Make telemetry Data opt-in

[furti]

• VSCode Version: 1.22.1
• OS Version: Windows 10

Steps to Reproduce:

1. Start VS Code 1.22.1 for the first time
2. Now a notification pops up that tells me, that telemetry data is collected and I can opt-out

Does this issue occur when all extensions are disabled?: Yes

1. I am not sure about this but I don't think collecting telemtry data by default will conform to the General Data Protection Regulation of the EU that becomes effective in May 2018. It would be better to disable it per default and tell the user to enable it if he want's to share data with you.

2. When I checked the privacy policy linked in the notification popup (https://privacy.microsoft.com/en-us/privacystatement) I can't find anything about the data collected by vs code. This is a very important information. This can be a big showstopper for using vscode in some companies, wen data is sent and nobody knows what data this is.

[kieferrm]

@furti thanks for bringing this up. As you can imagine GDPR is a big deal for a company like Microsoft. All products have been working with legal counsel to achieve compliance. Our current understanding is that our notification is a correct implementation of GDPR. All of our code that sends telemetry is Open Source right here in this repo and it is annotated with which events and properties we send. Look for __GDPR__ comments in our code.

[furti]

@kieferrm thank you for your answer. Maybe the opt-out is a correct implementation of GDPR. I'm not a lawyer 😄
But forcing people to scan your code for comments, and furthermore to learn how your code is structured and how it works, is definitely not transparent at all.

For example I did a quick search for GDPR in your code and randomly selected a file (workspaceStats.ts:342)

                          /* __GDPR__
				"workspce.tags" : {
					"${include}": [
						"${WorkspaceTags}"
					]
				}
			*/
			this.telemetryService.publicLog('workspce.tags', tags);

I don't even know what workspace tags are. So I have to invest half an hour, an hour, maybe two to fully understand what data is sent in this case. The search for GDPR found 60 occurences in your code. So I have to invest about a week to fully understand what data is sent by your application. And for the next version i will have to do the same. Maybe there is something new or something changed.

And the people who decide such things in a company mostly don't code at all. So it isn't even possible for them to understand the data sent by the application by scanning the code.

At least an human readable version of the data collected by you should be available.

[Thf772]

Opt-out is not valid for GDPR. It is one of the reasons invoked in the massive lawsuits Microsoft and other GAFAM companies are currently facing.

[ramya-rao-a]

With #54001, we are rolling out a feature in the next update where one can take a look at all the telemetry events and their payload in the product in real time. You can try it out in the latest Insiders or wait for the next update to the stable version.