HACKER Q&A
📣 hidden-spyder

Could the telemetry collected by VSCode be used maliciously?


As a user of VSCode, I've more than once come across complains by people that it has unnecessary telemetry.

I was wondering what the worst use one could hypothetically put the data to.

On a separate note, VSCodium is a fork of VSCode that strips the telemetry. [1]

[1]: https://vscodium.com/

  👤 btown Accepted Answer ✓
You can learn more about the types of telemetry events and log specific outputs from your own session here: https://code.visualstudio.com/docs/getstarted/telemetry#_out...

IMO, assuming good faith adherence to the current message scopes, Microsoft could at best learn that numerous developers from a specific office building (well, not nowadays, I suppose) are using a certain type of technology requiring a certain type of extension. But I don't think there would be any actionable intelligence.

That said, any extension developer could add their own telemetry which could log keystrokes, or otherwise exfiltrate data. You give tremendous trust to the developers of any extension you add to an IDE.

👤 JMTQp8lwXL
I care somewhat about telemetry, but the path to avoiding it must be simple. In VSCodium's case, it's not quite there.

If VSCodium wanted greater market share, the first thing they'd do is clean up the extensions story. Today, there's a laundry list of things you must do to use extensions:

https://github.com/VSCodium/vscodium/blob/master/DOCS.md#ext...

An IDE with no extensions is quite valueless to me, and resolution isn't frictionless.

👤 siproprio
I used to like vs code, and it made me productive. These days, every day that passes, I find something that surprises me. Things go from annoying changes to to grab "beginners" attention, to finding out hidden states or configuration where the developers say they purposefully designed something to make it difficult for users to change and understand.

Today I'm outraged when I needed to change my terminal in a workspace setting, and I found out they had a prompt that is designed for people to not notice, and the code is obfuscated to prevent people from understanding it.

👤 1680168l
. . . easily. Know that I'm speaking from a place of ignorance, but technically, any information VSCode has access to is up for grabs. And all you can do is 'disable telemetry' (which is of course not a functionality you can verify via the MIT-licensed GitHub repo).

On the other hand, it depends on just how involved Microsoft is with its telemetry programs. They could have algos that dynamically decide which apps on which machines or groups of machines are going to monitor and report on which information today. Or, they could have every program on most machines collect and send the same type of information for months on end.

To the end user, it doesn't matter; there is no grounds for trust in their judgment on the matter of telemetry. If they want your code, they could easily make that happen.