Microsoft repackages apps with a telemetry .NET wrapper

[PlainName]

Some developers use telemetry to figure out how people use their software

Shouldn't that be done in-house, or at minimum with users that agree to be monitored?

But users do agree to it. That’s why software installers literally ask you whether you agree to share usage data or not.

No problem with those that do that, but those aren't what's under discussion here. With many apps you get told they will use telemetry and that's your lot. Others will offer you the option to opt out of some telelmetry but not all. And it should be opt in.

Any legitimate vendor makes it clear what is and isn’t collected. (For example, that your data itself won’t be shared.)

Unless 'anonymised'. Or shared with trusted partners. Or similar wishy-washy things.

Are you happy with your car telling the manufacturer where you went, what speeds you did where, how you used the brakes, your acceleration, where you were looking, how you flash the lights, etc? What time you go to work, the shops, hey - is that the place where Ms Periwinkle's car is parked and it's always 8pm to 10pm?

Completely different from usage statistics.

A correct analogy would be that it shares things like: what percentage of the time is your foot on the gas pedal? How many times do you use the brake on a typical drive? What’s the average length of your drives, in km and in minutes? What’s your acceleration style (jackrabbit starts or slow off the line)? How long is the car idle between drives?

Not sure I want anyone to know any of that! It's just a matter of degree, isn't it? Where one draws the line. And don't forget we are on about those not asking permission but just gobbling the stuff, because.

The stuff you list is more like if Word was sending not only that, but also uploading your documents and a live keyboard log.

I am absolutely aware that some companies, like Google and Meta (and the essentially scammers who make “free” phone apps whose main raison d’être is to collect user data), do collect and upload all kinds of sensitive personal data, like location logs, to use for commercial purposes.

Check up a little bit and you'll see that this is about those 'some companies'. Microsoft is definitely not an innocent in this.

[Marco]

Microsoft forcing telemetry on you is 'getting your panties in a twist'? That only seems innocuous compared to them not limiting it to the Store.

Could be worse, they could insert an online certificate check into your application (even though a certificate revocation list is easily possible and inherently superior for both privacy and security).

[madires]

From an EU point of view (GDPR) the rules for telemetry are quite clear. Telemetry can't be forced upon the user, i.e. the application has to run also when users deny the collection of telemetry data. Users have to be informed about all the details (what, why, how long stored, and so on).

[tooki]

Any legitimate vendor makes it clear what is and isn’t collected. (For example, that your data itself won’t be shared.)

Unless 'anonymised'. Or shared with trusted partners. Or similar wishy-washy things.

Sorry, I see the way my statement was ambiguous.

I didn’t mean “share with others”, I meant “the user sharing the data with the developer”, not the developer sharing it with third parties. And by “data itself” I mean things like your documents, as opposed to usage data.

So what I mean is that a proper opt-in system makes it clear that the software isn’t, for example, uploading your document to them.

[radiolistener]

What a myopic, hysterical, uninformed, and untrue claim.

There are definitely some uses for telemetry that are absolutely beneficial to the user: crash reports and usability research. Developers use crash reports to figure out what the most common application crashes are, so they can fix them.

We had telemetry system which was used for the system state monitoring (distributed machines and devices), but as developer I don't remember even one case where I worked with the bug or crash report obtained with telemetry. All this is usually done with usual logging and issue tracker. I remember that we had some experimental telemetry to collect logs, but it was never used in production due to security reason.

I don't see telemetry use case for bug fix and crash report analysis, especially if its not about private system, but about collecting data all around the world. It just will be flooded with false positive and not relevant data for bug fixing.

As operating system user I don't need that someone research usability on my machine. Such an attempt to justify telemetry looks like grant unlimited permission to some random unknown student to allow him to access your private home at any time and examine your genitals while you sleep. Just to research your usability...   

Telemetry is the way how criminals can buy all info about you and use it to make harm to you. So when you share your data through telemetry to some "very safe and secure" company, you're needs to be ready that all that data will be available for criminals and they will use it to make money and they will be absolutely indifferent if it causes you financial or health harm

[radiolistener]

Not sure I want anyone to know any of that! It's just a matter of degree, isn't it? Where one draws the line. And don't forget we are on about those not asking permission but just gobbling the stuff, because.

This is really going much more deep. What will protect you from some criminal who decide to use online access to your electric car computer to make some "small mistake in the firmware code" which leads to failure of brake and gas pedal and take remote control over the steering... and you get into a traffic accident. And there is no way to check what happens, because computer will have some seconds to clean all tails and log events. That is the price to allow internet access for your car computer...

