
Require user consent before sending any telemetry #176269

Open
ghost opened this issue Mar 6, 2023 · 19 comments
Labels
telemetry Telemetry system issues under-discussion Issue is under discussion for relevance, priority, approach
Comments

@ghost

ghost commented Mar 6, 2023

VSCode doesn't ask for consent from the user when sending telemetry; it's opt-out. Even if you disable telemetry after installing VSCode, some data will already have leaked out, which is inconvenient for e.g. enterprise users (see #33184).

The TelemetryLogger API is a great step towards making it easier for the user to actually see what is being sent.

I propose:

  • Inform the user that there is telemetry and what is being sent through it. Inform them that extensions can send telemetry too.
  • There's a doc page explaining that, but it would reach more people if it were shown in the VSCode GUI, at startup, possibly simplified.
  • Ask for consent before sending any telemetry at all.


When Atom added telemetry, they didn't ask for consent or even give a notice, and that was a whole scandal at the time.

Why should VSCode be any different? Especially with GDPR, which you say you comply with but you really don't.

P.S.: I accidentally created this issue in the Dart VSCode extension repository. The maintainer replied and said he agreed. I did not EVEN know that extension collected telemetry, so that's a sign there is margin for improvement.

@joyceerhl joyceerhl assigned lramos15 and unassigned DonJayamanne Mar 7, 2023
@isidorn isidorn assigned isidorn and unassigned lramos15 Mar 7, 2023
@isidorn isidorn added this to the Backlog milestone Mar 7, 2023
@isidorn isidorn added telemetry Telemetry system issues under-discussion Issue is under discussion for relevance, priority, approach labels Mar 7, 2023
@ghost ghost changed the title Be more transparent about telemetry Make telemetry clearer and require user consent before sending anything Apr 17, 2023
@ghost ghost changed the title Make telemetry clearer and require user consent before sending anything Require user consent before sending any telemetry Apr 17, 2023
@ghost
Author

ghost commented May 6, 2023

@isidorn It's been a month and this is now the 12th most upvoted issue in the repository. Would you check it out when you can?

@nandlab

nandlab commented May 19, 2023

I agree with @aitor-gomila. Telemetry has to be opt-in instead of opt-out.

The official Visual Studio Code Documentation (see Telemetry Information, GDPR and VSCode) states:
"In addition to supporting the General Data Protection Regulation (GDPR), the VS Code team takes privacy very seriously."

And then:
"We expect our approach to evolve as we learn more about GDPR and the expectations of our users."

It looks like at this moment you do not state full compliance with the GDPR. Do I understand it correctly?

So the question is:
Does the VS Code completely support the GDPR?

As there are users who take their privacy very seriously, an official answer from Microsoft is kindly expected within two weeks, until the 3rd of June, 2023.

@nandlab

nandlab commented Jun 8, 2023

Reminder

Hello VS Code team,

please be informed that the question regarding GDPR compliance has not been answered yet.

Please give an answer within the next week until the 16th of June.

Thanks!

@ghost
Author

ghost commented Jun 9, 2023

Perhaps some of us could start working on this?

@nandlab

nandlab commented Jun 9, 2023

> Perhaps some of us could start working on this?

@aitor-gomila What do you mean, providing a pull request? I do not see any intention from the maintainers to collaborate on this issue.

@ghost
Author

ghost commented Jun 10, 2023

> Perhaps some of us could start working on this?
>
> @aitor-gomila What do you mean, providing a pull request? I do not see any intention from the maintainers to collaborate on this issue.

Well, I still have faith that VSCode's team will understand this issue (they haven't rejected it yet, they just haven't responded). However, we don't need the maintainers' support. VSCode is open source for a reason.

It shouldn't be hard. Disable telemetry by default (as it should be), and show a fullscreen prompt asking to enable it, describing all it does.

@nandlab

nandlab commented Jun 10, 2023

> VSCode is open source for a reason.

@aitor-gomila The official VSCode build which is available for download is NOT open source. Quote from the VSCode Readme:
"Visual Studio Code is a distribution of the Code - OSS repository with Microsoft-specific customizations released under a traditional Microsoft product license."

> It shouldn't be hard. Disable telemetry by default (as it should be), and show a fullscreen prompt asking to enable it, describing all it does.

Afaik, the "Code - OSS" source is already telemetry-free, but Microsoft includes telemetry as a "Microsoft-specific customization" for their VSCode build. So this issue is more about the official build than the source.

See also the VSCodium project.

@ghost
Author

ghost commented Jun 10, 2023

I know VSCodium, but the point is that if someone has written the code already, they will have no "ethical" reason to reject the feature.

@marcusobrien

If MS has extended the VSCodium source with closed source, then what kind of license does VSCodium have that allows MS to make it part of a closed source product? I know some licenses allow this, but just checking out of curiosity.

> No ethical reason to reject the feature

I'm not sure how this can be done: if the MS part of the code enables telemetry by default, and the MS part is closed source, then how can someone create a feature to turn it off?

