Can I disable anonymous telemetry? #372

Open
stevensu1977 opened this issue Mar 23, 2024 · 14 comments

Comments

@stevensu1977

CrewAI is cool stuff, but I think sending anonymous telemetry by default is not a good idea, because some companies have network security policies. Can we disable anonymous telemetry with an optional argument?

@aliensouls

Good point, some detection mechanism in the LAN might even flag you and you'll get a talk from the SecOps about being naughty and why you use tools which were not vetted 😄. Depends how strict your env is. This is a must feature, 100% (I run with "share_crew=True" to give them even more data (all my content, since I just play with open source docs and stuff)), but this needs to have an easy switch to disable. +1

@gardner

gardner commented Mar 30, 2024

It sends telemetry in clear text over the wire:

telemetry_endpoint = "http://telemetry.crewai.com:4318"

It appears crewAI is not usable if telemetry is disabled at the network layer: #254

@gardner

gardner commented Mar 30, 2024

I published a PyPI package from my opt-out branch: https://pypi.org/project/crewai-clean/

You need to set CREWAI_TELEMETRY_OPT_OUT=True in your environment.

Please test it out and leave a comment on #402

@joaomdmoura
Owner

Hey folks, we are bringing more security to telemetry in the next version, upgrading to HTTPS and looking into adding an extra layer of encryption on top of that in the version after that.
We have been talking and dwelling on adding the ability to disable it given it could extremely hinder our ability to improve the library effectively if enough people disable it, versus the fact it's anonymous and we are making it more secure. Not saying we won't add it, just pondering for now.

@gardner

gardner commented Mar 31, 2024

I'm happy to keep the crewai-clean PyPI project updated until your team can add an option for people to opt-out of telemetry. ✅

@raghav135

raghav135 commented Apr 2, 2024

@joaomdmoura, thanks for this library. Having the opt-out of telemetry would get you more folks using this for sure. This is a must-have feature for our enterprise.

@dezoito

dezoito commented Apr 14, 2024

> Hey folks, we are bringing more security to telemetry in the next version, upgrading to HTTPS and looking into adding an extra layer of encryption on top of that in the version after that. We have been talking and dwelling on adding the ability to disable it given it could extremely hinder our ability to improve the library effectively if enough people disable it, versus the fact it's anonymous and we are making it more secure. Not saying we won't add it, just pondering for now.

João,

I work in a security sensitive environment and I just cannot use Crew AI if it's going to send any data off premise.

Allowing a complete OPT OUT of telemetry would gain you more users (and corporate/government adoption), and very little data loss, as I believe the largest share of developers and early adopters don't have to work with these constraints.

Please take that into account.

Congratulations on your awesome work, nonetheless!

@openjay

openjay commented Apr 18, 2024

indeed

@gardner

gardner commented May 8, 2024

After some experimentation, it does appear that the following will disable the telemetry. You can add this in your main.py before you instantiate any crewAI classes:

os.environ["OTEL_SDK_DISABLED"] = "true"

To test this is working, first remove the above line from your code. Now add this to your /etc/hosts:

127.0.0.1	telemetry.crewai.com

Run your code and observe the timeout errors spamming the console:

urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x100db7c40>: Failed to establish a new connection: [Errno 61] Connection refused

urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='telemetry.crewai.com', port=4319): Max retries exceeded with url: /v1/traces (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x100db7c40>: Failed to establish a new connection: [Errno 61] Connection refused'))

Now add the environment variable at the top of your script:

import os
from crewai import Agent, Task, Crew, Process
from crewai_tools import SerperDevTool

os.environ["OTEL_SDK_DISABLED"] = "true"

Now when your main.py is run a warning is displayed and no timeout errors are thrown:

2024-05-08 21:43:19,654 - 8682764992 - __init__.py-__init__:1198 - WARNING: SDK is disabled.

Which I hope is this line of code in opentelemetry/sdk/trace/__init__.py.
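
A repeatable version of the check described in the comment above, added here as an example (not code from the thread or from crewAI): instead of editing /etc/hosts and watching the console, it intercepts name resolution in-process and records any attempt to reach the telemetry host. `stand_in_exporter` is a hypothetical stand-in for the library's exporter, assumed to honour OTEL_SDK_DISABLED; in practice you would pass your own function that builds and runs the crew.

```python
import os
import socket
from contextlib import contextmanager

TELEMETRY_HOST = "telemetry.crewai.com"  # host named in this thread


@contextmanager
def egress_guard(blocked_hosts):
    """Refuse and record name lookups for blocked_hosts while active."""
    attempts = []
    real_getaddrinfo = socket.getaddrinfo

    def guarded(host, *args, **kwargs):
        name = host.decode() if isinstance(host, bytes) else (host or "")
        if name.lower().rstrip(".") in blocked_hosts:
            attempts.append(name)
            raise socket.gaierror(socket.EAI_NONAME, f"egress to {name} blocked")
        return real_getaddrinfo(host, *args, **kwargs)

    socket.getaddrinfo = guarded  # urllib3 and socket.create_connection resolve via this
    try:
        yield attempts
    finally:
        socket.getaddrinfo = real_getaddrinfo


def telemetry_attempts(workload, blocked=(TELEMETRY_HOST,)):
    """Run workload under the guard; return the blocked hosts it tried to reach."""
    with egress_guard({h.lower() for h in blocked}) as attempts:
        try:
            workload()
        except OSError:
            pass  # a blocked lookup surfaces as socket.gaierror (an OSError)
    return list(attempts)


def stand_in_exporter():
    """Hypothetical stand-in for the exporter; assumed to honour OTEL_SDK_DISABLED."""
    if os.environ.get("OTEL_SDK_DISABLED", "").strip().lower() == "true":
        return
    socket.create_connection((TELEMETRY_HOST, 4319), timeout=1).close()


if __name__ == "__main__":
    os.environ.pop("OTEL_SDK_DISABLED", None)
    print("without opt-out:", telemetry_attempts(stand_in_exporter))
    os.environ["OTEL_SDK_DISABLED"] = "true"
    print("with opt-out:   ", telemetry_attempts(stand_in_exporter))
```

The guard only sees lookups made through `socket.getaddrinfo` in the same Python process; subprocesses or hard-coded IP addresses bypass it, so an egress rule at the network layer remains the authoritative control.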

@MattFriedman

It is my understanding that telemetry is currently hardwired into the system. If this is incorrect, please let me know.

If there is no way to opt out/in of the system sending information or attempting to send information outside of the business network, the business I work for will have to decline using CrewAI.

The nature of the telemetry information does not matter.

The business I work for gets security audited, and the auditors would not accept this.

I want to emphasize that I really like CrewAI so far (and will likely use it personally), but this issue needs to be addressed if you want security-focused businesses to adopt it.

@dezoito

dezoito commented May 8, 2024

> It is my understanding that telemetry is currently hardwired into the system. If this is incorrect, please let me know.

You are correct, but Telemetry can (or at least could) be disabled, by adding the following snippet:

from crewai.telemetry import Telemetry


def noop(*args, **kwargs):
    print("Telemetry method called and noop'd\n")
    pass


for attr in dir(Telemetry):
    if callable(getattr(Telemetry, attr)) and not attr.startswith("__"):
        setattr(Telemetry, attr, noop)

I am NOT running this in production or anywhere with confidentiality requirements and would not suggest that anyone do so.

@MattFriedman

> Hey folks, we are bringing more security to telemetry in the next version, upgrading to HTTPS and looking into adding an extra layer of encryption on top of that in the version after that. We have been talking and dwelling on adding the ability to disable it given it could extremely hinder our ability to improve the library effectively if enough people disable it, versus the fact it's anonymous and we are making it more secure. Not saying we won't add it, just pondering for now.

Hello João,
@joaomdmoura

Thanks for the security upgrades coming with HTTPS and the planned extra encryption layer.

In secure environments, users will likely disable telemetry anyway, even without an explicit option. By not offering this out of the box, it might actually push some users to avoid the library entirely for security reasons.

I think having an option to disable telemetry would build more trust and transparency. It would acknowledge the security needs of users and could help more people feel comfortable using the library.

Thanks for considering this!
Matt

@stevensu1977
Author

stevensu1977 commented May 13, 2024

@dezoito
Yes, I use this snippet, but I think this is a "monkey patch". I think it's better if we can support disabling it with an official option.

@joaomdmoura
Thanks for your response. CrewAI is a popular agent framework, but sending "anonymous telemetry and can't disable it" is a bad idea for many companies, because some production environments can't even access the public internet. Maybe telemetry can be an option and not a core component.

@leonard-henriquez

Yes, I confirm that most mid-market or enterprise companies won't be able to use crewAI if telemetry can't be disabled (either because it violates their security policy or because their network policy won't allow them at all!)

9 participants