Google's Go may add telemetry that's on by default Russ Cox, a Google software engineer steering the development of the open source Go programming language, has presented a possible plan to implement telemetry in the Go toolchain. However many in the Go community object because the plan calls for telemetry by default. These alarmed developers would prefer an opt-in rather …
If you actually read the blog posts detailing the proposal, you'll see they are very much NOT suggesting collecting that level of detail. Only course-grained information like operating system version (e.g. Windows 8, but not which service pack, or gcc version 9 but not which minor version or build). That can inform important decisions like what to continue maintaining support for. It's also coarse enough to prevent fingerprinting. I'm not saying the proposal is without trade-offs, but it's sad to see a knee-jerk reaction to the word "telemetry" from people who haven't even investigated what exactly is being proposed.
A culture which is so resistant understanding another persons perspective or agency that the idea of consent becomes and alien concept.
I wonder if they would get invited to more parties if they stopped using that line of logic. "We can't give people the option to choose because everyone hates the idea and no one will let us if we ask"
Blinded by the "look! it's free!" most people didn't understand that software products created as side products of the surveillance industry must support the main business - that from which real money comes from. Meanwhile paid for products have been almost killed because you can't compete in the minds of many with something that is "free".
So these developers should blame no one but themselves for allowing Google & C. to reach this dominant position - they will shove down people's throats whatever they like, and there will be little or no alternatives. The IT world is rotting among the ads and surveillance pollution - but unless people are ready to pay again for software - and vote with their money what features are acceptable and which are not, there's no solution.
> I wonder if they would get invited to more parties if they stopped using that line of logic. "We can't give people the option to choose because everyone hates the idea and no one will let us if we ask"
Ah, the classic Jacob Rees-Mogg argument https://youtu.be/eLqfyv2XuU8
So you want to improve your software. You don't have a marketing/testing group dedicated to getting users into a lab and observing how your software is actually used. In fact you don't even have a dedicated group collating problem reports to divine problem areas that need attention. All you have is people loudly griping at you demanding effort in directions that will directly benefit only 'some' users. Who can know if fixing XYZ before SRQ will best benefit users, and without breaking some feature you didn't know was still in use?
Now if adding a useful tool - telemetry - takes a non-trivial amount of work - very likely - then doing so without any assurance of return actually damages the project by using resources for naught. So the opt-in / opt-out decision is simply how to get a benefit from the new feature, or else just not do the feature.
Though perhaps without the telemetry, the slow drip-drip of confusion and inefficiency will cause those resources to rust away anyway?
It seems that, yes, the GO language users will get to pick how easily the language developers will be supporting them. Wonder how the GO language developers will like being appreciated so nicely.
Nothing you say is in and of itself wrong. But the straw man you so slyly prop up belies the fact that the devs needs to be fully in control of this slurpage; if the devs decide they want all that stuff, then they must actively set it up and control it. And that is the quintessential semantic underlying "opt-in".
You know, its funny that all those so adamant about force feeding slurpage into Go have yet to identify what the defaults are. In the article, there was some noise about having to set up a server to receive this telemetry. But if the devs are not fully aware of this (or can't be arsed to deal with it), then where does all the unsolicited slurpage go? Someplace chocolatey, I wot.
However did people cope before the lazy and intrusive option of telemetry came along? I assume that no one managed to write good code at all and delivery features without focus groups, without feedback and forums, hell without even knowing what the pain points were without writing in the language themselves...?
"Without the telemetry, the slow drip-drip of confusion and inefficiency will cause those resources to rust away anyway?" - because that stopped Rossum writing Python since 1990, and Java never evolved beyond version one in 1995, and C of course is stilll primitive and inefficient (ok bad choice).....
But we will take the easy way and slurp the data, and hey it's the users data but they are just scummy users, we are the *developers* so we are gods and rockstars and get to do what we can... I wonder how the users will feel about their data being stole away - no - the one thing I can be sure of is that the Chocolate Factory never even considered what the users feelings were. Just how much they can screw them over.
You want to try this - go ahead. I'll be doing what I do to all the data slurping - writing an app to poison the well and truly trash the data that you get from me - beause it will bear no resemblence to reality.
This post has been deleted by its author
This post has been deleted by its author
Typical modern techbro -- reinvents The Wheel, claims its all modern and wonderful (except that it appears to be square with an offset axle "to improve the user experience").
Of course we use telemetry in our prototype code. We've been doing it for decades. We just don't need to tell Big Brother all about it -- and we remove it before we make production versions.
You have confused two different sets of developers here:
The compiler developers want the telemetry on the functions being used in the compiler.
To do that they need telemetry from developers using the compiler in the real world on their own projects.
So the developers who are crying out for the data are not the set of developers who would need to enable it. Theres no logical disconnect here, just two different groups of people, both called "developers". I have no problem with people adding telemetry to their own code. [ though the argument of "how do you know its not sending dat about what it is compiling?" is valid ]
> “developers have been crying out for the ability to see what functions in their code are being used, and it’ll be really useful for them…"
Citation needed...
