Microsoft repackages apps with a telemetry .NET wrapper

[madires]

https://twitter.com/WithinRafael/status/1781743054296432772:

The Microsoft Store team has started quietly wrapping apps, like EarTrumpet, with some malware-looking .NET executable wrapper (with my app's name of course) chock full of telemetry and other code. They also target netfx 4.7.2 when my app targets netfx 4.6.2, wtf?

[RoGeorge]

Similar they do with the VScode, the rumor is.  They only add the telemetry in the binaries.

    When we [Microsoft] build Visual Studio Code, we do exactly this. We clone the vscode repository, we lay down a customized product.json that has Microsoft specific functionality (telemetry, gallery, logo, etc.), and then produce a build that we release under our license.

    When you clone and build from the vscode repo, none of these endpoints are configured in the default product.json. Therefore, you generate a “clean” build, without the Microsoft customizations, which is by default licensed under the MIT license

Source:  https://vscodium.com/#why-does-this-exist

[SiliconWizard]

Nice.

[Perkele]

Similar they do with the VScode, the rumor is.  They only add the telemetry in the binaries.

    When we [Microsoft] build Visual Studio Code, we do exactly this. We clone the vscode repository, we lay down a customized product.json that has Microsoft specific functionality (telemetry, gallery, logo, etc.), and then produce a build that we release under our license.

    When you clone and build from the vscode repo, none of these endpoints are configured in the default product.json. Therefore, you generate a “clean” build, without the Microsoft customizations, which is by default licensed under the MIT license

Source:  https://vscodium.com/#why-does-this-exist

Just a heads-up warning - add-ons in VSCodium can't be installed from directly Store, you need to download and install them manually.

[radiolistener]

it turned to malware/spyware manufacturer, so it's better to avoid their new products because it's like Trojan horse...

[RoGeorge]

This is not a surprise from them, remember the keylogger from Microsoft, in Windows 10?
https://www.pcworld.com/article/423165/how-to-turn-off-windows-10s-keylogger-yes-it-still-has-one.html

It was all official, a keylogger and more (speech input spyware) inside Windows, for telemetry and such, and you were agreeing with that in the EULA.  With reassurements that the collected data is anonymous and for your own good, of course.  So, not for spying, only to give you a "better experience" in the future. 

[tooki]

If you scroll down the Twitter thread, you’ll see that it’s clarified that it is NOT modifying the executable, it’s simply the wrapper for Microsoft Store installers. Talk about getting panties in a twist over nothing…

[PlainName]

getting panties in a twist over nothing…

Microsoft forcing telemetry on you is 'getting your panties in a twist'? That only seems innocuous compared to them not limiting it to the Store.

[Karel]

It's interesting to watch how, despite all the complains, people are still addicted to windows.
Reminds me to the apalog of the boiling frog... 

[tooki]

getting panties in a twist over nothing…

Microsoft forcing telemetry on you is 'getting your panties in a twist'? That only seems innocuous compared to them not limiting it to the Store.

Honestly? No, I don’t think it’s a big deal. Software developers use telemetry for a lot of good, legitimate purposes, and by and large Microsoft has proven to be quite good about not using it for nefarious purposes. (I would not extend the same trust to Google or Meta, for example.) I worked in the software industry for a while, and having “seen how the sausage is made”, so to speak, installation telemetry does not give me the heebie jeebies the way a lot of other modern tracking does.

[tooki]

It's interesting to watch how, despite all the complains, people are still addicted to windows.
Reminds me to the apalog of the boiling frog... 

Few people are “addicted” to Windows. People use it because it does what they need, and more specifically, because it runs the applications they need. Tons of applications (including many best-of-breed programs) are sadly Windows-only. That’s what stops me from being a full-time Mac user. I wish application availability were equal across all 3 of the major platforms, but it’s not. Each has strong areas and weak ones in regard to application availability.

[bd139]

Telemetry is fine but Microsoft's approach to telemetry is akin to punching someone in the face and saying afterwards that there's instructions on how to say no in a filing cabinet in the basement of the local library while telling you to accept your face punching, shut up and calling you a peon.

