Have you noticed that MS mostly stopped using EEE, and changed strategy to just ignore rules/laws/licenses, and wait to see what happens? We hear it frequently that "today's MS is not the same as the old MS", but I have my doubts.
This particular one is just the latest. But the really big one (IMHO) is the one where they simply started to ignore EFF[0], when they were asking them about the copyright status of co-pilot.
If the court decides against EFF, that will have a lot of effect on the legality and enforcement of most of the OSS licenses (though I'm an armchair-lawyer, not even in the US). Fun times ahead.
[0]: If I remember well, it was EFF who mentioned that MS stopped responding to them. I have found the lawsuit, but it was not filed by the EFF. Google is more useless by the day.
> Have you noticed that MS mostly stopped using EEE,
No, I haven't. Notice that MS now loves Linux... provided you run it on Azure or as a component of Windows (WSL). They adopted Chrome...'s rendering engine and then abused their desktop OS market share to shove the result down people's throats. They don't have the leverage they once enjoyed, but the approach didn't change, at least not in general.
I think this is a tendency of all international mega corporations. Law is not homogenous around the world, and since you are consequently in violation anyway, you learn how to use that in your favor and ignore it for quite a while. And then, once it starts to be annoying, you can finance an army of lawyers to delay or even change the law.
On the one hand it is quite reasonable to work like that; on the other hand it is really unethical and bad for society as a whole.
The current system highly incentivises sufficiently large corporations to embrace the Nike principles: Break the rules, fight the law
The worst case scenario, if you lose a game stacked in your favour several times in a row, you pay a pittance, or performatively correct a now-obsolete injustice.
VScode telemetry will remain opt out because it yields very valuable information. Microsoft is not a democracy, and the outcry here is less than a rounding error, a footnote in some internal director’s morning agenda.
The issue with society, or one of them, is thinking it's acceptable for a corporation breaking the law to feel spite. The guy was not talking to a person, he was talking to a shitty corp breaking the law.
The requested deadline is likely done ahead of filing a complaint in Europe, to show they gave ample warning.
Also remember he's not talking to a human, but to a soulless corporation. He was as cordial as could be given the circumstances.
And finally, remember that it doesn't matter if a product Microsoft develops to increase their control over developers (via vendor lock-in, mindshare, and forced telemetry) happens to result in a decent free text editor for the user. No one owes them gratitude. This isn't charity.
P.S. Did you know VSCode lets extensions not respect the user's "no telemetry" choice? It's been an open ticket for like 4 years now, that MS have no intention to ever fix, even though all it would take is a simple VSCode Extension Store EULA change.
I've written to companies in the UK before with similar deadlines, it can be statutory - I am giving you notice that this communication starts the clock on the 30 day period I am required to allow you to give me a satisfactory resolution before I will escalate this case to the relevant authority.
Last time I had to use that sort of language was with a deranged ISP who had failed to deliver an internet connection, then decided to chase a debt for unpaid bills for this non-existent connection two years later.
Well, we are talking about GDPR. Setting a date to comply by is part of the enforcement of the GDPR afaik. I bet someone is setting points of a legal case, e.g. MS can say "oh no one explicitly stated a set date and GDPR" - now they can't use that excuse.
A user should be able to configure a program (or all programs) such that outgoing communication is not possible, logged or both. It really shouldn't be up to the program to decide what it wants to send as it could easily scan the entire hard drive on the user's behalf.
When the owner of a device is using it, they should have the right to inspect all data on that machine in plain language and to inspect all communications to and from that machine (again in plain language.) They should have the right to stop any communications at any level they choose using plain language menus.
I'm not qualified to weigh in on the merits of the request, but asking a corporation to change something and then throwing in a bunch of legalese about compliance and GDPR seems like an excellent way to guarantee that the poor reviewer of the requests is not going to deal with it, let alone quickly.
At best, they raise it to their internal legal contact. The inhouse lawyer rapidly advises them to not respond in any written or recorded medium. Issue goes nowhere.
At worst, they realize that this is a hairball with "vaguely legal stuff" and decide to review some other issue instead for a more productive and less stressful day. Issue goes nowhere.
It is nigh impossible to send truly anonymous data as telemetry. As soon as you're using the internet, you're disclosing an IP address, which is PII. If you add anything to link two subsequent telemetry reports together, that thing is PII (e.g. a hash or a uuid). If the telemetry report is detailed enough that they become somewhat unique, it's PII.
That said, consent is not the only grounds on which you can process PII. Contract, legal obligation, vital interests, public task, or legitimate interests are also valid grounds. Of these, legitimate interests is the most applicable in this situation.
> MacAddressHash - Used to identify a user of VS Code. This is hashed once on the client side and then hashed again on the pipeline side to make it impossible to identify a given user. On VS Code for the Web, a UUID is generated for this case.
A hash of a hash is about as expansive as a hash and it still uniquely identifies a machine, tying telemetry events to a specific user's machine. Microsoft's own telemetry description generator calls the field "EndUserPseudonymizedInformation". Pseudonymisation is inherently not anonymisation.
This bullshit is why I keep my PiHole on for my dev environment.
what's the definition of truly anonymous? they don't know your name? or there isn't enough data to identify you? I've heard that in the US, birthday and postal zip code is enough to identify you in most of the country, but that could be considered anonymous.
if data of multiple users is aggregated, that is I think more of what people are thinking when they think "anonymous"
There is no such thing as truly anonymous. In order to send any data you need to connect to a server. At that moment you are in violation of GDPR because you are exposing the user's IP, which is protected by GDPR.
See the case where even linking to a CDN requires GDPR consent.
https://www.cpomagazine.com/data-protection/leak-of-ip-addre...
