Note: This affects every Minecraft version >=1.10, however, part of it (not informing the user about sending UUID information) has been fixed in 16w35a.
Since Minecraft 1.10.0, the information that the Snooper sends from the game to http://snoop.minecraft.net includes a field called "uuid". The code which generates it can be found in the class called by Main, commonly called "Minecraft", by searching for the string "uuid" (including the quotes).
Another way to verify this is to hash your own UUID (hyphenated, as a string) with SHA1 and compare the result to the "uuid" value shown in the Snooper Options.
As you can see, the field's value is a SHA1 hash of the player's UUID. The hash is not salted in any way, which means that an entity which has access to both the snooper data and a list of all UUIDs can create a list of SHA1->UUID mappings, and - due to the very low probability of hash collisions in normal conditions - effectively be able to map said SHA1 hash to the player UUID and de-anonymize the information contained in the snooper data.
This isn't really a vulnerability in the practical sense, perhaps a theoretical one, as prior knowledge of the UUID is still necessary to de-anonymize a packet - and the pool of potential UUIDs is far too large to efficiently compare them, unless you have a list of actually existing UUIDs (which is far smaller). However, the Snooper communications happen over unencrypted HTTP, which means that snooping on the Snooper is possible and a third party knowing your UUID (which is, indeed, unlikely) can become aware of additional details about the machine you're playing from.
One important step to take would be to prevent snooping on the Snooper data by third parties by using HTTPS (or, at the very least, prevent proxying the snooper domain by using some kind of verification).
I believe that the token usage should also be reconsidered, and ways of counting players to a reasonable degree of certainty which do not involve breaching their privacy (salting with the MAC address? It's possible in Java) considered.
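The following is an added example, not code from Mojang or from this report. It reproduces the "uuid" field as described above (SHA1 over the hyphenated UUID string; the assumption is that the hash covers the canonical lowercase form that Java's UUID.toString() produces), shows why an unsalted hash can be mapped back to the UUID by anyone holding a list of UUIDs, and contrasts it with a hypothetical keyed (secret-salted) variant that still yields one stable token per account for counting. All UUIDs are constructed sample values.

```python
import hashlib
import hmac
import uuid


def snooper_uuid_field(player_uuid: str) -> str:
    """Reproduce the Snooper "uuid" field: SHA1 over the hyphenated UUID string.
    Assumption: canonical lowercase form (UUID strings are ASCII, so the byte
    encoding does not matter)."""
    canonical = str(uuid.UUID(player_uuid))
    return hashlib.sha1(canonical.encode("ascii")).hexdigest()


def build_reverse_table(known_uuids):
    """Precompute SHA1 -> UUID for a list of UUIDs. Because the hash is unsalted,
    one table is reusable against every captured snooper packet."""
    return {snooper_uuid_field(u): str(uuid.UUID(u)) for u in known_uuids}


def deanonymize(uuid_field: str, table):
    """Look a captured "uuid" field up in the reverse table; None if unknown."""
    return table.get(uuid_field.lower())


def keyed_uuid_field(player_uuid: str, secret_key: bytes) -> str:
    """Hypothetical salted alternative (not Mojang's implementation): HMAC-SHA1
    under a server-side secret still gives one stable token per account, but
    without the key no precomputed table can reverse it."""
    canonical = str(uuid.UUID(player_uuid))
    return hmac.new(secret_key, canonical.encode("ascii"), hashlib.sha1).hexdigest()


# Constructed sample UUIDs (synthetic, not real accounts).
SAMPLE_UUIDS = [
    "01234567-89ab-4cde-8f01-23456789abcd",
    "deadbeef-0000-4000-8000-000000000001",
    "cafebabe-1234-4567-89ab-cdef01234567",
]

if __name__ == "__main__":
    table = build_reverse_table(SAMPLE_UUIDS)
    captured = snooper_uuid_field(SAMPLE_UUIDS[1])  # what an observer sees on the wire
    print("captured field:", captured)
    print("maps back to:  ", deanonymize(captured, table))
    print("keyed field:   ", keyed_uuid_field(SAMPLE_UUIDS[1], b"server-side-secret"))
```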
Comments
Indeed, which could be deemed a working, if disappointing, solution. However, the second part of the issue (parties who are not Mojang potentially being able to capture the data) is still present. Once you're sending data which can potentially identify a user, you should take extra care to ensure it's transmitted in a safe manner.
(Also, I do believe ways of uniquely identifying users without compromising their privacy should be looked into as well.)
Fixed in 16w35a by changing the snooper data description.
Mojang.com:
>> ...We made a text change to bring the Snooper Data description into line with the updated privacy policy. This refers to the fact that we collect a hashed identifier for your Minecraft account, so we can get an idea of the size of our active userbase. Remember you can always opt out!...