top | item 47064563

(no title)

Lammy | 11 days ago

> How does Tailscale make money?

They spy on your network behavior by default, so free users are still paying with their behavioral data. See https://tailscale.com/docs/features/logging

“Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.com). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”

They know what you're doing, when, from where, to where, on your supposedly “private” network. It's possible to opt out on Windows, on *nix systems, and when using the non-GUI client on macOS by enabling the FUD-named “TS_NO_LOGS_NO_SUPPORT” option: https://tailscale.com/docs/features/logging#opt-out-of-clien...

It is not currently possible to opt out on iOS/Android clients: https://github.com/tailscale/tailscale/issues/13174

For an example of how invasive this is for the average user, this person discovered Tailscale trying to collect ~18000 data points per week about their network usage based on the number of blocked DNS requests for `log.tailscale.com`: https://github.com/tailscale/tailscale/issues/15326

discuss

jzelinskie|11 days ago

I'd love to have someone else chime in on this because I did some spelunking and am not sure if this comment is true.

I checked my DNS logs and saw zero attempts to resolve `log.tailscale.com` having ran tailscale for many years (I added it to a blocklist anyway). From their admin panel, it appears "networking logging" requires paying for Premium[0], so it's not being used for free users (or Personal Pro).

Also, from looking at some source code (because the docs don't include this), I discovered you can disable logging for the macOS App Store client by doing:

     echo "TS_NO_LOGS_NO_SUPPORT=true" > ~/Library/Containers/io.tailscale.ipn.macos.network-extension/Data/tailscaled-env.txt

[0]: https://login.tailscale.com/admin/logs/network

nickburns|11 days ago

Pretty much this. DNS, SNI, and otherwise plaintext traffic sniffing. That together with user/device 'fingerprinting' (a much more amorphous concept), and that's why such-and-such thing you were just talking about with so-and-so pops up on your screen/feed/whatever, sometimes only minutes later.

I highly doubt any of this can actually be opted-out of. How else would they stay in business?

namtim|11 days ago

The `TS_NO_LOGS_NO_SUPPORT` option opts out of all log collection, and says in the name why it is collected in the first place. Tailscale has support for all users, including free, and having access to logs has to be how they can provide free support. Having quick access to logs reduces the time it takes to handle tickets, so they can help more people quickly and don't need to limit support to only paying users.

The core client code is open source, feel free to inspect it yourself.

snailmailman|11 days ago

They specifically avoid sending traffic through tailscale servers whenever possible. That’s how the free tier stays free. Most connections are direct, P2P.

The traffic that does go through their servers is encrypted, and bandwidth limited on the free plan. Any snooping on client behavior would have to be done client side, and the clients are all open source. To some extent the coordination server might be able to deduce some metadata about connections; but definitely not snoop all plaintext traffic.

I think they do have some “service detection” which can basically port-scan your devices to make services visible in the web UI. But that is easy to disable. And premium/enterprise tiers can intentionally log traffic statistics.

db48x|9 days ago

That’s misleading; you have to pay extra to get access to that feature.