So what I mean is that a proper opt-in system makes it clear that the software isn’t, for example, uploading your document to them.

What will prevent to collect the data independently on that opt-in setting?
The same as it happens with MS?

[tooki]

So what I mean is that a proper opt-in system makes it clear that the software isn’t, for example, uploading your document to them.

What will prevent to collect the data independently on that opt-in setting?

Not sure what you mean.

Point is, a well written opt-in makes it CLEAR to the user who is reading it what will and will not be collected and uploaded, and what happens to it once uploaded, so that the user can make an informed decision on whether to click “allow” or “decline”.

The same as it happens with MS?

Meaning what? MS has multiple different telemetry systems with separate opt-ins, some for the user, some for the developer to see. This thread is about one where a developer wasn’t paying attention and got their panties in a twist over something they didn’t read when setting up their installer.

[radiolistener]

Not sure what you mean.

I mean the case when

a well written opt-in makes it CLEAR to the user who is reading it what will and will not be collected and uploaded, and what happens to it once uploaded, so that the user can make an informed decision on whether to click “allow” or “decline”.

But when user click on "decline", it still sends telemetry, just encrypted it and use more rare connections to hide telemetry activity from user.

[bd139]

Your reasoning is detached from the outcome.

That’s a rather lofty accusation.

I worked in the software industry for years, and at a usability agency. I have relevant, real-world experience with this, and am not the deluded simpleton you essentially accuse me of being.

I'm not making an accusation. I'm just stating that the data and the intent do not always end in the conclusion that people think that they do. That is mostly because people don't know how to do a proper analysis of anything really. This is not specific to this but the claims of a tangible outcome are vastly overstated.

I would suggest that the "usability agency" is a considerable bias as well based on my other comment. Literally there is no business if you tell the client not to touch something, so the default state is that a change must be made otherwise there is no report to make.

The reason that we stopped hiring agencies to run user studies for us is that at no point did anyone run a baseline analysis against a null hypothesis i.e. no change. I got into a hefty argument with a consultant over this who said that a change is 100% necessary, without providing any evidence and before the study was run. That is a complete lack of objectivity, intellectual and professional integrity in the industry.

The end game of two large, well known agencies being hired was that we had to roll ALL the changes back because it crippled clients.

This cost us a LOT of money. Try writing off a couple of million GBP and you'll see where the ROI is.

I literally gave a real-world example: the post-pasting popup menu in Microsoft software (Office, etc). Usage telemetry had shown that the “paste” command is very frequently followed by “undo”, because the result was not as intended. Then people would either use a Paste Special command, or paste it normally and follow it by manual reformatting. So they added the little popup that lets you change the pasted formatting in situ. I think this is a fantastic feature, and well-implemented: it makes it easy to recover from an unexpected result, yet doesn’t force any change to one’s workflow at all: you can also simply ignore it and fix the problem in the old ways.

Personally I think that's a shitty feature because it doesn't work like anything else in the rest of the OS or any other software. It's literally an edge case coded into the office UI runtime.

Compare to "Paste and Match Style" on macOS which is system wide.

I don’t disagree in principle with that statement, but maybe I’m just not quite as jaded as you.

It's not really jaded, but experienced.

Put it this way, who's the last person you go to for financial advice? Actually a financial advisor. Why? Well it turns out that they have two principal objectives (a) earning commission and (b) reaching sales targets. That gets you a mediocre outcome. What gets you the best outcome is developing an understanding of the domain and the problem and that comes from a proper study and analysis, not witchcraft and hope for a fixed price.

[Monkeh]

From an EU point of view (GDPR) the rules for telemetry are quite clear. Telemetry can't be forced upon the user, i.e. the application has to run also when users deny the collection of telemetry data. Users have to be informed about all the details (what, why, how long stored, and so on).

And yet you cannot use Windows without telemetry.

[madires]

Unfortunately the GDPR enforcement is slow, especially when the Irish DPC is involved.

[bd139]

From an EU point of view (GDPR) the rules for telemetry are quite clear. Telemetry can't be forced upon the user, i.e. the application has to run also when users deny the collection of telemetry data. Users have to be informed about all the details (what, why, how long stored, and so on).

And yet you cannot use Windows without telemetry.

