zlacker

Why do people use obvious spyware when free software exists?

>>isatty+(OP)
Telemetry isn't the same thing as spying on the user. People use it because it's not actually spying on them.

>>isatty+(OP)
Eh, I don't know how you could tell it is "obvious" "spyware", unless you are referring to the fact that it comes from Bytedance.

>>charci+s1
It is literally spying on the user.

Unless you're somehow saying telemetry doesn't report anything about what a user is doing to it's home server.

>>isatty+(OP)
Because there’s a huge amount of money behind smearing free software

>>malfis+h2
In my mind, the difference is that spying does or can contain PII, or PII can be inferred from it, where telemetry is incapable of being linked to an individual, to a reasonable extent.

>>rs186+K1
Have Bytedance produced literally anything to that assumption unreasonable?

>>nomel+83
Every single piece of telemetry sent over the internet includes PII - the IP address of the sender - by virtue of how our internet protocols are designed.

>>jen20+v3
Amongst other things they do have a division that produces OKR tracking software. Just the weird story of another multinational I suppose.

>>charci+s1
Anonymized or not, opt-out telemetry is plain spying. Go was about to find out, and they backed out the last millisecond and converted to opt-in, for example.

>>nomel+83
In my mind, any feature collecting information about me, truly anonymized or not is spying if it's opt out.

>>nomel+83
I think "spying" implies "everywhere possible", including, outside the app

>>malfis+h2
Spying and telemetry is not something specific to Bytedance. Example: Google ? Or Microsoft ? Why is it a problem only when it is Bytedance or Huawei ? For the exact same activity

In fact the Chinese entities are even less likely to share your secrets to your governement than their best friends at Google

>>gpm+R3
At least spiritually not if the traffic is routed over a Tor circuit. :-)

>>isatty+(OP)
Well there's a middle ground - Sublime Text isn't free but it's fantastic and isn't sending back all my code/work to the Chinese Government. Sorry, "Telemetry"

>>gpm+R3
> includes PII - the IP address of the sender

Apple provides telemetry services that strips the IP before providing it to the app owners. Routing like this requires trust (just as a VPN does), but it's feasible.

>>rvnx+85
No one in the chain of comments you are replying to has mentioned anything about Google, and on HackerNews you will find the majority sentiment is against spying in all forms - especially by Google, Meta, etc.

Even if we interact with your rhetoric[1] at face value, there is a big difference between data going to your own elected government versus that of a foreign adversary.

[1] https://en.wikipedia.org/wiki/Whataboutism

>>isatty+(OP)
Yes, why do people use products from Microsoft, Apple, Google, Amazon, ...

>>cuuupi+U5
So you are implying at the end that it is better that your secrets (“telemetry”) go to your local agencies and to possible relatives or family who work on Gmail, Uber, etc ?

>>aleph_+b5
Unless you control most of the Tor nodes :-)

So many US universities running such nodes, without ever getting legal troubles. Such lucky boys

>>bayind+y4
Unfortunately opt-in telemetry is like no telemetry at all. Defaults matter.

>>nicce+78
No telemetry at all is a good thing to some (most?) people.

>>rvnx+85
> Why is it a crime only when it is ByteDance or Huawei ?

It should be a crime for Google as well.

"Whataboutism" is a logical fallacy.

https://en.wikipedia.org/wiki/Whataboutism

>>nicce+78
Surely that should be fortunately.

>>rvnx+85
My comment has nothing to do with a specific company but about telemetry and spying on the customer.

"What about Google" is not a logical continuation of this discussion

>>throwa+d6
Because the alternatives suck.

In this case, the software being analyzed is the alternative that sucks.

>>inetkn+r8
Telemetry can be implemented well. The software you use gets bugs fixed much faster since you get statistics that some bugs have higher impact than others. The more users software has, less skills they have in average to accurately report any issues.

>>malfis+h2
If anything it is spying on the application itself. This is limited in scope compared to spyware which is software which spies on users themselves.

>>gpm+R3
This is like saying every physical business is collecting PII because employees can technically take a photo of a customer. It's hard to do business without the possibility of collecting PII.

>>nicce+T9
> The software you use gets bugs fixed much faster since you get statistics that some bugs have higher impact than others.

Try talking to your users instead.

> The more users software has, less skills they have in average to accurately report any issues.

No amount of telemetry will solve that.

