Stop using sha256(MAC address) for telemetry machine ID

[mmdriley]

Today, getMachineId returns the sha256 hash of the machine's (primary?) MAC address.

There are a few things wrong with this from a privacy perspective.

1. The MAC address is personally identifiable information. It allows Microsoft to identify a specific user's machine, even well after they've uninstalled Visual Studio Code, and can be easily correlated with other data sources.
2. Hashing does not anonymize. Microsoft can still look up a user by their MAC address.
3. MAC addresses are 48 bits, so the sha256 hash is relatively easily reversed to a unique value.

If VS Code wants to identify a given installation, the generally accepted method is to create a random value on first use and persist it.

It appears other Microsoft developers are relying on this worrying precedent, which makes it all the more important that this be fixed soon.

[seanmcbreen]

Hi Matthew,

Thanks for reaching out – sorry this took a few days to bubble up to the top after the long weekend.

We use the data that VS Code gathers to provide and improve the product. For example, in the past, we’ve used the data we collected to isolate several hard to track down sources of crashes and performance regressions. VS Code may use the hashed MAC address to identify a machine over time. For example, we may use the hashed MAC address to identify a particular machine experiencing an unusually high number of crashes (which would skew our crash result information). You are right that we could correlate a machine across data streams, but that’s not how we use it -- we use the unique system information to connect things like crash reports with feature use.

When we first launched VS Code we didn’t allow people to opt out of this collection of data because it was a pre-release product and we were trying to understand if the product was actually useful and had the right mix of features. As a fully released and supported product from Microsoft, we now let users opt out of providing data -- if users don’t want to provide us with data, then they can opt out but we really appreciate it when we do receive the telemetry as it helps improve the product for all. That’s said, we want to ensure users have adequate control.

I’d be happy to chat with you on this issue and the points you raise. I think the easiest way to do that is to connect on email/skype/hangout … I’m smcbreen@microsoft.com.
Sean

[hrj]

@seanmcbreen Couldn't you collect this data offline on the target? And then, you could ask the user before sending such data (on the event of a crash or an issue submission by the user).