Actually you can. If you have Windows 2021 LTSC IoT Enterprise Edition with a specific carefully configured GPO, the blessing of three wizards, cast some runes upon a dead chicken, you will get no telemetry until the next time you run windows update.

[Infraviolet]

"Actually you can..."
There might be a simpler way, Windows locked away inside a VM, with some very strict firewalling of any potential telemetry which was trying to escape the VM performed by a trustworthy Linux host OS. That would be a solution for anyone needing to run a program on Windows which wasn;t Wine compatible (unfortunately not that great a fraction of Windows exe programs are Wine compatible, I'm lucky with the few legacy Windows programs I use).

[radiolistener]

Actually you can.

Unfortunately Windows has a lot of different telemetry subsystems and some of them are hardcoded into kernel DLL's and cannot be removed or disabled. It has a bunch of hardcoded IP's and DNS addresses to collect the data, so it even hard to configure firewall to block them all.

I would say that Windows is a great modular spyware system which supports some operating system functions 

But you can still run it without telemetry if you turn off ethernet cable and wifi adapter   

[SiliconWizard]

I would say that Windows is a great modular spyware system which supports some operating system functions 

Yes! This is probably an hyperbole though! MS is only doing this to improve your user experience. Don't you want your experience to be improved?

[Karel]

I would say that Windows is a great modular spyware system which supports some operating system functions 

Yes! This is probably an hyperbole though! MS is only doing this to improve your user experience. Don't you want your experience to be improved?

Yes, I want my experience to be improved. That's why I moved away from ms windows.
Not just at home, also at work (including some colleagues).

[bd139]

"Actually you can..."
There might be a simpler way, Windows locked away inside a VM, with some very strict firewalling of any potential telemetry which was trying to escape the VM performed by a trustworthy Linux host OS. That would be a solution for anyone needing to run a program on Windows which wasn;t Wine compatible (unfortunately not that great a fraction of Windows exe programs are Wine compatible, I'm lucky with the few legacy Windows programs I use).

That is literally what I'm doing. I have an EC2 instance in AWS running windows server. There is a SG configured so it can only service RDP. Software is pushed to it over remote folders.

[tooki]

Your reasoning is detached from the outcome.

That’s a rather lofty accusation.

I worked in the software industry for years, and at a usability agency. I have relevant, real-world experience with this, and am not the deluded simpleton you essentially accuse me of being.

I'm not making an accusation. I'm just stating that the data and the intent do not always end in the conclusion that people think that they do. That is mostly because people don't know how to do a proper analysis of anything really. This is not specific to this but the claims of a tangible outcome are vastly overstated.

You didn’t say “people”, you said me, so it’s hard to not see this as you basically calling me incompetent or stupid.

I would suggest that the "usability agency" is a considerable bias as well based on my other comment. Literally there is no business if you tell the client not to touch something, so the default state is that a change must be made otherwise there is no report to make.

That’s on you. If a client wants to test the existing state, an agency will do it. If you weren’t getting this, it’s because you neglected to ask for it — or more likely didn’t want to pay for it when offered.

The reason that we stopped hiring agencies to run user studies for us is that at no point did anyone run a baseline analysis against a null hypothesis i.e. no change. I got into a hefty argument with a consultant over this who said that a change is 100% necessary, without providing any evidence and before the study was run. That is a complete lack of objectivity, intellectual and professional integrity in the industry.

Then you were dealing with a REALLY shitty agency. The one I worked at absolutely did not work like that.

Many of our projects began with testing the status quo to figure out where the problems are. (One memorable example was a health insurance company’s enrollment forms: an old lady was doing the test and got to the question “have you consumed cannabis products within the past 60 days?” to which she said out loud “no, but I could use some right about now!” 😂)

Don’t extrapolate to the entire industry; there ARE honest players. Just avoid the ones in any way affiliated with big management consulting companies!

I will also add that a LOT of the usability experience I got was at the software company, where it was all being done for the benefit of our own end users.

Personally I think that's a shitty feature because it doesn't work like anything else in the rest of the OS or any other software. It's literally an edge case coded into the office UI runtime.

Jeez Louise you’re rigid!

TONS of software uses custom controls to do useful things. Done well — like here — they are unobtrusive and doesn’t interfere with existing workflows.

On Windows, the basic UI widgets are MUCH dumber than those on macOS, so Windows developers are more or less forced to use custom widget extensions or third-party widget libraries to get more advanced behavior.

Compare to "Paste and Match Style" on macOS which is system wide.

