Storybook
You can find a true telemetry gold nugget in Storybook (link to privacy policy), a useful library for testing out components during frontend development:
Storybook collects completely anonymous data to help us improve user experience. Participation in this anonymous program is optional, and you may opt-out if you’d not like to share any information.
They have an unconventional definition of optional, where you actively have to opt out. They’re taking the opt-out organ donation approach here, hoping that it increases the amount of data sent to them by accident. (At least organ donations save lives.)
They list all the things that they gather about your environment. This includes a one-way hash of your IP address, with only 32 bits of information for IPv4. They furthermore promise:
Access to the raw data is highly controlled, limited to select members of Storybook’s core team who maintain the telemetry. We cannot identify individual users from the dataset: it is anonymized and untraceable back to the user.
I have no way of verifying that, right? How do I know that the dataset is anonymized and untraceable? People are working towards deanonymizing datasets, after all.
I couldn’t find a link to a privacy policy on their website. No name of an entity that collects the data. But many promises.
Data sharing
Is Storybook sharing my data?
They don’t answer that here. Presumably the maintainers don’t feel the need: according to them the data is highly anonymized.
The Storybook maintainers also don’t point out with whom they share my data. Maybe I’m a developer working from Japan, California, or the EU, or anywhere else with privacy regulation. Do local privacy laws have my back here?
At every point I have to just take the developers’ word for it. There’s no way of verifying any of this. This doesn’t make sense to me. I thought Storybook was part of the larger open source and freedom-respecting software landscape.
How to opt-out
Answer: you can’t entirely. Only relying on setting disableTelemetry in the Storybook configuration file doesn’t work. I found this out after my desktop firewall asked me about a connection attempt to storybook.js.org. Block this domain fully if you don’t want Storybook to phone home.
The solution is to set the environment var STORYBOOK_DISABLE_TELEMETRY to 1. One good attempt at unifying all the opt out flags is Console Do Not Track, but the project has low traction. But even that just misses the point:
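An added example, not code from the original post or from the Storybook project: a small POSIX shell check that tells apart the opt-out states this section describes, so a CI step or wrapper script can refuse to start Storybook when only the config flag is set. It assumes the config file sits at .storybook/main.js (or .ts, .cjs, .mjs) under the project directory; the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example (not Storybook's code). Function names are hypothetical.
# Assumption: the project config is .storybook/main.{js,ts,cjs,mjs}.

# Print the opt-out state for project dir $1 (default: current dir):
#   env          STORYBOOK_DISABLE_TELEMETRY=1 is set in the environment
#   config-only  only disableTelemetry: true in the config file, the state
#                in which the post saw a connection to storybook.js.org
#   none         no opt-out found
storybook_optout_state() {
  dir="${1:-.}"
  if [ "${STORYBOOK_DISABLE_TELEMETRY:-}" = "1" ]; then
    echo env
    return 0
  fi
  for f in "$dir"/.storybook/main.js "$dir"/.storybook/main.ts \
           "$dir"/.storybook/main.cjs "$dir"/.storybook/main.mjs; do
    # Skip //-commented lines so a disabled setting does not count.
    if [ -f "$f" ] && grep -v '^[[:space:]]*//' "$f" |
         grep -Eq 'disableTelemetry[[:space:]]*:[[:space:]]*true'; then
      echo config-only
      return 0
    fi
  done
  echo none
}

# Gate for a CI step or wrapper script: succeeds only in the "env" state.
require_storybook_optout() {
  state="$(storybook_optout_state "${1:-.}")"
  case "$state" in
    env) return 0 ;;
    config-only)
      echo "disableTelemetry is set in the config only;" \
           "export STORYBOOK_DISABLE_TELEMETRY=1 as well" >&2
      return 1 ;;
    *)
      echo "no opt-out found; export STORYBOOK_DISABLE_TELEMETRY=1" >&2
      return 1 ;;
  esac
}
```

Call require_storybook_optout with the project directory before the step that starts Storybook; it exits non-zero unless the environment variable is set.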
Don’t make me opt out
Don’t make me opt out. Don’t make me opt out. Ask for my consent.
Writing software means providing a service to society. The more developers do sudden and surprising things, the more developers betray the trust of their users. Some developers work behind corporate firewalls. Some companies don’t like it when tools are chatty and may leak corporate secrets.
Don’t fire telemetry pings and then tell the user “oh, btw, u can opt out of this? OK?” buried among 100 other install and setup log messages.
I guess someone has to update the principle of least astonishment to this:
[…] a component of a system should behave in a way that most users will expect it to behave, and […] not astonish or surprise users. Except for privacy violations, then bless your heart.
It says a lot about your attitude as a developer, and as a person. This kind of telemetry should make you feel uncomfortable. It treads on the privacy and dignity of individuals. Maybe you think, while reading this, that I am exaggerating or making a slippery-slope argument?
And yes, it’s a slippery slope. Storybook didn’t have telemetry in the beginning. People start using it. Oh what, you’re unhappy that Storybook has telemetry now? It’s open source, so fork it and make your own Storybook. When you feel comfortable violating your users just for a bit, it will be more comfortable in the future to violate them even more.
About GDPR and other privacy laws
There’s no informed consent going on here. Informed consent is one of the cornerstones of privacy law.
Summary
2023: the wider technology landscape is still a total wasteland. Everyone is joining in this free for all. Even cars track your sexual activity now.
Homebrew
I switched to MacPorts. MacPorts has opt-in analytics (like Debian’s popularity contest!). It works well. Homebrew is a dump.