⚠️ Github CLI now has telemetry spyware built in:

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Sun, 26 Apr 2026 14:06:21 GMT

darrel_miller@mastodon.social — Sun, 26 Apr 2026 14:06:21 GMT

@josepvives @nuclearplayer Yeah. I can see that some random anecdote from a Microsoft employee is not any kind of assurance. It is frustrating from my perspective because we have to jump through hoops to get any kind of useful data to be "data driven" in our product work but from the outside world we are perceived to be partying on everyone's private data. More transparency would be good for everyone.

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Sun, 26 Apr 2026 14:01:25 GMT

josepvives@mastodont.cat — Sun, 26 Apr 2026 14:01:25 GMT

@darrel_miller @nuclearplayer Sure. But the background issue is how the privacy guarantee can be audited externally. Statements are not enough

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Sun, 26 Apr 2026 12:17:44 GMT

dalias@hachyderm.io — Sun, 26 Apr 2026 12:17:44 GMT

@darrel_miller @nuclearplayer The "accept cookies mess" is not legal and is an attempt malicious faux compliance to misdirect user ire against regulation rather than against the companies putting nags in their faces.

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Sun, 26 Apr 2026 12:14:05 GMT

darrel_miller@mastodon.social — Sun, 26 Apr 2026 12:14:05 GMT

@nuclearplayer @dalias the "legitimate interests" GDPR clause for pseudonymous information does seem to make this a grey area, but IANAL and I am not trying to make a judgement on what GitHub did. I'm trying to learn about the objections. I understand the desire for consent but we can see from the "accept cookie" mess that users can just be coerced to consent via fatigue. I wish we had a standardized opt-out mechanism like DNT tried to do.

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Sun, 26 Apr 2026 11:57:39 GMT

darrel_miller@mastodon.social — Sun, 26 Apr 2026 11:57:39 GMT

@josepvives @nuclearplayer Sure it is technically a simple problem. But there are many processes in place that prevent that from happening. Accessing customer content is very tightly controlled. Privacy is something I care about and it is one of the reasons I chose to work at Microsoft rather one of the other big tech companies that do not have the same guardrails in place.

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Sun, 26 Apr 2026 11:43:27 GMT

josepvives@mastodont.cat — Sun, 26 Apr 2026 11:43:27 GMT

@darrel_miller @nuclearplayer i'm sorry, "in my experience" is no an relevant argument. The matter is can Microsot do and for what, and if it is accountable.

In big pkatforms, deanonymize it's easy and trivial.

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Fri, 24 Apr 2026 18:52:15 GMT

jumile@mas.to — Fri, 24 Apr 2026 18:52:15 GMT

@nuclearplayer Though the linked GH page says that the first two environment variables take precedence over the third, actual config setting.

Because reasons, I guess?

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Fri, 24 Apr 2026 15:29:10 GMT

w@11n.org — Fri, 24 Apr 2026 15:29:10 GMT

making it opt-out is entitlement. you're not asking me permission, you're telling me that you're taking it unless I stop you.

CC: @_aD@hachyderm.io

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Fri, 24 Apr 2026 15:17:37 GMT

darrel_miller@mastodon.social — Fri, 24 Apr 2026 15:17:37 GMT

@_aD @w I don't think anyone feels entitled. I think the product owners want to provide the best experience for their users and knowing how the product is used helps. For tools that primarily are clients for a backend service, then the service will know whenever a service call is made. I'm trying to fully understand the objection to capturing some additional usage information that doesn't make a service call. Is it the "slippery slope " problem?

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Fri, 24 Apr 2026 15:09:43 GMT

w@11n.org — Fri, 24 Apr 2026 15:09:43 GMT

because I will do my best to turn off and avoid as many of those things as I can for as long as I can, even if I have to accept what most people might call a degraded computing experience to do it, what remains is mine

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Fri, 24 Apr 2026 14:53:04 GMT

_ad@hachyderm.io — Fri, 24 Apr 2026 14:53:04 GMT

@w Why do you think it's your computer? *cries in Secure Boot, attestation and age verification laws*

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Fri, 24 Apr 2026 14:49:36 GMT

w@11n.org — Fri, 24 Apr 2026 14:49:36 GMT

why do you think you're entitled to know what happens on my computer?