Yep, it’s a great feature. But it can’t work everywhere. The document object models of the Office apps are WAY more complex than even macOS’s basic widgets. macOS and windows both use RTF as their basic formatted text format. Word, for example, does not. It’s a stylesheet-based system with nested stylesheets which apply to different levels of document structure, so merging them requires intimate knowledge of said structure. An OS-level command can’t do that.

I don’t disagree in principle with that statement, but maybe I’m just not quite as jaded as you.

It's not really jaded, but experienced.

I’m experienced, too.

You’re jaded from negative experiences. You accuse me of having bias, but so do you. I’m sorry you had very bad experiences with agencies, but not all are like that. Some are comprised of good, honest people who do good work that truly benefits their clients.

FWIW one reason I left the computer and usability industry entirely is because I got jaded — about clients. Too many times, after properly studying the problem, we’d design and test a really good solution, but the client would then not implement it as designed (often because they didn’t want to put in the effort on their backend systems to actually support the interaction design they’d been seeking). The half-baked implementation then would introduce new problems, which the client would tolerate for a few years before undertaking another website redesign, throwing out all prior work and starting over again rather than improving the implementation. So as a usability engineer, I rarely got to see my actual designs implemented, just pale, unsatisfying ghosts of them.

Put it this way, who's the last person you go to for financial advice? Actually a financial advisor. Why? Well it turns out that they have two principal objectives (a) earning commission and (b) reaching sales targets. That gets you a mediocre outcome. What gets you the best outcome is developing an understanding of the domain and the problem and that comes from a proper study and analysis, not witchcraft and hope for a fixed price.

Well what you’re describing isn’t a financial advisor, it’s a broker or salesperson, who at a big financial firm may well have the title of “financial advisor”.  But there exist independent financial advisors, and their advice, as I understand it, can be quite good precisely because they aren’t selling you any of the products they advise you to buy (or not). The flip side is that their services aren’t free.

You get what you pay for: a free financial analysis or free usability review is basically a way to get you in the door so money can be made on you some other way. It sounds to me like you may not have a good feel for this.

[radiolistener]

Too many times, after properly studying the problem, we’d design and test a really good solution, but the client would then not implement it as designed

That is not because your clients are stupid, on the contrary they are not implemented your ideas because they have experience and knowledge in their business area, which allows them to apply proper decision and this is why their business is still alive. 

You can say that your solution is really good when it was accepted and implemented by someone and its result shows the real improvement.

But when many of your solutions are rejected and not implemented, you can't say that these are "really good solution", because there is no evidence for that. It's just your personal subjective opinion.

Theory without practice is empty and practice without theory is blind.

[tooki]

Too many times, after properly studying the problem, we’d design and test a really good solution, but the client would then not implement it as designed

That is not because your clients are stupid, on the contrary they are not implemented your ideas because they have experience and knowledge in their business area, which allows them to apply proper decision and this is why their business is still alive. 

You can say that your solution is really good when it was accepted and implemented by someone and its result shows the real improvement.

But when many of your solutions are rejected and not implemented, you can't say that these are "really good solution", because there is no evidence for that. It's just your personal subjective opinion.

Theory without practice is empty and practice without theory is blind.

Another undeservedly cocky reply from you…

I’m not hypothesizing about why they didn’t implement it; they told us. (Usually, the people pushing the usability initiatives aren’t the development teams. They are equally disappointed by the outcome.)

 And we weren’t guessing about it being a good solution, we tested them. (Normal practice for good usability engineering is to do tests with “prototypes” made in special software to do quick mock-ups.)

[radiolistener]

Another undeservedly cocky reply from you…

There is nothing cocky, I just tell you what I think. It's pretty clear from my point of view. I don't see the reason to claim that your solution which is rejected by experienced clients (with a deep knowledge in their business area) is "really good solution" for these clients.

It looks like cheap marketing spam like "Believe me bro, our product is really good product and you're very needs it!" from the manufacturer of useless junk-goods. They usually also showing some useless colorful pictures with nice graphs and numbers, trying to hypnotize you with that. Or showing you prototypes hastily generated in some cheap form builder or Photoshop, for the same goal... I also notice that such marketing guys very like Apple products for some unknown reason, they're just crazy about it.

I’m not hypothesizing about why they didn’t implement it; they told us. (Usually, the people pushing the usability initiatives aren’t the development teams. They are equally disappointed by the outcome.)

