Hacker News

It transmits your on-device activity to Google without consent. It includes a unique tracking identifier generated on install that never changes, like a supercookie. Every time you run brew, it transmits this to Google, which allows Google to assemble a city-level tracklog of your device based on client IP geolocation, along with a list of all the packages you have installed, and when.

It does this silently, and without obtaining any sort of consent, which is why most people are unaware that homebrew is spying on them.




I’m not sure where you get your facts?

> You will be notified the first time you run brew update or install Homebrew. Analytics are not enabled until after this notice is shown, to ensure that you can opt out without ever sending analytics data.

- https://docs.brew.sh/Analytics


Yes, it says this once at install time, and does not obtain any form of consent to spying.

Then, at runtime, it proceeds to silently transmit the data each time you run brew.


I'm confused - the brew developers say you can run `brew analytics off` to "prevent analytics from ever being sent" [1]. Is this not accurate? Are analytics still being sent? Is your concern with the consent, or are the brew developers lying when they say this command prevents analytics from being sent?

1: https://docs.brew.sh/Analytics


I think what he means is that there isn't explicit consent given for the analytics, as in opt-in rather than opt-out. You can disable it but that's not the same.


When they implemented it, they opted everyone in and buried the notice in a wall of text. I only caught it when Little Snitch notified me that brew was reaching out to Google.

The project still doesn't seem to understand how bad of a mistake this was and how bad their response to it was. But as the project lead told us while playing the victim, if we're not contributors, our opinions on the matter mean nothing.


Why to Google?


You'd have to ask the homebrew developers that.

Every time I've ever seen anyone question their decision to embed Google spyware in their product, however, the GitHub issues are closed and locked, so I don't know if you'll have very good luck. I stopped trying to convince them to behave ethically and simply use nixpkgs now instead (which incidentally in my experience works better) and do my best to inform people about the facts so they can make their own decisions (something I wish homebrew would do, instead of deciding for them to use their computer to spy).


It uses Google Analytics.


So the GP is wildly overblown? How is Google Analytics spyware?


What is spyware to you? If it's spying on me without consent and sending private information about my computer it is definitely spyware, regardless of the database they use.

Since they don't ask for consent and use PII, it is illegal under GDPR, probably CCPA and other laws too. It's also Not Nice™.


What private information about your computer is it sending? Browser, OS, screen size, location, ISP. Under GDPR, and the way I see things, none of that is PII.


It generates a unique identifier which it transmits on each invocation. The identifier uniquely identifies the installation of homebrew, linking all of those other bits of data together across time and space.