Now, if I had a need of telemetry in my app, I would go and add something to activate it. I would not expect this to phone home by default. I would not expect my app to contain much more logic than I coded into it, and would definitely object to having phone home features and non-core related functionality that I didn't explicitly put there or expect to be there, getting added in behind my back...
if you make it always on or even worse unable to be stopped or blocked.
I would not put it beyond Google to make Go apps talk to 'Big Brother' and if it can't acks from the mothership the app stops working.
The vast majority of us hate the telemetry that MS has put into Windows. We have been very vocal about it. Surely Google has seen the resistance? Nah. Google is Big Brother and what Big Brother says goes. You will obey...
I'll stick with developing in C and where a GUI is needed, I'll use Lazarus thank you very much.
The vast majority of us hate the telemetry that MS has put into Windows. We have been very vocal about it. Surely Google has seen the resistance? Nah. Google is Big Brother and what Big Brother says goes. You will obey...
Cox knows this, and makes the very point, although uses Amazon collecting page turns as an example-
https://research.swtch.com/telemetry-intro
When you hear the word telemetry, if you’re like me, you may have a visceral negative reaction to a mental image of intrusive, detailed traces of your every keystroke and mouse click headed back to the developers of the software you’re using. And for good reason!
Yep. In large part due to the behaviour of Cox's employer in hoovering up every piece of personal and private data they can possibly get their hands on, by a variety of deceptive and often illegal means. But it's fine*..
IP addresses exposed by the HTTP session that uploads the report are not recorded with the reports.
The Go team at Google would run a collection server. Each week, with 10% probability (averaging ~5 times per year) the user’s Go installation would download a “collection configuration” to find out which counter values are of interest to the server and at what sample rate.
To which the obvious answer would be "Go fsck yourself". It's all about the phrasing. IP addresses, or other personal identifiers should just be "not recorded". Problem comes with the qualifier "with the reports", because that means AlphaGoo collects all that stuff, records it, correlates it, flogs it to advertisers etc etc. And I'm sure Cox really meant to say HTTPS, not HTTP.
One possible solution is to keep AlphaGoo far, far away from the collection server, because Google does evil, and can't be trusted. So have the collection server running in a trusted domain, independent from AlphaGoo. That would allow Go to comply with Data Retention Directives, and provide at least a veneer of trust.
*Pun intended because AlphaGoo regularly gets fined for privacy violations. But carries on doing it anyway because although the fines sound large in their intial press releases, they're just an Opex. The fact that Big Tech hasn't changed it's behaviour at all would appear to demonstrate the value they see in mass privacy invasion exceeds the fines. How else are their AIs and algorithms going to push ads or content we're just not interested in, unless they can get TIA on their 'customers'?
"These alarmed developers would prefer an opt-in rather than an opt-out regime, a position the Go team rejects because it would ensure low adoption and would reduce the amount of telemetry data received to the point it would be of little value TO GOOGLE."
This is either transparently dishonest, or incredibly stupid, or a bit of both.
Either option satisfies developers who want the telemetry data more than they want privacy, and that's between them and their userbase.
Only opt-out satisfies Google, however, because they've built a global empire on the concept of monetizing and managing ignorance.
Pretending that this choice is for the benefit of users and developers is absurd.
Definitely on-brand though. Points for consistency.
having done some big 4 work,
Many people view the Go team considering collecting data as a sign that the Go team is not necessarily more trustworthy than its parent company
Fiduciary dependency i.e. getting your salary from the larger company does in fact yes make you their "bitch". thus given the volume of money they have, means that by choosing to increase or decrease the flow thereof they do in fact cause a situation of "not more trustworthy than the party you get the money from". Please do change your auditors mind that giving someone more money gives them more freedom and makes them more trustworthy. Call me when done. Also hold your breath until this becomes == true.
Others, particularly in the ad industry, but in other endeavors as well, see opt-in as an existential threat. They believe that they have a right to gather data and that it's better to seek forgiveness via opt-out than to ask for permission unlikely to be given via opt-in.
Well, yeaaaahh! Of course those fuckheads would think that. But perhaps I missed where such a right was conferred upon ad-slingers (or for that matter, anyone) in the first place.
Anyone? Buehler?
"What, allow you mopes to slurp any of my data, and sell it indiscriminately to all and sundry? Fuck yeah! Where do I sign?" said nobody to anyone ever....
You should click on the link and read the entire thread. GDPR was raised and, unless I missed the reply(ies), not replied to at all by rsc or the other snoper-champion.
Its as if they've been instructed that they're adding opt-out telemetry and they now have to sell that to the userbase or they'll get laid off...
Imagine if every company who currently harvests metadata had to pay government tax or levy on every uncompressed byte transferred, and a second yearly charge for every byte of metadata stored or archived. I wonder how much that would reduce global telemetry. I suspect that it would be taxed out of existence.
