Ask HN: Should open-source projects allow disabling telemetry?

I've [argued](https://benconrad.net/posts/230717_fundingOpenSource/) that oss developers need to have real world use information in order to ship good software. Contra some here, I think oss developers that don't understand how users use their software can't maintain or improve it.

justinclift · 2 years ago

Bear in mind that some of the people reading this comment are OSS developers, potentially even ones who write software you're personally using. ;)

> I think oss developers that don't understand how users use their software can't maintain or improve it.

For trivial improvements, that's definitely not the case.

For example, if someone files a GitHub issue saying "please add new menu shortcut XYZ". That's the kind of thing which doesn't directly need in depth understanding of how users are using the software.

More major features though will indeed benefit from understanding how users use it. That's not really a case for telemetry though, rather it's a case of having a wide enough user base that users ask for changes/features/fixes themselves.

Sometimes the users asking for changes/features/fixes is us ourselves. ;)

You are very definitely "in the wrong".

If you want to discuss this in more depth I'll be happy to elaborate and give you ethical guidance, but presently that's probably just adding to the noise.

igorzij · 2 years ago

Thanks! I'm glad we asked. Felt uneasy either way. Also would appreciate any pointers, perhaps someone you know has written on ethics of it?

nonrandomstring · 2 years ago

YVW. I'll have a think about some other sources, especially plain speaking non-academic takes on the ethics that help developers see the issues. For now this one is a good general overview [0].

The big one with telemetry, is unintended side effects due to correlation and deanonymisation - which is actually dead hard to anticipate - very easy to get wrong like rolling your own cryptography :)

The other, around consent and defaults, is that even if your telemetry is perfectly anonymous, benign and beneficial to the end user, you may trigger a security alert and over-zealous investigation and reporting. This can have a massive impact on your reputation, as happened to Audacity. It's really not worth taking the risk.

Hope that helps.

[0] https://www.emerald.com/insight/content/doi/10.1108/S2398-60...

wkat4242 · 2 years ago

Telemetry should always be opt-in. Especially for FOSS.

We shouldn't have to pay with our privacy.

Be aware that the EU is working to make opt in mandatory too. But you won't be their target of course, it'll be the truly evil companies like Microsoft, Meta and Google.

> Give people the “more privacy” button and most are going to press it. Is there a happy medium?

This should really tell you enough. If you already know users don't want to share the info if you would ask them, you're doing the wrong thing by withholding the option.

The big techs spend so much money developing dark patterns exactly for this reason.

viraptor · 2 years ago

"We feel like it’s a fair ask" - exactly - it's a fair ask, so the user should decide. Nobody can force you to change your mind, but if you don't, prepare for forks with the option disabled.

Also, the issue is not really about that - it's about the submitted data not being anonymised. That's the bare minimum you should be doing regardless of the information being opt-in/out.

asadotzler · 2 years ago

The user can decide, by not using the software.

Sure, but for opensource it also means the user can maintain a forked version. It's up to the project to decide if they prefer to fight over privacy, have a fractured community, and possibly custom patched packages in some distributions - or do they explicitly ask about telemetry instead.

And in practice, do you gain enough from active collection to justify the fight? What about instead searching GitHub for digger being used in the public pipelines and building stats from that?

nusl · 2 years ago

The software should give you an immediate notice before you use it at all, then, and make you agree explicitly. That way they can say no. Otherwise you’re just abusive.

calamari4065 · 2 years ago

That's not a choice, that's an ultimatum.

andymoe · 2 years ago

You are in the wrong PR wise probably. Generally I think providing a way to opt out has become the path many projects take.

Anyway, their main beef appears that you are not properly anonymizing the telemetry.

Thanks! This is helpful. None of us at Digger have led or maintained significant OSS projects before - so discovering things as we go

bcon · 2 years ago

I would straight-up uninstall your project and take any measures possible to remove myself from your platform (if any) if I discover an underhanded change like this.

A medium? Ask people. FOSS is different. There is a level of expected transparency and trust along with it that you can’t get back when broken. Changes like this are a very easy way to break that trust. Trust is everything here.

I expect to be tracked by commercial tools for the most part, but I still try to control how.

How would you feel if a trusted tool changed something you deem important without telling you? Generally a response is feeling betrayed.

The fact that someone skilled enough took time out of their lives to make this PR means that it matters enough to seriously reconsider.

eternityforest · 2 years ago

I think they should always allow it, just simply because... if you don't you might lose users, they might fork it and make a privacy-first version, then we get more fragmentation.

FOSS has so much fragmentation trouble already.

mtmail · 2 years ago

You should allow disabling it. The wording "allows collecting anonymised usage and debugging data" in the documentation doesn't make it clear enough that the data is send to the company servers.