Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Programming Google Privacy

Google's Go May Add Telemetry That's On By Default (theregister.com) 75

Russ Cox, a Google software engineer steering the development of the open source Go programming language, has presented a possible plan to implement telemetry in the Go toolchain. However many in the Go community object because the plan calls for telemetry by default. The Register reports: These alarmed developers would prefer an opt-in rather than an opt-out regime, a position the Go team rejects because it would ensure low adoption and would reduce the amount of telemetry data received to the point it would be of little value. Cox's proposal summarized lengthier documentation in three blog posts.

Telemetry, as Cox describes it, involves software sending data from Go software to a server to provide information about which functions are being used and how the software is performing. He argues it is beneficial for open source projects to have that information to guide development. And the absence of telemetry data, he contends, makes it more difficult for project maintainers to understand what's important, what's working, and to prioritize changes, thereby making maintainer burnout more likely. But such is Google's reputation these days that many considering the proposal have doubts, despite the fact that the data collection contemplated involves measuring the usage of language features and language performance. The proposal isn't about the sort of sensitive personal data vacuumed up by Google's ad-focused groups.
"Now you guys want to introduce telemetry into your programming language?" IT consultant Jacob Weisz said. "This is how you drive off any person who even considered giving your project a chance despite the warning signs. Please don't do this, and please issue a public apology for even proposing it. Please leave a blast radius around this idea wide enough that nobody even suggests trying to do this again."

He added: "Trust in Google's behavior is at an all time low, and moves like this are a choice to shove what's left of it off the edge of a cliff."

Meanwhile, former Google cryptographer and current open source maintainer Filippo Valsorda said in a post to Mastodon: "This is a large unconventional design, there are a lot of tradeoffs worth discussing and details to explore," he wrote. "When Russ showed it to me I made at least a dozen suggestions and many got implemented."

"Instead: all opt-out telemetry is unethical; Google is evil; this is not needed. No one even argued why publishing any of this data could be a problem."
This discussion has been archived. No new comments can be posted.

Google's Go May Add Telemetry That's On By Default

Comments Filter:
  • by Arethan ( 223197 ) on Friday February 10, 2023 @07:34PM (#63283479) Journal

    This is a great class held by Google. Lots of learnings in there.

    • It's also against the law in plenty of jurisdictions, where affirmative opt-in is required, and where minors cannot give legal consent.

      Doesn't affect me though - go has always been a shit language in my books ... both it and Google can go fuck themselves on this one.

      • by HiThere ( 15173 )

        Actually, I think I might rather like the language. But I find the toolchain unusable. This doesn't make me think more highly of it.

        • But I find the toolchain unusable.

          That's...definitely a reflection of you, not the toolchain. Even if you need a full IDE for some reason, there are several available.

          • by HiThere ( 15173 )

            FWIW, the IDE that I prefer is geany.
            OTOH, I prefer make over cmake, so my tastes are definitely not the prevailing ones.

            • I mean, if your argument is there are things that you don't like about the Golang toolchain, that is natural, I can accept that, and would be interested in hearing your experience. But if your argument is that it's completely unusable, something's wrong with you.
              • by HiThere ( 15173 )

                I'm not certain that I could use the go toolchain, as I didn't use it long enough. I didn't like the way it's tied into the internet, so I didn't bother fighting through the initial learning curve.
                (As an aside, I notice that Rust has the same kind of presumption of internet access, so this may be the current style of things. I prefer to import the source code that I want, and only use that code. This applies to languages, too. I want the thing to work well when not connected to the internet. Clearly Ja

                • I didn't like the way it's tied into the internet, so I didn't bother fighting through the initial learning curve.

                  afaik, if you have the libraries downloaded, you doesn't need internet access (like any other language). If it does, that is truly a breaking point, I agree.

                  • by HiThere ( 15173 )

                    IF you have the libraries downloaded, I don't believe (but didn't check) that you need the internet connection. You may need to specify particular versions that you've downloaded. But, IIUC, the toolchain itself wants to do the downloading. And wants to decide when to do it.
                    There were lots of other things that seemed to me misfeatures, and, in the end, I just didn't feel like fighting through them when there were alternatives that I liked better.