Looks like you're just fooling yourself and don't notice it. Usually companies have policy to never criticize products from other companies. Instead, they just use some soft language that allows them to politely refuse the offer.

But it doesn't means that your rejected solution is really good for them. Really good solutions are accepted, not rejected...

Just don't fool yourself...  Sorry if it hurts you, but it should be pretty obvious...


PS: But I can understand your point of view very well, that collecting telemetry is very useful for the user, if you're working for some secret services from three letters or something like that... In this case I won't argue with you   


For me, telemetry is a showstopper issue. If I see that application sends telemetry, I don't want to use it. And it doesn't matters what is the reason for that telemetry.

[tooki]

Another undeservedly cocky reply from you…

There is nothing cocky, I just tell you what I think. It's pretty clear from my point of view. I don't see the reason to claim that your solution which is rejected by experienced clients (with a deep knowledge in their business area) is "really good solution" for these clients.

It looks like cheap marketing spam like "Believe me bro, our product is really good product and you're very needs it!" from the manufacturer of useless junk-goods. They usually also showing some useless colorful pictures with nice graphs and numbers, trying to hypnotize you with that. Or showing you prototypes hastily generated in some cheap form builder or Photoshop, for the same goal... I also notice that such marketing guys very like Apple products for some unknown reason, they're just crazy about it.

I’m not hypothesizing about why they didn’t implement it; they told us. (Usually, the people pushing the usability initiatives aren’t the development teams. They are equally disappointed by the outcome.)

Looks like you're just fooling yourself and don't notice it. Usually companies have policy to never criticize products from other companies. Instead, they just use some soft language that allows them to politely refuse the offer.

But it doesn't means that your rejected solution is really good for them. Really good solutions are accepted, not rejected...

Just don't fool yourself...  Sorry if it hurts you, but it should be pretty obvious...

Please stop. I’m not the idiot you and bd139 seem to think I am. You don’t know the process, and you don’t know the industry. The explanations here are only super-simplified, and it’s not my job to spell out every damned detail of the process. At some point, just accept that I was a competent industry professional who knows what he is talking about.

Anyhow, the clients didn’t reject the solutions. They (typically the customer experience team at the client company, who we worked with closely) accept the solution and then gives it to their developers to implement, and then the development team doesn’t implement it as designed. Sometimes this is because the customer experience team did not involve the development team early enough. Other times, the dev team was involved and cooperative but then couldn’t complete it for some reason. Reject ≠ not implement properly. As I said from the beginning, the issue was poor implementations.

And also, you say “experienced clients” — well, no, they came to us because they needed our expertise in usability engineering. They are experts in their own business, not in ours. So we worked closely to design good solutions for their customers. These days it’s mostly website and app design, of course.

Prototypes are not “hasty”, they’re carefully designed to work like the real thing, despite not having the real back-end systems behind them. These are interactive prototypes, not photoshop images. At this stage, it’s not about pixel perfection, it’s about interaction design, so they may not match the graphic design completely. (Sometimes, you deliberately make them very visually unpolished precisely to stop people from worrying about pixel perfection; the software lets you output it in “sketch” mode that looks hand-drawn. Still clickable interactive, though.)

[radiolistener]

And also, you say “experienced clients” — well, no, they came to us because they needed our expertise in usability engineering. They are experts in their own business, not in ours. So we worked closely to design good solutions for their customers. These days it’s mostly website and app design, of course.

I see it differently. They just interested what your company can propose them. Then when they realize that your solution cannot help them, they decided to not implement it. I'm sure they analyzed it very carefully and some experienced personnel make that decision. Simply saying they decided that this solution is not good for them.

I know how it is implemented in large well known companies. Believe me, their decision is not based on random thought of one person.

[PlainName]

decision is not based on random thought of one person

'Musk'

 

[tooki]

And also, you say “experienced clients” — well, no, they came to us because they needed our expertise in usability engineering. They are experts in their own business, not in ours. So we worked closely to design good solutions for their customers. These days it’s mostly website and app design, of course.

I see it differently. They just interested what your company can propose them. Then when they realize that your solution cannot help them, they decided to not implement it. I'm sure they analyzed it very carefully and some experienced personnel make that decision. Simply saying they decided that this solution is not good for them.

I know how it is implemented in large well known companies. Believe me, their decision is not based on random thought of one person.

You aren’t listening (again): the situations I am talking about is where they did choose to implement it.

They just then end up implementing it poorly because the people doing the implementing aren’t the same ones making the decision.