The Panopticon IDE

We fought keystroke loggers for a decade. Then someone made the logger helpful, and we installed it ourselves.
By Bustah Ofdee Ayei · March 29, 2026
It is 2:14 a.m. and a developer is stuck. She tries a recursive approach, deletes it. Tries a hashmap, deletes that too. Googles "python defaultdict nested" — a thing she has known how to do for six years but cannot recall right now because it is 2:14 a.m. She pastes the Stack Overflow answer, modifies it, runs the tests, watches them fail. Tries a third approach. The tests pass. She commits. Total elapsed time: forty-three minutes. The AI coding assistant watched every second of it — every false start, every deleted line, every basic concept she had to look up, every moment of confusion. It knows more about how she works than her manager, her team lead, or her own self-assessment. And that data just left her machine.

This is not a hypothetical. 84% of developers now use AI coding tools.[1] The tools see everything: the code you write, the code you delete, the questions you ask, the order in which you try solutions, how long you stare at a function before giving up. The finished commit tells one story. The process that produced it tells another — one that is far more revealing, far more intimate, and far more valuable to anyone interested in measuring how a developer actually works.

We spent the last decade fighting workplace surveillance software. Developers wrote browser extensions to block tracking pixels. They protested screenshot tools like Hubstaff and Time Doctor. They unionized over keystroke loggers. Then someone packaged a keystroke logger as a productivity tool, added autocomplete, and charged ten dollars a month. And 84% of us installed it voluntarily.

The Data Inventory

Let us be precise about what these tools collect. Not the marketing language — the actual data flows described in their privacy policies and telemetry documentation, as of March 2026.

GitHub Copilot transmits prompts — contextual code snippets from your open files — in real time to Microsoft and OpenAI servers.[2] On individual plans with telemetry enabled, those prompts are retained. User Engagement Data tracks every suggestion you accept, dismiss, or edit. Business and Enterprise plans promise ephemeral processing — code is not retained after inference — but the usage metadata still flows. Until March 25, 2026, the policy said model training on individual code was "currently disabled for everyone" — the word currently doing extraordinary work. Then GitHub opened the door: starting April 24, interaction data from Free, Pro, and Pro+ users will train AI models by default. Opt-out, not opt-in. The toggle is in account settings. The "currently" warned us. Nobody listened.[3]

Cursor has a Privacy Mode toggle. When it is off — which is the default — Cursor stores your codebase data, prompts, editor actions, and code snippets, and uses them to train its AI models.[4] Prompts and telemetry are shared with third-party inference providers: Baseten, Together AI, Fireworks. When Privacy Mode is on, zero data is retained at model providers and code is encrypted with client-generated keys that exist only during the request. The distinction between these two states is enormous. The toggle that separates them is buried in settings. Most developers never change defaults.

Claude Code (Anthropic) takes a different approach depending on your plan. Consumer users choose whether their data is used for training — opting in gets five-year retention, opting out gets thirty days.[5] That is a 60x difference in how long your code lives on their servers based on a single toggle. Commercial plans do not train on your code unless you explicitly opt in. Telemetry (Statsig metrics, Sentry error logs) explicitly excludes code and file paths, and can be disabled via environment variables. The design is more careful than most. But there is a trap: the /feedback command sends a full copy of your conversation history — including all code — to Anthropic, retained for five years. A user-initiated data disclosure disguised as a feature request form.

Windsurf (Codeium) is the bluntest. Free tier: your code may be used to improve models. Period.[6] Teams and Enterprise get zero data retention by default and an on-prem deployment option. The privacy policy language admits that Personal Information is disclosed for "Training AI Models: To train, develop, and improve the artificial intelligence, machine learning, and models." If you are on the free tier, you are the product. If you are on Enterprise, you are the customer. The distinction is the credit card.

| Tool | Default trains on code? | Opt-out? | Retention | Zero-retention option |
|---|---|---|---|---|
| Copilot (Individual) | Yes (from April 24) | Settings toggle | Varies | No |
| Copilot (Business) | No | N/A | Ephemeral | Yes |
| Cursor (default) | Yes | Toggle Privacy Mode | Indefinite | No |
| Cursor (Privacy Mode) | No | Must enable manually | Request-only | Yes |
| Claude Code (Consumer) | User chooses | Toggle in settings | 30 days / 5 years | No |
| Claude Code (Commercial) | No | Opt-in only | 30 days | Yes (Enterprise) |
| Windsurf (Free) | Possibly | Upgrade to paid | Unknown | No |
| Windsurf (Enterprise) | No | N/A | ZDR default | Yes |

The pattern is clear. Every tool offers privacy protections — on the expensive tier. The free and individual plans, the ones most developers actually use, are where the data flows widest. And even when opt-out exists, the architecture of defaults means most developers never exercise it. GitGuardian found that in approximately 20,000 repositories where Copilot is active, 6.4% leaked at least one secret — API keys, tokens, credentials — a rate 40% higher than the baseline across all public repositories.[7] The tools are not just collecting your code. They are collecting your secrets.
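As an added example, not code from any vendor or tool discussed here: a minimal pre-send filter in Python that scans the context an assistant would transmit for documented credential formats (AWS access key ids, GitHub personal access tokens) and for credential-looking assignments with high-entropy values, then redacts them. The sample file content is constructed, and the entropy threshold and regexes are this example's own choices rather than any product's behaviour.

```python
import math
import re

# Well-known public credential formats (documented prefixes, not page-specific
# values): AWS access key ids start with AKIA, GitHub classic PATs with ghp_.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Catch-all heuristic: an assignment whose variable name looks credential-like
# and whose quoted value is at least 16 characters long.
ASSIGNMENT = re.compile(
    r"""(?i)\b(\w*(?:secret|token|password|api[_-]?key|aws[_-]?key)\w*)"""
    r"""\s*[=:]\s*["']([^"']{16,})["']"""
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text: str, entropy_threshold: float = 3.5):
    """Return (line_no, kind, value) for each suspected secret in text.
    The 3.5 bits/char threshold is an assumption for this example."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in KNOWN_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append((line_no, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(2)
            # Skip values already reported by a known-format pattern.
            if any(f[0] == line_no and f[2] in value for f in findings):
                continue
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((line_no, "high_entropy_assignment", value))
    return findings


def redact(text: str) -> str:
    """Replace every suspected secret with a fixed marker before transmission."""
    redacted = text
    for _, _, value in find_secrets(text):
        redacted = redacted.replace(value, "<REDACTED>")
    return redacted


# Constructed sample file content. The AWS value is the example key id AWS
# publishes in its own documentation; the others are made up for this example.
SAMPLE = '''\
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJ012345"
db_password = "hunter2"
stripe_secret = "Qx9zLp2mN8vBk7wYdR4tHj6s"
DEBUG = True
'''

if __name__ == "__main__":
    for line_no, kind, value in find_secrets(SAMPLE):
        print(f"line {line_no}: {kind}: {value}")
    print(redact(SAMPLE))
```

The short "hunter2" value is left alone because it is below the length floor; a production scanner would add more formats and a denylist of known-bad values rather than relying on entropy alone.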

The privacy landscape is a patchwork of toggles, tiers, and fine print. The default matters enormously. Most developers never change defaults.

When the Walls Leaked

In March 2023, three separate incidents at Samsung's semiconductor division demonstrated what happens when proprietary code meets AI tools that train on inputs.[8] One employee entered faulty source code for a facility measurement database seeking a fix. Another submitted program code for identifying defective equipment. A third converted a meeting recording into text and fed it to ChatGPT for meeting minutes. All three data sets entered OpenAI's training corpus. Samsung's response escalated from limiting prompts to 1,024 bytes to banning generative AI tools entirely.

Samsung was the canary. The mine kept filling with gas.

In 2025, security researchers disclosed CamoLeak, a CVSS 9.6 vulnerability in GitHub Copilot Chat that allowed silent exfiltration of private source code and secrets.[9] The attack combined a Content Security Policy bypass using GitHub's own infrastructure with remote prompt injection. Researchers demonstrated the ability to get Copilot to search a victim's codebase for AWS_KEY and exfiltrate it to an attacker-controlled server. GitHub patched it by disabling image rendering in Copilot Chat entirely — the digital equivalent of bricking the windows because you cannot secure them.

RoguePilot showed that attackers could trigger passive prompt injections via GitHub issues, manipulating Copilot into reading internal files and exfiltrating GITHUB_TOKEN values to remote servers.[10] EchoLeak (CVE-2025-32711) demonstrated zero-click prompt injection in Microsoft 365 Copilot, where a poisoned email could force the assistant to exfiltrate sensitive business data to an external URL.[11] And Truffle Security's scan of approximately 400 terabytes of Common Crawl data found roughly 12,000 live secrets — valid API keys, tokens, passwords — embedded in web content that had been ingested into LLM training sets.[12]

The OmniGPT breach in February 2025 exposed 30,000 user records and 34 million lines of conversation logs, including code from private GitHub repositories.[12] Models can memorize and regurgitate sensitive information, and there is no reliable mechanism to guarantee they will not. The data does not just flow to the vendor. It flows through the vendor, and sometimes it flows out the other side.

The pattern is not hypothetical. Code leaks through AI tools via training data ingestion, via security vulnerabilities in the tools themselves, via memorization and regurgitation by models, and via social engineering of AI assistants. Four attack surfaces, all open simultaneously, all expanding as adoption grows.

The Productivity Panopticon

If the data collection were purely a security risk, the story would be simpler. Patch the vulnerabilities, encrypt the pipelines, move on. But there is a second data flow that is not a bug — it is a product feature.

Microsoft's Copilot Dashboard, integrated into Viva Insights, provides managers with per-team adoption metrics, usage patterns, productivity impact indicators, and ROI calculations.[13] It tracks behavior shifts: time in meetings, email volume, Teams chat patterns. Benchmarking allows comparing cohorts by manager, region, and job function against Copilot usage percentages. This is not a privacy violation. This is a product listing. It is in the marketing materials.

The metrics tell a story that managers have never had access to before. Not just what code a developer shipped, but how they shipped it. How many AI suggestions they accepted. How many they rejected. How long they spent between suggestion and commit. Whether they are an "efficient AI collaborator" or a "resistor." The raw material for a performance review that evaluates not just output but process — the most intimate dimension of knowledge work.

The industry numbers frame the stakes. AI now writes 41% of all code. 26.9% of production code is AI-authored, up from 22% last quarter.[14] Google reports 25% of its code is AI-assisted, with CEO Pichai framing it as a velocity gain, not a headcount reduction.[14] But the productivity data is genuinely mixed. A controlled METR study in early 2025 found AI actually caused tasks to take 19% longer. A subsequent study showed an 18% speedup, but with wide confidence intervals.[14] Pull requests with AI-generated code have roughly 1.7x more issues. Only about 30% of AI suggestions get accepted.[14]

The data is uncertain. The dashboards are not. A manager looking at Copilot adoption metrics does not see confidence intervals. They see a number next to each developer's name.

The most detailed productivity profile ever assembled about a knowledge worker, generated as a byproduct of helping them work.

Taylor's Stopwatch, Digitized

In 1911, Frederick Winslow Taylor published The Principles of Scientific Management, which proposed breaking every job into its component motions, timing each with a stopwatch, and eliminating the unnecessary ones. Workers became, in Taylor's framework, machines to be optimized. Frank and Lillian Gilbreth filmed workers' activities and timed them — the original surveillance footage, shot not for security but for efficiency.[15]

The resistance was immediate and fierce. Workers understood that being watched meant being controlled. The observer changed the observed. Surveillance was not neutral measurement — it was a power relationship disguised as science.

But Taylor won. Henry Ford implemented time-motion studies alongside the assembly line. The factory floor accepted the stopwatch. Then came the office. Call centers introduced call recording, average handle time, calls per hour. Email monitoring became normalized in the 2000s. The surveillance software market grew: Hubstaff offered optional screenshots (up to three per ten minutes), keyboard and mouse tracking, URL monitoring. Time Doctor went further: continuous screen recording, live screen viewing, webcam capture. Teramind: keystroke logging, application monitoring, file transfer tracking.

The employee surveillance software market hit $648.8 million in 2025, projected to reach $1.47 billion by 2032.[15] Remote work monitoring specifically: $1.92 billion in 2024, headed for $7.09 billion by 2033. Seven out of ten large companies now monitor workers, up from six out of ten in 2021. 74% of US employers use online tracking tools.[15]

And at every step, there was pushback. 54% of employees say they would consider quitting if their employer increased surveillance. 68% oppose AI-powered surveillance specifically.[15] Time Doctor's own rationale — "if employees are monitored, they'll be more productive" — was criticized for creating a "culture of distrust and unhappy workforce."

This is the historical thread: Taylor's stopwatch to Gilbreth's film camera to Ford's assembly line to call recording to email monitoring to screenshot tools to keystroke loggers. Each generation of surveillance more intimate than the last. Each resisted, then normalized. Each eventually accepted because the employer held the power asymmetry. AI coding tools are the latest iteration — and the most granular by orders of magnitude. They do not sample your screen every ten minutes. They record every character you type, every character you delete, every question you ask, in real time, continuously, for the entire workday.

The difference is that this time, the workers installed it themselves.

The Inspector Who Lives in Your Editor

In 1785, the English philosopher Jeremy Bentham designed a prison. The Panopticon was a circular building with a central watchtower surrounded by a ring of cells. The guard in the tower could see every inmate at all times, but the inmates could never tell whether the guard was actually watching at any given moment.[16]

The design was elegant in its cruelty. The surveillance did not need to be constant. It needed only to be possible. The inmates, never knowing when they were observed, had to assume they were observed always. They disciplined themselves. The external surveillance became internal self-regulation.

Nearly two centuries later, Michel Foucault seized on Bentham's design as the defining metaphor for modern power. In Discipline and Punish (1975), Foucault wrote: "The major effect of the Panopticon is to induce in the inmate a state of conscious and permanent visibility that assures the automatic functioning of power."[16] The person being watched internalizes the observer. They become their own guard. Foucault called this "panopticism" — a mode of social control that produces "disciplined, docile and productive bodies."

The AI coding assistant is a literal Panopticon. You have no way to tell when your code is being retained, when it trains a model, when your manager can see your productivity metrics on a dashboard, or which of your keystrokes persist in a database for five years. So you code as if all of them persist. As if you are always being watched.

And this changes how you code. Not necessarily for the better. The developer at 2:14 a.m. who needs to try three bad approaches before finding the good one — does she try all three when the AI is recording? Or does she hesitate, self-censor, avoid the exploratory dead ends that are the actual mechanism of creative problem-solving? The junior developer who needs to look up a basic concept — does he ask the AI, knowing that the question reveals a knowledge gap that is now logged somewhere? Or does he open an incognito browser tab, as if the act of learning were something to hide?

Foucault's key insight was that panopticism does not require a malicious observer. It does not require any observer at all. The architecture of potential observation is sufficient. The AI does not need to surveil you constantly. It just needs to make surveillance constantly possible. The developer becomes their own guard, self-censoring their exploration, their mistakes, their creative dead ends. That produces more anxious engineering, not better engineering.

"The major effect of the Panopticon is to induce in the inmate a state of conscious and permanent visibility that assures the automatic functioning of power."
— Michel Foucault, Discipline and Punish, 1975

The Stack Overflow 2025 Developer Survey quantified the psychological state of the inmates. Trust in AI coding tools dropped from 40% to 29% between 2024 and 2025, even as adoption rose to 84%.[1] A 55-point gap between usage and confidence. 81% of developers report concerns about the security and privacy of AI tool data.[1] They are using tools they do not trust, with data practices they are worried about, because the productivity benefit feels too large to refuse — and because not using AI tools increasingly feels like a career risk.

This is coerced adoption wearing the mask of convenience.

The Law Is Three Steps Behind

There is no US federal law specifically regulating AI in the workplace. The EEOC, DOJ, CFPB, and FTC issued a joint statement that existing civil rights laws apply to AI-driven employment decisions, but the statement offers no specific protections for the data generated by AI coding tools.[17] California's CCPA/CPRA is the only state law covering employee data, and it was written for a world where "personal information" meant names and email addresses, not the complete cognitive process of writing software.

The EU's GDPR is stronger in principle. Employers must provide notice about decisions made through automated processing. Workers have the right to "meaningful information about the logic involved." And Article 22 protects against decisions based solely on automated processing.[17] But there is a problem that no regulation has solved: the right to deletion is technically incompatible with how large language models work. If your code trained a model, the model cannot "forget" individual data points. The right to erasure may be technically impossible to fulfill. Your code is in the weights now. It is not a row in a database that can be deleted. It is a statistical ghost distributed across billions of parameters.

Colorado's SB 205, effective February 2026, is the first comprehensive state law regulating AI, creating a private right of action for applicants rejected due to AI bias.[17] But it covers hiring, not the ongoing surveillance generated by AI tools during employment. The law protects you from being denied a job by AI. It does not protect you from being profiled by AI every minute you hold the job.

The Resistance

There is an alternative. VS Code plus Ollama plus Continue.dev equals a fully offline AI code assistant. No data leaves the machine. Zero telemetry. Zero training. Zero cloud inference.[18] Models like Qwen 2.5 Coder (7B parameters) and DeepSeek Coder v2 (16B) run on a modern laptop and match or beat GPT-3.5-era performance. Cost: $0 per month versus $10–$19 for cloud tools. No rate limits, no usage caps. Works on planes, on restricted corporate networks, in classified environments.

The catch is real and it is significant. Local models are meaningfully worse than cloud models for complex tasks. The gap has narrowed, but it has not closed. The developers running Ollama on their laptops know this. They accept the capability tax in exchange for privacy. They are making a conscious tradeoff that most of their colleagues are not even aware exists.

Enterprise has options too. Windsurf offers on-prem deployment — the AI engine runs on internal servers, code never leaves the network. Self-hosted inference is possible but expensive. The privacy-preserving path exists, but it costs more money, more setup, more maintenance, and delivers less capability. The market has priced privacy as a premium feature, which means the developers who can least afford to pay — freelancers, students, indie developers, workers at small companies — are the ones whose code flows most freely into training pipelines.

A freelancer on Cursor's free plan, Privacy Mode off by default, working on a client's proprietary codebase. The client never consented. The freelancer may not even know. The code enters Cursor's training set. The client's competitor buys Cursor next quarter. The data has a half-life longer than the contract that generated it.

The Surveillance You Asked For

Here is the thing about the Panopticon that Foucault found most interesting. It was not the guard in the tower. It was that the inmates eventually stopped needing the guard at all. The architecture of observation became the mechanism of control. The possibility of being watched was sufficient to change behavior permanently.

We are watching this happen in real time with developers. The 2:14 a.m. coder who hesitates before trying a bad approach because the AI is recording. The junior who asks fewer questions because questions reveal gaps. The senior who writes more "correct" code on the first pass because they know acceptance rates are being tracked. The team lead who pushes AI adoption because the Copilot Dashboard will show their manager the adoption metrics next quarter. The manager who uses those metrics in performance reviews because the data is there and the data has always been used.

None of this requires malice. It does not require a conspiracy. It does not require anyone deciding to spy on developers. It requires only the existence of the data and the organizational incentive to use it. The data exists because the tools are genuinely helpful. The incentive exists because managers have always wanted to measure developer productivity and have never had good tools for it. AI coding assistants are, as an unintended side effect of their primary function, the most granular developer productivity measurement system ever built.

For years, developers fought screen-recording software and keystroke loggers, wrote browser extensions to block tracking pixels, lobbied against Hubstaff and Time Doctor, and argued — correctly — that surveillance degrades trust, harms morale, and produces worse work. 54% of employees said they would consider quitting over increased surveillance.[15] 68% opposed AI-powered monitoring specifically.

Then someone made the surveillance helpful. Genuinely, undeniably helpful. The autocomplete that finishes your thought. The assistant that writes your boilerplate. The tool that catches your bugs before you run the tests. Helpful enough that 84% of developers adopted it voluntarily, despite 81% having privacy concerns about it, despite trust in these tools falling to 29%.

The most effective surveillance is the kind you ask for. The Panopticon works best when the inmates furnish their own cells.

Disclosure

This article was written with the assistance of Claude, an AI made by Anthropic — one of the companies whose data practices are examined above. The tool that helped draft this piece is, by the argument of this piece, part of the surveillance infrastructure being described. We are aware of the irony. We are also aware that pointing out the irony does not resolve it. Claude saw every draft, every revision, every false start in the writing of an article about AI seeing every draft, every revision, every false start. Corrections, counterarguments, and existential spirals welcome at bustah_oa@sloppish.com.

Sources

  1. Stack Overflow, "2025 Developer Survey Results." 84% adoption, trust drop from 40% to 29%, 81% privacy concerns. Link. See also Stack Overflow Blog and ByteIota analysis.
  2. GitHub, "GitHub Privacy Statement." Prompt transmission and User Engagement Data collection. Link.
  3. GitHub Community Discussion on Copilot data practices; GitGuardian, "GitHub Copilot: Security and Privacy." GitHub Discussion | GitGuardian.
  4. Cursor, "Data Use" and "Privacy Policy." Privacy Mode opt-in, default data collection, third-party inference providers. Data Use | Privacy.
  5. Anthropic, "Claude Code Data Usage." Consumer/commercial tiers, retention periods, telemetry, /feedback data flow. Link.
  6. Windsurf (Codeium), "Privacy Policy" and "Security." Free tier training, enterprise ZDR, on-prem option. Privacy | Security.
  7. GitGuardian, "Yes, GitHub Copilot Can Leak Secrets." 6.4% of Copilot-active repos leaked at least one secret. Link.
  8. Samsung ChatGPT incident coverage: Human Firewall case study | The Register.
  9. Legit Security, "CamoLeak: Critical GitHub Copilot Vulnerability Leaks Private Source Code." CVSS 9.6. Link.
  10. Orca Security, "RoguePilot: GitHub Copilot Vulnerability." Prompt injection via GitHub issues, GITHUB_TOKEN exfiltration. Link.
  11. PurpleSec, "AI Security Risks." EchoLeak (CVE-2025-32711), zero-click prompt injection in Microsoft 365 Copilot. Link.
  12. PointGuard AI, "12,000 API Keys and Passwords Exposed in AI Training Data." Truffle Security Common Crawl scan and OmniGPT breach. Link.
  13. Microsoft, "Copilot Analytics Introduction (Viva Insights)." Per-team adoption metrics, usage patterns, benchmarking. Link.
  14. AI coding productivity statistics compiled from: Faros AI, METR study, Index.dev.
  15. Workplace surveillance market data and employee sentiment: Fortune Business Insights, Apploye, The Register, Monthly Review.
  16. Bentham's Panopticon and Foucault's analysis: Wikipedia, Brown University, Ethics Centre, ResearchGate.
  17. Legal landscape: IAPP, Corporate Compliance Insights, Fisher Phillips.
  18. Privacy-preserving local AI tools: MarkAICode, FailingFast, Local AI Master.