    • by AmiMoJo ( 196126 )

      The sad thing is I actually read his blog post and he makes some decent points. Certainly worthy of debate. There won't be any though, only outage and instant rejection.

      For example, he proposes that all telemetry data would be published. Nothing hidden, all available to everyone. The actual data collected would be publicly discussed first, and limited to only what is necessary to generate particular stats. No PII, no tracking, just stuff like ratios of how often internal language features are used, to deter

      • Take all of that with a huge grain of salt. Even if it legitimately begins that way, it could very well simply be the leading edge of something worse. It's easy to make something seriously bad seem to be benign by only emphasizing the positives. But once that beach head has been established, the bad parts start to slowly appear.

        I have no idea if there is anything malignant hiding in this proposal, but my trust in Google is at an all time low.

      • by CoolDiscoRex ( 5227177 ) on Friday February 10, 2023 @09:24PM (#63283699) Homepage

        There won't be any though, only outage and instant rejection.

        Perhaps, but it is a well-earned first reaction, not to mention, the most rational one.

        If you are wrong in your outrage, then the project misses out on data that it went without to this point, and survived.

        If you assume good faith, on the other hand, and are wrong, the data of millions of people are irretrievably siphoned, with the bell unable to be unrung. Add to this the history of the entities involved, and knee-jerk outrage is really the only reaction that makes logical sense. I do not think a benefit of the doubt has really been earned.

        The risk is skewed overwhelmingly in one direction.

        As such, the reaction the most rational one, imho.

        • by AmiMoJo ( 196126 )

          The reaction is irrational because it ignores the obvious and best option: find out what is actually being proposed by reading TFA.

          The proposal doesn't rely on good faith, it explicitly ensures that everything is verifiable and rejectable later. If you don't trust them not to accept rejection, you reaction only ensues you can't have any influence at all, and won't stop them doing it anyway.

          Your supposedly rational response is actually the worst and least rational of them all.

      • Comment removed based on user account deletion
      • The sad thing is I actually read his blog post and he makes some decent points. Certainly worthy of debate. There won't be any though, only outage and instant rejection.

        As it should be, this IS outrageous and self-defeating.

        For example, he proposes that all telemetry data would be published. Nothing hidden, all available to everyone. The actual data collected would be publicly discussed first, and limited to only what is necessary to generate particular stats. No PII, no tracking, just stuff like ratios of how often internal language features are used, to determine how important they are.

        How would Google feel if all that data related to their developers was being sent to a different company they had no control over? Yea I thought so.

        We should at least entertain the idea.

        We should reject it outright with no further thought or discussion.

        • by AmiMoJo ( 196126 )

          See, this is what I'm talking about. You don't even know what he's arguing, and your point about "data related to their developers" is completely irrelevant because that's not what is being suggested at all.

          At least take the time to understand the very basic facts of what is being proposed here.

          • See, this is what I'm talking about.

            You see it's a bit like robbing a bank and being upset that people are not interested in intimate details of your excuse opting instead to call you a bank robber to your face without having first carefully studied your manifesto.

            You don't even know what he's arguing, and your point about "data related to their developers" is completely irrelevant because that's not what is being suggested at all.

            At least take the time to understand the very basic facts of what is being proposed here.

            In addition to above I did take a few seconds to look before posting. It seemed to roughly be about collecting counters for certain calls at granularity of once a week or so.

            If you do something like that the collector gets the IP of the sender along with usage data that can be used

    • How to alienate your software community - 101

      Funny because it's so true. But really, go has been doing this for years.

      I used to make wide use of a project called syncthing [syncthing.net], and it is, I think, a good indicator of go's problems. Syncthing is a peer-to-peer file transfer/synchronization program written in go. On the surface it looks really good, until you try and implement it. Because:

      1) Right off the mark you have to come up with your own way to daemonize it. It's a service that can't fork itself into the background. So every user has to come up w

    • Does nobody remember the fiasco when Audacity proposed the same thing?

    • These alarmed developers would prefer an opt-in rather than an opt-out regime, a position the Go team rejects because it would ensure low adoption and would reduce the amount of telemetry data received to the point it would be of little value.

      And people said that the Go team did not understand the position of the development community.

  • by theshowmecanuck ( 703852 ) on Friday February 10, 2023 @07:35PM (#63283481) Journal

    'nough said.