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Fri, 24 Apr 2026 14:24:58 GMT

aeris@firefish.imirhil.fr — Fri, 24 Apr 2026 14:24:58 GMT

@darrel_miller@mastodon.social @nuclearplayer@fosstodon.org It's basically false. This is all PII, and not "pseudonymous" data.
(And from GDPR point of view, pseudonymous data are still PII. Only anonymous one are out of scope. Which is not the case here. And so still targeting ppl and not only app)

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Fri, 24 Apr 2026 14:18:34 GMT

dalias@hachyderm.io — Fri, 24 Apr 2026 14:18:34 GMT

@darrel_miller @nuclearplayer This term "product owners" says everything we need to know about how GitHub is wrong on this.

GitHub is NOT the "product owner" of my computer or anything running on it. I am.

They are the "product owner" of the service running on their website, but this still does not entitle them to collect personal information without consent, regardless of whether it is "pseudonymous"/"anonymous". This is a basic principle of data protection anyone familiat with relevant law and ethics should be aware of.

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Fri, 24 Apr 2026 05:28:01 GMT

stevenodb@mastodon.social — Fri, 24 Apr 2026 05:28:01 GMT

@nuclearplayer the original post was deleted?

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Thu, 23 Apr 2026 15:08:09 GMT

nuclearplayer@fosstodon.org — Thu, 23 Apr 2026 15:08:09 GMT

@darrel_miller How about they ask for permission first? Why is that concept so hard to grasp for Microsoft?

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Thu, 23 Apr 2026 13:57:37 GMT

danni_storm@hachyderm.io — Thu, 23 Apr 2026 13:57:37 GMT

@iain Ah thanks for clearing that up for me. That makes more sense.

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Thu, 23 Apr 2026 12:48:14 GMT

darrel_miller@mastodon.social — Thu, 23 Apr 2026 12:48:14 GMT

@nuclearplayer And as a Microsoft employee, my experience has been that we are extremely careful about not logging any information that directly identifies users and any customer created content. It isn't lip service to privacy. I've seen projects delayed while we scrub logs because a developer accidentally logged the name of some artifact that they should not have.

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Thu, 23 Apr 2026 12:42:21 GMT

darrel_miller@mastodon.social — Thu, 23 Apr 2026 12:42:21 GMT

@nuclearplayer I would think the important thing is what data is being collected, not the the fact that any data is being collected. If that remote site is collecting end user identifiable information, that should be as big a problem as if a local tool is doing it. What is good about a "source-open" collecting the telemetry is that you can see and verify what is being collected. You can't with a remote service.

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Thu, 23 Apr 2026 12:39:18 GMT

darrel_miller@mastodon.social — Thu, 23 Apr 2026 12:39:18 GMT

@nuclearplayer When you call an API or make a git request to some remote repo, there are going to be logs of that activity on that remote site. We acknowledge that site owners need some visibility into what is happening on their service. However, when it comes to code that is downloaded and executed on a local machine there seems to be an expectation that the code owners no longer have any rights to see how that code is executing. Help me understand why the rules are different.

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Thu, 23 Apr 2026 12:35:12 GMT

darrel_miller@mastodon.social — Thu, 23 Apr 2026 12:35:12 GMT

@nuclearplayer I'm going to put on my lead lined suit here and ask a question because I genuinely want to learn. This issue comes up time and time again. The GitHub CLI telemetry provides product owners with information about how their product is used. You can see what it captures here https://cli.github.com/telemetry It is pseudonymous data. There is no user identifying data there. So yes the telemetry is spying on what the app is doing, but not on which user is doing it.

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Thu, 23 Apr 2026 10:15:16 GMT

justin@toot.io — Thu, 23 Apr 2026 10:15:16 GMT

@nuclearplayer better to just #GiveUpGitHub

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Thu, 23 Apr 2026 09:26:42 GMT

ringods@hachyderm.io — Thu, 23 Apr 2026 09:26:42 GMT

@nuclearplayer Let's all switch to @andrewnez 's Forge CLI

Forge

A unified CLI for GitHub, GitLab, Gitea, Forgejo, and Bitbucket.

Andrew Nesbitt (nesbitt.io)

Reply to ⚠️ Github CLI now has telemetry spyware built in: on Thu, 23 Apr 2026 09:03:05 GMT

tyil@fedi.tyil.nl — Thu, 23 Apr 2026 09:03:05 GMT

@nuclearplayer@fosstodon.org

Run gh config set telemetry disabled to disable it.

Better yet, stop using Github!