>>muppet+h5
And the other side of the middle ground, Grafana being AGPL but requiring you to disable 4 analytics flags, 1 gravatar flag, and (I think) one of their default dashboards was also fetching news from a Grafana URL.

https://github.com/grafana/tempo/discussions/5001#discussion...

(Yes, that's for Grafana tempo, but the issue in `grafana/grafana` was just marked as duplicate of this.)

>>philli+54
As in objective and key result? That’s… weird but ok!

>>rvnx+z7
Yes, naturally I trust my own elected government, or possible relatives/family, far more than I trust a foreign adversary

>>rs186+K1
The mere fact that disabling telemetry does not at all disable telemetry is enough for it to be called spyware.

>>isatty+(OP)
Ha ha, free software also has tons of telemetry, it just belongs to GitHub.

>>cuuupi+je
I'm sorry but why? Your government can use this data to actually hurt you and put you on the no-fly list, or even put you in prison.

But a foreign government is limited to what it can do to you if you are not a very high-value target.

So I try as much as possible to use software and services from a non-friendly government because this is the highest guarantee that my data will not be used against me in the future.

And since we can all agree that any data that is collected will end up with the government some way or another. Using forging software is the only real guarantee.

Unless the software is open source and its server is self-hosted, it should be considered Spyware.

>>charci+na
No, it's like saying a business that has a CCTV camera recording customers, and sending that data off site to a central location, where they proceed to proceed to use the data for some non-PII-related purpose (maybe they're tracking where in stores people walk, on average), are in fact sending PII to that off site location.

Distinguishing factors from your example include

1. PII is actually encoded and handled by computer systems, not the mere capability for that to occur.

2. PII is actually sent off site, not merely able to be sent off site.

3. It doesn't assert that the PII is collected, which could imply storage, it merely asserts that it is sent as my original post does. We don't know whether or not it is stored after being received and processed.

>>charci+s1
Any monitoring of my system without my explicit permission is spying.

>>nomel+R5
You said it's different from spying because there is no PII in the information. Now you're saying it's different because it's not given to app owners.

Why is it relevant whether they provide it to app owners directly? The issue people have is the information is logged now and abused later, in whatever form.

>>inetkn+wa
The PowerShell team at Microsoft added opt-out telemetry to track when it was launched so they could make the case internally that they should get more funding, and have more internal clout.

It’s easy to argue that if you are a PowerShell user or developer you benefit from no telemetry, but it’s hard to argue that you benefit from the tool you use being sidelined or defunded because corporate thinks nobody uses it. “Talk to your users” doesn’t solve this because there are millions of computers running scripts and no way to know who they are or contact them even if you could contact that many people, and they would not remember how often they launched it.

https://learn.microsoft.com/en-us/powershell/module/microsof...

>>jodrel+px
To take that logic to its extreme: I'm sure we could have amazing medical breakthroughs if we just gave up that pesky 'don't experiment on non-consenting humans' hang-up we have.

>>isatty+(OP)
As an asset who successfully infiltrated a rival country's tech company you want deniability. Bringing your own IDE does not look suspicious.

>>throwa+d6
> Yes, why do people use products from Microsoft, Apple, Google, Amazon, ...

I work at Apple, so I’m not concerned about being monitored—it’s all company-owned equipment and data anyway.

It was the same when I worked at Microsoft. I used Microsoft products exclusively, regardless of any potential privacy concerns.

Employees at Google and Amazon do the same. It’s known as “dogfooding”—using your own products to test and improve them (https://en.wikipedia.org/wiki/Eating_your_own_dog_food).

As for why people outside these companies use their products, it usually comes down to two reasons: a) Their employer has purchased licenses and wants employees to use them, either for compliance or to get value from the investment; or b) They genuinely like the product—whether it’s because of its features, price, performance, support, or overall experience.

>>jodrel+px
> it’s hard to argue that you benefit from the tool you use being sidelined or defunded because corporate thinks nobody uses it.

Let the corporation suffer then. With an open API, a third party will make a better one. Microsoft can buy that; corporations have a habit of doing that.

> “Talk to your users” doesn’t solve this because there are millions of computers running scripts

Why are you worried about the problems that scripts face? If the developer encounters issues in scripts, the developer can work to fix it. Sometimes that might mean filing a bug report... or a feature request for better documentation. Or the developer might get frustrated and use something better. Like bash.

