Readit News logoReadit News
Posted by u/segfault22 7 months ago
Performance and telemetry analysis of Trae IDE, ByteDance's VSCode forkgithub.com/segmentationf4...
Hi HN, I was evaluating IDEs for a personal project and decided to test Trae, ByteDance's fork of VSCode. I immediately noticed some significant performance and privacy issues that I felt were worth sharing. I've written up a full analysis with screenshots, network logs, and data payloads in the linked post.

Here are the key findings:

1. Extreme Resource Consumption: Out of the box, Trae used 6.3x more RAM (~5.7 GB) and spawned 3.7x more processes (33 total) than a standard VSCode setup with the same project open. The team has since made improvements, but it's still significantly heavier.

2. Telemetry Opt-Out Doesn't Work (It Makes It Worse): I found Trae was constantly sending data to ByteDance servers (byteoversea.com). I went into the settings and disabled all telemetry. To my surprise, this didn't stop the traffic. In fact, it increased the frequency of batch data collection. The telemetry "off" switch appears to be purely cosmetic.

3. What's Being Sent: Even with telemetry "disabled," Trae sends detailed payloads including: Hardware specs (CPU, memory, etc.) Persistent user, device, and machine IDs OS version, app language, user name Granular usage data like time-on-ide, window focus state, and active file types.

4. Community Censorship: When I tried to discuss these findings on their official Discord, my posts were deleted and my account was muted for 7 days. It seems words like "track" trigger an automated gag rule, which prevents any real discussion about privacy.

I believe developers should be aware of this behavior. The combination of resource drain, non-functional privacy settings, and censorship of technical feedback is a major red flag. The full, detailed analysis with all the evidence (process lists, Fiddler captures, JSON payloads, and screenshots of the Discord moderation) is available at the link. Happy to answer any questions.

kiitos · 7 months ago
In the OP screen share, they toggle various telemetry options on and off, but every time a setting changes, there is a pop-up that says "a setting has changed that requires a restart [of the editor] to take effect" -- and the user just hits "cancel" and doesn't restart the editor. Then, unsurprisingly, the observed behavior doesn't change. Maybe I'm dumb and/or restarting the editor doesn't actually make a difference, but at least superficially, I'm not sure you can draw useful conclusions from this kind of testing...

edit: to be clear I see that they X-out the topmost window of the editor and then re-launch from the bottom bar, but it's not obvious that this is actually restarting the stuff that matters

segfault22 · 7 months ago
Tested both ways, telemetry stays the same, the prompt is to restart IDE but i wanted to disable both Telemetry options before i do it.
Aurornis · 7 months ago
Thanks for watching and catching that. It seems like a major oversight for the core claim: That disabling telemetry doesn’t work. If a restart is required and the tests ignored the restart warning that would invalidate the tests.

Either way, it’s useful to see the telemetry payloads.

pmxi · 7 months ago
See the authors response. He or she says it doesn’t matter either way

https://news.ycombinator.com/item?id=44706580

barkingcat · 7 months ago
There's also the Eclipse VScode-look-alike-reimplementation called TheiaIDE

https://theia-ide.org/

It was rough a few years ago, but nowadays it's pretty nice. TI rebuilt their Code Composer Studio using Theia so it does have some larger users. It has LSP support and the same Monaco editor backend - which is all I need.

It's VSCode-with-an-Eclipse-feel to it - which might or might not be your cup of tea, but it's an alternative.

kookamamie · 7 months ago
> Try Theia IDE online

click

> Please login to use this demo

close tab

lastdong · 7 months ago
Agreed not the most well thought landing page, but the explore page gives a good insight of how it’s being used and what it looks like: https://theia-ide.org/theia-platform/

(Scroll down to Selected Tools based on Eclipse Theia)

Deleted Comment

bobajeff · 7 months ago
The feature that keeps me from moving off of vscode is their markdown support. In particular the ability to drag and drop to insert links to files and images *. Surprisingly, no other editor does this even though I use it all the time.