@ghost
Author

ghost commented Jun 10, 2023

The telemetry code is open source. It's just off by default in Code - OSS.

The problem: It's enabled by default in Microsoft VS Code. Most users won't notice. Even for the most advanced users who intend to disable it manually, it'll already have been sent.
Microsoft's website explicitly states Visual Studio Code is open source, or based on open source. This is misleading.

The solution: Implement all this code in Code - OSS, and send a PR to Microsoft.

From the point of view of the press, it's very ugly that there is a proposal to improve VSCode privacy, and Microsoft avoids it.
If we implement it as a community, we have the power to decide the important things - those that corporations avoid. Express clearly what telemetry does, and a simple and concise way to disable it. Remember the cookie dialogs? They're horrible - because it's convenient for them that we accept them. This is the same. No regulation changes software. And if we have been given the power to shape open source - in my opinion, it's beneficial to do it.

BTW: I'm conscious the VSCode team is full of very good people, and I'm sure most of you will agree to this and more things. I didn't want to sound too harsh to you, you're just working for MS :)

@ghost
Author

ghost commented Jun 26, 2023

Is the team aware of this issue @isidorn?

@nandlab

nandlab commented Jun 30, 2023

@aitor-gomila

> The solution: Implement all this code in Code - OSS, and send a PR to Microsoft.
> From the point of view of the press, it's very ugly that there is a proposal to improve VSCode privacy, and Microsoft avoids it.

I see your point, we could give it a try. I would appreciate it if anyone creates a pull request with a telemetry consent dialog when VSCode is first started. If we are lucky the VSCode maintainers will merge it.

Unfortunately I am not familiar with the VSCode codebase and currently do not have the time to study it and contribute.

@ghost
Author

ghost commented Jun 30, 2023

I am currently busy with other projects. I will study the possibility of implementing it myself when possible.
I would appreciate it if some other dev joined me in a Liveshare session, or via git, in order to have a more plural and collective perspective on doing it :)

@nandlab

nandlab commented Jun 30, 2023

Second Reminder

Hello VS Code team,

on the 19th of May 2023 you have been asked whether you comply with the GDPR. On the 9th of June you have been reminded that the question is still open.

Until today, the 30th of July, you have not given any reply.

Some users take their privacy very seriously and for them GDPR compliance is a fundamental question.

Please give an answer within the next week until the 8th of July.

Thanks!

@nandlab

nandlab commented Jul 9, 2023

Default

Hello VS Code team,

you were asked whether you comply with the GDPR on the 19th of May 2023.

You were reminded twice and given more than enough time for a response.

Until today, the 9th of July, you have not given any reply.

From now on you are in default.

It is concluded that you do not respect the users' privacy, do not comply with the GDPR and ignore any users' objections against your negligent way of personal data processing.

@bartonip

Microsoft gonna Microsoft

@felixfischer

They must be sued. It's the only language they'll understand. Fines for GDPR violations can go up to 4 % of their total global turnover. That should make them notice.

@ralienpp

Here's how you (and all of us) have to handle it, according to the GDPR:

  1. Contact the DPO (data protection officer) of Microsoft and point them to this discussion. The contact details are here: https://learn.microsoft.com/en-us/compliance/regulatory/gdpr-data-protection-officer.
Data subjects may contact the data protection officer by filling out the webform at https://aka.ms/privacyresponse.

The DPO can also be reached by post at:

Microsoft EU Data Protection Officer
One Microsoft Place
South County Business Park
Leopardstown
Dublin 18
D18 P521
Ireland
Telephone: +353 (1) 706-3117

In your message to the DPO, refer to art. 7(1) of the GDPR, which has this to say:

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

Point out that you did not give consent for the data to be collected, nor were you asked about it. Per GDPR, they're supposed to be transparent about the way personal data are handled (see Art. 5). They ought to tell you: what personal data are collected, for what purpose, for how long the data are stored, with whom the data are shared (this could be buried somewhere deep in the UI). Give them ~2 weeks to respond. If you receive no feedback, then:

  2. Contact your local DPA (data protection authority) and lodge a complaint (see art. 77 of the GDPR):

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

But step 0 would be to think about the situation and consider what data are collected. Are those personal data? Does Microsoft, perhaps, have a "legitimate interest" in collecting this information?

> It is concluded that you do not respect the users' privacy, do not comply with the GDPR and ignore any users' objections against your negligent way of personal data processing.

@nandlab no, it is not concluded yet. It might be the case, but the right course of action is to get there through the means the GDPR gives us. The regulation says you should contact the DPO, and eventually lodge a complaint with the DPA; it doesn't say that programmers on GitHub have to monitor issues and are responsible for handling privacy-related matters. To play this game well, you have to play by the rules: let the DPO know about it, and if they're still silent, they might be more responsive if they get a call from a DPA ;-)

@kaixoo

kaixoo commented Aug 1, 2024

@isidorn given this issue has been going on for a year, and seeing it's in the backlog (does that mean it's accepted?), would you accept PRs from the community for this issue?
