Allow users to disable phone-home feedback in SQL 2016 Developer, Express, and Evaluation Editions

By default, SQL Server 2016 phones home with telemetry data as described in https://support.microsoft.com/en-us/kb/3153756. Let users disable that telemetry in Developer, Express, and Evaluation Editions.

Admin Microsoft SQL Server (Product Manager, Microsoft Azure) shared this idea

Upvotes: 325

<=-=Jun 2 2016 10:19AM=-=>

From https://www.microsoft.com/EN-US/privacystatement/SQLServer/Default.aspx, “It is possible that personally identifiable information may be captured in memory or in the data collected from open files, but Microsoft does not use it to identify you.”
My developers must write and use interfaces to bank cores. Because of https://support.microsoft.com/en-us/kb/3153756, my developers will potentially be sending MS the bank accounts, names, addresses, social security numbers, birth dates, and various passwords for millions of US citizens. This is unacceptable.

<=-=Jun 2 2016 11:26AM=-=>

I was going to install it on my report server but I can’t if this isn’t fixed because even the potential of leaked data is serious to my clients. In fact, I already keep a SQL express version separate for my internal reporting from my non-express SQL Server engine to minimize exposure. That means I’ll need to stick with 2014 which is too bad as I was looking forward, finally, to a revamp of SSRS. Finally HTML5.

With this kind of back door being put into 2016 it certainly makes me think security isn’t that important to Microsoft.

<=-=Jun 2 2016 12:53PM=-=>

This could very well violate the HIPAA restrictions we are under, as Microsoft appears unwilling to guarantee no information about the server/data is ever captured. If in-house counsel determines that to be the case, we will almost certainly start looking for a new database vendor. I strongly urge Microsoft to reconsider forced telemetry for this product.

<=-=Jun 2 2016 6:51PM=-=>

Without the ability to turn this off no matter what edition it will fail several high restriction environments. Most of this actually revolves around the transmitting of data and not necessarily the data being transmitted.

From https://www.microsoft.com/EN-US/privacystatement/SQLServer/Default.aspx, “It is possible that personally identifiable information may be captured in memory or in the data collected from open files, but Microsoft does not use it to identify you.”
On the HIPAA side it means I need to sign a BAA with Microsoft and they must treat this data under those conditions; that also means transmitting the data must be secured as well.

This is all unacceptable in some critical highly secured environments i.e. the ones that pay money. You are basically saying you must now develop on full versions of SQL Server if you are in these environments.

<=-=Jun 3 2016 4:47AM=-=>

Is it really such a big deal that you can turn it off on application level? I’d hope that information security for machines with databases in high restriction environments are restricted by firewalls.

If you let those kind of machines communicate directly to the internet I’d say you’re doing it wrong…

<=-=Jun 3 2016 4:54AM=-=>

@Ron – one problem is that you can’t always control firewalls for development machines. They’re often in end user networks.

<=-=Jun 15 2016 8:53AM=-=>

I understand that making the Developer Edition free for the general public comes with strings attached, but it is unacceptable for enterprise customers. Has Microsoft considered adding a separate key for enterprise customers to disable this?

For SQL Enterprise Edition, even if we disable the telemetry on servers that can’t reach the internet, we still have an unused extra service and in the case of clusters have an extra cluster resource. This goes against best practices and Microsoft efforts like the Core OS versions that minimize attack and resource footprints to the bare minimum.

<=-=Oct 25 2016 2:01PM=-=>

I also agree that the “free” editions should be allowed to turn off telemetry. A lot of developers use production data to test with to ensure that their fixes will work. Also, Express editions that are installed as part of an application’s installation where being used for production use will also potentially inadvertently send along data with the errors and usage information.

<=-=Nov 1 2016 7:34AM=-=>

I am still trying to understand how forcing this behavior is a good idea. Researching SQL Server installs prior to actually installing seems like a novel idea to most, but not an assumption MS should make. If someone performs the install, and misses the auto-update detail, MS could be contributing to the unemployment rate of DBAs world-wide. Seriously, why would you blanket an update to include previous versions of SQL Server? Most shops have a rigorous versioning structure. Even if someone is testing a side-by-side install, their previous versions of SQL Server could break because of a forced update? Horrible idea. Absolutely horrible.

<=-=Nov 1 2016 9:48AM=-=>

The risk to deploy or upgrade to SQL 2016 has been determined unacceptable by Executive decision. The Enterprise Environment has a mixture of several versions of MS SQL with an Oracle and a couple of MySQL. Many vendor systems with SQL back ends are not supported at the latest patch level. This is forcing middle management to consider using Oracle, MySQL, and Postgres as options for future projects. The cost savings in Windows Server and SQL licensing alone has made the move to Linux and other engines more attractive to most managers.

<=-=Jan 4 2017 3:17PM=-=>

After a discussion on Brent’s blog post that linked to this connect item, I’d like to close the loop here in case others have only seen the connect item.

Microsoft SQL Server 2016 made a change to enable sending generic usage data to Microsoft by default. In paid versions, this can be disabled but it is not something one can disable in un-paid versions of SQL Server 2016. The SQL team uses this to find and fix bugs in the product more proactively than in the past – we are fixing significantly more bugs in each Cumulative Update both because of data we receive from SQL Server 2016 as well as similar data collected from SQL Azure (which uses the same SQL engine but it is a different product and has a different EULA model that is not covered by the SQL Server EULA).

Since RTM, we have released an auditing capability so that customers can see for themselves what data is being collected from a given instance (for all editions). We also are working to release additional documentation to help customers understand how this works, what data Microsoft can collect, and how we make sure to protect the privacy of our customers. We will continue to work on this area to help customers with any issues in this area.

For the specifics of the connect item, claiming that running highly secure data in a free edition of the product (which does not have various security features allowed in those SKUs or are not licensed for production use) is not a significant reason for us to change the model for how usage data is configured for the product.

Microsoft has no current plans to change the model for how usage data is emitted. For customers who have questions or concerns on how this impacts them, we are very happy to discuss this with them to help explain what data is collected, address any regulatory concerns, or otherwise make sure that customers can successfully use the product in their environments. We will also continue to look at regulatory requirements in each market where SQL Server is sold so that we can help customers dealing with regulations and laws in each country or region. Please feel free to reach out directly to Microsoft on any specific deployments that are blocked or impacted by the usage data collection model – we are happy to engage customers directly to make sure that they are not blocked by this.

Thank you,
Conor Cunningham
Architect, SQL Server

1 comment

  • Anonymous commented

    LAME!! "Microsoft has no current plans to change the model for how usage data is emitted"