[CJefferson]

I'll be honest, I don't really see the complaint here.

The telemetry goes to telemetry.dropbox.com. You get this telemetry because you have installed the Dropbox desktop app, which means Dropbox already has lots of access to your machine. If this telemetry just went back mixed with normal Dropbox communications (like most apps), would people even be aware of it?

There doesn't seem to be any discussion of what the telemetry actually is, just annoyance it exists.

[WhyNotHugo]

> I'll be honest, I don't really see the complaint here.

There is no explicit consent.

[sharken]

Exactly, as a paying user having the option to disable telemetry is not unreasonable.

Too bad Dropbox does not see it that way.

[bheadmaster]

I see a trend of software engineers that don't see users as someone who they are providing service to - they see them as just one element of a machine they're optimizing to make their software better. They feel that the engineering quest itself is the most important thing in the world, so they feel entitled to any and all data they are technically capable of collecting.

It's a shame. I wish more engineers would see things through Richard Stallman's eyes, and realize that software is supposed to serve its users, not its creators. But, as the saying goes: "It is difficult to get a man to understand something, when his salary depends on his not understanding it."

[weberer]

If you asked me which part of the company decided to shove telemetry in the product, my last guess would be the software engineers.

[rcxdude]

There is a reason it's popular: it's extremely useful for software development to a) have actual hard data on how your software is being used, and b) have a large selection of crash data for debugging rare issues. If it's not the software engineers who want it, it's the technical management who see the immense value in having it.

[weberer]

You're forgetting the monetary incentives. It allows companies to collect personal data of every user and sell it to "our partners" to build larger marketing profiles.

[bheadmaster]

I'm not sure.

There was an opt-out telemetry proposal in Go [0], which caused a huge backlash. The proposal authors were so focused on the benefits of the telemetry, that they did their best to invent all kinds of very convincing arguments why their telemetry is okay, useful, not intrusive, etc. etc. They completely ignored the ethics of the problem - that they are not entitled to users' data without consent.

It took a very dramatic reaction from the community to convince them that adding opt-out telemetry without users' explicit consent is a bad idea, no matter how "non-intrusive" and "helpful" it is.

[0] https://github.com/golang/go/discussions/58409

[intelVISA]

SWEs in those camps are mostly "just following orders" I've heard.

[Xeamek]

That depends what telemetry though. Assuming this telemetry is purely about app's performance and behavior and is trully anonymous(I know that's big assumption, for sake of the argument let's believe it is the case), taking away from devs informations about whether or not the app is working well, is indeed quite unreasonable

[senko]

Indeed, as a paying user I would also want an option to disable them reading the files off my disk.

To bad they just start scanning everything in ~/Dropbox.

[CJefferson]

But dropbox already has huge amounts of information about you, in particular the names, contents, and history of all of your files.

[zorked]

They have consent for that. It's not hard.

Also consent to store does not imply consent to read, process, make use of.

[NoZebra120vClip]

I keep searching xkcd, but all my efforts are frustrated, and this is as close as I get:

https://xkcd.com/908/

I distinctly recall a webcomic in the past few years lampooning cloud storage. There was a guy who said "hey, there's this guy down the street who lets me keep stuff on shelves in his garage." "What does he charge you?" "Nothing, he says it's just cool if I keep it there." and then the stuff is sold off or tampered with, the guy is irate, and the moral of the story is essentially "why did you trust a random guy with a garage to keep your stuff?"

[zamnos]

https://xkcd.com/1150/ ?

[NoZebra120vClip]

THANK YOU, zamnos! No wonder I couldn't find it. It was a current-events piece about a change in Instagram's TOS. Explanation here: https://www.explainxkcd.com/wiki/index.php/1150:_Instagram

[alkonaut]

It's polite to be transparent about telemetry, but it's not like there is a requirement in any regulation anywhere to ask for explicit consent (e.g. similar to how GDPR works when PII is involved)

[WhyNotHugo]

There might not be a hard legal requirement, but it's still a valid complaint.

There's no legal requirement for someone to be polite to a cashier at a supermarket, yet complaining when somebody is an asshole is still a valid complaint.

[krono]

You're mixing several things together here. Transparency is one of GDPRs cornerstones and very much not just nice to provide, but a deeply serious and non-negotiable hard requirement regardless of how you legitimise the data collection.

[alkonaut]

What I’m saying is that the GDPR is irrelevant unless there is data collected that counts as PII. Collecting non PII isn’t covered by the GDPR.

So yes there are two things: GDPR which is irrelevant here, and storage of non-PII which should be done transparently because it’s polite to be transparent, but not a regulatory requirement.

[marcosdumay]

Well, to be fair, if there is no PII, the telemetry isn't relevant at all and nobody should be concerned by it. (Except for the people that are concerned they will A/B test their software into exhaustion and optimize it into an abomination; but that's not a loud crowd.)

All the complaints are about them collecting PII. Even if they say they don't, the concern is that they could be lying, or change easily, and nobody would know.

[krono]

False, I will rephrase: it is a regulatory requirement under the GDPR to disclose the fact that you are collecting data, to provide a detailed and easily accessible specification of the information contents, a precise definition of how this data is processed and used, and your legal justification(s) for doing so, and to do so for each separate type or kind of collection involving individuals, regardless of whether this includes any PII or not.

The few exceptions that exist are only applicable in cases where there is no potentially identifiable data collected at all, which is obviously not the case here.

Here is a very accessible (although non-official) GDPR resource that I've come across: https://gdpr-info.eu/

Obligatory "I am not a lawyer" disclaimer :)

[alkonaut]

> it is a regulatory requirement to disclose the fact that you are collecting data

Not if the data isn't PII, no. Not in any way shape or form.

> The few exceptions that exist are only applicable in cases where there is no potentially identifiable data collected at all

The whole point of collecting "anonymous usage data" (which is what telemetry usually does) is that it shouldn't be possible to attribute to a physical person, and thus not be PII. As an extreme example, you could take the most typical form of telemetry: a feature usage count. When a feature is used, the telemetry collects a (+1) for that feature. The only long term stored data is the total count N for each feature across the entire user base. Of course there is no PII stored.

> which is obviously not the case here.

Why do you say that it's "obviously" not the case, when there is no indication about what data it is, other than the Dropbox representative saying precisely that there is no PII collected so the GDPR isn't relevant? There may be PII (in which case they are both at fault for not disclosing, and complete asshats for lying in the support forum). But it would be a pretty uninteresting discussion once one assumes that...

Obligatory "I'm not a lawyer either but I've implemented telemetry in software and had those implementations thuroughly analyzed by lawyers a couple of times"

[Tepix]

In particular, consent may be a requirement by the GDPR.

[alkonaut]

It's obvious from the discussion that the GDPR isn't an issue here as there is no PII involved (as should be the case with all telemetry)

[zamnos]

The GDPR lists IP addresses as PII, and not to be all "your IP address is leaking" but in order to send the telemetry, your computer's IP (or that of your VPN) is being sent to Dropbox, potentially to be logged.

[planede]

AFAIK, it's only an issue if it's actually logged. Also, pretty much all services need to know the IP address during a session. It's fine if it's only used for the purpose of providing the service and not logged.

[alkonaut]

That’s not a GDPR issue other than if stored. And remember this is an app that already must send requests to the same place in order to function at all.

[zamnos]

Yes but because your computer is sending its IP to Dropbox, you can't say, a priori, make the claim that the GDPR isn't an issue.