And before the army of those who don't understand GDPR comes up with "but then the whole internet can not work"; the crucial distinction comes in the answer to the question: "can this tool fulfill its purpose without this connection?" If no, then it's essential to its functioning and does not require consent; if the tool can fulfill its purpose without this connection, it's optional and does require consent.
GDPR makes a distinction between connections that are required to fulfill the purpose of the tool and connections that are not essential. So a VS Code connection to a Microsoft server to, let's say, update or download an extension is allowed and does not require consent, because without that connection VSCode cannot fulfill its purpose of providing functionality.
Telemetry is not functionality, and VSCode can execute its purpose without this connection, so that makes it subject to the user consent requirement.
No answer is forthcoming from the VS Code team, because they know you won't like the answer.
Microsoft trawls their[1] endpoints mercilessly for every bit of telemetry that they possibly can, and they go out of their way to prevent customers from disabling this.
Windows 10 or 11 with Office requires something like 200+ individual forms of Microsoft telemetry to be disabled!
Notably:
- They keep changing the name of the environment variables[2] that disable telemetry. For unspecified "reasons".
- They've been caught using "typosquatting" domains like microsft.com for telemetry, because security-conscious admins block microsoft.com wholesale.
- Telemetry is implemented by each product group, which means each individual team has to learn the same lessons over and over, such as: GDPR compliance, asynchronous collection, size limiting, do not retry in a tight loop forever on network failure, etc...
- Customers often experience dramatic speedups by disabling telemetry, which ought not be possible, but that's the reality. Turning off telemetry was "the" trick to making PowerShell Core fast in VS Code, because it literally sent telemetry (synchronously!) from all of: Dotnet Core, PowerShell, the Az/AAD modules, and Visual Studio Code! Opening a new tab would take seconds while this was collected, zipped, and sent. Windows Terminal does the same thing, by the way, so opening a shell can result in like half a dozen network requests to god-knows-where.
[1] You thought, wait... that it's your computer!? It's Microsoft's ad-platform now.
[2] Notice the plural? It's one company! Why can't there be a single globally-obeyed policy setting for this? Oh... oh... because they don't want you to have this setting. That's right... I forgot.
> They've been caught using "typosquatting" domains like microsft.com for telemetry, because security-conscious admins block microsoft.com wholesale.
This seems interesting. Do you have any references for this? I would assume that the main use of such typo-squatting domains is a simple redirect, a la [0][1].
Microsoft’s own telemetry solutions (AppInsights/LogAnalytics) seem perfectly capable of handling async/buffering/backoff etc.
I agree there should be a single place, at least in Windows to control Microsoft telemetry on a per app basis. It should be very easy to accomplish. On other platforms less so.
In a desktop product I do for work we had the dilemma of opt in/out and showing the query clearly and hiding it in settings. We ended up with the middle ground of showing it but having the checkbox checked (so uncheck to opt out). We were still worried this would leave too few opting in but it meant over 95% did.
For command line I’d be 100% happy with a note on first use describing that telemetry is enabled and how it is disabled. Leaving it disabled by default and requiring user action to enable is not realistic in such a situation.
> people who request for software and websites to become nagware by asking for consent
What? Lol. How is this the user's fault?
That's just dark patterns by companies to bend users into enrolling. It doesn't have to be like this. It could be opt-in under settings, like just about anything else.
Looks like the monthly “people absolutely lose their minds over VS Code telemetry”. The same people would then be complaining if VS Code crashed constantly from bugs that they also never report in place of no telemetry.
This ridiculous false dichotomy of "if not for excessive telemetry it would be crashy" is so beyond reason. If it crashes just pop up the crash reporter and prompt the user with a button to send the crash report in. Done. No ethical issues there.
But no, apparently you think Microsoft needs a constant faucet of your information to prevent crashes. Golly, I wonder how developers managed before said faucets.
not_your_vase|2 years ago
yjftsjthsd-h|2 years ago
oaiey|2 years ago
blueboo|2 years ago
jdjdjdhhd|2 years ago
bogantech|2 years ago
> Please give an answer within the next week until the 16th of June.
I wouldn't respond to them either out of spite
lnxg33k1|2 years ago
gettodachoppa|2 years ago
Nursie|2 years ago
xeyownt|2 years ago
blueboo|2 years ago
mjburgess|2 years ago
falqun|2 years ago
osigurdson|2 years ago
mostlysimilar|2 years ago
Sakos|2 years ago
RecycledEle|2 years ago
hn1986|2 years ago
tpush|2 years ago
justinclift|2 years ago
kjellsbells|2 years ago
aaomidi|2 years ago
fhub|2 years ago
kvdveer|2 years ago
jeroenhd|2 years ago
fsckboy|2 years ago
cowl|2 years ago
butz|2 years ago
jiggawatts|2 years ago
Windows: https://learn.microsoft.com/en-us/windows/privacy/configure-...
PowerShell: https://learn.microsoft.com/en-us/powershell/module/microsof...
DotNet Core: https://learn.microsoft.com/en-us/dotnet/core/tools/telemetr...
Windows Terminal: https://github.com/microsoft/terminal/issues/5331
Az module: https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure...
Etc...
tentacleuno|2 years ago
[0]: https://gogle.com [1]: https://gooogle.com
rkagerer|2 years ago
alkonaut|2 years ago
chx|2 years ago
theknocker|2 years ago
[deleted]
charcircuit|2 years ago
Condition1952|2 years ago
guappa|2 years ago
_xivi|2 years ago
It's all about power play.
lloydatkinson|2 years ago
LightHugger|2 years ago