rtk-ai/rtk

privacy: change telemetry from opt-out to opt-in

Open

#1,154 opened on Apr 10, 2026

Labels: area:config, effort-medium, enhancement, help wanted, priority:high


Description

Current behavior

Telemetry is enabled by default and sends a ping every 23 hours to a hardcoded URL. Users must explicitly opt out via `RTK_TELEMETRY_DISABLED=1` or `[telemetry]\nenabled = false` in config.

`src/core/telemetry.rs` lines 19-53:

```rust
pub fn maybe_ping() {
    // No URL compiled in -> telemetry disabled
    if TELEMETRY_URL.is_none() {
        return;
    }

    // Check opt-out: env var
    if std::env::var("RTK_TELEMETRY_DISABLED").unwrap_or_default() == "1" {
        return;
    }

    // ... proceeds to send
}
```

Data collected

  • Device hash (SHA-256 of hostname + username + random salt stored locally)
  • RTK version, OS, architecture, install method
  • Command count (last 24h) and top 5 command names
  • Token savings percentage

Concerns

  1. Developer tools should not phone home by default. This is a security-sensitive tool that sits between the developer and their shell commands. Default-on telemetry erodes trust.

  2. Device hash is not truly anonymous. SHA-256(hostname:username:salt) is reversible if an attacker knows the target space. For a developer tool used on corporate machines, this is a privacy risk.

  3. Enterprise adoption blocker. Many companies ban tools that make outbound network connections without explicit approval.

Proposed change

  1. Default telemetry to OFF. Only enable if the user explicitly sets `RTK_TELEMETRY_ENABLED=1` or adds `[telemetry]\nenabled = true` to config.

  2. Print a one-time notice at first run explaining what telemetry collects and how to enable it (similar to Rustup, Homebrew, etc.)

  3. Honor the existing opt-out env var for backward compatibility with existing users

Acceptance criteria

  • `maybe_ping()` returns immediately unless explicitly enabled
  • First-run message informs user about optional telemetry
  • All existing opt-out mechanisms continue to work
  • Documentation updated to reflect opt-in default
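One way to express the opt-in gate from the proposed change and acceptance criteria, as an added example that is not code from the issue or from the rtk project. `TelemetryInputs` and `telemetry_allowed` are hypothetical names, and the rule that any opt-out overrides any opt-in is an assumption about the intended precedence.

```rust
/// Everything the decision depends on, gathered by the caller (hypothetical type).
#[derive(Default)]
pub struct TelemetryInputs<'a> {
    pub url_compiled_in: bool,         // mirrors TELEMETRY_URL.is_some()
    pub env_disabled: Option<&'a str>, // value of RTK_TELEMETRY_DISABLED
    pub env_enabled: Option<&'a str>,  // value of RTK_TELEMETRY_ENABLED
    pub config_enabled: Option<bool>,  // [telemetry] enabled = ..., None if unset
}

/// Returns true only when telemetry was explicitly enabled and nothing opts out.
pub fn telemetry_allowed(i: &TelemetryInputs<'_>) -> bool {
    // No URL compiled in -> nothing to send to.
    if !i.url_compiled_in {
        return false;
    }
    // Existing opt-outs keep working and win over any opt-in (assumed precedence).
    if i.env_disabled == Some("1") || i.config_enabled == Some(false) {
        return false;
    }
    // Default is OFF: an explicit opt-in from env or config is required.
    i.env_enabled == Some("1") || i.config_enabled == Some(true)
}

fn main() {
    let disabled = std::env::var("RTK_TELEMETRY_DISABLED").ok();
    let enabled = std::env::var("RTK_TELEMETRY_ENABLED").ok();
    let inputs = TelemetryInputs {
        url_compiled_in: true, // assumed for this demo
        env_disabled: disabled.as_deref(),
        env_enabled: enabled.as_deref(),
        config_enabled: None, // config parsing is out of scope here
    };
    println!("telemetry allowed: {}", telemetry_allowed(&inputs));
}
```

Keeping the decision in a pure function lets the default-off behavior and the opt-out precedence be unit tested without touching the process environment or the network.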