  • by iggymanz ( 596061 ) on Friday February 10, 2023 @07:41PM (#63283499)

    that a language lead would even consider such a thing a pretty good idea means the project is run by those with no common sense whatsoever.

    • that a language lead would even consider such a thing a pretty good idea means the project is run by those with no common sense whatsoever.

      Never trust anyone to be honest when their paycheque depends on them being lying ass-wipes (I'm paraphrasing here, but you get the idea).

      • What are you talking about? I don't understand where all this hate is coming from.. they proposed a change to an open source toolchain. They openly describe what they want.. if it is implemented you can literally see exactly how it works... How can you say because of those actions they are not honest people?

        It's not like they want to exploit some technically illiterate end users to spy on their every action.. it's literally developers who can be expected to know how things work and could even look exactly a

        • by lowvisioncomputing ( 10234616 ) on Saturday February 11, 2023 @11:43AM (#63284815) Homepage Journal

          Making spying on users the default is a BS techbro move. The dev defending it is thinking with his job security, not his head.

          And he's already said why they want it to be the default - if users had to opt in, almost nobody would. So fuck him, just like he wanted to fuck over users.

          • by AmiMoJo ( 196126 )

            It is, but they aren't proposing spying on anyone. All they want to do is gather some basic stats on the use and performance of certain language features, so they can see where to put effort in for maximum returns and developer benefit.

            • Still no reason not to make it opt-in instead of opt-out, same as every other respectable project. But this is a Moz developer - I expect crap like this from them from now on, as they drift off into obscurity.
    • by Opportunist ( 166417 ) on Saturday February 11, 2023 @04:23AM (#63284157)

      It's Google. Their business basically consists of raping your privacy. They gave you a programming language for free, waited for adoption levels to be sufficient that a lot of people can't easily back out anymore without having to rewrite a lot of code, then start to add the privacy raping part.

      If you look down the line of Google products, you will find this pattern. Any halfway successful Google product follows it. The Google graveyard is filled with products that either failed to reach an adoption level where the potential data mined doesn't warrant the adding of the privacy raping part or that turned out that they couldn't sensibly be data mined. Every single Google product has this "feature".

      The ones that don't are still trying to reach a market saturation where it becomes viable. If they can't get there -> Google Graveyard.

      • Nothing is free. If a company backs something it is to make money on it. Anyways, there is enough history on Google to know that they will abandon anything at the drop of a hat. We did not adopt Go purely because Google was behind it.
    • by AmiMoJo ( 196126 )

      Why? It's actually quote common already.

      For example, Visual Studio Code is the most popular IDE by far, and it's got a lot of telemetry in it.

      There are projects that scan thousands of open source repositories to gain insight into how languages are used. Many open source apps include telemetry to help the developers identify and debug problems.

      While I agree that making it opt-out is the wrong decision, the basic idea of collecting some non-identifying and very general statistics, and making them public so ev

      • Others doing evil thing doesn't make an evil thing good.

        Spying on people and eating up their bandwidth is wrong.

        You don't know right from wrong. Very telling you use Visual Studio as example, a tool for writing Windows garbage, Window the infrastructure that spies on people, is unreliable and attacks malware like manure brings flies.

        Stay in your containment zone, Microsoft shill. Anyone with a brain wants nothing you have to offer.

        • by AmiMoJo ( 196126 )

          Again, TFA notes that the bandwidth "eaten up" would be a few kilobytes a year at most.

          I see you don't know what Visual Studio Code is either. The reason it's so popular is that it's cross platform and big with Linux and web developers. It's actually kinda weak for doing Windows development, lacking a lot of the stuff that Visual Studio has.

          This is why we should discuss this. Most of the comments are like yours - ignorant.

          • I see you don't know what Visual Studio Code is either, it's advertised with the lie of being free and open source yet requires accepting proprietary closed licenses to download and use.

            Another Microsoft trap.

            There is no discussion possible with the evil and ignorant such as yourself. Educate your ignorant self.

  • So safe. (Score:5, Funny)

    by The Evil Atheist ( 2484676 ) on Friday February 10, 2023 @07:43PM (#63283503)
    I'm so glad we have a safe programming language that safely tracks your usage patterns. Because if it's not a memory error, then it's safe.

