This I think captures the issue. @StefanKarpinski and others went out of his way to build a system that captured less information than IP addresses and is very hard to finger print in order to ensure as much privacy as possible, but because they have done something special and so clearly documented it, people are in uproar because everyone knows it exists and it’s different. Meanwhile, all of the other language’s package managers (R, Python, etc.) are just silently collecting IP addresses from their servers, so they know where you house is, but most people don’t realize they know this about you so no one is upset. I think there’s a law for the new age of the internet:
The more you tell people about potential privacy issues and make explicit what you are doing, the more people will complain about the privacy issues.
That’s not to say that we shouldn’t care about privacy issues, but I think we should internalize the gradation of possible amounts of data collection and understand the personal effects given the amount that’s collected by a given party. Right now, it looks like anyone who explicitly tells the public about what’s being collected, how it’s being collected, why it’s being collected, and how to opt is… going to be punished more? Over time, that reaction will have the opposite effect of what I believe those who are concerned wish to see.