absolutely no-one was confused by this.

If people were being abusive off-channel then that's absolutely unacceptable. It's disappointing that some people have resorted to that. I understand the frustration from both sides here.

While I appreciate that: the tool does not get better without pull requests.

Whether creating PRs or not, I think using the tool and encouraging others to do so (to the point that it has become one of the primary package managers on OSX) means that we all have a vested interest in how the platform is developed.

Would a PR asking "is this OK, Y/N" on first interactive run be merged? Or would it be a waste of time?

@damieng
damieng commented Apr 26, 2016 edited

I think people should also remember that whenever you install a package today over http(s) via whatever mechanism (brew, fink, apt-get) whoever is running the server hosting that package has your IP address and knows what you downloaded from them.

You don't give them permission and they certainly haven't written any formal policies about what they do with the data but chances are it is logged to disk (80% of the web runs on either Apache, IIS or Nginx and all log access by default) that could be further analyzed.

@davb5
davb5 commented Apr 26, 2016

I think people should also remember that whenever you install a package today over http(s) via whatever mechanism (brew, fink, apt-get) whoever is running the server hosting that package has your IP address and knows what you downloaded from them.

I think the difference is that the party involved here has access to a lot more of our data. It's the "creepy factor" as much as anything else. It's not just the Homebrew admins grepping through server logs, it's our data being shared with a third party without our affirmative consent. Which may indeed be illegal under various jurisdictions' data protection legislation.

As @zmwangx has said, I don't think we're getting anywhere further here. People are getting frustrated and upset about this change, the way it was rolled out and communicated, and the way people (on both sides of the debate) have acted.

If the decision has been made and we refuse to budge on it, I think we'll have to just leave it here. It's not worth going back and forth and upsetting each other further.

@nemesit
nemesit commented Apr 26, 2016

Just remove this feature entirely, it's not like it'll be ever anonymous (you can trust google all you want but they are the ones who anonymize what they receive), or make it run on your own server.

@bfontaine
Member

@davb5 If nobody submitted PRs Homebrew would be dead by now, whatever its users count is. There are a lot of examples in OSS of people who didn’t like some piece of software and went to write their own; even Homebrew is one of them (Max Howell didn’t like MacPorts so he wrote Homebrew).

@nemesit We don’t want to manage yet another server.

@agh
agh commented Apr 26, 2016

RE: #142 (comment)

@mikemcquaid Respect your comments above. Wanted to suggest you look at Piwik for analytics. Honestly doesn't bother me that you're opt-out, or using Google Analytics, I think the adaptations you've made to make it easy to disable are sufficient and satisfactory. Obviously others may disagree. 👍

@nemesit
nemesit commented Apr 26, 2016

and your users don't want analytics (most of them) I guess that's also the reason why it is opt out instead of opt in in the first place ;-p

@joshmanders

Being opt-out vs opt-in doesn't mean "your users don't want analytics (most of them)" it means that most are satisfied with default configuration and do not go any farther as to customize. I know I don't. So even though I had been alerted to this via this discussion, I would have never known, and most likely had never enabled it despite wanting to help improve the software.

They've fixed some issues regarding it. If running a simple command to disable analytics is too troublesome for you, by all means, uninstall homebrew and manually install all these packages yourself.

I don't understand why you keep arguing about this. The team has expressed it's not going to change, so either accept it and move on, or don't accept it, and maintain your own fork with that one thing removed.

You're making a mountain out of an ant hill.

@nemesit
nemesit commented Apr 26, 2016

being opt out means "we don't want to ask our users whether they want to opt in because we know the majority would not opt in"!

@MikeMcQuaid
Member

I think we've taken this issue as far as it can. I appreciate all the feedback and thoughts here and will keep it in mind going forward.

@MikeMcQuaid
Member

I don't understand why you keep arguing about this. The team has expressed it's not going to change, so either accept it and move on, or don't accept it, and maintain your own fork with that one thing removed.

This.

@clshrock
clshrock commented Apr 26, 2016 edited

Glad to find this out now. You guys burned bridges today and yesterday.

Explicitly, convention over configuration embodies the understanding that the default behavior should be the safest and most user-friendly. Your decisions and then your handling of the feedback betray that you value your own motives ahead of your users. I hope the future will lead to different outcomes.

@joshmanders

Your decisions and then your handling of the feedback betray that you value your own motives ahead of your users.

Oh yes, wanting to provide a better product to their users is their own motive. Such a horrible act, have you no shame?!

Seriously, just disable it if you don't want it. It's not hard.

@clshrock
clshrock commented Apr 27, 2016 edited

Seriously, just disable it if you don't want it. It's not hard.

I am very glad that you can at least disable it. But like it was posted previously, it is yet another project that values taking what they want by default without asking first.

And now, to continue using homebrew, not only will I have to maintain that setting and verify that it is being honored in all future versions, but you have proven that I now must audit your software for future actions because I cannot trust that you have my best interest at heart.

It is further unfortunate that you refuse to consider the slight against your users that we are communicating has occurred.

You could have decided to save analytics data locally and then ask periodically if the user would like to submit the data to help you out. But no, you force opt-out only internet analytics on everyone and then get incensed when there is push-back from your users.

@MikeMcQuaid
Member

And now, to continue using homebrew, not only will I have to maintain that setting and verify that it is being honored in all future versions, but you have proven that I now must audit your software for future actions because I cannot trust that you have my best interest at heart.

If you feel that way: please use another package manager.

On which note it seems I cannot leave this thread open so I'm locking it. Do not open new threads on this topic.

@MikeMcQuaid MikeMcQuaid locked and limited conversation to collaborators Apr 27, 2016