This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.
— rsc for the proposal review group

@rsc I didn't get a chance to ask this before the discussion was closed:

Uploaded reports only contain strings that are already known to the collection server: counter names, program names, and version strings repeated from the collection configuration, along with the names of functions in specific, unmodified Go toolchain programs for stack traces.

Why not assign every known string a number, and then use those numbers instead of sending strings? While sending the strings themselves is equivalent to the numbers, there's a "slippery slope" whiff I get from it. Publishing the known string index is another way to assure users that their privacy is being protected. There's an extra feeling of security knowing that only numbers are being sent.

@willfaught I actually think it would be less transparent, not more. Because instead of seeing the actual human-readable information that is sent, you get a bunch of cryptic numbers that you have to interpret. Even if it was increasing a "feeling of privacy", there is a good argument to be made that giving such a feeling without actually increasing privacy (which this wouldn't do) is a bad thing. This would be privacy theater, if you will. Combine that with the fact that this would be significantly more churn and work - you either have the mapping be automatic, in which case it might completely re-number everything on every Go release, or you have to manually keep it up to date whenever something changes - and this seems an overall pretty bad idea.

Thank you for:

allowing anyone to participate in this this conversation
listening to the community
making improvements based on public feedback

So far I see a thoughtfully and polished proposal with user privacy as a fundamental guideline.
Currently I'm prone to contribute and participate opting in, as this is a clear and reasonable way to help furthering the language development.

I trust the spirit of the proposal that safeguards the balance between privacy and functionality is preserved and never broken.

I'm making these comments as simple user who has chosen to use the language for work and personal use for many years now, not having any significant reason to doubt or question this choice.

Grateful for the work being done and the direction where the language is going.

I actually think it would be less transparent, not more. Because instead of seeing the actual human-readable information that is sent, you get a bunch of cryptic numbers that you have to interpret.

Most of the data sent will be counters/numbers anyway. The format is binary, if I remember correctly, so it can be mmap'ed. This wouldn't affect the human readability of the data either way.

Even if it was increasing a "feeling of privacy", there is a good argument to be made that giving such a feeling without actually increasing privacy (which this wouldn't do) is a bad thing. This would be privacy theater, if you will.

Avoiding a slippery slope isn't theater.

Combine that with the fact that this would be significantly more churn and work - you either have the mapping be automatic, in which case it might completely re-number everything on every Go release, or you have to manually keep it up to date whenever something changes - and this seems an overall pretty bad idea.

In my opinion, there isn't much widespread sympathy for having to do more work to do the right, best thing in terms of privacy. This change in direction happened because the community insisted that the Go team do the harder thing. Russ acknowledged that this change will require more work:

For all these reasons, I've revised the design to be opt-in (default off). Doing so does introduce at least two costs: first, we must run an ongoing campaign to educate users about opting in is a good choice for them, and second, with fewer systems reporting, the telemetry cost imposed on any particular user is higher.

So I don't think it's necessarily relevant how hard it is, not without a careful tradeoff analysis. And I doubt it would entail as much hassle as you make it out to be, once a process is in place. For instance, the index can be immutable, and added to over time and releases with an AST scan. There may indeed be a good reason not to do this, but I'm not convinced that this is one of them.

Most of the data sent will be counters/numbers anyway. The format is binary, if I remember correctly, so it can be mmap'ed. This wouldn't affect the human readability of the data either way.

Hi @willfaught, there is a binary file used for performance reasons, but as I understand it, the uploaded data is purposefully in human-readable JSON. From the design post:

Recall from above that the local, binary counter files are stored in /go/telemetry/local/. When a report is uploaded, the exact JSON that was uploaded is written to /go/telemetry/uploaded/, named for the day of the upload (2006-01-02.json). The aim of both these directories (including their naming) is to make the system’s overall operation as transparent as possible.

If the Go toolchain was to be underhanded about what it is doing, information could in theory be smuggled in a series of words or a series of numbers.

To reduce the chance of the Go toolchain doing something underhanded here, including regarding how it handles strings, I suspect someone opting in will need to rely at least in part on the Go toolchain being open source (and either look at the code themselves, or rely on the likelihood of others doing so, the reproducibility of toolchain builds, the code review process, etc.).

If someone crosses that threshold of trust and is willing to choose to opt in, I tend to agree with @Merovius that plain text strings are easier to understand and help with transparency more than a series of numbers.

Most of the data sent will be counters/numbers anyway. The format is binary, if I remember correctly, so it can be mmap'ed. This wouldn't affect the human readability of the data either way.

