FWIW, it gives you a warning and the chance to disable analytics before sending any analytics. https://docs.brew.sh/Analytics
> Homebrew gathers anonymous aggregate user behaviour analytics using Google Analytics (until our in-progress migration to our own InfluxDB). You will be notified the first time you run brew update or install Homebrew. Analytics are not enabled until after this notice is shown, to ensure that you can opt out without ever sending analytics data.
That is a very simplifying view of the legal situation and that's not helpful at all.
First, it only applies if you collect PII - depending on what they collect, they might not be subject to the GDPR at all.
Second, informed consent is only one of the options that allows collection and storage of PII. There are various other reason that allow collection and storage of PII, among them "Legitimate interest". For example, it is considered legitimate to store webserver logs containing PII (IP Addresses) for purposes of fraud analysis, unauthorized system access etc. Whether a specific collection of data is legitimate under those clauses depends on the specifics of a case (who has access, what's the exact purpose, how long you store, ...) - ask a lawyer if you need an assessment.
Depending on what they log and how they log, they may be either in the clear or in a bad place, but it's definitely not as simple as "the law requires no logging".
I don't think that's true - AFAICT there's no EU law banning analytics. EU law just restricts storing & processing _personal_ data (GDPR) and storing unnecessary data on machines without consent (ePrivacy/'cookie law').
If you want to log fully anonymized data, without persistent tracking ids and without leaking personal data to 3rd parties en route (so no "send it to Google and they promise to anonymize the IP afterwards") then you're all good (but IANAL!).
The only reason you see all those cookie notices and GDPR consent requests is because so few companies are willing to accept even the tiniest tradeoff in their metrics to protect their users' privacy.
I think it’s not cool when orgs track telemetry with opt out. But it’s not cool like when you’re at a party and you go off and fart in the corner as no one’s there and then a few seconds later someone walks by and smells it.
Continuing the analogy, telemetry with no opt out is like farting silently amongst a group of people. And tracking identified user requests while selling data is like slapping each person at the party while farting in their face.
And I guess opt in telemetry is like holding in your fart and people notice and might feel some discomfort at your discomfort.
You forgot 3) Complain at different intensities, up to the shaming, about the unethical dark patterns employed by the software, no matter whether it is open source or not, to make authors of the software aware, that what they do is not welcome by their users.
I use Little Snitch to alert on any outbound connections and make a decision. The google stuff immediately got a permanent blackhole for Homebrew. Anything I'm uncertain of I'll give a short-term approval (30mins) to not break anything. After a couple of rounds of execution (and sometimes some trial & error) you can usually work out which requests are essential and which are some notifications/tracking thing.
eesmith|3 years ago
> Homebrew gathers anonymous aggregate user behaviour analytics using Google Analytics (until our in-progress migration to our own InfluxDB). You will be notified the first time you run brew update or install Homebrew. Analytics are not enabled until after this notice is shown, to ensure that you can opt out without ever sending analytics data.
macintux|3 years ago
orangepurple|3 years ago
nicbou|3 years ago
Xylakant|3 years ago
First, it only applies if you collect PII - depending on what they collect, they might not be subject to the GDPR at all.
Second, informed consent is only one of the options that allows collection and storage of PII. There are various other reason that allow collection and storage of PII, among them "Legitimate interest". For example, it is considered legitimate to store webserver logs containing PII (IP Addresses) for purposes of fraud analysis, unauthorized system access etc. Whether a specific collection of data is legitimate under those clauses depends on the specifics of a case (who has access, what's the exact purpose, how long you store, ...) - ask a lawyer if you need an assessment.
Depending on what they log and how they log, they may be either in the clear or in a bad place, but it's definitely not as simple as "the law requires no logging".
pimterry|3 years ago
If you want to log fully anonymized data, without persistent tracking ids and without leaking personal data to 3rd parties en route (so no "send it to Google and they promise to anonymize the IP afterwards") then you're all good (but IANAL!).
The only reason you see all those cookie notices and GDPR consent requests is because so few companies are willing to accept even the tiniest tradeoff in their metrics to protect their users' privacy.
st3fan|3 years ago
Rafert|3 years ago
sandstrom|3 years ago
I'm fairly sure that an open-source piece of code that you download and install yourself isn't in scope.
prepend|3 years ago
I think it’s not cool when orgs track telemetry with opt out. But it’s not cool like when you’re at a party and you go off and fart in the corner as no one’s there and then a few seconds later someone walks by and smells it.
Continuing the analogy, telemetry with no opt out is like farting silently amongst a group of people. And tracking identified user requests while selling data is like slapping each person at the party while farting in their face.
And I guess opt in telemetry is like holding in your fart and people notice and might feel some discomfort at your discomfort.
notpushkin|3 years ago
darkwater|3 years ago
I tend and prefer to assume good-will WRT telemetry in well-known and independent opensource projects.
vetinari|3 years ago
predmijat|3 years ago
glenngillen|3 years ago