Automatic Tracking of Users without Consent

Another item that is very significant and gets very little play at the moment is the automatic tracking of users without consent in 1.0 release. In my opinion this is very bad practice for any company.

All commands and interactions between serverless and users’ systems are currently sent for collection.

I understand this to be “anonymous” and that there is a mechanism to turn it off. However, I believe the default should be the turned-off of state. It should not be that people have to look through heaps of documentation, then, figure out the turn off command for each of their instances.

In short, this should be voluntary by default. An opt-in mechanism should be used so that this does not leave a sour taste in people’s mouth once they find out.

Also the status of the system should be easily discovered (i.e. data collection is on). Either through serverless info or other means.

I cannot see how automated hidden collection of user behavior will ever be a good thing from a user’s perspective.

While this question is more an opinionated question and imo does not belong here, I still feel the need to “answer” (read: respond to) this:

There is “good” and “bad” tracking. Stuff like email marketing automation would probably be filed under “bad” as long as it is not forum summaries and similar stuff that plays into keeping users in the loop. I am very, very sure that the data gathered and sent to serverless is not used for marketing automation. I understand this just as a general set to get a big and data driven 10k miles overview to make technological and executive decisions. Making data based decisions imo is an actually pretty smart move and I would all the time opt in (while I would prefer the current state, reason being automated setups that are else not tracked and considered in decisions).

There also is a point that I do not like and that I believe would need improvement: I would like to be able to read a page where I can see the exact data set that is gathered and a written promise about what the data will be used for – and for what not.

@kaiser I am little baffled. Can you direct me to a more appropriate forum where we can discuss core serverless features and their implementation. The tracking element is in serverless core. I do appreciate any guidance on this as it is important to clarify.

The issue is less that companies track data, but whether consent was obtained. There are quite a few alternatives. You could simply ask for volunteers. Display a command line message as part of processing. “Please help us make serverless better by enabling tracking!” etc
People can, then, choose. For example, if you wish to contribute, you should be able to do so. But, I wish to not send my data into the cloud by default because I am sceptical of the long term uses. Today this is a small young company. A bigger meaner company will come and take this data and will use it in different ways. What if they wish to analyze who has written certain functions and target you for special attention? Once companies feel they can do this, it normally expands and becomes bigger. Who controls this? Where is the policy, as you stated?

Nonetheless, my initial issue is simple: Just ask the user for permission, do not automatically start collecting.

@kaiser we are not tracking any personal data, so we wouldn’t even be able to use this for marketing automation (but very good point to bring up because that is definitely not what we’re trying to do with our built-in framework tracking). Here is also a more in-depth discussion of our tracking and reasons for it.

And as part of V1 we will also add a more comprehensive documentation about our tracking. Here is the pull request implementing the new tracking functionality: https://github.com/serverless/serverless/pull/2101

Documentation and notifications in the user commands will be handled in a separate PR.

I heard about the PR and it sounds like there are a few people concerned about the introduction of anything that tracks information where tracking is not optional.

Probably a good idea to open a wider discussion around how features like that should be submitted/handled.

Some folks will be put off using the framework if features like that are merged in without making them optional and most likely “off” by default.

@str3tch mentioned that you can opt out of tracking. In case it helps anyone else, you can see tracking options using sls tracking --help

We’ve also just merged in-depth descriptions on what we’re tracking, how and why: https://github.com/serverless/serverless/blob/master/docs/usage-tracking.md

And the first time we’re tracking something and creating an anonymous user id we’re also writing a message about it.

I’m one of those people who dislike it when companies track by default. I think it would be better to prompt the user during serverless create to enable tracking. You could also add a --tracking=true|false option to bypass the prompt. That way people are consciously opting in to tracking. Currently they need to read all of the documentation to realize that tracking is enabled unless they explicitly disable it. It just feels like it’s the wrong default.

Totally understand the feeling, I wrote more about why we’re tracking by default: https://github.com/serverless/serverless/pull/2101

We’re also now printing a message the first time we’re tracking and when the anonymous user id is created so everyone really knows whats happening and there are no surprises.

I have no problem with the tracking and would have opted in if asked.

However, I am disgusted to find out I am being tracked without my consent. Very sour taste. Makes me wonder what other secret things are happening.

This needs to be fixed.

@geofftech You can opt out of the anonymous tracking with the serverless slstats --disable command

If you are curious about what is tracked, you can checkout the https://github.com/serverless/serverless/blob/master/lib/Serverless.js#L83 & https://github.com/serverless/serverless/blob/master/lib/classes/Utils.js#L121