by jiggawatts 973 days ago
No answer is forthcoming from the VS Code team, because they know you won't like the answer.

Microsoft trawls their[1] endpoints mercilessly for every bit of telemetry that they possibly can, and they go out of their way to prevent customers from disabling this.

Windows 10 or 11 with Office requires something like 200+ individual forms of Microsoft telemetry to be disabled!

Notably:

- They keep changing the name of the environment variables[2] that disable telemetry. For unspecified "reasons".

- They've been caught using "typosquatting" domains like microsft.com for telemetry, because security-conscious admins block microsoft.com wholesale.

- Telemetry is implemented by each product group, which means each individual team has to learn the same lessons over and over, such as: GDPR compliance, asynchronous collection, size limiting, do not retry in a tight loop forever on network failure, etc...

- Customers often experience dramatic speedups by disabling telemetry, which ought not be possible, but that's the reality. Turning off telemetry was "the" trick to making PowerShell Core fast in VS Code, because it literally sent telemetry (synchronously!) from all of: Dotnet Core, PowerShell, the Az/AAD modules, and Visual Studio Code! Opening a new tab would take seconds while this was collected, zipped, and sent. Windows Terminal does the same thing, by the way, so opening a shell can result in like half a dozen network requests to god-knows-where.

[1] You thought, wait... that it's your computer!? It's Microsoft's ad-platform now.

[2] Notice the plural? It's one company! Why can't there be a single globally-obeyed policy setting for this? Oh... oh... because they don't want you to have this setting. That's right... I forgot.

Windows: https://learn.microsoft.com/en-us/windows/privacy/configure-...

PowerShell: https://learn.microsoft.com/en-us/powershell/module/microsof...

DotNet Core: https://learn.microsoft.com/en-us/dotnet/core/tools/telemetr...

Windows Terminal: https://github.com/microsoft/terminal/issues/5331

Az module: https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure...

Etc...

4 comments

> They've been caught using "typosquatting" domains like microsft.com for telemetry, because security-conscious admins block microsoft.com wholesale.

This seems interesting. Do you have any references for this? I would assume that the main use of such typo-squatting domains is a simple redirect, a la [0][1].

[0]: https://gogle.com

[1]: https://gooogle.com

We need a "just say no" campaign that boycotts companies employing these slimy behaviours.

I've been boycotting Microsoft for around 25 years now... But I've noticed most people, even in the tech world, don't mind supporting companies with slimy behavior.

Microsoft’s own telemetry solutions (AppInsights/LogAnalytics) seem perfectly capable of handling async/buffering/backoff etc.

I agree there should be a single place, at least in Windows, to control Microsoft telemetry on a per-app basis. It should be very easy to accomplish. On other platforms less so.

In a desktop product I do for work we had the dilemma of opt in/out and showing the query clearly and hiding it in settings. We ended up with the middle ground of showing it but having the checkbox checked (so uncheck to opt out). We were still worried this would leave too few opting in but it meant over 95% did.

For command line I’d be 100% happy with a note on first use describing that telemetry is enabled and how it is disabled. Leaving it disabled by default and requiring user action to enable is not realistic in such a situation.

A pre-enabled checkbox is invalid for obtaining GDPR consent.

We are assuming here (incorrectly or not) that since no PII is transmitted or stored, the GDPR doesn’t come into play, and the consent is just asking for permission and not “GDPR consent”.

Of course it’s impossible to actually transmit anything anywhere without including the source IP in the HTTP header - a fact we are ignoring completely. But that’s similar to the topic of this discussion: Microsoft does exactly this under the same assumption, that non-PII data can be sent (even via HTTP) without GDPR coming into play. Otherwise they couldn’t have it enabled by default. If there is a ruling that says otherwise then everyone will need to change.

It could also be that first party servers (Microsoft app talking to Microsoft servers) is acceptable and then everyone would route telemetry to their own servers.

I haven't checked how they handle it for VS Code, but you probably agreed to some terms before using it, and they're probably relying on legitimate interest.

My GDPR is quite rusty anyhow.

This is why O&O ShutUp is invaluable.

Is it fairly effective these days?

To the best of my knowledge, yes.