Hacker News

Lammy, last Sunday at 7:34 PM, 0 replies

> Maybe I'm missing something here but I'd guess that data is encrypted and not a free for all of open data that any old ISP could snoop on.

Yes, you are missing the entire point. You are talking about data. I am talking about metadata — data about data. The contents of each log request are a total red herring. Just pretend that the encrypted log messages are a single bit, just a way to increase a counter that “something has happened” on a person's Tailnet.

The encrypted log message structure does tell Tailscale “this particular machine on the Tailnet talked to this other particular machine on the Tailnet at this time”, and one should assume Tailscale decrypts and interprets those details, but what I'm talking about is the ability for any part of the network path to interpret those log connections without decrypting them as “somebody is using their Tailnet right now in any capacity”, and when, and from where, and the ability to combine that new class of metadata with all the other metadata our modern OSes are constantly generating.

> Do they aggregate and then send it at regular intervals, etc?

This is already addressed in my original comment. Again, see KB1011: https://tailscale.com/kb/1011/log-mesh-traffic

“Each Tailscale agent in your distributed network streams its logs to a central log server (at log.tailscale.com). This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”

“This includes real-time events for open and close events for every inter-machine connection (TCP or UDP) on your network.”

“real-time events”!!

e: Recommended reading:

- https://kieranhealy.org/blog/archives/2013/06/09/using-metad...

- https://abcnews.go.com/blogs/headlines/2014/05/ex-nsa-chief-...
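The point in the comment above is that a passive observer on the path needs no decryption at all: the mere timing of uploads to the log server reveals when a Tailnet is in use. The small simulation below is an added example, not Lammy's code and not Tailscale's, and it makes no claim about how Tailscale actually batches or pads. It constructs a few node-side connection events, models two upload strategies (stream each event immediately, or upload a fixed-size blob at a fixed interval whether or not anything happened), and shows what an on-path observer can infer from each. The `log.tailscale.com` hostname comes from the KB article quoted above; every event, size and interval is constructed, and the padded fixed-interval upload is an assumed mitigation, not a described feature.

```python
"""
Added illustration (not from the HN comment or from Tailscale): what a passive
on-path observer learns from the *timing* of encrypted log uploads, and how a
fixed-interval upload with padding removes that signal. All events are constructed.
"""
from collections import defaultdict

LOG_SERVER = "log.tailscale.com"  # hostname named in the quoted KB article

# Constructed node-side events: (t_seconds, description). To the observer only
# the time matters; the contents are assumed encrypted and opaque.
LOCAL_EVENTS = [
    (12, "tcp open  100.64.0.2 -> 100.64.0.5:22"),
    (15, "tcp close 100.64.0.2 -> 100.64.0.5:22"),
    (301, "udp open  100.64.0.2 -> 100.64.0.7:51820"),
    (305, "udp close 100.64.0.2 -> 100.64.0.7:51820"),
]


def realtime_upload(events):
    """Stream each event as its own encrypted upload the moment it happens.
    Returns what the path sees: (t_seconds, dst_host, payload_bytes)."""
    return [(t, LOG_SERVER, 256) for t, _ in events]


def batched_upload(events, interval, horizon):
    """Upload once per `interval` seconds up to `horizon`, sending a fixed-size
    blob even when no events occurred (padding). This is an assumed mitigation
    for the example, not behaviour described on the page; `events` is accepted
    only to keep the same call shape as realtime_upload."""
    return [(t, LOG_SERVER, 1024) for t in range(interval, horizon + 1, interval)]


def observer_activity(flows, bucket):
    """What a passive on-path observer infers without decrypting anything:
    the time buckets in which any traffic went to the log server."""
    seen = defaultdict(int)
    for t, dst, _size in flows:
        if dst == LOG_SERVER:
            seen[t // bucket] += 1
    return sorted(seen)


def true_activity(events, bucket):
    """Ground truth: the buckets in which the node actually did something."""
    return sorted({t // bucket for t, _ in events})


def leaks_activity(events, flows, bucket):
    """True when the observer's timing-only view reproduces the real activity."""
    return observer_activity(flows, bucket) == true_activity(events, bucket)


if __name__ == "__main__":
    bucket = 60
    print("true activity buckets:", true_activity(LOCAL_EVENTS, bucket))
    print("observer, real-time streaming:",
          observer_activity(realtime_upload(LOCAL_EVENTS), bucket))
    print("observer, padded fixed-interval upload:",
          observer_activity(batched_upload(LOCAL_EVENTS, 60, 600), bucket))
```

With real-time streaming the observer's bucket list is identical to the node's real activity; with padded fixed-interval uploads the observer sees the same uniform pattern whether the node did anything or not, so the timing carries no information about use of the Tailnet. Aggregating at intervals without padding would still leak activity through upload size, which the observer also sees, so a fixed blob size is part of the mitigation rather than an optional detail.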