From https://research.swtch.com/telemetry-design:

... the local, binary counter files are stored in /go/telemetry/local/. When a report is uploaded, the exact JSON that was uploaded is written to /go/telemetry/uploaded/, named for the day of the upload (2006-01-02.json).

I think this is saying the counter files are locally compact, but emitted as JSON. In the original thread someone made the point that plaintext is a good clue to someone who is sniffing traffic what's going on, that made sense to me. In a wonky way, a set of plaintext strings is already a set of unique numbers in this kind of scenario.

I see. It's hard to judge the readability of {"foo": 12} vs. {"46": 12} without knowing what foo might be, but if the string index is published, people can work out for themselves that {"46": 12} means {"error_when_build_stdlib": 12}. Most of the time, nobody is going to be looking at these, especially if they have numbered keys, so optimizing their readability doesn't seem that important. It would be trivial to write a little tool people could use to translate the string IDs in what was sent into the strings themselves, if they want to know.

I think the bigger concern—bigger than the malicious sending of personal data strings—is the accidental sending of personal data strings. Nobody wants "home_video_of_[embarrassing thing].mov" or "[embarrassing thing]website.com/go-foo/bar" accidentally sent to the Go team. And perhaps no one will file an issue to fix it either, out of embarrassment, when the problem is discovered. Not sending any strings at all rules out that possibility entirely.

By design only strings that are explicitly requested by the telemetry server will be sent to the telemetry server. Of course we can't stop anyone from modifying the Go tools to send other strings, but it hardly seems likely to happen by accident.

@willfaught publishing numbers instead of strings is a false sense of security. It accomplishes nothing. Who does it protect from when the strings are public and can be consulted anytime by anyone? Users would be more comfortable reading and understating right there what is being sent instead of cross-referencing that is a burden for the user an no burden for any would-be malicious actors.
As it is, with the change to the Opt-in Mechanism, this is a very good balanced approach.

@willfaught

And I doubt it would entail as much hassle as you make it out to be, once a process is in place. For instance, the index can be immutable, and added to over time and releases with an AST scan.

Note that one class of strings are counter names and the counter names might be a full stack trace (function names and line number offsets). The space is large. So, no, I don't think I'm overstating the hassle.

And, again, I think this actually worsens the privacy and transparency of the design and makes it easier to abuse, if anything. I agree that doing extra work might be worth it, if it improved privacy - but in this case, it's a lose-lose, you'd have to do extra work to make things worse.

Note that one class of strings are counter names and the counter names might be a full stack trace (function names and line number offsets). The space is large. So, no, I don't think I'm overstating the hassle.

Ah, I see, then the string space might indeed be very large. Makes sense.

For those who might be interested, if users will be able to inspect the reports:

The counter files are stored in the directory <user>/go/telemetry/local/, where <user> is the user configuration directory, as reported by os.UserConfigDir. […]

(From https://research.swtch.com/telemetry-design#counting.)

By the way. Is there a reason why it's in ~/go/ as opposed to in whatever $GOPATH is set to? Nevermind, I misread that.

By the way. Is there a reason why it's in ~/go/ as opposed to in whatever $GOPATH is set to?

It's not ~/go/, it's a directory under user config, the same place env config (go env -w) is stored.

Have all concerns about this proposal been addressed?

Based on the discussion above, this proposal seems like a likely accept.
— rsc for the proposal review group

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.
— rsc for the proposal review group

Change https://go.dev/cl/562715 mentions this issue: cmd: update golang.org/x/telemetry and its dependencies

Change https://go.dev/cl/562735 mentions this issue: cmd/go: add telemetry counters for flag names and subcommand

Change https://go.dev/cl/564555 mentions this issue: cmd/go: add file with list of all counters we collect

Change https://go.dev/cl/568257 mentions this issue: cmd/go: call telemetry.Start at the beginning

Change https://go.dev/cl/570679 mentions this issue: cmd/compile: increment counters for passed in flag names

Change https://go.dev/cl/570736 mentions this issue: cmd/go: change some counter names

Change https://go.dev/cl/582695 mentions this issue: cmd/internal/telemetry: add NewStackCounter functions

Change https://go.dev/cl/584276 mentions this issue: cmd/link: add telemetry support

Change https://go.dev/cl/585235 mentions this issue: cmd: add telemetry for commands in cmd

Change https://go.dev/cl/586138 mentions this issue: cmd/go: add telemetry for a predefined set of GOROOT values

@matloob with the 1.23 release, is this done?

Yes.