Require user consent before sending any telemetry #176269
Comments
@isidorn It's been a month and this is now the 12th most upvoted issue in the repository. Would you check it out when you can? |
I agree with @aitor-gomila. Telemetry has to be opt-in instead of opt-out. The official Visual Studio Code Documentation (see Telemetry Information, GDPR and VSCode) And then: It looks like at this moment you do not state full compliance with the GDPR. Do I understand it correctly? So the question is: As there are users who take their privacy very seriously, an official answer from Microsoft is kindly expected within two weeks, until the 3rd of June, 2023. |
Reminder Hello VS Code team, please be informed that the question regarding GDPR compliance has not been answered yet. Please give an answer within the next week, until the 16th of June. Thanks! |
Perhaps some of us could start working on this? |
@aitor-gomila What do you mean, providing a pull request? I do not see any intention from the maintainers to collaborate on this issue. |
Well, I still have faith that VSCode's team will understand this issue (they haven't rejected it yet, they just haven't responded). However, we don't need the maintainers' support. VSCode is open source for a reason. It shouldn't be hard. Disable telemetry by default (as it should be), and show a fullscreen prompt asking to enable it, describing all it does. |
@aitor-gomila The official VSCode build which is available for download is NOT open source. Quote from the VSCode Readme:
Afaik, the "Code - OSS" source is already telemetry-free, but Microsoft includes telemetry as a "Microsoft-specific customization" for their VSCode build. So this issue is more about the official build than the source. See also the VSCodium project. |
I know VSCodium, but the point is that if someone has written the code already, they will have no "ethical" reason to reject the feature. |
If MS has extended the VSCodium source with closed source, then what kind of license does the VSCodium have that allows MS to make it part of a closed source product? I know some licenses allow this, but just checking out of curiosity. "No ethical reason to reject the feature" I'm not sure how this can be done, if the MS part of the code enables telemetry by default, and the MS part is closed source, then how can someone create a feature to turn it off? |
The telemetry code is open source. It's just off by default in Code - OSS. The problem: It's enabled by default in Microsoft VS Code. Most users won't notice. Even the most advanced users who have the intention to manually disable it, it'll already have been sent. The solution: Implement all this code in Code - OSS, and send a PR to Microsoft. From the point of view of the press, it's very ugly that there is a proposal to improve VSCode privacy, and Microsoft avoids it. BTW: I'm conscious the VSCode team is full of very good people, and I'm sure most of you will agree to this and more things. I didn't want to sound too harsh to you, you're just working for MS :) |
Is the team aware of this issue @isidorn? |
@aitor-gomila
I see your point, we could give it a try. I would appreciate it if anyone creates a pull request with a telemetry consent dialog when VSCode is first started. If we are lucky the VSCode maintainers will merge it. Unfortunately I am not familiar with the VSCode codebase and currently do not have the time to study it and contribute. |
I am currently busy with other projects. I will study the possibility of implementing it myself when possible. |
Second Reminder Hello VS Code team, on the 19th of May 2023 you have been asked whether you comply with the GDPR. On the 9th of June you have been reminded that the question is still open. Until today, the 30th of July, you have not given any reply. Some users take their privacy very seriously and for them GDPR compliance is a fundamental question. Please give an answer within the next week until the 8th of July. Thanks! |
Default Hello VS Code team, you were asked whether you comply with the GDPR on the 19th of May 2023. You were reminded twice and given more than enough time for a response. Until today, the 9th of July, you have not given any reply. From now on you are in default. It is concluded that you do not respect the users' privacy, do not comply with the GDPR and ignore any users' objections against your negligent way of personal data processing. |
Microsoft gonna Microsoft |
They must be sued. It's the only language they'll understand. Fines for GDPR violations can go up to 4 % of their total global turnover. That should make them notice. |
Here's how you (and all of us) have to handle it, according to the GDPR:
In your message to the DPO, refer to art. 7(1) of the GDPR, which has this to say:
Point out that you did not give consent for the data to be collected, nor were you asked about it. Per GDPR, they're supposed to be transparent about the way personal data are handled (see Art. 5). They ought to tell you: what personal data are collected, for what purpose, for how long the data are stored, with whom the data are shared (this could be buried somewhere deep in the UI). Give them ~2 weeks to respond. If you receive no feedback, then:
But step 0 would be to think about the situation and consider what data are collected. Are those personal data? Does Microsoft, perhaps, have a "legitimate interest" in collecting this information?
@nandlab no, it is not concluded yet. It might be the case, but the right course of action is to get there through the means the GDPR gives us. The regulation says you should contact the DPO, and eventually lodge a complaint with the DPA; it doesn't say that programmers on Github have to monitor issues and are responsible for handling privacy-related stuff. To play this game well, you have to play by the rules; let the DPO know about it - and if they're still silent, they might be more responsive if they get a call from a DPA ;-) |
@isidorn given this issue has been going on for a year, and seeing it's in the backlog (does that mean it's accepted?), would you accept PRs from the community for this issue? |
VSCode doesn't ask for consent from the user when sending telemetry, it's an opt out. Even if you disable telemetry after installing VSCode, some data will already have leaked out, which is inconvenient for e.g. enterprise users (see #33184)
The TelemetryLogger API is a great step towards making it easier for the user to actually see what is being sent. I propose:
When Atom added telemetry, they didn't ask for consent or even give a notice, and that was a whole scandal at the time.
Why should VSCode be any different? Especially with GDPR, which you say you comply with but you really don't.
P.S: I accidentally created this issue in the Dart VSCode extension repository. The maintainer replied and he said he agreed. I did not EVEN know that extension collected telemetry, so that's a sign there is margin for improvement.
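
The difference between opt-out and opt-in described in the issue text above, as an added example that is not VS Code's code and not part of the original issue: the same first-run sequence is replayed under both defaults to show which events leave the machine before the user can decline. `TelemetryGate`, `firstRun` and the event names are hypothetical and constructed for illustration.

```typescript
// Added illustration; none of these names are VS Code APIs.
type Decision = "unset" | "granted" | "denied";
type Policy = "opt-out" | "opt-in";
interface TelemetryEvent { name: string; data: Record<string, string> }

class TelemetryGate {
  private decision: Decision = "unset";
  private policy: Policy;
  // Stands in for the network transport and doubles as a user-visible audit log.
  readonly sent: TelemetryEvent[] = [];

  constructor(policy: Policy) {
    this.policy = policy;
  }

  private allowed(): boolean {
    if (this.decision === "granted") return true;
    if (this.decision === "denied") return false;
    // No decision yet: opt-out transmits, opt-in stays silent.
    return this.policy === "opt-out";
  }

  // Returns true only if the event was actually transmitted.
  log(event: TelemetryEvent): boolean {
    if (!this.allowed()) return false;
    this.sent.push(event);
    return true;
  }

  setDecision(decision: "granted" | "denied"): void {
    this.decision = decision;
  }
}

// Constructed first-run sequence: two events fire at startup, the user then
// declines telemetry, and one more event fires afterwards.
function firstRun(policy: Policy, answer: "granted" | "denied" = "denied"): string[] {
  const gate = new TelemetryGate(policy);
  gate.log({ name: "startup", data: { os: "linux" } });
  gate.log({ name: "workspaceOpened", data: { folders: "1" } });
  gate.setDecision(answer);
  gate.log({ name: "editorClosed", data: {} });
  return gate.sent.map((e) => e.name);
}
```

Under the opt-out default the two startup events are already in `sent` by the time the user declines; under opt-in nothing is transmitted until an explicit `granted`.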