GitHub CLI Silently Enables Telemetry: Opt-Out Is Wrong

GitHub quietly enabled opt-out telemetry in CLI v2.91.0 on April 22. There was no announcement and no consent prompt, just a buried changelog entry and a new documentation page. Every gh command now sends usage data to GitHub’s servers unless you actively opt out. The developer community erupted: 419 points and 302 comments on Hacker News in 24 hours. The company that hosts your code now watches how you use it, without asking first.

Opt-Out Telemetry Breaks Developer Trust

Opt-in versus opt-out isn’t semantics; it’s about consent. Developers choose command-line tools for control and transparency. Opt-out telemetry flips that relationship: you’re tracked by default, and privacy requires action. GitHub’s official telemetry documentation claims they need “visibility into how features are being used in practice” to prioritize work. But if visibility requires surveillance without consent, the feature isn’t ready.

The fact that GitHub chose opt-out instead of opt-in reveals everything. They knew most developers would say no to opt-in telemetry. Therefore, they flipped the default and buried the announcement. This isn’t transparency—this is surveillance theater.

What Data GitHub CLI Collects

GitHub calls the telemetry “pseudonymous,” but that’s misleading. Specifically, every command execution sends:

  • command: The exact gh command you ran
  • flags: Which options you used
  • device_id: A “random” identifier stored locally—but stable across sessions
  • os, architecture, timestamp: Device fingerprinting
  • ci, github_actions: Workflow intelligence
  • agent: Whether an AI agent called gh

Here’s a sample payload from the documentation:

{
  "command": "gh pr edit",
  "device_id": "d80dc1eb-5c66-4bcd-bbc8-568e173bb977",
  "flags": "body,title",
  "os": "darwin",
  "version": "2.91.0"
}

“Pseudonymous” sounds safe until you realize GitHub controls both the CLI and the platform. When you use gh with authentication, they know who you are. Thus, the device_id becomes a pseudonym for your GitHub account. Correlation is trivial. Additionally, GitHub doesn’t disclose data retention policies—how long do they keep this?

The Silent Rollout Shows Bad Faith

GitHub didn’t announce this with a blog post, and existing users received no notification. There was just a changelog entry and an updated docs page. In contrast, Visual Studio Code at least shows a notification on first run when telemetry is enabled. Similarly, Homebrew publicly announced telemetry when they introduced it.

The silence is the story. If telemetry were genuinely beneficial for users, GitHub would be loud about it. Instead, they shipped it quietly and hoped no one would notice. The Register reported the move as “GitHub opts all CLI users into telemetry collection whether they want it or not.” That’s not product improvement—that’s data collection prioritized over user autonomy.

How to Opt Out of GitHub CLI Telemetry

Fortunately, GitHub provides three ways to disable telemetry:

# Method 1: Environment variable (per session)
export GH_TELEMETRY=false

# Method 2: DO_NOT_TRACK standard (global)
export DO_NOT_TRACK=true

# Method 3: gh config (persistent)
gh config set telemetry disabled

For a permanent solution, add export DO_NOT_TRACK=true to your .bashrc or .zshrc. You can verify that the opt-out worked by enabling logging mode:

export GH_TELEMETRY_LOG=true
gh pr list
# Check stderr for JSON payload (should be empty if opted out)

However, here’s the problem: you shouldn’t have to opt out. Privacy should be the default. Convenience should be opt-in. This places the burden on users to protect themselves from tools they’re supposed to trust.
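The GH_TELEMETRY_LOG check above can be scripted as a pass/fail gate for dotfiles or CI images. This is an added example, not code from GitHub or the CLI project: the function names and the fake_gh stand-in are hypothetical, and it assumes a logged payload carries a "device_id" key like the documentation sample quoted earlier.

```shell
#!/bin/sh
# Added example. Assumption: with GH_TELEMETRY_LOG=true, a telemetry
# payload written to stderr contains a "device_id" key, as in the
# sample payload from the documentation.

# telemetry_payload_seen CMD [ARGS...]
# Runs CMD in logging mode, discards stdout, inspects stderr only.
# Returns 0 if a payload was logged, 1 if stderr carried none.
telemetry_payload_seen() {
  { GH_TELEMETRY_LOG=true "$@" 2>&1 >/dev/null || true; } |
    grep -q '"device_id"[[:space:]]*:'
}

# opt_out_gate CMD [ARGS...]
# Succeeds only when the current opt-out settings suppress the payload.
opt_out_gate() {
  if telemetry_payload_seen "$@"; then
    echo "FAIL: telemetry payload logged; opt-out not in effect" >&2
    return 1
  fi
  echo "OK: no telemetry payload on stderr"
}

# Constructed stand-in for gh so the example runs offline. It models the
# behaviour the article describes: a payload on stderr in logging mode
# unless GH_TELEMETRY=false or DO_NOT_TRACK=true is set.
fake_gh() {
  echo "normal command output"
  [ "${GH_TELEMETRY_LOG:-}" = "true" ] || return 0
  [ "${GH_TELEMETRY:-}" = "false" ] && return 0
  [ "${DO_NOT_TRACK:-}" = "true" ] && return 0
  # Constructed payload with a placeholder device_id.
  echo '{"command":"gh pr list","device_id":"00000000-0000-0000-0000-000000000000","os":"linux","version":"2.91.0"}' >&2
}

# Demo against the stand-in: first without opt-out, then with it.
( unset GH_TELEMETRY DO_NOT_TRACK; opt_out_gate fake_gh pr list ) || true
( DO_NOT_TRACK=true; export DO_NOT_TRACK; opt_out_gate fake_gh pr list )
```

Against the real CLI, call it as opt_out_gate gh pr list from an authenticated session; a non-zero exit means a payload was still logged.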

Surveillance Normalization in Developer Tools

This isn’t just about GitHub. Rather, it’s a pattern. Microsoft ships opt-out telemetry in Visual Studio Code and the .NET SDK. Google proposed opt-out telemetry for the Go toolchain—then backtracked after massive community backlash. Apple embeds telemetry in Xcode and macOS diagnostics. Meanwhile, open-source communities like Rust resist: Cargo has no telemetry.

The trend is clear: big tech companies push opt-out telemetry in developer tools. Year over year, more tools add tracking. Privacy-conscious developers are increasingly marginalized. The “if you have nothing to hide” mentality spreads. Consequently, trust erodes: the tools we depend on now watch us.

There’s also suspicion about ulterior motives. Companies need data to train AI models. Developer workflows are high-value training datasets. Is this really about “product improvement,” or is it free labeled data for the next generation of AI coding assistants?

Draw the Line on CLI Surveillance

CLI tools are where developers go for control. Security-conscious workflows depend on tools that don’t phone home. GDPR guidelines on telemetry make clear that opt-out procedures aren’t sufficient—data collection requires explicit consent before processing begins. Therefore, GitHub’s opt-out model may not be legally compliant in the EU.

If we accept opt-out telemetry in core CLI tools, we accept surveillance everywhere. The line must be drawn here. Opt out of GitHub CLI telemetry. Demand opt-in defaults from all vendors. Support privacy-respecting alternatives. Vote with your tools: if vendors won’t respect privacy, use something else.

GitHub should have asked permission first. The fact that they didn’t tells you everything you need to know.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover the latest tech news and controversies and summarize them into byte-sized, easily digestible information.
