Storybook
A true telemetry gold nugget can be found in Storybook, a useful library for testing out components during frontend development:
Storybook collects completely anonymous data to help us improve user experience. Participation in this anonymous program is optional, and you may opt-out if you’d not like to share any information.
They have an unconventional definition of optional, where you actively have to opt-out. They are taking the opt-out organ donation approach here, hoping that it will increase the amount of data accidentally rendered to them. (at least organ donations save lives)
After a very comprehensive list of things that they gather about your environment (including a one way hash of your IP address, with only 32 bits of information for IPv4), they furthermore promise:
Access to the raw data is highly controlled, limited to select members of Storybook’s core team who maintain the telemetry. We cannot identify individual users from the dataset: it is anonymized and untraceable back to the user.
We have no way of verifying that, right? How do we know that the dataset is anonymized and untraceable? There are people working towards deanonymizing datasets, after all.
There is no link to a privacy policy on their website. No name of an entity that collects the data. But many promises.
Will this data be shared?
They don’t answer the question here, presumably the maintainers don’t feel the need: According to them the data is highly anonymized.
It’s not even pointed out where the data is shared. If I am a developer working from Japan, California, or the EU (or anywhere else with privacy regulation), will local privacy laws have my back here?
At every point we have to just take the developers word for it, with no way of verifying it. A paradox, given that Storybook is trying to be part of the larger open source and freedom-respecting software landscape.
How to opt-out
Answer: You can’t completely, if you only rely on setting disableTelemetry
in
the storybook configuration file. I found this out after my desktop firewall
asked me about a connection attempt to storybook.js.org
. Block this domain
fully if you don’t want storybook to phone home.
The solution is to set the environment var STORYBOOK_DISABLE_TELEMETRY
to
1
. There is one good attempt at unifying all the opt out flags at
Console Do Not Track, but the project has
very low traction. But even that just misses the point:
Don’t make me opt out
Don’t make me opt out. Don’t make me opt out. Ask for my consent. We are all software developers, we serve humanity. The more we do sudden and surprising things, the more we betray the trust of our users. There are developers working behind corporate firewalls. Some companies do not like it when tools are very chatty and could potentially leak corporate secrets.
Don’t fire telemetry pings and then tell the user “oh, btw, u can opt out of this? OK?”, buried among 100 other install and setup log messages.
I guess we have to update the principle of least astonishment to this:
[…] a component of a system should behave in a way that most users will expect it to behave, and therefore not astonish or surprise users. Except for privacy violations, then bless your heart.
It really says a lot about your attitude as a developer, and as a person, if you are completely OK with this behavior and don’t feel even a bit uncomfortable. A complete disregard to privacy and dignity of the individual. Maybe you think, while reading this, that I am exaggerating or making a slippery-slope argument?
And yes, it’s a slippery slope. Storybook did not have telemetry in the beginning. People start using it. Oh what, you’re unhappy we have telemetry now? It’s open source, so fork it and make your own Storybook. When you feel comfortable violating your users a tiny bit, it will be more comfortable in the future to violate them even more.
GDPR? Other privacy laws?
There is no informed consent going on here. Informed consent is one of the cornerstones of privacy law.
Summary
2023: The wider technology landscape is still a total shit show. Everyone is joining in, it is a free for all. Even cars track your sexual activity now.
Homebrew
I switched to MacPorts. MacPorts has opt-in analytics (like Debian’s popularity contest!). It works very well. Homebrew is a shit show.