The editorial argues that the technical difference between opt-in and opt-out is a single boolean, but the trust difference is enormous. It frames opt-out telemetry as 'surveillance you haven't consented to' versus opt-in as 'product research you've volunteered for,' citing a long history of developer tools that have burned trust by choosing the same default.
Submitted the telemetry disclosure page to Hacker News where it reached 356 points and 273 comments, indicating strong community agreement that this change warranted scrutiny. The high engagement signals widespread developer concern about the opt-out default.
The editorial contends that a hashed machine identifier combined with OS, shell environment, and command usage patterns creates a fingerprint that is 'trivially re-identifiable' for most developers. It argues the term 'pseudoanonymous' is doing heavy lifting to obscure what is effectively individualized tracking under a privacy-friendly label.
The editorial stresses that gh is not a random npm package — it's embedded in CI/CD pipelines, GitHub Actions workflows, automation scripts, and corporate build servers across millions of machines. An update that silently starts sending data to Microsoft's telemetry endpoints from inside corporate build pipelines raises serious security and compliance concerns that go beyond individual developer preferences.
GitHub's telemetry disclosure page documents exactly what is collected — command names, execution duration, OS, architecture, shell, and a hashed machine ID — and explicitly states it does not collect repository names, file contents, user data arguments, or authentication tokens. The public documentation and opt-out mechanism represent GitHub's position that this is a reasonable, bounded data collection practice.
GitHub quietly updated its CLI tool — `gh`, the official command-line interface used by millions of developers — to collect pseudoanonymous telemetry data. The change, documented at cli.github.com/telemetry, means that every invocation of `gh` now sends usage data back to GitHub's servers by default.
The telemetry collects what GitHub describes as "pseudoanonymous" data: command names and subcommands executed, execution duration, operating system and architecture, shell environment, and a hashed machine identifier. GitHub explicitly states it does not collect repository names, file contents, arguments containing user data, or authentication tokens. The term "pseudoanonymous" is doing heavy lifting here — a hashed machine identifier combined with OS, shell, and command patterns creates a fingerprint that, for most developers, is trivially re-identifiable.
The announcement landed on Hacker News with a score north of 356, which puts it in the top tier of developer-tool controversies for the week. The reaction was predictable in direction but notable in intensity.
The opt-out problem is the real story. GitHub chose the same default that has burned trust for every developer tool that tried it before. Telemetry that's on by default is surveillance you haven't consented to; telemetry that's opt-in is product research you've volunteered for. The technical difference is a single boolean. The trust difference is enormous.
This matters more than it would for a random npm package because `gh` is infrastructure. It's embedded in CI/CD pipelines, automation scripts, GitHub Actions workflows, and developer dotfiles across millions of machines. Many of those machines are corporate workstations and build servers where outbound network calls to third-party endpoints are — or should be — controlled. An update that silently starts sending data to Microsoft's telemetry endpoints from inside a corporate build pipeline is the kind of thing that makes security teams write memos.
The "pseudoanonymous" framing deserves scrutiny. Research has repeatedly shown that behavioral telemetry — which commands you run, when, how long they take, on what OS — can be de-anonymized with modest effort when combined with other data. GitHub already knows your identity through authentication. The hashed machine ID doesn't protect your privacy; it protects GitHub's PR positioning. If they wanted anonymous aggregate data, they wouldn't need a per-machine identifier at all.
There's also a pattern worth naming. Microsoft's approach to telemetry across its developer tools has been consistently opt-out: VS Code sends telemetry by default, .NET CLI collects telemetry by default, and now `gh` follows suit. Each individual tool's data collection might be modest. The aggregate picture — where Microsoft has behavioral telemetry from your editor, your runtime, your source control client, and your CI system — is a different proposition entirely. No single product team at Microsoft is building that panopticon intentionally, but the data is all flowing to the same parent company.
The Hacker News thread surfaced several recurring arguments. Defenders of the change point out that telemetry helps prioritize features, identify broken workflows, and allocate engineering resources — all true. The `gh` team is relatively small, and understanding which commands are actually used (versus which ones people complain about on Twitter) is genuinely valuable product data.
Critics counter that the same data could be collected opt-in with a first-run prompt, the way Homebrew does it. Homebrew's approach — ask once, respect the answer, make it trivial to change — has been the gold standard for CLI telemetry since 2016. GitHub choosing opt-out over opt-in, a decade after Homebrew proved the alternative works, is a choice that reveals priorities.
Several commenters noted the irony: GitHub is the platform where thousands of open-source projects have debated telemetry ethics in issues and pull requests. The `gh` CLI itself is open source. The telemetry code is visible. But visibility isn't consent.
A more pragmatic cohort pointed out that if you're already using GitHub — a proprietary platform owned by Microsoft — complaining about CLI telemetry is somewhat performative. Your code, issues, pull requests, and collaboration patterns are already on their servers. This argument has surface appeal but misses the point: there's a difference between data you explicitly put on a platform and data silently collected from your local machine.
Immediate action for individual developers: Run `gh config set telemetry disabled` or add `export GH_NO_TELEMETRY=1` to your shell profile. This takes ten seconds and there's no reason not to do it unless you actively want to contribute usage data.
Immediate action for teams: Audit your CI/CD pipelines and GitHub Actions workflows. If any step uses `gh`, telemetry is now flowing from your build infrastructure. Add the environment variable to your pipeline configuration. For any organization with a security policy governing outbound data from build systems, this is not optional — it's a compliance requirement.
Longer-term consideration: This is a good moment to audit what other CLI tools in your stack have telemetry enabled. The `dotnet` CLI, `az` CLI, VS Code, Terraform, and several others all collect telemetry by default. A single line in your team's base Docker image or shared shell config can disable all of them.
For those evaluating alternatives, the `gh` CLI remains the best-in-class GitHub client — the telemetry doesn't change that. But if this is the kind of thing that matters to your organization's security posture, document the opt-out in your onboarding docs and infrastructure-as-code templates.
The pattern is clear: as developer tools consolidate under a few large companies, telemetry becomes the default because the incentive structure demands it. Product managers need usage data; executives need engagement metrics; the path of least resistance is opt-out. The counter-pressure comes entirely from developer trust, which is real but diffuse. GitHub will almost certainly keep this default. The question for practitioners isn't whether to be outraged — it's whether your `GH_NO_TELEMETRY=1` is in your dotfiles yet.
If you have 3 of your developers spending 80% of their time in an area of the codebase that gets no usage and you don't see a path forward that realistically is likely to increase usage, it can be a better use of developer time to focus them elsewhere or even rethink the feature.The problem I h
> you're going to have to opt out of a lot more than this one settingThe opt-out situation for gh CLI telemetry is actually trickier than it sounds. gh runs in CI/CD pipelines and server environments where you may not want any outbound connections to github.com at all, not because of pr
Love it when a PR is brief: https://github.com/cli/cli/pull/13254> Removes the env var that gates telemetry, so it will be on by default.
Do people think that GitHub isn't already collecting and aggregating all the requests sent to their servers, which is after all the entire point of the gh CLI?If you don't want your requests tracked, you're going to have to opt out of a lot more than this one setting.
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
Why we collect telemetry ...our team needs visibility into how features are being used in practice. We use this data to prioritize our work and evaluate whether features are meeting real user needs. I'm curious why corporate development teams always feel the need to spy on their users? Is it no