Make telemetry Data opt-in

[furti]

• VSCode Version: 1.22.1
• OS Version: Windows 10

Steps to Reproduce:

1. Start VS Code 1.22.1 for the first time
2. Now a notification pops up that tells me, that telemetry data is collected and I can opt-out

Does this issue occur when all extensions are disabled?: Yes

1. I am not sure about this but I don't think collecting telemtry data by default will conform to the General Data Protection Regulation of the EU that becomes effective in May 2018. It would be better to disable it per default and tell the user to enable it if he want's to share data with you.

2. When I checked the privacy policy linked in the notification popup (https://privacy.microsoft.com/en-us/privacystatement) I can't find anything about the data collected by vs code. This is a very important information. This can be a big showstopper for using vscode in some companies, wen data is sent and nobody knows what data this is.

[kieferrm]

@furti thanks for bringing this up. As you can imagine GDPR is a big deal for a company like Microsoft. All products have been working with legal counsel to achieve compliance. Our current understanding is that our notification is a correct implementation of GDPR. All of our code that sends telemetry is Open Source right here in this repo and it is annotated with which events and properties we send. Look for __GDPR__ comments in our code.

[furti]

@kieferrm thank you for your answer. Maybe the opt-out is a correct implementation of GDPR. I'm not a lawyer 😄
But forcing people to scan your code for comments, and furthermore to learn how your code is structured and how it works, is definitely not transparent at all.

For example I did a quick search for GDPR in your code and randomly selected a file (workspaceStats.ts:342)

                          /* __GDPR__
				"workspce.tags" : {
					"${include}": [
						"${WorkspaceTags}"
					]
				}
			*/
			this.telemetryService.publicLog('workspce.tags', tags);

I don't even know what workspace tags are. So I have to invest half an hour, an hour, maybe two to fully understand what data is sent in this case. The search for GDPR found 60 occurences in your code. So I have to invest about a week to fully understand what data is sent by your application. And for the next version i will have to do the same. Maybe there is something new or something changed.

And the people who decide such things in a company mostly don't code at all. So it isn't even possible for them to understand the data sent by the application by scanning the code.

At least an human readable version of the data collected by you should be available.

[Thf772]

Opt-out is not valid for GDPR. It is one of the reasons invoked in the massive lawsuits Microsoft and other GAFAM companies are currently facing.

[ramya-rao-a]

With #54001, we are rolling out a feature in the next update where one can take a look at all the telemetry events and their payload in the product in real time. You can try it out in the latest Insiders or wait for the next update to the stable version.

[bakman2]

Is there an update available on this subject, or does it remain a balancing act until the EU comes knocking at the door ?

I cannot use this software in the EU as it is not GDPR compliant.

Trying to hide behind some code-comments is the very reason why GDPR was introduced.

Opt-in is the only legal way + clear and concise statements what you are collecting and people specifically agree with that or not.

It can be fixed within 1 minute, but the reluctance is very telling.

[cbluth]

For those interested in an alternative without telemetry: https://github.com/VSCodium/vscodium

[ibnesayeed]

Telemetry is a big concern for many (including me), it should certainly be an opt-in feature, if at all. Not only the core product, but all the add-ons should be using some uniform guidelines and their telemetry controls should be visible in one place, all being opt-in. Currently, every add-on (including the official ones from MS) can have its own data collection going on while the user has disabled it in the core product.

By making it opt-out, MS can already collect installation and first time boot related statistics along with the stats of how often telemetry was opted out. I don't think GDPR lawyers would be happy about it, neither am I as a user.

The user base of VS Code has become so big already that even the opt-in mechanism will give MS big enough sample to learn an overall trend and reliable statistics for product enhancement, but they seem to be too greedy about collecting stats from every single source they can.

[cocowalla]

At the very least I think what telemetry is collected needs to be much clearer. It's not good enough to say 'trawl through the source code!', or 'enable it first and watch as we hoover up your data!' - it should be clearly set out in the readme, or in the docs.

[ulfklose]

Does disabling Telemetry in the settings completely opt-out from telemetry data collection?

[meadowsys]

would love to see some progress on this (it has been quite a while since any activity has happened on this issue)

[ghost]

It's been 4 years already, with no progress. One would expect otherwise given the "privacy is important" claim. Is there any issues stopping this?

[mrchonky]

It's been 4 years already, with no progress. One would expect otherwise given the "privacy is important" claim. Is there any issues stopping this?

Yea the issue is Microsoft wants to sniff your nutsack. @kieferrm suck my big fat nuts

[mrchonky]

@kieferrm is there a contact email where we can send our data voluntarily? I'd love to personally send you my SSN, blood type, credit card #, and more. Cheers