Oh also I reported that the opt-out didn't work in their debian packages a few years back. Guess what? Well they fixed the issue and deleted my ticket and then they deleted by 10 year old github account when I complained about it for a TOS violation.

That's where you stand. Happy Mac owner. At least the cage works properly and is trying to get the asshats out.

[tooki]

Telemetry is fine but Microsoft's approach to telemetry is akin to punching someone in the face and saying afterwards that there's instructions on how to say no in a filing cabinet in the basement of the local library while telling you to accept your face punching, shut up and calling you a peon.

From skimming the Twitter thread, nothing was hidden, the developer just wasn’t paying attention to things when packaging their app for the MS Store.

[radiolistener]

Telemetry is fine

No, it's not fine. It's a big danger and large security hole. There is no good purpose for telemetry, it is needed only for malicious purposes, like collecting your private data, selling it and share to ad spammers, scammers and criminals, all without your consent.

You know how they doing it, first they collecting your private data and convince you that this is completely 100% safe, they said that it will be stored it in a very secure and super duper protected storage facility. Then one day it will be stolen by some anonymous hackers and appears on paid black web database. And they said "oh sorry, shit happens, we will work better to avoid it in future"... So, all your private data appears available for all criminals all around the world and none responsible for that...

Some of them even don't hide that they collecting and share your private data, they just said that this data will be collected and shared anonymously, but they don't tell you that it will include a lot of unique ids which allows to de-anonymize your private data very easily.

[SiliconWizard]

[tooki]

There is no good purpose for telemetry, it is needed only for malicious purposes

What a myopic, hysterical, uninformed, and untrue claim.

There are definitely some uses for telemetry that are absolutely beneficial to the user: crash reports and usability research. Developers use crash reports to figure out what the most common application crashes are, so they can fix them.

Stable software benefits the user.

Some developers use telemetry to figure out how people use their software: which features actually get used the most? How do people access them (toolbars? Menus? Keyboard shortcuts? Right-click menus?) Which commands get used in what combinations? For example, knowing which commands are often followed by “undo” tells you it’s an error-prone feature. Microsoft’s use of usability telemetry has directly resulted in lots of usability improvements, for example the handy little menu that appears after pasting to let you format the pasted data. Knowing which features are used and how can help guide what features get prioritized for development.

Usability benefits the user.

[helius]

Of course corporations want to make believe that their spyware (ahem, "telemetry") is the equivalent of a usability study, but it plainly is nothing of the kind. Collecting statistics—on which buttons are clicked most often—doesn't yield any useful information if there is no experimental control. Data without a control is just worthless junk (see most papers in econ and nutrition for examples).

The UI changes that they justify on the basis of this worthless junk are also, you guessed it, worthless. But everybody already knew that if they are remotely familiar with user interfaces in the pre-2005, and compare to what dreck is pushed out these days. There are other reasons for the widespread UI failure ("responsiveness" and touchscreens are a large component) but reliance on uncontrolled UX data collection is surely a major factor.

[bd139]

Regarding my comment about telemetry being fine, yes it is fine. But if it is constrained properly and the user consents to it.

If someone does a proper analysis then it is a powerful tool for making decisions. That requires some formal framework, proper collection methodology, thinking and statistical analysis around it. And that requires people who are formally qualified to do an analysis in that space (consider RSS / IMA members)

BUT the general approach of the technology industry is to collect everything, hope there is something useful in it and fabricate some official looking outcome from it without publishing your methodology. At the same time, creating a privacy violating dragnet and covering that with marketing. That is NOT ok. And that is Microsoft's approach. In fact their approach seems to be measuring what a completely helpless and powerless set of users will put up with.

It's important to distinguish the two. No absolutes are good for anyone.

[bd139]

Of course corporations want to make believe that their spyware (ahem, "telemetry") is the equivalent of a usability study, but it plainly is nothing of the kind. Collecting statistics—on which buttons are clicked most often—doesn't yield any useful information if there is no experimental control. Data without a control is just worthless junk (see most papers in econ and nutrition for examples).

