Hello everyone, I'm new here, do not know what to say but hey I was looking at /private/var/db/analyticsd there you will find a folder called " aggregates " by defaults it is locked and for a reason, unlocking it will reveal a bunch of files on everything we are doing on our machines and reports to apple and it seems to me that in this new version of macOS we are being tracked down even more. The CoreAnalytics artifact provides a historical and current perspective on program execution, on a near-daily basis. This data is derived from two sources: Files with the extension .core_analytics in /Library/Logs/DiagnosticReports/ that are comprised of JSON records: The first two records can be parsed to reveal the timestamps that the diagnostic period began and ended; the data following those records indicates system and application usage over the diagnostic period. Files with GUID-like names in /private/var/db/analyticsd/aggregates/ that are comprised of nested arrays: The subsystems that report to the analytics daemon temporarily stage program execution data in these aggregate files, for the current diagnostic period. The staged data is typically pushed to a .core_analytics file at the end of the diagnostic period. The diagnostic period is defined within the .core_analytics files within the first two lines, which establish the times that the period began and ended. Each diagnostic period ends at the first system sleep or shutdown after 00:00:00 UTC. As mentioned above, data for the day is staged in aggregate files before being submitted to a .core_analytics file for longer-term storage at the end of the diagnostic period. Consequently, CoreAnalytics cannot be used to determine the exact time that a program was executed, but can be used to determine the time frame (approximately within a 24-hour period) in which the program was run. Anybody looking at this already how we could prevent the system to send back everything we open ( evidence of program execution ). I am going to keep my eyes on that and see if I can lock files to prevent the system to send, what I have done so far, is "aggregates folder" > get info > and by default _analyticsd as read only and I changed to write only dropbox and remove every files there. I do not know if this will do something or not. and I will do the same to the other folder. A quick opening of the files in the aggregates folder with Hex Fiend editor and it will show you everything you have done, installed... everything.