netlify still connects to telemetry server when user does not consent to telemetry!

[sneak]

Bug

- What is the current behavior?

I ran netlify --telemetry-disable on a fresh install (rm -rf ~/.netlify) and it connected to cli.netlify.com:

- If the current behavior is a bug, please provide the steps to reproduce.

1. install netlify cli via yarn/npm
2. run netlify --telemetry-disable

- What is the expected behavior?

Expected: I'm not spied on.

Actual: Your app violates my consent.

- Local Environment Information

Paste the results of netlify status --verbose and netlify version here

sneak@nostromo:~$ netlify status --verbose
Not logged in. Please log in to see site status.

Login with "netlify login" command
sneak@nostromo:~$

sneak@nostromo:~$ netlify version
netlify-cli/2.32.0 darwin-x64 node-v13.1.0
sneak@nostromo:~$

Dear Netlify

Dear Netlify:

I use and really like your service. I was happy to hear you guys raised some money recently. I was deeply disappointed to see that you have telemetry enabled in your app; I disabled it on all my systems using it but apparently it's still spying on me.

This sort of spying is deeply unethical. You are not entitled to silently spy on your users simply because they didn't realize that your app is spyware. You are not entitled to assume consent just because you mentioned on your webpage that your apps will silently spy on your users. This makes your app malware.

"We're going to silently spy on you unless you read our whole website, notice that it's a spyware app, and then disable the spyware part" is not an ethical business practice. You must OBTAIN CONSENT from your users to use their personal data. You may not assume consent.

What you're doing now is unethical and abusive. That’s simply not affirmative consent. Imagine if you tried that in life! “Anyone who stays in this room after 5pm is consenting to be groped! Proceed at your own risk.” Don't be that creep. Please don't ship spyware.

Note that fixing only this bug (the issue of sending telemetry when the user explicitly opts out) is not a complete solution. You must stop spying on your users unless they have explicitly agreed to permit you to their usage information.

Best,
-@sneak

PS: "everyone else is doing it" is not an acceptable excuse for unethical behavior.

PPS: "but the collection is anonymous!" is not an excuse either: transmitting a user's IP to your telemetry server leaks that user's location, which is a violation of their privacy. IPs uniquely identify many, many users, and SNI is not yet encrypted.

[Omeryl]

I get there's probably a bug here, but I'd say that the entire "Dear Netlify" section is just .. not required here. It's a lot of noise, and makes some unfair accusations.

[Omeryl]

I tried doing the exact same thing, rm -rf'ing my netfify config folder and using Little Snitch 4 to monitor the process.

I replaced the API_URL in src/utils/telemetry/request.json with a requestbin. It looks like it sends the following data:

{
    "event": "cli:user_telemetryDisabled",
    "anonymousId": "e4b0355f-2838-4ff6-93a0-641479aec90d",
    "properties": {}
}

Presumably, this could be used to purge all previous analytical data. I haven't done any more validation past this, though.

Honestly, unlike the tone of this issue, I think it's pretty harmless and if it's being used the way I think it is I do not mind it.

[erquhart]

The cli has to connect to Netlify to work, hence the call to cli.netlify.com. If you disable telemetry, we don’t use telemetry.

_{Sent with GitHawk}

[sneak]

@erquhart: Your first statement is false: The connection the CLI is making here to the telemetry server is not when performing any API action, only disabling telemetry. The command I ran, netlify --telemetry-disable, does not need to connect to Netlify to work.

Your second statement, "If you disable telemetry, we don’t use telemetry" is also false. This bug is a report of its falsehood. Disabling your spying still sends spying data to netlify that the user has requested spying be disabled, as shown above in the comment by @Omeryl.

It's one thing to assume consent and silently spy; you at least can make the (invalid) excuse of "everyone spies on their users these days! assuming consent is fine!".

It's another thing entirely to actively receive a revocation of consent, and then proceed to send a telemetry event in direct violation of that.

Please don't spy on your users.

[erquhart]

Going to look into that call to the server, it's either accidental or we're using it to disable some sort of server side telemetry. I'll update when I get more info - in the meantime, if you're concerned about the impact of this, please run a fork and disable that line until this is resolved. Apologies for the confusion here.

[Omeryl]

Alternatively, in the meantime, it seems if you set "telemetryDisabled": true, in your config and don't run --disable-telemetry you'll be fine as well.

[sneak]

Please consider #737 as then the application can know from the first line that the user wishes to not be spied on (via consuming a standard env var, see https://consoledonottrack.com).

It sidesteps bugs (or at least what I hope is a bug) like "sending telemetryDisabled event whilst in the process of registering the user doesn't want to send events".

[erquhart]

@Omeryl good point - and since that approach is documented and does bypass this call, we'll go ahead and get a release out with the call excluded. @sneak thanks for raising this.

[sneak]

Why not disable telemetry by default for all installs, and then when a user in an interactive session does a netlify init or netlify login, just ask them for their consent that you send their data away?

You could even do something like make it the default when a user hits enter:

transmit usage data to Netlify? [Y/n]: _

Doing so silently and without any sort of notification or time window in which a user can cancel and not transmit is unethical and presumptuous, and, in my personal opinion, super rude. A lack of consent withdrawal is not indication of affirmative consent. For example: I never consented to any of this tracking data being collected, but it's been spying on me and sending you my data for months.

[erquhart]

The CLI provides an alternative interface for interacting with the Netlify service. When signing up to the service, you agree to Netlify's terms of use and privacy policy as indicated in the self serve subscription agreement. Disabling the tracking call when disabling telemetry should be sufficient to close this issue - PR opened.

[sneak]

Nothing quite like being told that I consent to something when I actually don’t.

[cohunter]

Netlify may use, distribute and disclose Customer Data in order to provide the Services to Customer and to maintain the associated Customer website projects. Netlify shall have the right to use and analyze Customer Data to administer, improve, customize, enhance and develop its products and services, including the Services. Upon termination, Netlify will make all Customer Data available to Customer for electronic retrieval for a period of thirty (30) days, but thereafter Netlify may, but is not obligated to, delete stored Customer Data.

Netlify shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems. Netlify will use such data to administer, improve and develop its products and services, including the Services; and Netlify may share aggregated information and non-identifying information with third parties.

That was seriously buried in the terms. It may legally excuse it, but certainly goes against reasonable expectations.

If this is how netlify operates, you can trust I’ll no longer be able to recommend your services.

It really isn’t that hard to ask the user for consent at first use.

[sneak]

Why bother having an option to disable telemetry if you legitimately believe that every single person using the tool has already consented to such spying by having a Netlify account?

[ZorudaRinku]

Man, nothing like asking your users just to paint a picture of having control over it to literally not do anything.

[Smit-tay]

I think I have the solution.
Stop using the product.
Learn how to use scp (or sftp)

[chrisjohnson]

Nothing quite like being told that I consent to something when I actually don’t

But you did? You agreed to their terms. That you did not read those terms that you agreed to, wherein you gave consent, is on you. Why is it the world's responsibility to bend to your whim?

The tone here is not useful at all. You aren't correct in your assumptions and you are painting people in an unnecessarily bad light just because you didn't take the time to read what you were agreeing to