The UI changes that they justify on the basis of this worthless junk are also, you guessed it, worthless. But everybody already knew that if they are remotely familiar with user interfaces in the pre-2005, and compare to what dreck is pushed out these days. There are other reasons for the widespread UI failure ("responsiveness" and touchscreens are a large component) but reliance on uncontrolled UX data collection is surely a major factor.

That's mostly because the user studies are invalid.

What is considered:

1. If we do change X then outcome Y happens.
2. If we do change P then outcome Q happens.

What should have been considered but is never done is a control option:

1. Leave my shit alone and stop pissing around with it.

This is normally isolated from user studies because people don't consider that as a valuable outcome because it does not generate work and people value work more than leaving shit alone and stop pissing around with it.

[bd139]

There is no good purpose for telemetry, it is needed only for malicious purposes

What a myopic, hysterical, uninformed, and untrue claim.

There are definitely some uses for telemetry that are absolutely beneficial to the user: crash reports and usability research. Developers use crash reports to figure out what the most common application crashes are, so they can fix them.

Stable software benefits the user.

Some developers use telemetry to figure out how people use their software: which features actually get used the most? How do people access them (toolbars? Menus? Keyboard shortcuts? Right-click menus?) Which commands get used in what combinations? For example, knowing which commands are often followed by “undo” tells you it’s an error-prone feature. Microsoft’s use of usability telemetry has directly resulted in lots of usability improvements, for example the handy little menu that appears after pasting to let you format the pasted data. Knowing which features are used and how can help guide what features get prioritized for development.

Usability benefits the user.

Your reasoning is detached from the outcome.

Yes crash reports and usability reports are good data sources.

Do they benefit the user? That depends on the sausage factory in the middle of the process.

I have never seen an outcome that is user beneficial from a usability study. I posit that they are run by people who have no idea what they are doing.

As for the other point, my day job for the last couple of years has been running the reliability engineering team for a very large fintech. If you think that a crash dump results in a viable outcome for end users even 5% of the time then you are naive. Most of the time it is just noise. We get thousands of them an hour. And that is considered normal. Even if we do perform a causal analysis on a statistically common one, finding an engineer who can actually understand or solve the problem in a complex distributed system is an uphill battle as well.


The general theme in the thread above is there aren't a lot of people who know what they are doing. They are all making appropriate looking dances though and people who don't know what they are doing look at those and think they might know what they are doing. It's not turtles, but incompetence from the top to the bottom.

And that's why we shouldn't trust, not because the idea is bad, but the competence is bad.

[PlainName]

Some developers use telemetry to figure out how people use their software

Shouldn't that be done in-house, or at minimum with users that agree to be monitored? Are you happy with your car telling the manufacturer where you went, what speeds you did where, how you used the brakes, your acceleration, where you were looking, how you flash the lights, etc? What time you go to work, the shops, hey - is that the place where Ms Periwinkle's car is parked and it's always 8pm to 10pm?

[bd139]

Some developers use telemetry to figure out how people use their software

Shouldn't that be done in-house, or at minimum with users that agree to be monitored? Are you happy with your car telling the manufacturer where you went, what speeds you did where, how you used the brakes, your acceleration, where you were looking, how you flash the lights, etc? What time you go to work, the shops, hey - is that the place where Ms Periwinkle's car is parked and it's always 8pm to 10pm?

That's a bad straw man. You can't draw similarities between different topical studies.

Most operational telemetry in the IT space is classified as "VALE" - Volume, Availability, Latency, Errors. That does not apply well to cars as you can probably imagine 

[tooki]

Of course corporations want to make believe that their spyware (ahem, "telemetry") is the equivalent of a usability study, but it plainly is nothing of the kind. Collecting statistics—on which buttons are clicked most often—doesn't yield any useful information if there is no experimental control. Data without a control is just worthless junk (see most papers in econ and nutrition for examples).

I worked in usability for years.

