
For reference, they collect[1]:

    The command being used (for example, "build", "restore")
    The ExitCode of the command
    For test projects, the test runner being used
    The timestamp of invocation
    The framework used
    Whether runtime IDs are present in the "runtimes" node
    The CLI version being used

I'm actually OK with this to be honest.

Here is the telemetry code itself: https://github.com/dotnet/cli/blob/5a37290f24aba5d35f3f95830...

They also publish all the telemetry data (Change 2016 and q3): https://dotnetcli.blob.core.windows.net/usagedata/dotnet-cli...

1. https://docs.microsoft.com/en-us/dotnet/core/tools/telemetry




Also, when you run `dotnet restore`, you get the following message:

  Welcome to .NET Core!
  ---------------------
  Learn more about .NET Core @ https://aka.ms/dotnet-docs. Use dotnet --help to see available commands or go to https://aka.ms/dotnet-cli-docs.

  Telemetry
  --------------
  The .NET Core tools collect usage data in order to improve your experience.
  The data is anonymous and does not include command-line arguments. The data is collected by Microsoft and shared with the community.
  You can opt out of telemetry by setting a DOTNET_CLI_TELEMETRY_OPTOUT environment variable to 1 using your favorite shell.
  You can read more about .NET Core tools telemetry @ https://aka.ms/dotnet-cli-telemetry.

  Configuring...
  -------------------
  A command is running to initially populate your local package cache, to improve restore speed and enable offline access. This command will take up to a minute to complete   and will only happen once.

Sure, it's enabled by default, but at least they clearly notify you about it. So it's strange that the author says: 'I’ve been using the dotnet core since well before then and I never knew about this.'


The author must not be used to the new spyware-by-default mentality coming from Microsoft.

Hard to believe, but they used to sell products a while ago and had no telemetry.

If you want to see how it's done properly, look at OmniGroup: their apps have toggleable telemetry and it's off by default.


@blub can you explain to me how exactly it's "spying on you"?

There is a difference between collecting information about how many people are using vs whether a particular person is using.

Collecting diagnostic information from Windows application failures/how many failures etc. has been there ever since the Windows 95 era.

Similarly, collecting information about how many people are using dotnet core build/test/publish is similar to how Google/Mozilla tracks how many users are running which version of their product and experience issues.

If Microsoft/Google/Mozilla or any other company uses that information to identify a specific person, that is "effectively spying on you". Until that's not there, the same functionality exists in almost every product. Just a clickbait article.


Spyware is software collecting information about someone without their consent.

Doesn't have to be malicious, doesn't have to be what's legally defined as personal information. The fact that many companies are doing it doesn't make it less inappropriate.

Reputable companies will clearly inform users and ask for their confirmation. Then they respect their choice.

Disreputable companies such as MS or Google take without asking, use dark patterns to trick users, default to always on, reset privacy settings, etc.


As someone who has removed my fair share of spyware infections I'll say "easy now".

I think I'll be happy the day EU and American consumer protection agencies start looking closer into Google's business.

I'd also applaud even more visible information about what exactly gets collected and sent (the old gds "Read very carefully - this is not the usual yadda yadda" would be a good start).

However IMO we shouldn't call legitimate telemetry "spyware". I think that is what you call "crying wolf".


Mozilla asks you, whether you want to send the telemetry.

If you say no, it won't send anything.

No, the settings do not mysteriously reset themselves.


Firefox tracks users with Google Analytics in the add-on settings | https://news.ycombinator.com/item?id=14753546

  "Someone submitted a PR to Mozilla to fix this, and the Mozilla devs closed it"

Impossible to opt-out until about 2 weeks ago.


Come on, that was a bug in the new preferences pages.

The telemetry I was talking about is exactly the one, where you get a bar at the bottom during first launch. Try it, you will see it.


Perhaps this instance was an honest mistake.

The specifics of a custom deal with Google and the circling of the wagons (specifically opinions expressed by multiple Mozilla employees in an official capacity) prior to reversing course does not strengthen that case.

> If you say no, it won't send anything.

This simply wasn't true; I am glad that the implementation was fixed.


> The author must not be used to the new spyware-by-default mentality coming from Microsoft. Hard to believe, but they used to sell products a while ago and had no telemetry.

Yeah well you and the author's first clue should have been when you stopped paying for said products.

And in this specific case, it's really not spying, it reveals pretty much nothing about you and helps them figure out what is used and what fails.


I use a ton of software I don't pay for which also doesn't spy on me.

Or are you making some weird accusations against the FSF and the GNU Project?