> there are millions of computers running scripts and no way to know who they are or contact them

Why do they matter to you, or a corporation then?

> they would not remember how often they launched it.

If your users aren't interacting with you for feature requests and bug reports, then either you don't have users or you don't have good enough reachability from the users to you.

>>nicce+78
Exactly. What users do on their computers is their own data. It's up to them to share it or not.

>>gpm+tq
I was giving a purely physical, analog example.

>>inetkn+3M
>Let the corporation suffer then.

Corporations provide value to others. It's not just the corporation that is missing out.

>>jodrel+px
This is a systemic problem on Microsoft's side, it's not an upside of telemetry.

To be clear, I consent to send telemetry from some of the tools I use and deploy.

Their common pattern? They wait a bit, and ask nicely about whether I want to participate. Also, the dialog box asking the question defaults to off.

I read the fine print, look a the data they push, ponder and decide whether I'm cool with it or not.

Give me choice, be upfront and transparent. Then we can have a conversation.

>>charci+ZU
Corporations provide value to their shareholders. The things they sell and their customers are the product. They care about neither.

>>charci+KU
If you imagine the CCTV camera in my example is a film-video-camera and the processing happening off site is happening in a dark room and not on a computer... my more accurate version of your analogy is also analog.

>>inetkn+3M
> "use something better. Like bash."

Bash isn't better.

> "Why are you worried about the problems that scripts face? Why do they matter to you?"

because I write and run such scripts.

> "Let the corporation suffer then"

Microsoft wouldn't suffer, PowerShell users would suffer.

> "sometimes that might mean filing a bug report... or a feature request for better documentation. "

In this scenario the PowerShell team has been defunded or sacked. Who will the bug report go to? Who will implement the feature request?

> "If your users aren't interacting with you for feature requests and bug reports, then either you don't have users or you don't have good enough reachability from the users to you."

Users are interacting with Microsoft for feature requests and bug reports. There are a thousand open issues on https://github.com/powershell/powershell/ and many more which were closed "due to inactivity". What difference does that make if Corporate doesn't want to fund a bigger team to fix more bugs unless it can be shown to benefit a lot of customers not just "a few" devs who raise issues?

>>Eisens+fB
The parent said "talk to your users instead of telemetry" and I said "there are scenarios where telemetry can get information that you cannot get by talking to users". How did you go from that to "experimenting on non-consenting humans"?

To take your logic to its extreme, you have a disease and are prescribed pills, and the pharmaceutical company says "we will track when you take the pills - unless you don't want us to?" and you would prefer the researchers get shut down for not knowing whether anyone actually takes the pills, and an unlimited number of people die from treatable diseases that don't get cured.

>>jodrel+Rd2
> Bash isn't better.

It is, by virtue of running on Linux.

> because I write and run such scripts.

'kay. Learn how to do Engineering and the software will come just fine. You don't need telemetry to tell you anything about scripts. You need good error reports for your users to send to you instead.

> Microsoft wouldn't suffer, PowerShell users would suffer.

So what you're saying is that Microsoft doesn't care about its users. PowerShell users should use products from better companies then.

> In this scenario the PowerShell team has been defunded or sacked. Who will the bug report go to? Who will implement the feature request?

Why were they sacked?

Oh, right, because they didn't interact with their users.

Who will the bug report go to? Clearly it's the same as before: nobody. That's a Microsoft problem.

> What difference does that make if Corporate doesn't want to fund a bigger team to fix more bugs unless it can be shown to benefit a lot of customers not just "a few" devs who raise issues?

If Corporate doesn't want to fund bugfixes and features for people who actually file bug reports and talk to you, then that's poor behavior of corporate. Why do you want to contribute to the decline of your users privacy?

>>jodrel+ef2
> I don't understand how you got from "there are scenarios where telemetry can get information that you cannot get by talking to users, here is one example" to "experimenting on non-consenting humans". What is the connection?

The connection is clear if your salary doesn't require you to not understand it.

Developers don't opt-in to telemetry? Maybe it's because they don't want to enable that telemetry, your experiments be damned.

Use proper engineering to demonstrate that your scripts work instead of demanding that users be your free software test team.

>>muppet+h5
Another middle ground is CudaText, it is free and without telemetry.

>>jodrel+ef2
You said 'but we wouldn't have a lot of improvement without telemetry'. I am saying that we could have a lot of improvement in a lot of things if we wanted. We could have breakthroughs in medicine if we allowed human experimentation. The question is, where is that that line? Your argument doesn't address that, it just tries to justify something that people think it morally wrong by stating that we get use from it.

