
The fact that they are transparent about this, that we can opt-out if we want and that they're open source makes me feel more than comfortable sharing anonymous usage information with them. Homebrew has been amazing for me!


Is an alert displayed to the user the first time it tries to send info to Google? If not, that is far from "transparent". It's good that they tell you how to opt out on the website, but I can't remember the last time I went to the website. Probably when I first installed Homebrew on this Mac.


This. Either everyone should be notified before the first google analytics transmission so that they can choose to opt in or out. Or the default should be off and maybe on new installs they can choose to opt in. At the opt in/out dialog (when you give the users a choice) you can make the default to opt-in, but having the default as opt-in without any input from the user is bad form. It is similar to spammers calling your e-mail address "double opt-in" because they got you to open an e-mail and you didn't click the unsubscribe link.


How should this be handled if the software in question is a server daemon? I want the users to make an explicit choice but it's not obvious what's the best way to do that.


On install.


Or if you want to cover existing users, just ask during the first interactive invocation, when there is no prior user chosen setting (works for new installs too)...

pseudocode:

  choice = no
  if $brew_prefix/etc/homebrew.yaml:
    choice = read analytics $brew_prefix/etc/homebrew.yaml
  else:
    if interactive-tty and cmd != "--prefix":
      choice = ask-user "enable anonymous analytics (it helps us!)? Y/N: "
      write analytics=<choice> $brew_prefix/etc/homebrew.yaml
  if choice == yes:
    enable-analytics
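
The ask-once flow from the pseudocode above, as an added POSIX shell example (not part of the original comment and not Homebrew's code). The `analytics=yes|no` file format and the function names are assumptions made for illustration; the default stays "no" unless the user explicitly answers yes.

```shell
# Added example. Hypothetical names: normalise_answer, record_choice,
# analytics_choice, and a one-line "analytics=yes|no" config file.

# Only an explicit yes enables analytics; anything else means no.
normalise_answer() {
    case $1 in
        [Yy]|[Yy][Ee][Ss]) echo yes ;;
        *) echo no ;;
    esac
}

# Persist the decision so the question is asked only once.
record_choice() {   # usage: record_choice CONFIG ANSWER
    mkdir -p "$(dirname "$1")"
    printf 'analytics=%s\n' "$(normalise_answer "$2")" > "$1"
}

# Print the effective choice ("yes" or "no") for this invocation.
analytics_choice() {   # usage: analytics_choice CONFIG CMD
    config=$1
    cmd=$2
    if [ -f "$config" ]; then
        # A stored answer always wins; malformed values fall back to no.
        stored=$(sed -n 's/^analytics=//p' "$config" | tail -n 1)
        normalise_answer "$stored"
    elif [ -t 0 ] && [ -t 2 ] && [ "$cmd" != "--prefix" ]; then
        # Interactive and undecided: ask on stderr so stdout stays clean
        # for callers that capture it.
        printf 'Enable anonymous analytics (it helps us!)? [y/N]: ' >&2
        read -r answer || answer=no
        record_choice "$config" "$answer"
        normalise_answer "$answer"
    else
        # Scripts, CI, pipes: never prompt, never persist, never send.
        echo no
    fi
}

# Typical call site:
#   [ "$(analytics_choice "$prefix/etc/analytics.conf" "$1")" = yes ] && send_analytics
```
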


I feel like on update would be better. Answering a yes/no/never isn't that much of an ask, I don't think. And that way you get a chance to use the software before you have to make a decision.


Get littlesnitch on Mac and you won't need to rely on third parties alerting about outgoing connections, although I reckon that when we're talking about something like homebrew it's not easy to vet every single outgoing connection.

Still littlesnitch is really awesome for the privacy conscious users.


I have little snitch and can verify that everything talks to the Internet all of the time :(


Only if you let them. I have installed little snitch and the only applications that have unlimited access to the Internet (all servers on port 80/443) are my web browsers. The other applications barely have access to their own servers (only if I find it necessary for them to auto-check for updates) let alone google analytics.

To achieve the best security, you should disable most built-in rules or customize them yourself.


Many of the requests come from various services that I don't feel knowledgeable enough to disable. Like gamed, iTunes etc. no easy way to figure out if something is phoning home or a (close to) critical OS X service.

Could you point to a source which would help me educate myself?


Well, blocking OS X from phoning home is probably impossible or at best very dangerous (because you block all of OS X's anti-virus blacklists).

But most other processes are easy to block. The first thing you should do is check the name of the process. If it is something like iTunes, you need to ask yourself if you want iTunes to have Internet (do you want Apple Music/radio, wifi sync, and the iTunes Store?). If not, just block all ports/servers for iTunes. If you only want Wifi sync, enable connections to the local network only (best do it manually in the rule settings). If you want iTunes to have Internet, I'd allow port 80 and 443 to Apple servers and Apple's CDN (you will end up having ~15 rules, just allow the servers as you see fit and when prompted). Since iTunes is from Apple, it uses some system services to communicate with iCloud additionally, by default they are all enabled and you don't have to do anything. All essential system processes are allowed by default. I personally disabled most of them since I don't need most of them. Let's have a look at gamed. gamed is a system process to communicate with the Game Center services. If you want Game Center to work, you will also need to enable this process. You can learn that by yourself if you click at the question mark on the bottom left corner when an alert pops up. It shows additional information for all system applications, and most popular apps. If it says that this process is needed for Game Center but you don't play any games on your Mac, it is safe to disable.

You can do that for all processes and eventually work out a list with trusted services and applications. I personally often only allow some applications Internet to port 80 and 443 and only if I know the apps really need it. If you don't trust the app at all, you should update it manually (by downloading the newest version on their website).


~15 rules per service is what I'm having trouble with. Lots of expertise to acquire and apply.


LittleSnitch also makes you totally paranoid about how almost every piece of software is spying on you without explicit consent.

Also, Microsoft really needs to clean up their domain usage, because it takes 999 permission rules to run Office.


In a similar vein, installing uMatrix makes you (rightfully) paranoid about what web pages are collecting from you. "Wait I can disable 28 Javascript scripts and iframes and the page loads OK?"


Skype is even more fun to watch in Little Snitch with all of its p2p connections. I regularly have 2k+ connections being opened to sync online state.


For posterity, Homebrew is using curl to talk to Google Analytics. You will have to selectively block curl by destination in Little Snitch (or only allow the various other hosts Homebrew uses).


I block the google analytics at DNS level at home. However, don't use a Google product such as Chrome as it will totally ignore your DNS settings. There is also an issue of some webpages not loading because it's waiting for google analytics to finish loading. So I normally re-direct the data to an internal server in my net that captures all the traffic, which will allow the server to finish loading (also allows me to replace image Ads with Jolly Rogers images).

The issue with this is that the DNS settings only apply at home. And most mobile devices totally ignore the DNS settings as well, using the one provided by my carrier instead.



I am confirming that Homebrew silently starts talking to Google with no warning after a "brew upgrade".


I was prompted with a warning during my most recent brew update...


I brew updated a few times today and finally got that message. By the time that message showed up, the file ~/.homebrew_analytics_user_uuid was already 4 hours old, which makes me wonder when they actually started doing the analytics


I updated Homebrew almost daily and my .homebrew_analytics_user_uuid shows that it was created on Apr 24[1], which means I have been sending the analytics data without knowing for two days already (UTC+7) :-\

[1]: https://files.grid.in.th/plBnTi.png


I get the following:

  % brew update
  ==> Homebrew has enabled anonymous aggregate user behaviour analytics


The fact that it's opt-out rather than opt-in... yeah, well. I don't think I need to finish that sentence.