* https://code.visualstudio.com/Docs/languages/markdown#_inser...

newlisp · 7 months ago
It's also a good alternative to Obisdian if you don't need smartphone support.
chatmasta · 7 months ago
Obsidian supports this. (Or at least, it supports pasting an image from clapboard so I’m assuming drag and drop works too.)
pritambaral · 7 months ago
Interesting.

I belong to the class of people who believe in customising their tools as they please. So I'd have written an Emacs package to do this. But then again, this is Emacs, so someone's probably already done it. Oh, here it is: https://github.com/mooreryan/markdown-dnd-images

Sn0wCoder · 7 months ago
Thank you! The timing of this comment is perfect
barrenko · 7 months ago
But if I'm not wrong here, this is also just the VS Code / Electron still?
oaiey · 7 months ago
It is electron and monaco (the text editor itself), but there is a lot more to VS Code / Theia than this two parts.
v3ss0n · 7 months ago
Yeah , INSEAD of forking vscode which is not modification friendly they should justuse theia because it is maintained to be modular and allowed to be used like a Library to build IDEs of your choice.
v3ss0n · 7 months ago
Whoever disagreed and downvoted can you explain me why?
jeffbee · 7 months ago
Google Cloud Shell is also Theia. I think it is fairly popular.
bayindirh · 7 months ago
Eclipse (as in ecosystem) is fairly popular in Enterprise, but since it exposes all the knobs, and is a bona fide IDE which has some learning curve, people stay away from it.

Also it used to be kinda heavy, but it became lighter because of Moore's law and good code management practices all over the board.

I'm planning to deploy Theia in its web based form if possible, but still didn't have the time to tinker with that one.

fHr · 7 months ago
eclipse still is alive holy shit
andylynch · 7 months ago
Installing the VSCode extension pack for Java runs a headless version of Eclipse JDT under the hood, which isn’t quite what I think of as lightweight.

Deleted Comment

spyridonas · 7 months ago
Great analysis, well done ! Since you've already done VSCode, Trae, Cursor, can you analyse Kiro (AWS fork). I'm curious about their data collection practices.
cuuupid · 7 months ago
Anecdata but Kiro is much, much, much, much easier to put through corporate procurement compared to its peers. I'm talking days vs months.

This is not because it is better and I've seen no inclination that it would somehow be more private or secure, but most enterprises already share their proprietary data with AWS and have an agreement with AWS that their TAMs will gladly usher Kiro usage under.

Interesting to distinguish that privacy/security as it relates to individuals is taken at face value, while when it relates to corporations it is taken at disclosure value.

ameliaquining · 7 months ago
This seems perfectly rational. If you're already entrusting all your technical infrastructure to AWS, then adding another AWS service doesn't add any additional supply-chain risk, whereas adding something from another vendor does do that.
fjghajkhdfgjlk · 7 months ago
I would be interested to see a similar analysis of ByteDance's video editor, CapCut (desktop version). The editor itself is amazing, IMO it has the best UI of any video editing software I've used. Surely, it's full of telemetry and/or spyware, though, but it would be good to know to which extent. I couldn't find any such analysis.
cchance · 7 months ago
Am i the only one that finds

    System Information: Hardware specs, OS details, architecture
    Usage Patterns: Active time, session duration, feature usage
    Performance Metrics: Response times, resource consumption
    Unique Identifiers: Machine ID, user ID, device fingerprints
    Workspace Details: Project information, file paths (obfuscated)
Not to really bad that obtrusive? Like i don't really see anything there that i'd be offended in them taking?

user3939382 · 7 months ago
I don't want any program on my computer including the OS to make any network calls whatsoever unless they're directly associated with executing GUI/CLI interactions I have currently undertaken as the user. Any exception should be opt-in. IMHO the entire Overton window of these remote communications is in the wrong place.
tonyhart7 · 7 months ago
Yeah but this is industry standard

not saying this is good but everyone do this

Dead Comment

ipaddr · 7 months ago
I would not want to share these:

Unique Identifiers: Machine ID, user ID, device fingerprints Workspace Details: Project information, file paths (obfuscated)

Plus os details.