    It's safe, because that's the way it's designed. And we know that "designed to be safe" automatically means something is safe. And we know that if something is designed to work a certain way, then it's okay. Don't question the design itself, because it's okay as long as it supposedly works according to its design.

    We should all flock to any language that calls itself safe because there's nothing more trustworthy than something that says it's trustworthy.
    • Hey, don't knock it. We all know the best way to improve security is to build something that sends data to other computers by default.
  • Youre caught with your hand in the cookie jar.

    The cookies are bad for you. So I'm going to save you from yourself by doing EVERYTHING. You do NOTHING. You cant get a better deal than that. You'd actually be crazy to NOT agree.

    Amirite?
  • Since I don't use Go, I am all in favor of baking this into a language and see what the end result really is like. Do programmers really move away from it? Or will a large number decide they benefit from the tracking and want it left in, because they would have added analytics anyway?

    Not every language has to be the same... the more variety the better.

    • Ponder this: You invested a nontrivial amount of time learning a language. Do you now drop it because of that change?

      Either you don't know about it, then you don't know about it. Or you do know about it and disable the whole telemetry bull. Either way, this won't affect the number of people using it. Aside of maybe the handful purists who will now oppose it on principle.

  • It was a draft proposal, to see if it was sane. The answer was, of course, "No"

    To be precise, "No, change it to opt-in. That's sane".

  • I was considering learning a new language, either Go or Rust. I was leaning towards Rust, and no I'm certain I don't want to use Go.
  • Problem is, you have to make your case why opting in benefits the end user or the language as a whole.

    Note that "because Google would really like the data" is not a good example of making an effective case for opting in.

    • If Opt-in results in low adoption, most of the time it means that there's no benefit in it for the user or it's even detrimental to the user's interests.

  • by Somervillain ( 4719341 ) on Friday February 10, 2023 @08:28PM (#63283575)
    If you're not the customer, you're the product. Google is an advertising business who dabbles in making software tools. This is a reminder to carefully consider your language and framework choice. They make their money by mining and selling your data. I never thought they'd do something this stupid as spying on you with a low-level language, but here we are.

    I've long warned about using products from Google and Facebook because they have no interest in your success. My prior concern is that both are known for breaking backwards compatibility willy nilly...think Google's Angular nightmare. I was burnt heavily by Google's Puppeteer changing all their APIs for some reason. Google doesn't care if your old code works...but I bet your employer does and doesn't want to spend hundreds of thousands of dollars to rewrite perfectly good software every time some Googler gets bored and wants to break all their APIs

    For all of it's unsexiness, J2EE code written 20 years ago still runs on the latest versions of the servers. (should you be running 20 year old EJBs?...well, for your sake, I hope you're not...but that's how seriously the Java EE maintainers take your business needs) .

    My first Java programs written in 1996, back when I was learning from a giant hernia-inducing 5lb hardcover book with a 3" spine still run on Java 19...no change needed..they can also be recompiled with the latest version, no changes needed. Why? Because Sun Microsystems, like Microsoft, is in the business of selling professional software tools...not selling my data. It was designed for long-term investment and complex business logic that is complicated and really important to get right, not a quick prototype that gets major rewrites every 2 years .

    Ask the pain of anyone who used the first version of Angular. You're getting a handout from a company who earns no money from you and has no interest in your project succeeding...it rarely matters in the first 3 years, but if you build something worth keeping that actually makes money, maintenance becomes an issue. What happens when your company's investment is 10 years old? What happens when you leave or get promoted or change roles? When you think about things from the perspective of those paying your salary, you really need to carefully consider these factors and Google and Facebook are notorious abusers of them.

    I know a division in my company wrote security-sensitive code in Go. Now they have to carefully ensure all their code isn't leaking sensitive data to Google. All these years, I've been warning them about Google accidentally breaking something out of carelessness...not doing something that jeopardizes their operations and security compliance certification on purpose...and pretending its for the benefit of the open source community.
  • Illegal in the EU (Score:4, Interesting)

    by gweihir ( 88907 ) on Friday February 10, 2023 @09:16PM (#63283691)

    Collection of any data that is tied to people (and storing an IP is enough for that) needs to be default-off. By law.

    But I welcome that they try this. Now I can permanently remove Go from the list of tech I intended to look at.