Give them time to find new "opportunities" to monetize...

https://news.microsoft.com/2017/07/19/dun-bradstreet-teams-u...


What use is off-by-default? Who turns telemetry on?


Debian pop-con is opt-in. http://popcon.debian.org/


This says that telemetry is the wrong solution then.


Why? Defaults are important and the vast majority don't care (assuming correctly selected telemetry data) and the majority can't be bothered to change the default in either case.

Again I am making a huge assumption about correctly selected telemetry data here but opt in mechanisms won't get even 10% of the data they currently do.


Defaults should respect the user first. Consent has to be given, not taken as a default.

Sure ask up front explicitly but don't in passing invoke the first capture before consent has been taken. That's a shitty tactic.


Collecting basic usage data is not disrespecting the user.


It is when you know you can't persuade them you have a good-enough reason to need it, so instead you don't even try.


In your opinion. Mine differs.


That's not quite correct. More is collected, but the docs are still being updated. [0]

The other things being collected are:

* Geographical location

* Operating system and version

[0] https://github.com/dotnet/docs/pull/2706/files


> For reference, they collect

That's not all that matters. IMO the real decision is: do you /trust/ MS ? Do you trust that they anonymize collected data and that they won't secretly change collected data? Do you trust future MS with that information.

> I'm actually OK with this to be honest

That's perfectly fine if you trust them. Many people don't. Personally I wouldn't trust any dev tool that uploads my usage.


>That's not all that matters. IMO the real decision is: do you /trust/ MS ? Do you trust that they anonymize collected data and that they won't secretly change collected data? Do you trust future MS with that information.

You don't need to trust them. The telemetry code is open source AND they release the aggregate data it collects for anyone to use/inspect.


If it's completely open, how do they keep it from being spammed?


> do you /trust/ MS ?

Why do you have to trust MS? You can read the source code to check for yourself whether sensitive information is sent. You don't have to take Microsoft's word for it.


> That's not all that matters. IMO the real decision is: do you /trust/ MS ? Do you trust that they anonymize collected data and that they won't secretly change collected data? Do you trust future MS with that information.

Bear with me. This seems like the wrong question, but not for the reason you might expect. Rather, I think that it might be wrong because, even if Microsoft acts in completely good faith, it is damn near impossible to anonymise collected data properly [obligatory citation of the 'anonymised' AOL search data]. It doesn't matter whether I trust someone to do something if they (probably) can't do it.


So I assume you don't use web apps.


These tools are not web apps. They work entirely on a local machine. Their fundamental mode of operation is not to run on a remote machine.


Thanks. As I was scanning through the article, this is exactly what I was looking for but couldn't quite see for all the salt.


And, the 'secret' environment variable to disable it is actually printed in the text of the last (installation successful) dialog of the install wizard, at least on OSX for the 2.0.0 preview...


do you actually inspect every github commit, that this won't change?



One of the items added:

> +- Geographical location†

I feel like that's one of the pieces of information I'd expect a new opt-in or notification to appear for at the very least. Did that happen?


well even if they do that now, there is no guarantee that a future release will remove notifications.

just look at the automotive industry in germany. if you give them trust, they probably will do shady stuff, no matter how good their initial behavior was.

never trust a company.


Well, as long as you make sure that the project name doesn't give away anything that could compete with a Microsoft product or that would leak information about some confidential product you are working on...

It's not just independent devs that are using .net. And the name of the company appears often in the assembly.


So this is yet another case of someone blowing something completely out of proportions and spending their time working on something completely useless that will never benefit them.


"Out of proportions" for now. Nothing stops them from changing this later, updating the small print saying "oh we changed that" and blaming you for not checking for changes to their EULA regularly.


If this is your fear how do you use any software?

MS could update your OS to do anything tomorrow, Canonical could hide some literal malware in any number of packages for Ubuntu tonight, Intel could write a backdoor into your machine in its next microcode update.

And OSS doesn't fully prevent this either. GCC could add some kind of nefarious exploit in the next version of its compiler (knowingly or otherwise). Just take a look at the underhanded c competition for just how scary easy it is to hide exploits in plain sight!

I can't even fathom the amount of work it would be to personally review every line of code that goes into your machine from the microcode up to the newest NPM module (even if it were all open and it was possible to do). At some point you need to trust someone else.


That's why betrayals of trust - such as adding spyware that takes data without the user's informed consent ("opt-out") - are such a big problem.

You're right - there isn't enough time to audit everything, so we have to rely on trust. "Relying on trust" means instead of reviewing code, you have to review trustworthiness.



