
It should be opt-in, not opt-out.


Man, the privacy critics really come out of the woodwork every single time "opt-out" is mentioned, regardless of the actual facts for a specific situation. The developers explicitly state they set the anonymous IP address flag. There is nothing that links back to you as a person. Are you really concerned that the developers know which packages a random, unknown person has installed?

Crying "opt-in" to every single little thing that has ever tracked you for non-nefarious reasons completely detracts from the cases where tracking is nefarious. Homebrew is not tracking for ads. They are not tracking for anything worth selling to a 3rd party. They're not - and are incapable of - linking this to any other database that does contain personally identifiable information. There's no "profile" worth anything to anybody except the developers, who are trying to get some very basic information completely detached from any identity.

>> You will be notified the first time you run brew update or install Homebrew.

>> to opt-out of Homebrew's analytics you may set HOMEBREW_NO_ANALYTICS=1 in your environment

They went to the lengths to document this. And to notify you when you run the software. You have the opportunity to opt-out of something that is completely harmless. There is no valid reason to be crying foul over this. Of all the tracking that goes on with our internet connections, this should by far be the least of anyone's concerns.

I have uBlock Origin installed in Chrome. With all the ad networks and analytics scripts blocked. Google Analytics does not run in my browser. And yet, I am not even slightly opposed to homebrew's use of it. It's actually anonymous, unlike how many developers use GA in the browser (tracking IP addresses, custom fields like user ids that link back to the site's database, etc). Godspeed, homebrew devs.


If all this is true then why even go to the trouble of supporting opt out?

The support for opt out acknowledges (implicitly) that the choice to upload data is rightfully the user's own prerogative. Then paradoxically enables the feature by default anyway and places the switch behind some esoteric opt out commands.


Because they're not stupid and knew that the first thing out of naysayers' mouths would be "why is there no opt-out?!", which then gets followed up with "it shouldn't even be opt-out, it should be opt-in!". They tried to get out in front of the matter by even bothering to document the use of analytics, and implementing an opt-out mechanism at all. Unfortunately the nefarious ways in which intrusive analytics are used on the web have completely ruined the concept of gathering the most basic analytics in any situation.

They could have just added the analytics without saying anything. Which then leads to a) someone discovering the outgoing analytics request and reporting it on sites like HN, b) them having to defend the use of analytics and PR-fake-apologizing for not disclosing its use up front, c) implementing an opt-out, and then d) dealing with HN reports about it being opt-out instead of opt-in.

The privacy implications of analytics get blown way out of proportion every time the subject is brought up. There is a huge difference between gathering basic information a la homebrew, and the way the large ad networks track and share your information across every damn website you browse. Yet there is this vocal group of people who treat them equally.


You might not support or use Google in any way. There are such people. They use DDG and go to extraordinary lengths to prevent any assistance to Google. I'm not one of those people, but the ability to turn off the feature is reasonable.

Some folks don't trust Google. There might be a case down the road where the U.S. government required access to the data due to National Security. Given how they handled the San Bernardino iPhone incident, it's not like this won't ever happen.

Others believe that Google will use the data for their own ends. In the same way others don't want Google to become more powerful, others will be concerned that Google uses analytical data like this for their own commercial purposes, and it's not known what this might be.

It also would be a PR nightmare if this wasn't added, even though the data is anonymised to the Homebrew guys. Perception is important also. Not to mention the fact that it doesn't hurt to add this option to Homebrew.

Personally, I'll just leave it on as I don't subscribe to any of the above views, but I'm imaginative enough to see potentially legitimate concerns. :-)


I support opt-in as well. Make it the default option so people can press enter or use -y if you'd like.

I'm thinking along the lines of popcon in Debian http://popcon.debian.org/


If you can't verify that Google are actually anonymizing the data then you can't claim this is "completely harmless". I don't trust Google and this requires me to. Is that unreasonable to you?


I second that. It must be an opt-in feature.


I don't see why; you're tracked like this on nearly every website you visit unless you opt out. This isn't malicious.


That doesn't follow. The fact that many websites do this doesn't prove that it isn't malicious. It may not be (it probably isn't), but that has little to do with the complaints made about the change.


Since more people downvoted you than upvoted you, that proves that when most websites do something, it can't be malicious when an application on your computer does it. I think?


Not even your IP address is recorded. It's physically impossible for this to be malicious. There are no real privacy advocates complaining here, only people who post "it must be opt-in!" as an instant reaction to just reading the term "opt-out". Most of the complaints are probably from people who have never even used homebrew. The submission headline contains the phrase "Google Analytics", which attracts the people who always come to criticize the tool rather than actually analyzing how the tool is being used in each case.


> It's physically impossible for this to be malicious.

It's "physically impossible" for Google to read the IP header addresses if the packet data contains "&aip=1"? The IP is still logged with Google, according to their own documentation[1]:

    When present, the IP address of the sender will be anonymized.

So-called "anonymized" data can be re-correlated with the original values. DJB gave a great description[2] of this problem, right after he started working for Verizon[3]:

    Hashing is magic crypto pixie-dust, which takes personally identifiable
    information and makes it incomprehensible to the marketing department.
    When a marketing person looks at random letters and numbers they have no
    idea what it means. They can't imagine that anybody could possibly
    understand the information, reverse the hash, correlate the hashes, track
    them, save them, record them.

[1] https://developers.google.com/analytics/devguides/collection...

[2] https://projectbullrun.org/surveillance/2015/video-2015.html...

[3] If you don't believe that DJB works for Verizon, ask the man in the middle... who may have been making an elaborate joke.


>> The IP is still logged with Google, according to their own documentation

Not quite[1]. The full IP never makes it to disk. It's true that "anonymous IP" isn't as anonymous as I'd have expected. Only the last octet of an IPv4 address is removed. Considering homebrew's use specifically, not just looking at GA in general, I think this is acceptable.

[1] https://support.google.com/analytics/answer/2763052?hl=en


> The full IP never makes it to disk.

The full IP makes it to Google. We don't know what Google actually does with the packets they receive; we only know what they say.

> Only the last octet of an IPv4 address is removed.

Really? Wow. They aren't even pretending to anonymize addresses with a hash. Given that there is certainly more than 8 bits of identifying data in the other data sent to GA, a unique identifier can easily be recovered. Also, the bits they mask are the least interesting part of the address. They are preserving the network part of the address, which probably gives them the AS number.

> Considering homebrew's use specifically, not just looking at GA in general

That's the point - homebrew is choosing to add data to GA, which cannot be considered in isolation. The problem with GA isn't that they collect data from any particular site. Knowing that you occasionally visit ${website} might be interesting, but it's of limited value and relevancy. A list of people that visit ${political_opponent}'s website might be very interesting, but most of the time nobody is going to care. Knowing that you installed some software isn't interesting in most cases.

All of those situations change when someone can aggregate the data. Consider all those data points combined with the other websites that send data to GA, gmail, when you loaded the Javascript, fonts, etc hosted by Google. Add in all the data that is sent to Google from Android devices, Chrome, Nest, and every other product that Google (err, "Alphabet") is involved in. In aggregate, just the timestamps and partial address information will produce a surprisingly accurate profile of your life. This gets scary when you start to do an actual pattern-of-life analysis and correlate "anonymized" data back to real names.
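
The "more than 8 bits in the other data" argument in the comment above can be checked on your own telemetry before it ships. This is an added example, not part of the thread and not Homebrew's or Google's code: it applies the last-octet masking and counts how many clients share each stored record. The `os` and `tool` fields and every sample event are constructed assumptions, not the fields Homebrew actually sends.

```python
import ipaddress
from collections import Counter

def mask_last_octet(ip: str) -> str:
    """Zero the last octet of an IPv4 address, keeping the /24 network part."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False).network_address)

# Constructed sample events. "client" is ground truth used only to score the
# result; "os" and "tool" are hypothetical extra fields (assumptions).
EVENTS = [
    {"client": "A", "ip": "198.51.100.7",   "os": "10.11.4", "tool": "0.9.9"},
    {"client": "B", "ip": "198.51.100.23",  "os": "10.11.4", "tool": "0.9.9"},
    {"client": "C", "ip": "198.51.100.200", "os": "10.10.5", "tool": "0.9.9"},
    {"client": "D", "ip": "198.51.100.91",  "os": "10.11.4", "tool": "0.9.5"},
    {"client": "E", "ip": "203.0.113.5",    "os": "10.11.4", "tool": "0.9.9"},
    {"client": "F", "ip": "203.0.113.77",   "os": "10.11.4", "tool": "0.9.9"},
]

def masked_records(events):
    """Replace each raw IP with its masked form, as a collector would store it."""
    return [{**e, "masked_ip": mask_last_octet(e["ip"])} for e in events]

def group_sizes(events, fields):
    """Anonymity-set size for every combination of the given stored fields."""
    return Counter(tuple(r[f] for f in fields) for r in masked_records(events))

def singled_out(events, fields):
    """Clients whose stored record is unique (anonymity set of size 1)."""
    records = masked_records(events)
    sizes = group_sizes(events, fields)
    return sorted(r["client"] for r in records
                  if sizes[tuple(r[f] for f in fields)] == 1)

if __name__ == "__main__":
    for fields in (["masked_ip"], ["masked_ip", "os", "tool"]):
        sizes = group_sizes(EVENTS, fields)
        print(fields, "smallest set:", min(sizes.values()),
              "singled out:", singled_out(EVENTS, fields))
```

With the masked address alone every client hides among at least one other; adding two low-entropy fields already isolates some of them, which is the measurement to run against a real schema when deciding which fields to collect.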


> They are preserving the network part of the address, which probably gives them the AS number.

Yep, it is guaranteed to reveal your ASN because the smallest IP prefix on the internet is /24.

The last 8 bits are not dependent on the network address.


I think the phrase you're looking for is "no true privacy advocates."


Yes, but those are websites. Some degree of tracking is vital to the functioning of many websites. e.g. No cookies, no sessions (generally speaking). Furthermore, it is expected that a lot of websites are tracking you.

I feel pretty safe in saying that most developers do not expect a command-line tool to phone home without saying, especially if this behavior was introduced in an update for a tool which didn't do that historically (and without any notification of the change).

Considering the popularity of this tool, it's a bit shocking that the core dev team of Homebrew didn't seem to anticipate that people would be upset by this. It really knocks my trust in and willingness to depend on this project.



Opt-in, like optional security, rarely gets used.


That's not a user problem.


It most certainly is if support is focused on the wrong packages and features because they don't have the data to make informed decisions.


By that logic, CPython should track usage stats too.


It does to a very limited extent, in that pypi collects download statistics.