    • by AmiMoJo ( 196126 )

      But they aren't collecting any data that can be tied to people, or IP addresses. So by your own logic, there is no reason to not use Go.

      It's frightening how easy you are to manipulate with FUD. One Slashdot story, and they can be sure you won't RTFA, and the technology is dead to you. I've noticed this happens quite a lot of Slashdot. Very easy to use against your competitors.

  • by istartedi ( 132515 ) on Friday February 10, 2023 @09:31PM (#63283705) Journal

    Networking isn't even a part of the C standard library, let alone the language and Google wants fucking TELEMETRY in Go, which I'm given to understand is supposed to be a systems language???

    You know, Rust is by no means the ideal language; but if you want to use something like "telemetry" to improve the project, they've got the right idea. The Rust team routinely pulls Rust code from F/OSS repositories, compiles it, and checks for anything that might be a problem with Rust. This, by definition, is opt-in since you've already put your source on a public repository under licenses that don't restrict the field of endeavor.

    Night and day. Based on this alone, I'd chose Rust over Go if those were the only options.

    • The language itself is different from the toolchain used to compile/build/debug/etc its code, which is where TFA says they're planning to put this telemetry. Toolchains frequently have all sorts of libraries as part of their design. The fact that programs built using that language/toolchain may or may not include a standard set of features is completely irrelevant.
  • Look, I get it, I really do. Telemetry can absolutely be an important tool that helps improve the product and ultimately benefits end users, if used correctly and ethically (and at this point you'd be stupid to trust Google not to have ulterior motives). And I get why opt-out telemetry makes sense, you want to a) gather enough data to ensure the results are statistically valid, and b) not bias your results to only those who actively choose to opt in.

    But there has to be a better way to handle this. I've
    • Re:I get it... (Score:4, Insightful)

      by Opportunist ( 166417 ) on Saturday February 11, 2023 @04:15AM (#63284145)

      The problem with the whole telemetry-to-improve-user-experience thing is that there is no reason to trust Google any further than I can throw their board members.

      If a reputable company that doesn't have a track record of raping people's privacy asked, this may be a completely different matter. But this is akin to a convicted pedo applying as a babysitter. It's simply common sense to say NO.

  • It's already hurt me professionally, but I refuse to use Go. I hated the language, I hated the goals and the lack of unsafe capabilities. I hated the lack of generics and the magic and fluff that the language could do, but you can't. And, I hated Google.

    It feels nice being right, but in this instance, wish I wasn't. Adding another reason to my list.
  • May? ...Pssshh.

    And everybody knows it.

  • May be it's time for go to go.

  • by Opportunist ( 166417 ) on Saturday February 11, 2023 @04:13AM (#63284139)

    If "Opt out" results in a low adoption, chances are good that the only reason people leave it active is because they don't know that it exists. Because if it's Opt-In and you really want people to use it, and they don't outright oppose it, you could simply ask them to turn it on, advertise it and try to sell it as the best thing since sliced bread.

    But yeah, I can see how "do you want us to spy on you?" is a really hard sell.

  • Does *any* other programming language have telemetry baked in?
    For the others, how can they possibly improve?

  • People at Google have become so used at enriching themselves by spying on every aspect of people's life, that now they genuinely feel that they are entitled to others' data, that it's something that justly belongs to them, for them to do anything that they fancy.

    That's the only explanation I can give for seeing them *getting offended* at people requesting not to be spied without consent.

  • I understand why it would be opt-out, and I understand the reason for building it in, but if it is opt-out then you have the open choice! A project of GO's scale requires some type of feed back system, because it's simply too vast, varied, and massive to not have one. I hate analytics, but I understand them, and this might be a rare case where it's a good idea for the good for a great project.
  • Data collection will increase across the board at google in attempts to bring in more money by increasing their spying
  • is spreading like wildfire, apparently.
    Judging by the tone of many of the comments.

    Just a wee note: You are free to use duckduckgo. No one is forcing you to search with google.
    You are free to use a privacy-enhanced browser with do not track defaults and a proxy for good measure too.

    If only your life was important enough for anyone to give a shit about tracking you in particular.
    That's something you should aspire to.

The last person that quit or was fired will be held responsible for everything that goes wrong -- until the next person quits or is fired.

Working...