I'd rather none.

maven29 · 7 months ago
How do you do abuse detection for free-tier without these?
macintux · 7 months ago
I always want the choice to be mine.

I was interested in learning Dart until the installer told me Google would be collecting telemetry. For a programming language. I’ve never looked at it again.

FuturisticGoo · 7 months ago
It can be disabled btw. And no telemetry is collected on first run.

I keep it disabled for both Dart and Flutter.

ragequittah · 7 months ago
As a somewhat paranoid person I find this level of paranoia beyond me. Like do you own a car? Or a phone? A credit card? Walk around in public where there's cameras on every block? I don't agree with it at all but the world we're living it makes it impossible to not be tracked with way more than (usually anonymized) telemetry data.
pigbearpig · 7 months ago
Seems like a lot, especially after checking "disable telemetry"
dontdoxxme · 7 months ago
"file paths (obfuscated)" -- this is likely enough for them to work out who the user is, if they work on open source software. They get granular timing data and the files the user has edited, which they could match with open source PRs in their analytics pipeline.

I suspect they aren't actually doing that, but the GDPR cares not what you're doing with the data, but what is possible with it, hence why any identifier (even "obfuscated") which could lead back to a user is considered PII.

bhaney · 7 months ago
Yes, you're the only one.
ivanjermakov · 7 months ago
Imagine your text editor sending network data to unknown resources and there is no way to disable that
Natthaphon · 7 months ago
Honestly, I found this whole thread kind of strange. There’s nothing here beyond what most connected IDEs — or even basic office software — already collect by default.

It feels like the goal was more about grabbing attention than raising a real issue. But sure, toss “ByteDance” and “data” into a headline and suddenly it’s breaking news. I'm just tired of this kind of "Big News"- it's boring.

lordofgibbons · 7 months ago
I'm not sure if you were being sarcastic, but I honestly don't think how it could possibly get any more intrusive without directly uploading files.
drewbitt · 7 months ago
They don't want telemetry ever disabled, even for a minority of people who do toggle it off. Why?
imglorp · 7 months ago
Disabling telemetry might be interpreted as a self-indicated signal of "I have something to hide", so they jack up the snooping.
sejje · 7 months ago
Or "I'm a power user" of sorts. Probably a very small minority of users fiddle that setting.

Dang said a similarly small minority of users here do all the commenting.

HPsquared · 7 months ago
I suspect many (or all) VPNs probably do secret logging. People will do their most interesting secret activities on those.
qiine · 7 months ago
almost as if it was a trap... ;p
ethan_smith · 7 months ago
It's a dark pattern called "placebo controls" - giving users the illusion of choice maintains positive sentiment while maximizing data collection, and avoids the PR hit of admitting telemetry is mandatory.
msgodel · 7 months ago
Telemetry toggles add noise to the data at the very least. IMO it's part of the reason you're actually better off with no client-side telemetry at all. Obviously they see it the opposite way.
viraptor · 7 months ago
That's assuming this is intended behaviour rather than just a bug that they don't care about fixing.
yard2010 · 7 months ago
Occam's razor. Not Hanlon's.
asciii · 7 months ago
Great write up OP!

Your analysis is thorough, and I wonder if their reduction of processes from 33 to 20...(WOW) had anything to do with moving telemetry logic elsewhere (hence increased endpoint activity).

What does Bytedance say regarding all this?

hollowonepl · 7 months ago
I so much like the fact that I've come back to TUI (helix editor) recently.

I'm trying ZED too, which I believe as a commercial product comes with telemetry too.. but yeah, learning advanced rules of a personal firewall always helpful!

garettmd · 7 months ago
How are you finding it compares to just using [Neo]Vim with all the plugins and custom configs? What improvements does it offer?