crewAI
Can I disable anonymous telemetry?
CrewAI is cool stuff, but I think sending anonymous telemetry by default is not a good idea, because some companies have network security policies. Can we disable anonymous telemetry with an optional argument?
Good point, some detection mechanism in the LAN might even flag you and you'll get a talk from the SecOps about being naughty and why you use tools which were not vetted 😄. Depends how strict your env is. This is a must feature, 100% (I run with "share_crew=True" to give them even more data (all my content, since I just play with open source docs and stuff)), but this needs to have an easy switch to disable. +1
It sends telemetry in clear text over the wire:
https://github.com/joaomdmoura/crewAI/blob/a3abdb5d1992bfd8080a077af28b4924fdc6d761/src/crewai/telemetry/telemetry.py#L43
It appears crewAI is not usable if telemetry is disabled at the network layer: https://github.com/joaomdmoura/crewAI/issues/254
I published a PyPI package from my opt-out branch: https://pypi.org/project/crewai-clean/
You need to set CREWAI_TELEMETRY_OPT_OUT=True in your environment.
Please test it out and leave a comment on https://github.com/joaomdmoura/crewAI/pull/402
Hey folks, we are bringing more security to telemetry in the next version, upgrading to HTTPS and looking into adding an extra layer of encryption on top of that in the version after that. We have been talking and dwelling on adding the ability to disable it, given it could extremely hinder our ability to improve the library effectively if enough people disable it, versus the fact it's anonymous and we are making it more secure. Not saying we won't add it, just pondering for now.
I'm happy to keep the crewai-clean PyPI project updated until your team can add an option for people to opt-out of telemetry. ✅
@joaomdmoura, thanks for this library, having the opt out of telemetry would get you more folks using this for sure. This is a must have feature for our enterprise.
> Hey folks, we are bringing more security to telemetry in the next version, upgrading to HTTPS and looking into adding an extra layer of encryption on top of that in the version after that. We have been talking and dwelling on adding the ability to disable it, given it could extremely hinder our ability to improve the library effectively if enough people disable it, versus the fact it's anonymous and we are making it more secure. Not saying we won't add it, just pondering for now.

João,
I work in a security sensitive environment and I just cannot use Crew AI if it's going to send any data off premise.
Allowing a complete OPT OUT of telemetry would gain you more users (and corporate/government adoption), and very little data loss, as I believe the largest share of developers and early adopters don't have to work with these constraints.
Please take that into account.
Congratulations on your awesome work, nonetheless!
indeed
After some experimentation, it does appear that the following will disable the telemetry. You can add this in your main.py before you instantiate any crewAI classes:
os.environ["OTEL_SDK_DISABLED"] = "true"
To test this is working, first remove the above line from your code. Now add this to your /etc/hosts:
127.0.0.1 telemetry.crewai.com
Run your code and observe the timeout errors spamming the console:
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x100db7c40>: Failed to establish a new connection: [Errno 61] Connection refused
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='telemetry.crewai.com', port=4319): Max retries exceeded with url: /v1/traces (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x100db7c40>: Failed to establish a new connection: [Errno 61] Connection refused'))
Now add the environment variable at the top of your script:
import os
from crewai import Agent, Task, Crew, Process
from crewai_tools import SerperDevTool
os.environ["OTEL_SDK_DISABLED"] = "true"
Now when your main.py is run a warning is displayed and no timeout errors are thrown:
2024-05-08 21:43:19,654 - 8682764992 - __init__.py-__init__:1198 - WARNING: SDK is disabled.
Which I hope is this line of code in opentelemetry/sdk/trace/__init__.py.
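
An in-process alternative to the /etc/hosts test above, as an added example that is not part of the original comment or of crewAI: it refuses and records any name lookup for the telemetry host, so a CI job can assert that an opt-out really stops the connection attempts. The host and port come from the quoted urllib3 error; `egress_guard`, `telemetry_attempts` and `fake_client` are hypothetical names, and `fake_client` is a constructed stand-in for the library.

```python
import contextlib
import socket

# Host as it appears in the urllib3 error quoted in the thread.
DENIED = {"telemetry.crewai.com"}


class EgressBlocked(ConnectionRefusedError):
    """Raised in place of a DNS lookup for a denied host."""


@contextlib.contextmanager
def egress_guard(denied=DENIED):
    """Refuse and record name lookups for denied hosts.

    Both socket.create_connection and urllib3 resolve through
    socket.getaddrinfo, so the attempt is stopped before any packet is sent.
    """
    attempts = []
    real = socket.getaddrinfo

    def guarded(host, port, *args, **kwargs):
        name = host.decode() if isinstance(host, bytes) else str(host or "")
        if name.lower().rstrip(".") in denied:
            attempts.append((name, port))
            raise EgressBlocked(f"blocked {name}:{port}")
        return real(host, port, *args, **kwargs)

    socket.getaddrinfo = guarded
    try:
        yield attempts
    finally:
        socket.getaddrinfo = real  # always restore the real resolver


def telemetry_attempts(workload):
    """Run workload() under the guard; return the blocked (host, port) list."""
    with egress_guard() as attempts:
        try:
            workload()
        except EgressBlocked:
            pass  # a client may also swallow the error itself, as in the log above
    return list(attempts)


def fake_client():
    # Constructed stand-in for a library that phones home when used.
    socket.create_connection(("telemetry.crewai.com", 4319), timeout=1)
```

If the library exports from a background thread, keep the guard active until the process has flushed and shut down, otherwise late attempts are not recorded.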
It is my understanding that telemetry is currently hardwired into the system. If this is incorrect, please let me know.
If there is no way to opt out/in of the system sending information or attempting to send information outside of the business network, the business I work for will have to decline using CrewAI.
The nature of the telemetry information does not matter.
The business I work for gets security audited, and the auditors would not accept this.
I want to emphasize that I really like CrewAI so far (and will likely use it personally), but this issue needs to be addressed if you want security-focused businesses to adopt it.
> It is my understanding that telemetry is currently hardwired into the system. If this is incorrect, please let me know.

You are correct, but Telemetry can (or at least could) be disabled, by adding the following snippet:
```python
from crewai.telemetry import Telemetry

def noop(*args, **kwargs):
    print("Telemetry method called and noop'd\n")
    pass

# Replace every public callable on Telemetry with the no-op
for attr in dir(Telemetry):
    if callable(getattr(Telemetry, attr)) and not attr.startswith("__"):
        setattr(Telemetry, attr, noop)
```
I am NOT running this in production or anywhere with confidentiality requirements and would not suggest anyone to do so.
> Hey folks, we are bringing more security to telemetry in the next version, upgrading to HTTPS and looking into adding an extra layer of encryption on top of that in the version after that. We have been talking and dwelling on adding the ability to disable it, given it could extremely hinder our ability to improve the library effectively if enough people disable it, versus the fact it's anonymous and we are making it more secure. Not saying we won't add it, just pondering for now.

Hello João, @joaomdmoura
Thanks for the security upgrades coming with HTTPS and the planned extra encryption layer.
In secure environments, users will likely disable telemetry anyway, even without an explicit option. By not offering this out of the box, it might actually push some users to avoid the library entirely for security reasons.
I think having an option to disable telemetry would build more trust and transparency. It would acknowledge the security needs of users and could help more people feel comfortable using the library.
Thanks for considering this! Matt
@dezoito Yes, I use this snippet, but I think this is a "monkey patch". I think it would be better if disabling it were supported through an official option.
@joaomdmoura
Thank you for your response. CrewAI is a popular agent framework, but sending "anonymous telemetry that can't be disabled" is a bad idea for many companies, because some production environments can't even access the public internet. Maybe telemetry can be an option and not a core component.
Yes, I confirm that most mid market or enterprise companies won't be able to use crewAI if telemetry can't be disabled (either because it violates their security policy or because their network policy won't allow them at all!)
Yes, I confirm too that for my organization it is a show stopper. CrewAI is for me the best so far but I need to know before starting a project for my organization. I found the telemetry option on the Crew constructor but it doesn't eliminate calls to telemetry.
> > It is my understanding that telemetry is currently hardwired into the system. If this is incorrect, please let me know.
>
> You are correct, but Telemetry can (or at least could) be disabled, by adding the following snippet:
>
> ```python
> from crewai.telemetry import Telemetry
>
> def noop(*args, **kwargs):
>     print("Telemetry method called and noop'd\n")
>     pass
>
> for attr in dir(Telemetry):
>     if callable(getattr(Telemetry, attr)) and not attr.startswith("__"):
>         setattr(Telemetry, attr, noop)
> ```
>
> I am NOT running this in production or anywhere with confidentiality requirements and would not suggest anyone to do so.

This seems to work, thanks!
This should definitely be opt-in. Anyway, thanks for the snippet @heyfixit.
I'm not using that library anymore...
I created a new project using crewai==0.35.8
At this site: https://docs.crewai.com/telemetry/Telemetry/
It's pivotal to understand that NO data is collected concerning prompts, task descriptions, agents' backstories or goals, usage of tools, API calls, responses, any data processed by the agents, or secrets and environment variables
I did not enable the share_crew setting. I placed a breakpoint at the location in the OTEL library right before information is transmitted to your server and dumped the data that was to be transmitted:
telemetry.json crew_agents.json crew_tasks.json llm.json
The telemetry data contains:
- Prompts
- Task Descriptions
- Agent Backstories
- Agent Goals
- Contents of the environment variable (base_url of my local ollama server)
#524 #726
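
A way to repeat the check described in the comment above on your own dump, as an added example that is not part of the original comment or of crewAI: it searches a captured payload for canary strings (a goal, a local base_url) that must not leave the host. The payload layout, the attribute names and `find_leaks` are assumptions; the sample data is constructed.

```python
import json

# Constructed sample shaped like a dumped span payload; the attribute names
# reuse the dump file names from the comment above and are assumptions.
SAMPLE = {"spans": [{"name": "example-span", "attributes": {
    "crew_agents": json.dumps([{"role": "analyst",
                                "goal": "Find Q3\nrevenue for ACME"}]),
    "llm": json.dumps({"base_url": "http://ollama.internal.example:11434"}),
}}]}

# Exact strings that must never appear in outbound telemetry (constructed).
CANARIES = {
    "agent_goal": "Find Q3\nrevenue for ACME",
    "ollama_base_url": "http://ollama.internal.example:11434",
}


def find_leaks(payload, canaries):
    """Return sorted (label, json_path) pairs for every canary found."""
    hits = set()

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str):
            for label, secret in canaries.items():
                if secret and secret in node:
                    hits.add((label, path))
            # A string attribute may itself hold serialised JSON, where
            # newlines and quotes are escaped and a plain substring search
            # misses the canary, so decode and descend.
            try:
                nested = json.loads(node)
            except ValueError:
                return
            if isinstance(nested, (dict, list)):
                walk(nested, path + "<json>")

    walk(payload, "$")
    return sorted(hits)
```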
Once telemetry is off I find it to run much faster. Definitely a no-go to submit any data without opt-out functionality.
Please add telemetry full off as an option, until then crewai is useless!
I’m uncertain about when this feature will be available for toggling on or off. However, it cannot serve as the open solution for the company, as it would likely fail most company security audits.
This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Docs updated with instructions for disabling :)