Discover more from hrbrmstr's Daily Drop
Drop #244 (2023-04-20): Opt Out Thursday
Taming VS Code Telemetry; Sidelining Sidewalk; Your (Mostly) Global Opt Out Easy Button
The rate at which we're losing autonomy over our data, our compute platforms (which includes all your personal glowing rectangles), and even the bandwidth we pay for is bonkers. To my EU readers, I'm sorry to inform you that GDPR is just another Potemkin village setup to both placate citizens and be an auxiliary EU revenue stream. The only thing it really has done is subject the rest of us to annoying (and useless) “consent” popups that almost no organization really takes seriously.
There are lots of things we all need to opt out of, and keep ensuring we stay opted out of.
One is “telemetry”. “Telemetry” refers to the automatic collection and transmission of data from a software application back to its developers. This data can be used to improve an application by providing insights into usage patterns, identifying bugs, and monitoring performance. However, privacy advocates argue that this practice can lead to potential misuse of user data, particularly if it's not anonymized or if the users aren't adequately informed about the data being collected.
Telemetry is not the only thing to be concerned about when it comes to “opting out” of you being the product.
Today, we'll cover both telemetry tribulations, and other privacy/human productization problems across three separate domains most Drop readers likely have some connection to, and offer some help to claw back some control.
NOTE: I am a bit “direct” with EU readers in this edition.
Fear not, though, it’s merely just tough 💙.
Taming VS Code Telemetry
Since I, rightfully, beat up on Microsoft yesterday, I might as well keep punching today.
Visual Studio Code (VS Code) collects telemetry data to “help improve the product by understanding usage patterns, debugging issues, and prioritizing new features”. The data collected includes information about the use and performance of the application, crash reports, and other error information for when VS Code misbehaves unexpectedly.
What does it collect? Well, you can either run:
code --telemetry | jq
at the comamnd line, or gaze upon the majesty that is the ~39,000 line JSON file from my recent export. Yes,
3 9 , 0 0 0 lines of JSON that describes parameters Microsoft can choose to collect values from whenever they want. I bet there's an MS Program Manager in charge of just that JSON export.
VS Code extensions can also collect their own telemetry data. Extension authors are provided with guidelines to ensure1 their extensions conform to VS Code telemetry requirements and “best” practices. To see what data any given extension collects, you can refer to the extension's documentation or contact the extension author for more information, since Microsoft did not see fit to make that a foundational component of their kit.
To disable telemetry in general, you can fire up VS Code's “settings”, search for “telemetry” and be as safety-minded as you like. For a specific extension, you may need to check the extension's settings or documentation for instructions on how to disable telemetry, since they don't have to abide by the core API and can just about snoop on you whenev. If one happens to use the same telemetry settings as VS Code, it will inherit your core settings.
I highly recommend following the guidance here and occasionally review the telemetry events in VS Code as they are sent to the mothership. It will be eye-opening.
To save you some time, you can disable telemetry globally by adding the following lines to your user settings:
"telemetry.enableCrashReporter": false, "telemetry.enableTelemetry": false
but, I'd run some network capture software to see what each of the 147,000 extensions you're using are also collecting.2
Amazon Sidewalk is a low-bandwidth, shared network that aims to extend the working range of devices such as Amazon Echo, Ring, and various smart home gadgets. By pooling together a small portion of users' home Wi-Fi bandwidth, Sidewalk creates a connected mesh network that enhances the functionality of devices even when they are outside their normal Wi-Fi range.
The section header is a map of Sidewalk's coverage, which you can interact with. Type “03901” (roughly where I live in rural Maine), and you'll see that — despite us de-Amazonifying our home a few years ago — enough neighbors have Amazon devices that there's better Sidewalk coverage than I get with Verizon 5G.
Sidewalk utilizes a “small” portion of your home Wi-Fi bandwidth (up to 500 MB per month) to create a shared network with nearby Sidewalk-enabled devices. This network helps maintain the connectivity of devices like smart lights, pet trackers, and other IoT devices, even when they are at the edge of their regular Wi-Fi coverage.
Amazon devices — which include Ring devices — come with Sidewalk enabled by default.
If you don't have the Alexa app installed, do so, and poke around in Settings (it's likely changed since the last time I fired it up years ago). Somewhere in or near “account settings” will be “Amazon Sidewalk”, and you can see how much of your bandwidth it let others use without your express consent.
While Sidewalk had some safety designs built in, they are likely imperfect, since it seems nobody can code safely these days. Any data transmitted over this shared Sidewalk network could potentially be accessed by malicious actors and lead to privacy concerns. Scores of researchers are working on breaking Sidewalk security as I type. It's just a matter of time before some exploit becomes public.
You can (and likely should, though I won't judge) theoretically disable your participation in Sidewalk in the same, aforementioned settings area. But, if the corporate overlords of Amazon have a bad quarter, rest assured they'll do whatever it takes to raise profits to ensure they get their nice bonuses. In other words, that “disable” toggle button is really just another Potemkin village waiting for the facade to collapse.
Your (Mostly) Global Opt Out Easy Button
Pi-hole is a powerful, open-source network-wide ad/tracker/malicious stuff blocker that acts as a DNS sinkhole, filtering out advertisements, trackers, and even malware domains for all devices connected to your network. By using Pi-hole, you can enhance your online privacy and improve your browsing experience across various devices, including TVs, IoT gadgets, smartphones, and computers.
At its core, Pi-hole is a lightweight DNS-level ad blocker that intercepts requests for advertisements and trackers before they reach your devices. It runs on a Raspberry Pi, a small and affordable computer, or any other system that supports Docker. Once set up, it filters out unwanted content for all connected devices, without the need for additional software or browser extensions.
Follow one of the numerous guides that come up in a Kagi search (you do use Kagi instead of Google/DDG/Bing, right?) to get it setup.
Now, hold on a second before you close that tab/app! We are not done.
There is nothing stopping any network-enabled browser, IoT device, TV, audio player, watch, fitness tracker, etc. from standing up a dedicated (unattributed) server sporting one or all of those protocols, and thoroughly ignoring your network-wide Pi-hole configuration. Nothing. Nada.
If the EU readers I offended in the intro are still reading, that includes y'all! Organizations will gladly continue to pay fines and keep bribing EU officials to keep doing what they are doing. That includes using tactics and techniques like this to keep tabs on you, even if the settings screen doesn't show any “We use DoH/DoT/DoQ” verbiage and there's no mention of those protocols in twisted mazes of “documentation”.
So, please do run a Pi-hole (I do!), but don't fully believe you've made yourself 100% safe from prying telemetry eyes.
While there was a twang of despair to this Drop, each of the steps I've advised will provide some protections between deliberate, interstitial corporate greed attempts. It is 100% better than nothing, and we may eventually get honorable government representatives (across all global regions) who do actually care about us, and wrest control from greedy corporate overlords. Until then, all we can do is our best to keep what is our, ours. ☮
guidelines do not ensure anything; if they did, no vehicles would ever have an accident due to crossing over one; and, all the U.S. political ethics violations over the past 7 years would not have happened.
yep, i’m aware there are forks of VS Code sans telemetry, but that was beyond the scope of this issue