No, telemetry is not a substitute for usability studies, it is complementary to them, because they show real-world usage, which is often quite different from the studies. As for the statistical significance, it isn’t perfect since some users (which are likely to be more tech-savvy ones) opt out, but due to the sheer scale, it still produces tons of useful information.

I don’t know how you would make a control group for this; it’s not comparative analysis. It’s simple quantitative data: what gets used the most, and what sequences get used.

[tooki]

Your reasoning is detached from the outcome.

That’s a rather lofty accusation.

I worked in the software industry for years, and at a usability agency. I have relevant, real-world experience with this, and am not the deluded simpleton you essentially accuse me of being.

Yes crash reports and usability reports are good data sources.

Do they benefit the user? That depends on the sausage factory in the middle of the process.

Sure, that’s fair.

I have never seen an outcome that is user beneficial from a usability study.

Hold on, we aren’t talking about usability studies. We are talking about usage data, which is used to inform subsequent usability design.

I literally gave a real-world example: the post-pasting popup menu in Microsoft software (Office, etc). Usage telemetry had shown that the “paste” command is very frequently followed by “undo”, because the result was not as intended. Then people would either use a Paste Special command, or paste it normally and follow it by manual reformatting. So they added the little popup that lets you change the pasted formatting in situ. I think this is a fantastic feature, and well-implemented: it makes it easy to recover from an unexpected result, yet doesn’t force any change to one’s workflow at all: you can also simply ignore it and fix the problem in the old ways.

I posit that they are run by people who have no idea what they are doing.

Every industry and specialty has people who are incompetent and people who are competent. You can’t just dismiss all usability research as “run by people with no idea what they’re doing”.

As for the other point, my day job for the last couple of years has been running the reliability engineering team for a very large fintech. If you think that a crash dump results in a viable outcome for end users even 5% of the time then you are naive. Most of the time it is just noise. We get thousands of them an hour. And that is considered normal. Even if we do perform a causal analysis on a statistically common one, finding an engineer who can actually understand or solve the problem in a complex distributed system is an uphill battle as well.

The ratio depends entirely on the product, of course. At the small software company I worked at, where the software could generate a crash report as a precomposed email (user still had to actively send it), the trace went straight to the dev team, which knew exactly what it meant and could take action if necessary.

I don’t doubt for a second that in complex, larger systems the ratio of useful reports is smaller. But if you ask me, even if just 5% result in a bug being fixed, that is a good thing. I fail to see how it’s better than nothing.

The general theme in the thread above is there aren't a lot of people who know what they are doing. They are all making appropriate looking dances though and people who don't know what they are doing look at those and think they might know what they are doing. It's not turtles, but incompetence from the top to the bottom.

And that's why we shouldn't trust, not because the idea is bad, but the competence is bad.

I don’t disagree in principle with that statement, but maybe I’m just not quite as jaded as you.

[tooki]

Some developers use telemetry to figure out how people use their software

Shouldn't that be done in-house, or at minimum with users that agree to be monitored?

But users do agree to it. That’s why software installers literally ask you whether you agree to share usage data or not. Any legitimate vendor makes it clear what is and isn’t collected. (For example, that your data itself won’t be shared.)

Are you happy with your car telling the manufacturer where you went, what speeds you did where, how you used the brakes, your acceleration, where you were looking, how you flash the lights, etc? What time you go to work, the shops, hey - is that the place where Ms Periwinkle's car is parked and it's always 8pm to 10pm?

Completely different from usage statistics.

A correct analogy would be that it shares things like: what percentage of the time is your foot on the gas pedal? How many times do you use the brake on a typical drive? What’s the average length of your drives, in km and in minutes? What’s your acceleration style (jackrabbit starts or slow off the line)? How long is the car idle between drives?

The stuff you list is more like if Word was sending not only that, but also uploading your documents and a live keyboard log.

I am absolutely aware that some companies, like Google and Meta (and the essentially scammers who make “free” phone apps whose main raison d’être is to collect user data), do collect and upload all kinds of sensitive personal data, like location logs, to use for commercial purposes. But not all software companies do, and it’s unfair to extrapolate the true offenders into being typical of the entire industry.