I haven't bothered because a) opt-out risks a backlash and b) opt-in affects the data so much it becomes useless (much smaller sample and probably self-selecting a certain type of user)
Skimming the comments here, it seems everybody assumes telemetry is always nefarious. I get the distrust of large corporations and other obvious bad actors - but the blanket cynicism for all telemetry here is kinda surprising. Have none of the developers here ever had a need for it themselves?
But you’re totally right - telemetry & crash dumps & analytics are helpful & great for devs who care about the customer UX and don’t use the data for advertising or anything other than fixing & writing good software, so it’s a real kind of tragedy of the commons that we can’t have safe, trustworthy, and pro-consumer telemetry.
I went from building a web app that used Google Analytics and some other kinds of anonymous telemetry (and using that data only for identifying functional software & site issues), to building driver software that absolutely cannot send data out, and I wish for telemetry all the time. Not only is it difficult to understand what users are doing, they usually don’t even know themselves and can’t tell me what happened when things crash. The result is that turnaround times for critical issues are in months, when it could be days or hours if we had crash dumps and analytics, the lack of automated reporting hurts users.
I’m not sure there’s a way to separate the good from the bad, to designate some kinds of telemetry as safe and to be able to trust it while disallowing the stuff we don’t want. If that were somehow possible, if anyone has ideas, I would love to help figure out how to make it a reality.
That's what I do in my apps. And it turns out, that actually increased the quality of the bug reports I got, because users were more invested and willing to cooperate.
People only bother when something has made them really angry about something and need to vent.
This is why default analytics is the correct option. It gets the average people who don't care about forums and usually won't even bother to change many of the settings. The crowd who doesn't open HN first thing in the morning.
> the blanket cynicism for all telemetry here is kinda surprising
Who's providing the telemetry/analytics if not one of the same large corporations?
Many devs say they care about user privacy, but very few seem to care enough not to farm surveillance out to a 3rd-party they have no control over.
Erm. It would be me? The idea was that the app (not a web app btw) would send back data about which features were being used (to a server I control) so I could build up a picture of how often various features were being used relative to other features. Nothing remotely personally identifiable.
That's one I have not heard before
Useless for what
Targeting a certain "type of user" perhaps
"I get the distrust of large corporations and other obvious bad actors - but the blanket cynicism for all telemetry here is kinda surprising"
There is effectively no way for a user to determine whether an actor is "bad" or "good" and that definition may vary depending on the user
The user cannot verify how the data might be used or where it might be transferred. As such, there is almost zero incentive for the data collector not to engage in malfeasance (as the user defines that term); deterrents are lacking
Perhaps there is irony in criticising "blanket" cynicism whilst arguing for "default" telemetry. Both suffer from the same "one size fits all" error
https://factorio.com/blog/post/fff-231
Here, the developer is trying to infer user reasoning and intent
Curiously, he omits the possibility that users would prefer not to send the data
When in fact this is exactly what users indicate they prefer
He pretends that "Don't send" is ambiguous, for example, that despite clicking "Don't send" users actually don't care if data is sent
But there is nothing here that indicates users wanted to send data or that they do not care
Software developers can obviously do whatever they want and they can act against the interests of users
This includes ignoring or explaining away the preferences of their users ("Don't send") and engaging in speculation about user reasoning and intent
The developer here seems dismissive of users' reasons for clicking "Don't send", even though he does not know the reasons and can only speculate. At the same time he expects readers to take his reasons for collecting crash logs as justified. Then he unilaterally decides to remove user choice (the "Don't send" button) and substitute his own choice (send data) as a default
Perhaps lack of developer pre-release testing and quality control is relevant to this discussion. Alas, the problem is framed as one of data collection and user consent where the "solution" is making data collection surreptitious and making "consent" uninformed, implied
Perhaps because the only way to get a large sample size is to target users who are unaware of "defaults", i.e., remove choice
Perhaps when forced to make a choice ("opt-in"), users will not choose to share data (unless the developer uses dark patterns to manipulate the choice)
Why is that
No offense, but if that's the case, you are very new to the discussion. It's been pretty well-documented that opt-out provides orders of magnitude more useful reports than opt-in.
For the best example: Factorio, a game with an almost-exclusively-technical playerbase and extremely well-regarded and community-friendly dev team, which already had a ton of people writing good bug reports on the forums, [fixed 12 crash-causing bugs](https://factorio.com/blog/post/fff-231) within two days after making crash reports automatic and opt-in.
And if it has that much impact for Factorio, you can imagine how much bigger the impact is for non-technical software.
Though if you just want a simple ENV var that handles this WHILE honoring the specification on this page: https://github.com/alloydwhitlock/do-not-track-cli
Plenty of people seem to genuinely believe that “personalized ads” are good for them.
Depending on the study, 0.16% to 7% want to get tracked.
https://noyb.eu/sites/default/files/2025-07/Pay_or_Okay_Repo...
Yes. I know my two thoughts are in conflict, for the advertisers. Too bad for them. Figure it out.
Advertisers are the scum of the Earth, as someone with ADHD who doesn't ever consent to my attention being stolen in that way. I really don't care what their opinion is, since they're intruding into my headspace without permission
No, I'm not making excuses for tracking and I do lots of stuff myself to avoid being tracked
I’m only responding to the false premise that there are no benefits. There are. You can just choose to believe they aren’t worth the cost. I believe they aren’t but I have friends who opt into all tracking and even register their presence with multiple apps. They believe they’ll make more positive connections
Exactly. From my experience: the times I've found an ad relevant and worth clicking is about one-to-a-gazillion. Maybe relevance is higher for others but that still doesn't necessarily translate to real value. (ie. your life was improved in any way)
Also, this all presumes the targeting actually works and the current sea of ads for shoes I just bought disagrees with that. It's all just spam.
The biggest failure of DNT was browser makers - including Mozilla - removing it. It has zero performance impact (1 bit?) or development cost. As long as it was out there, when there was momentum against tracking, advocates had evidence of both demand for privacy and of trackers ignoring user wishes.
This evidence both still exists and is also completely useless for anything. The more important consideration, by far, is that the DNT flag was actively harmful to users in the real world because, if it was acknowledged at all, it was used maliciously to help fingerprint and track users. There is no reason for browsers to continue providing to their users a toggle that not only misleads them about what will happen with the setting enabled, but actively contributes to the opposite outcome because we live in a world where being evil is the norm.
According to https://www.didomi.io/blog/global-privacy-control-gpc-2026 it must also be honored in 11 other states but I'm not familiar enough with the specifics regarding those.
But isn't DNT deprecated in most browsers? Maybe I misremember.
Microsoft knows that; they rendered DNT meaningless:
Browsers only removed it once it was clear that the advertising industry was going to refuse to honor it
Perhaps the "DO NOT TRACK" name is somewhat of an established term, though.
*:analytics=1:google_analytics=0,syncthing:upgrade=1
The specification could go on and on!
I wouldn't have realized this was happening at all if it weren't for the obnoxious HF_TOKEN warning.
Example: the software crashes, and there is a crash handler that asks you if you want to send a crash dump. With DO_NOT_TRACK, the crash handler is disabled entirely, no question, no dump.
If it gets some adoption, that's probably how it will work. Those who have a financial interest in using tracking (ex: ads) probably won't support such an option.
Everyone proclaiming a "standard" is just adding to the long list of (unofficial) alternatives.
https://git.eeqj.de/sneak/consoledonottrack.com/src/branch/m...
Any of those are using a dark pattern and before exploring new ways to opt out you should look for and spend your energy on an alternative which respects your freedoms upfront.
Thankfully, the dotnet package installed by package manager on Arch Linux disables telemetry by default. I left the env set just in case.
But my trust towards "modern" software has lowered. I default to run CLI tools, especially those built in JavaScript or .NET with network disabled:
firejail --net=none
For ilspycmd, for example, I had to defuse its default "update checking" behavior: alias ilspycmd='ilspycmd --disable-updatecheck'
This is what I'd call user-hostile defaults.
Unfortunately big corporations can always find a way to make regulators see no problem.
This is called opt out.
Is anyone maintaining a more complete list of those?
https://web.archive.org/web/20200613155957/https://consoledo...
Opt out should not be encouraged via an off switch. It should be eradicated, and the people who accepted money to write such malware should be plainly named so that such actions can be part of their professional reputation.
If you try to create a standard and almost no one implements it, it’s not a standard and it went nowhere. Its stated goal wasn’t achieved, and the fact its domain and webpage have been abandoned makes that abundantly clear.
There is a reason none of the existing methods use the word "TRACK". Although connecting home can be used for tracking it doesn't have to be.
If a tool uses connecting home for telemetry, implementing "DO_NOT_TRACK" would suggest it does track its users without the setting, even if it may not.
Rename this to "DO_NOT_CONNECT_HOME" and it may be a useful standard.
Many of these tools are source available or supposedly open source, so it can't be that hard to take their tracking endpoints and call them in random order.
It's an ok solution, but will never be implemented, and doing it actively goes against the interest of those who would have to implement it.
I think the only solution is to make it law that you can't track anyone for any reason without their consent, and can't sell consensual tracking data without an additional consent agreement. It would be a huge blow to the advertising industry, so it will never be made law, but it's the only thing that would work.
https://techcrunch.com/2019/07/24/researchers-spotlight-the-... | https://www.eff.org/deeplinks/2023/11/debunking-myth-anonymo...
Not every company will do it well. Simpleanalytics.com seems to be one of the better ones.
But it’s still way better than the alternatives which don’t even try to be anonymous.
You just want local software to...send commands to your Cloud providers?
https://web.archive.org/web/20200613155957/https://consoledo...
I abandoned the project. Opting out of telemetry tells developers that opting us in automatically without consent is OK. It’s not.
Spyware is spyware even if it has an off switch.
Patch it out. Fork it. Don’t use spyware. Name and shame developers that accept pay checks to build spyware for corporations. Make it an economically bad choice to accept such jobs by poisoning the google results for the names of people who do this. Make them ashamed.
The one thing you DON’T want to do is validate their unethical model by opting out when you never opted in.
My point is that there *is* such a thing as software that tries to respect their users. I'm not the only one.
The only tool I have installed currently that does %/"($& like this is Deno (required for yt-dlp now). It phones happily home even if you wrap it into a wrapper script that forces the env variable (in no way I'll pollute my default environment with stuff like this):
$ cat /usr/local/bin/deno
#!/bin/sh
exec env DENO_NO_UPDATE_CHECK=1 /usr/local/packages/deno/latest/bin/deno "$@"
I wish bad dreams to whoever puts such crap into their software! Thankfully I have Little Snitch to catch most of those kind of invasions of my privacy.
[0]: https://github.com/renovatebot/renovate/discussions/42932
export SEMGREP_SEND_METRICS=off
export COLLECT_LEARNINGS_OPT_OUT=true
export STORYBOOK_DISABLE_TELEMETRY=1
export NEXT_TELEMETRY_DISABLED=1
export SLS_TELEMETRY_DISABLED=1
export SLS_NOTIFICATIONS_MODE=off
export DISABLE_OPENCOLLECTIVE=true
export NPM_CONFIG_UPDATE_NOTIFIER=false
The proposed way just normalizes tracking.
It should be much more difficult to collect data than to opt out of collection.
Can someone expound on what they see as a problem?
In addition to the other response: crash dumps are difficult to anonymize, both because useful crash dumps include something like a minidump (or some other small alternative to a core file), and because even without that, any random information from a backtrace may be sensitive (e.g. a URL).
There's nothing wrong with saving a crash dump and giving the user control of whether to submit a bug report.
Users should never be opted in through usage alone of free or paid-for tooling to supply information that isn't part of the function of the tool. Where that is required for a service or product, you should opt-in explicitly, not implicitly.
Your IP during connection exposes your rough location.
Crash logs rarely are completely anonymized so both together can additionally serve as a way to re-identify the user.
The only way to properly transmit telemetry data would be Tor. And no, even then I don’t want my tools to report back my use. It’s simply not required, and data minimization is part of my set of ethics, and I’m happy that EU/GDPR sees it the same way. Not all data that you think is worth something to you is morally right to collect. You send data somewhere, even just to check for updates - ask me first. I do not want my hammer to report back how many nails I hammered in. I don’t want my software to reach out to the world without my consent.
I'm not a daily user of network namespaces, and would probably write a script to do the configuration within a shell (it works a bit like containers). The configuration is inherited by child processes, so you only have to do it once. Basically whitelist the urls you typically use, and maybe let the script popup a dialog asking you to allow access when the firewall catches a domain that is not in the whitelist yet.
I'd prefer TRACK_ME as an opt in.
The reason they will not adopt a common env is that they do not want it to be easy to turn off
We kind of need ublock origin on the operating system level - even more so as the new laws mandate age sniffing of everyone, tied to usage and access to the www (see the concomitant fight against VPN; that is the long road here, the "but but but the children!" is the lie, the cake, the carrot on the stick).
Ultimately one could ask "but the do not track thing is harmless" - the issue still is that I don't agree that my browser should betray me. Naturally since Google controls most browsers, can we trust Google? But, even aside from Google, can we trust other browsers? We need more diversity here again, but also more quality on every level. I consider the do_not_track as actually a you_will_be_marked and thus tracked.
Totally agree! I've built a product doing exactly this in my previous job. I'm building something new & similar now, but much better :-)
Tech people could learn a lot from the BDSM community.
Tech companies regularly violate all 3 principles.
1) Opt-out instead of opt-in is an abusive practice, only you're not getting fucked by a strap-on without realizing it, you're getting profiled and manipulated for monetary and political gain.
2) You have no way to find out how your information is used. Ironic in an age where so many decisions affecting you are made by automated systems where the output can be traced back to individual inputs deterministically.
3) Even if you do your research (=spend your limited time alive by playing zero-sum games with no benefit for you) and opt-out, you can't take back what's already circulating out there.
And the solution is not that crazy - change laws so people own all data about them and all results of using said data, except specific well-defined cases.
Then if a company uses your data without your consent, it doesn't pay a probabilistic tax called fines, it is forced to give you a part of its income and a part of its own ownership.
export ALLOW_TRACKING=telemetry,crash_dumps
and the absence of such a setting means “fuck off, don’t spy on me”. It’s not my responsibility to turn off apps wanting to track me. It’s their responsibility to get me to authorize their specific flavor of tracking.
And they do by burying it in the user agreement you probably agreed to.
Like it or not, it is your responsibility. I agree it shouldn’t be, but let’s be realistic.
They didn't opt out of my data, after all.
.. which is entirely different to the telemetry system where usage stats are reported. You can see that on data.syncthing.net. But again, that's a separate opt-in. The suggested env variable on the site won't turn that off.
It could also be used to prevent showing an opt-in notification at all even in software that requires opt-in.
The first denotes an abstract policy, the second an action that has been done to you in which you were a passive participant. And this is all about our lack of agency.
You may prefer that we speak of abstract policies. But to say "there is no" about an otherwise sensible phrase implies that you think that we have agreed to stay within some fixed set of terminology. I didn't think that we had.
If so put you in by default but you have the option to go out it’s opt-out
So this is either opt-out or not an option at all
Human language does not work like that.
You have to turn it on = Opt-In
You have to turn it off = Opt-Out
Just because the option was added later on doesn’t change that.
Or tell me what’s the difference for me between Opted-In by default and Opt-Out
This flag is sent by my browser when I connect to SOMEONE ELSE’s SERVER.
The internet only took off because the primary business model which ran on ads and derivative information that servers do to their users.
It’s not fun. It’s not private or secure. It’s not illegal (in most jurisdictions for most industries). The flag exists as a response to the de facto and de jure state of the world, not some fairytale scenario.
No? It took off before advertising was widespread as a primary or sole funding business model? Also there's literally nothing about advertising that requires data collection about users. Sure they love to do it, and they might even believe that it helps their profits in some way. But it's not inherent, they got along just fine with billboards and newspaper classifieds. TV ads never required personal information. Nor did pre roll cinema ads, or radio adverts. Nobody was bemoaning in the streets that they couldn't possibly find anything to buy
quite the opposite I would argue:
https://nickyreinert.de/2020/2020-10-24-marketing-killed-the...
No, it's set in your command shell (e.g. bash) and tells CLI programs that support it to not connect to a server. It has nothing to do with browsers or ads. This is all very clear in the article.
Get off your high horse.
Arguable, on the other hand it did kill the internet. (or, almost so far, we'll see whether we rebound after decades of enshittification)
...and promptly, thoroughly ignored.
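Added example (not part of the thread, and not code from any tool mentioned in it): a sketch of how a CLI tool could combine three ideas raised above, namely DO_NOT_TRACK disabling the crash handler entirely, an opt-in allow-list in the style of ALLOW_TRACKING=telemetry,crash_dumps, and saving a crash dump locally so the user decides whether to submit it. The accepted "off" values for DO_NOT_TRACK, the category names, and the function names are assumptions made for illustration.

```python
import os
import tempfile
import traceback

# Hypothetical category names, taken from the ALLOW_TRACKING comment in the thread.
KNOWN_CATEGORIES = frozenset({"telemetry", "crash_dumps"})
# Assumption: these values mean DO_NOT_TRACK is not requested; anything else means it is.
OFF_VALUES = ("", "0", "false", "no", "off")


def do_not_track(env):
    """True when DO_NOT_TRACK is set to anything other than an explicit off value."""
    return env.get("DO_NOT_TRACK", "").strip().lower() not in OFF_VALUES


def allowed_categories(env):
    """Default deny: only categories the user listed explicitly are allowed.

    DO_NOT_TRACK overrides ALLOW_TRACKING, and unknown names (including any
    wildcard) are ignored rather than widened.
    """
    if do_not_track(env):
        return frozenset()
    raw = env.get("ALLOW_TRACKING", "")
    requested = {part.strip().lower() for part in raw.split(",")}
    return KNOWN_CATEGORIES & requested


def handle_crash(env, exc, dump_dir, send):
    """Return (action, path) where action is 'disabled', 'sent' or 'saved_locally'.

    `send` is a caller-supplied callable; nothing in this function opens a
    network connection on its own.
    """
    if do_not_track(env):
        return ("disabled", None)  # no question, no dump
    report = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    if "crash_dumps" in allowed_categories(env):
        send(report)
        return ("sent", None)
    # No consent recorded: keep the report on disk (mkstemp creates it 0600)
    # so the user can read it and attach it to a bug report if they choose.
    fd, path = tempfile.mkstemp(prefix="crash-", suffix=".txt", dir=dump_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(report)
    return ("saved_locally", path)


if __name__ == "__main__":
    try:
        raise RuntimeError("constructed failure for the demo")
    except RuntimeError as err:
        print(handle_crash(os.environ, err, tempfile.gettempdir(), send=print))
```

Because the decision functions take the environment as a parameter, the consent logic can be unit-tested without touching the network or the real process environment.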