But of course that would never happen, because far too many three and four-letter acronym agencies around the world piggyback on the metadata harvesting by commercial metadata aggregators to get around pesky little things like laws that should technically be preventing them from carrying out such action themselves.
I just want them to pay me for my data with cash money, not free tools. Free or paid, they slurp the data regardless, so evidently it's worth something. These companies are worth probably in the trillions, truth be told, so MV wants to wet his beak to the tune of 10,000 a year licensing fee for access to my data. Doesn't mean you'll get any, because I'll still do my best to stop the slurpage, but if you do succeed in getting it, you'll have a license allowing you to use it. If you don't want to pay the licensing fee, keep your fingers out of my life.
They do not pay taxes and would be immune to this. But you would be cutting down on the metadata that is available to them. They can legally buy metadata that is for sale, that is illegal for them to gather directly. So the tax money they currently spend could in theory be put to more productive uses, but they will probably still spend that money on other things (If you do not go over budget this year, you will probably have your budget cut the next year).
so far. but for how long?
We know that Google is hell bent on spying on every aspect of our lives. Having this sort of telemetry inside millions of apps would be like bees to a honey pot... far too tempting to ignore.
I don't trust google a micron.
We're slowly inching towards Ken Thompson's login programme hack (see https://www.industrialcybersecuritypulse.com/threats-vulnerabilities/throwback-attack-ken-thompson-lays-the-foundation-for-software-supply-chain-attacks/ ) for details. His was just a demo... Google's version might not be.
Telemetry like this would almost guarentee the removal of these tools from "regulated" industries like fintech, medical, inteligence. There is often a legal requiement to ensure information is not "leaked". Plus i wouod not want my code to end up in somebodies language model to provide thier next generation of AI chat, its curious that google is ramping up its efforts in that area just as this hits.
Perhaps a telemetry blocking tool is called for, simular to adblockers.
"developers would prefer an opt-in rather than an opt-out regime, a position the Go team rejects because it would ensure low adoption"
Yes.
That's because users don't want it. "What", they might ask, "the fuck is in it for me"?
If you think you can persuade them of the "benefits" then make that argument.
I suspect, though, that you'd have to actually pay them. That might do it for some of them, perhaps.
-A.
My employer got rid of Java - Oracle were (for a small app) demanding $400 per 'potential' user per year. With over 200k employees, Oracle wanted $80,000,000 /year.
So we rewrote it in another language and abandoned Java altogether.
Go will die a death if it has enforced telemetry or even enabled-opt-out telemetry.
I'll assume those calling for default telemetry are naïve, not malevolent.
They could well see only positive outcomes from having telemetry, and have designed safeguards to assure that the gathered data are handled appropriately.
However, I'll put my evil hat on. What if someone with less than wholesome intent got hold of the capability? What can the end-user do to protect themselves?
It's much like the organising instinct of the Dutch Government. It made a great deal of sense to record the religion of residents in the central records. Unfortunately, this was before the Second World War, and the unexpected invasion by people with no compunction in using the available data to segregate people by religion and treat them differently caused no end of problems, despite attempts at mitigation.
The way to prevent unfortunate accidents is to make them not possible in the first place. Don't gather the data, and if you do, give individuals the ability easily to opt out. It could tun out to be important.
More modern examples include the processing of Internet-search queries and browsing histories of people resident in U.S. states that have significant controls on abortion.
Telemetry and data gathering are immensely powerful tools. It's always a good idea to consider how they could be misused, and sometimes the only solution is not to play the game.
who outside the FAANGs have a big enough plant that the "computers are cheap, developers are expensive" rubric is no longer true. Because Go was developed specifically because Google deploys systems in lots of 100k, and at that scale, it's not the computers that are cheap. Go is absolutely punishing to develop in because the business problem it solves is not developer time.
And if you are stuck using K8s, I'm sorry. Maybe the programming skills you gain will make you attractive to G.
"Telemetry, as Cox describes it, involves software sending data from Go software to a server to provide information about which functions are being used and how the software is performing. He argues it is beneficial for open source projects to have that information to guide development."
Obviously, that cannot be done locally. [Sarcasm]
(I used profiling tools extensively in my earlier life.)
Just have one set of environment variables which apply to all apps and can be overridden per-machine, per-user or per-app. If the variable does not exist, then it’s on, if it exists, go by what is specified. We already have ISO standards describing the terminology and its meaning, so we can use that.
For example:
export TELEMETRY_PERSONALIZED=0
export TELEMETRY_PSEUDONYMIZED=0
export TELEMETRY_ANONYMIZED=0
export TELEMETRY_AGGREGATED=1
Means software can only grab data which can never be used to identify me as it is purely aggregated. If I trust a certain developer more, I can choose to allow more by setting some or more of the others to 1 as well as part of running other apps.
Folks who want to opt-out all apps can then just set 0 for all of the above centrally.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