>>jodrel+ef2
Medical research and consent doesn't work like this. If you track your patients without their consent, or you share their data without their explicit consent, you'll land in very hot water, which will cook you even before you can scream.

Similarly, a medical trial will take a very detailed consent before you can start.

Your opt-out telemetry is akin to your insurance sending you powered and Bluetooth enabled toothbrushes out of the blue to track you and threaten to cancel your insurance if you don't use that toothbrush and send data to them.

Or as a more extreme example, going through an important procedure not with the known and proven method but with an experimental one, because you didn't opt-out and nobody bothered to tell you this. In reality, you need to sign consent and waiver forms to accept experimental methods.

>>guessm+yH
Hmm. Are you aware that I was responding to this comment?

> Why do people use obvious spyware when free software exists?

So, even though the poster was referring to ByteDance when they said "obvious spyware", I was feigning incomprehension in order to ask the question, how do we differentiate ByteDance from what Microsoft, Apple, Google, Amazon (and the rest) do.

It's a real question - why do technical people, who arguably should know better, and can do something about it - continue to use these data-harvesting and user-selling platforms? The answer is obvious when it's the case of an employee of those companies, I grant you that.

My apologies if you feel your response did address that, and I missed it. If so, please help me see what I missed.

>>throwa+d6
If we are talking about telemetry…. Seriously all these products are sending telemetry data

>>kriswo+ap4
And the Snowden revelations happened, which programmers and sysadmins and etc saw, and then... continued as before, in the large majority of cases. It'd be baffling, if it wasn't so easily explained by the usual mixture of self-interest and moral cowardice.

>>Capric+pv
Which has clear logically consistency, at the app owner level, which is the context of my reply.

If the app owner can't obtain PII, I don't believe the app owner is spying.

Is Apple spying?

> Routing like this requires trust

It depends on if you trust them, and their privacy policy. If they're functioning as a PII stripping proxy, as they claim, then I would claim no, to the extent of what's technically possible. I would also claim that a trustworthy VPN is not spying on you. YOMV.

>>Bigano+qe
That's only after you read this article. The question is how do you know it's spyware even before you install it. At least it's not clear for me from github README file that I would be knowningly installing spyware.

>>charci+X9
Those who collect PII, anonymized or not, are collecting information for one or more legitimate purposes, and that same information lends itself to ends which can reasonably be construed as spying when it is inevitably exposed to those who desire to spy. Those app developers can’t plausibly deny knowing that this information sharing will occur or is exceedingly likely to occur, and by making such data collection opt-out, app developers knowingly are acting on behalf of spies, despite having no intention to directly spy themselves. If you are an app developer with opt-out telemetry or an end user of an app so developed, who is the spy or doing the spying is a distinction without a difference to my view.

>>inetkn+Af2
> "Use proper engineering to demonstrate that your scripts work instead of demanding that users be your free software test team."

This telemetry is not about demonstrating that scripts work, as I have said to you multiple times.

>>Eisens+7p2
> "You said 'but we wouldn't have a lot of improvement without telemetry'."

I did not say that. Within the context of Microsoft's internal funding, maybe, but we could have the same improvement by Microsoft throwing more money at the PowerShell team without this telemetry. The core thing I said was that the information the telemetry gets cannot be got by "talk to your users" not that the telemetry leads to amazing improvements.

It is still difficult for you to make the case that someone choosing to download PowerShell can be "not consenting" (and before you reply saying "PowerShell ships with Windows", the PowerShell which has telemetry does not [yet] ship with Windows).

>>bayind+BU2
> "Medical research and consent doesn't work like this."

Yes, I agree that person's comparison to non-consensual medical research is stupid.

> "Your opt-out telemetry is akin to your insurance sending you powered and Bluetooth enabled toothbrushes out of the blue to track you and threaten to cancel your insurance if you don't use that toothbrush and send data to them."

More akin to your insurance company making a public RFC where you can discuss the coming telemetry, then you choosing to ask your insurance for an optional toothbrush, being able to opt out of telemetry if you want to, the insurance company documenting how to opt out[1], you being able to edit the toothbrush source code to remove the telemetry entirely with the insurance company's approval because it's MIT licensed, and absolutely nothing happening to you if you opt out.