pnp / telemetry-js

PnP JavaScript based telemetry
MIT License

Why is there no way to opt-out of this? #2

Closed SleepyBandit closed 1 year ago

SleepyBandit commented 4 years ago

If there is, then I've not come across any documentation. I work with Government organizations and their adoption of modern solutions is highly determined by privacy concerns and compliance. Any requests to API endpoints outside their network can be a game-stopper for use. The fact that this is not only calling a public endpoint but also sending tracking information (although limited) is enough to scare them away from anything that uses it (which is most of the pnp libraries for SPFX).

Why is there no way to easily opt-out or turn this off within a solution? If there is, can we please get proper documentation on how?

estruyf commented 4 years ago

Hi @SleepyBandit, there is currently no opt-out mechanism, as we need this telemetry to prove its usage. I do understand the requirement, though, and it can be implemented in any future releases of the controls.

SleepyBandit commented 4 years ago

Thanks for the response. I can appreciate and understand the need to prove usage for Microsoft internal purposes, but it cuts off a large number of government or security-cautious customers from being able to use pnp libraries in their development because of their organization's strict security rules.

In today's day-and-age where privacy and security are on the minds of everyone, tracking should at a minimum allow for opting out and preferably be opt-in. The bigger concern is how does this follow compliance requirements for things like GDPR or other privacy laws popping up since the data being transmitted to Microsoft can be argued as information that can identify the person (or machine) making the request.

estruyf commented 4 years ago

We use our own proxy just to be sure that we filter out the data that we don't want to know. Here you can see what an event record looks like: https://github.com/pnp/telemetry-proxy-node - with this data, we cannot identify the person.

SleepyBandit commented 4 years ago

Thanks, I had previously seen that event example and part of what is written there is what concerned me.

The IP address is collected for GEO-Location data but just not logged in Application Insights. According to my understanding of Data Protection Acts like GDPR, it's a slippery slope to collect IPs, since although that alone isn't considered personal data, when combined with other information collected it can be used to build a profile of an individual, even if that individual's name is unknown. In that situation it would qualify as personal data protected by the law. If Microsoft is collecting it and is found to not actually be deleting that information or, worse, logging it separately somewhere else, then that could open a big can of worms for Microsoft. Not saying that is what is happening, but that's a lot of risk to take on for little benefit on collecting the data to begin with.

Anyway, I'm just trying to provide extra justification for why opting out / turning this off should be allowed. I may end up forking the PnP libraries I want to use and starting a telemetry-free version if nothing is done to address this soon.

estruyf commented 4 years ago

Working on v2 which will support the opt-out functionality. This is now available in the property controls latest beta version.

trueleader commented 1 year ago

The optOut() functionality has been working for a while: I think this issue can be closed.

estruyf commented 1 year ago

Thanks @trueleader, that is indeed true, and the issue will be closed.