Privacy Statement Updates September 2022 by olholder · Pull Request #…

archived 13 Aug 2022 08:51:53 UTC
Privacy Statement Updates September 2022 #582

Open
olholder wants to merge 1 commit into main
from privacy-statement-update-sep-2022


olholder
Contributor

@olholder olholder commented 11 days ago
edited

GitHub is introducing non-essential cookies on web pages that market our products to businesses. These cookies will provide analytics to improve the site experience and personalize content and ads for enterprise users. This change is only on subdomains, like resources.github.com, where GitHub markets products and services to enterprise customers. Github.com will continue to operate as-is.
This change updates the Privacy Statement based on this new activity.
These updates will go into effect after the 30-day notice and comment period, on September 1, 2022.
Verified
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: 4AEE18F83AFDEB23
Updates to privacy statement
@olholder olholder changed the title Update github-privacy-statement.md Privacy Statement Updates September 2022 11 days ago
@olholder olholder requested a review from literarytea 11 days ago
... ... @@ -33,13 +34,13 @@ To see our Privacy Notice to residents of California, please go to [GitHub's Not
33 34
34 35 | Section | What can you find there? |
35 36 |---|---|
36 - | [Who is responsible for the processing of your information](#who-is-responsible-for-the-processing-of-your-information) | Subject to limited exceptions, GitHub is the controller and entity responsible for the processing of your Personal Data in connection with the Website or Service. |

@rick rick 10 days ago

Is the change from "Personal Data" to "personal data" a stylistic change?
I note that the paragraph above is still intact:
All capitalized terms have their definition in GitHub’s Terms of Service, unless otherwise noted here.
Presuming this capitalization change is unintentional, it has the unfortunate effect of decoupling "Personal Data" from the definition provided in the GitHub Terms of Service, which means that "personal data" is no longer as delineated there, but could well be anything.
If this is an intentional change, it would seem better made as a visible change to the Terms of Service. If the intent is not to change the Terms of Service but to arbitrarily expand "personal data" without drawing attention, well, that seems evil.

@rick rick 10 days ago

Looking into this further -- it looks like "Personal Data" is defined these days in the GitHub Data Protection Agreement. Perhaps this was being decapitalized since it is not directly defined (afaict) in the GitHub Terms of Service?

@afkvido afkvido 4 days ago

Oh bet

@EmmanuelArenas EmmanuelArenas yesterday

The collection of information and sale of it I think is something that has been going on for a long time. I think what matters is knowing what information we provide. But it's always good to know
217 222
218 223 Our emails to users may contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email communications more effective and to make sure we are not sending you unwanted email.
219 224
220 225 ### DNT
221 226
222 - "[Do Not Track](https://www.eff.org/issues/do-not-track)" (DNT) is a privacy preference you can set in your browser if you do not want online services to collect and share certain kinds of information about your online activity from third party tracking services. GitHub responds to browser DNT signals and follows the [W3C standard for responding to DNT signals](https://www.w3.org/TR/tracking-dnt/). If you would like to set your browser to signal that you would not like to be tracked, please check your browser's documentation for how to enable that signal. There are also good applications that block online tracking, such as [Privacy Badger](https://privacybadger.org/).
227 + "[Do Not Track](https://www.eff.org/issues/do-not-track)" (DNT) is a privacy preference you can set in your browser if you do not want online services to collect and share certain kinds of information about your online activity from third party tracking services. Some services may respond to browser DNT signals and follow the [W3C standard for responding to DNT signals](https://www.w3.org/TR/tracking-dnt/). If you would like to set your browser to signal that you would not like to be tracked, please check your browser's documentation for how to enable that signal. There are also good applications that block online tracking, such as [Privacy Badger](https://privacybadger.org/) or [uBlock Origin](https://github.com/gorhill/uBlock/).
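
Review bot: The added DNT paragraph no longer says what GitHub itself does with the signal: "Some services may respond to browser DNT signals" replaces "GitHub responds to browser DNT signals", while the rest of the section still tells readers how to enable DNT. State GitHub's own behavior explicitly (honored everywhere, only on some pages, or not at all) and name the pages where it differs, or remove the section, so the advice about setting the header does not read as if it still has an effect here.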

@Consolatis Consolatis 10 days ago

Let me prefix this by stating that I am a complete layman.
Previously: *GitHub* responds to browser DNT signals and follows the W3C spec.
Now: Some random services, somewhere in the world, hosted by GitHub or somebody else *may* respond to browser DNT signals and follow the W3C spec.
Doesn't this change invalidate the whole paragraph and turn it into a generic wiki article?

@MrBartusek MrBartusek 10 days ago

Dunno, they will stop respecting DNT but leave this paragraph and make it seem as if they do. This is just confusing.

@Consolatis Consolatis 10 days ago
edited

"Confusing" is one way to put it.
Edit:
@zzo38 articulated my personal opinion better than I could so I'll quote part of their comment here:
I also think that they should avoid using confusing privacy policies; the mention of DNT should either be kept as is if GitHub uses the DNT header to reduce tracking, or deleted entirely if GitHub does not use the DNT header. If it does so only in some cases, it should mention what cases these are. The privacy policy made sense before the change in the section about DNT, although the change mentioned above makes it confusing (as other comments already mention).
[..]
I have no problem with adding these non-essential cookies to the enterprise marketing pages, as long as the rest of GitHub can be used without it and it is documented which pages these are (and if the cookie domain is the same, also which cookies). Moving the enterprise marketing pages to a separate domain seems to me to be a good idea though, in order to be clearly distinguished (although a subdomain is probably good enough, in my opinion; as long as it is documented clearly which subdomains these are).
Emphasis is mine.
In my opinion, documented should mean being very specific and being part of a legally binding document like the privacy policy.
An example for not being specific is this part of the changes:
As described below, we may use non-essential cookies on certain pages of our website

@al1103 al1103 6 days ago

:))

@rjgotten rjgotten 3 days ago

So; let's get this straight:
  1. According to GDPR article 22 data subjects may exercise their right to object to processing using technical specifications.
  2. GitHub acknowledges the DNT signal as a valid technical standard, i.e. technical specification.
  3. Moreover; GitHub honors - or at least used to honor - that signal, illustrating that they have the capacity to respond to it appropriately.
Yeah... uhm..
How is attempting to weasel yourself out from under that not morally blackest evil?
@jdgregson

jdgregson commented 10 days ago

You lost me at ads for enterprise users.
@leoheck

leoheck commented 10 days ago

Github is being undermined by Microsoft.
@TechSolomon

TechSolomon commented 10 days ago

@TheMaverickProgrammer

TheMaverickProgrammer commented 10 days ago

so what github alternative is everyone using these days? asking for a friend.
@ocdtrekkie

ocdtrekkie commented 10 days ago
edited

"We are also committing that going forward, we will only use cookies that are required for us to serve GitHub.com."
Apparently in corporate terms, a "commitment" is now less than two calendar years of obligation. Good to know. Though, I guess I don't visit the marketing pages and hence, don't really care that much? Corporations being untrustworthy isn't new territory.
Literally just "business advice": Your marketing teams should be weighing the value of the data here against the cost of "yet another breach of user trust and commitment", user trust, of course, being something extremely hard to earn back.
@karlshea

karlshea commented 10 days ago

Marketing people don't care about user trust or commitments. They'll just burn things to the ground and move on to the next corp job, each time making the world a slightly worse place.
@afkvido

afkvido commented 10 days ago

This clearly shows that GitHub cares more about revenue than the user base behind it.
Microsoft fucking sucks, GitHub wasn't evil until Microsoft really started to abuse GitHub.
@afkvido

afkvido commented 10 days ago

so what github alternative is everyone using these days? asking for a friend.

@afkvido afkvido left a comment

Requesting a change: Don't add this.
@RoyTinker

RoyTinker commented 10 days ago
edited

I understand that cookies are helpful for analytics and gathering sales funnel data. It's always sad when companies don't keep prior promises, though 😟
If you must break the promise, here's my suggestion, for what it's worth: move enterprise marketing pages (maybe even all marketing pages besides the front page?) off of github.com onto a separate domain. Maybe github.info?
Then point marketing links from the front page to that domain.
This will allow folks to deal with that domain separately from github.com.
@tylt6688

tylt6688 commented 10 days ago
edited

I personally feel that the enterprise version can be made independently.
@jacamera

jacamera commented 10 days ago

As a happy GitHub user I just hope all this recreational outrage doesn't result in GitHub allocating more time or resources than would otherwise be required to complete this change. Full speed ahead!
@afkvido

afkvido commented 10 days ago

As a happy GitHub user I just hope all this recreational outrage doesn't result in GitHub allocating more time or resources than would otherwise be required to complete this change. Full speed ahead!
I'd want GitHub to remove Microsoft, then continue full speed ahead
@evelynmarie

evelynmarie commented 10 days ago
edited

This change is only on subdomains where GitHub markets products and services to enterprise customers, and all other GitHub subdomains will continue to operate as-is.
Why are people getting so riled up when this change only impacts the Enterprise marketing subdomains? Makes no sense to me how this of all things is getting negative attention. Majority of people don't use GitHub Enterprise, as it's only for businesses, and they're just cookies. Use uBlock Origin as it says if you really can't stand a few cookies on subdomains you'll probably never end up going to.
Also, people love pointing the finger at Microsoft, as if this change was demanded by them. It more than likely wasn't. There are always going to be changes that people don't like, but not all changes are influenced by the parent company. If Microsoft was putting their hands all over GitHub, they probably would've moved GitHub to the Microsoft Policy Statement a long time ago.
@afkvido

afkvido commented 10 days ago

Cuz GitHub said they wouldn't use cookies
daym it's a broken promise
@evelynmarie

evelynmarie commented 10 days ago
edited

"We are also committing that going forward, we will only use cookies that are required for us to serve GitHub.com."
Apparently in corporate terms, a "commitment" is now less than two calendar years of obligation. Good to know. Though, I guess I don't visit the marketing pages and hence, don't really care that much? Corporations being untrustworthy isn't new territory.
Literally just "business advice": Your marketing teams should be weighing the value of the data here against the cost of "yet another breach of user trust and commitment", user trust, of course, being something extremely hard to earn back.
How exactly does this in any way impact user trust? It doesn't impact the main site, like the dashboard, the landing page, or any other part of GitHub like profiles, repositories, or organizations. It literally only impacts the enterprise marketing pages, and it's for sales data tracking & analytics. GitHub Enterprise is a very business-oriented product, so the only visitors to those pages will be by business leaders potentially interested in GitHub Enterprise, or users who land on that page by mistake.
And I believe that is what GitHub meant when they said "to serve GitHub.com" - the main site (dashboard, repos, profiles, etc), not including stuff related to their Enterprise product, so I genuinely don't believe they broke their commitment. People are overreacting, as usual, to insignificant changes that don't really impact them.
@afkvido

afkvido commented 10 days ago

That's fine but fuck microsoft for existing
@afkvido

afkvido commented 10 days ago

There's a reason this PR has 128+ negative reactions 👎
@afkvido

afkvido commented 10 days ago

Also, they have, take a look at this PR.
@evelynmarie

evelynmarie commented 10 days ago
edited

@afkvido: Also, they have, take a look at this PR.
This was more than likely not Microsoft's doing. Not everything a subsidiary of Microsoft does is because of Microsoft itself. You have the vast majority of comments on this PR (at 8 comments), and your opinion isn't be all end all. Most of the negative reactions are additionally probably from people who don't understand the scope of what GitHub said back when they committed to not use cookies not necessary to serve GitHub itself - they probably didn't extend it to the Enterprise marketing pages to begin with and always meant the main site that serves repositories and profiles and such.
There are things worse than cookies by the way, like actual trackers embedded in web pages. Cookies are relatively harmless if used sparingly and for very specific purposes like tracking sales analytics or for keeping a user logged into their web browsers, or in a specific GitHub use case, tracking the current site theme. There is nothing wrong with stuff like this.
You seem awfully mad at Microsoft for some reason, as if they stole your pet dog or something. This isn't 2000s & early 2010s-era Microsoft, Microsoft is nowhere near as bad as they were when Steve Ballmer was the CEO of Microsoft. Ever since Satya became CEO, I have noticed a significant improvement in Microsoft's business culture and strategy. MS was way, way, way worse back when Ballmer was CEO.
(also, slight question, why upvote your own comments?)
@afkvido

afkvido commented 10 days ago

This was more than likely not Microsoft's doing. Not everything a subsidiary of Microsoft does is because of Microsoft itself.
I don't know why anyone at GitHub would do this change, and Microsoft is the only other entity with the authority to make such a change.

You have the vast majority of comments on this PR (at 8 comments), and your opinion isn't be all end all.
I just poke in whenever this comes up on my GitHub notifications.

Most of the negative reactions are additionally probably from people who don't understand the scope of what GitHub said back when they committed to not use cookies not necessary to serve GitHub itself - they probably didn't extend it to the Enterprise marketing pages to begin with and always meant the main site that serves repositories and profiles and such.
That is a good point, however, that doesn't change the fact that GitHub is no longer the white and fluffy angel that it was.

There are things worse than cookies by the way, like actual trackers embedded in web pages. Cookies are relatively harmless if used sparingly and for very specific purposes like tracking sales analytics or for keeping a user logged into their web browsers, or in a specific GitHub use case, tracking the current site theme. There is nothing wrong with stuff like this.
While you seem quite intelligent, I don't think that you understand that cookies could actually be used as slight trackers, and if used to their fullest potential, complete on-site tracking for AI/ML based targeted recommendations for profit.

You seem awfully mad at Microsoft for some reason, as if they stole your pet dog or something. This isn't 2000s & early 2010s-era Microsoft, Microsoft is nowhere near as bad as they were when Steve Ballmer was the CEO of Microsoft. Ever since Satya became CEO, I have noticed a significant improvement in Microsoft's business culture and strategy. MS was way, way, way worse back when Ballmer was CEO.
Microsoft is still a mega-corp. They're still 'evil', just like Google or Apple. I also don't see much of a difference with the two CEOs. One was making more money, one was discussing ethics more often, but in the end, Microsoft is still somewhat invasive. To add on, Microsoft decided to absolutely RUIN Minecraft, a game that I don't really play these days, but my friends play a lot.

(also, slight question, why upvote your own comments?)
(also, slight question, why downvote my comments?)
@zzo38

zzo38 commented 10 days ago

I think that the cookies ought to be documented, so that you know which cookie means what.
I also think that they should avoid using confusing privacy policies; the mention of DNT should either be kept as is if GitHub uses the DNT header to reduce tracking, or deleted entirely if GitHub does not use the DNT header. If it does so only in some cases, it should mention what cases these are. The privacy policy made sense before the change in the section about DNT, although the change mentioned above makes it confusing (as other comments already mention).
Mentioning other programs such as Privacy Badger and uBlock Origin are OK, although it might be worth to add a disclaimer if GitHub is not affiliated with such programs, even if they are hosted on GitHub. (Since GitHub is used for many FOSS projects, it is likely that some of them will be.)
I have no problem with adding these non-essential cookies to the enterprise marketing pages, as long as the rest of GitHub can be used without it and it is documented which pages these are (and if the cookie domain is the same, also which cookies). Moving the enterprise marketing pages to a separate domain seems to me to be a good idea though, in order to be clearly distinguished (although a subdomain is probably good enough, in my opinion; as long as it is documented clearly which subdomains these are).
About alternatives to GitHub, I would not recommend GitLab because it will not display the files if JavaScripts are not enabled. However, it is acceptable to use GitLab if there are mirrors on multiple services. GitHub, Codeberg, and NotABug, and some others, also use JavaScripts, although the files can be displayed even if JavaScripts are disabled (even though there is a note that says enable JavaScripts, it is not required to simply view files), so it is acceptable. Another alternative is Sourcehut, which also doesn't need JavaScripts (and says that all features work without JavaScripts, although it still has some).
@afkvido

afkvido commented 10 days ago

I don't mind GitLab, except that I have to pause for 15 minutes to finish laughing every time I see "Merge Requests"
@sammcj

sammcj commented 10 days ago

I guess it's a bit like Microsoft ❤️ Linux....
@evelynmarie

evelynmarie commented 10 days ago
edited

I don't know why anyone at GitHub would do this change, and Microsoft is the only other entity with the authority to make such a change.
There are a lot of factors that go into making a decision such as this, and it was probably some higher-ups at the executive level for GitHub who decided to make the decision. Keep in mind, GitHub did just get a new CEO, @ashtom, who could have had a factor in why this change was made. GitHub is an independent subsidiary within Microsoft, so I do not believe Microsoft would force this kind of a change.
That is a good point, however, that doesn't change the fact that GitHub is no longer the white and fluffy angel that it was.
No business or company is ever a "white fluffy angel". Companies get embroiled in controversy all the time, and GitHub did as well even before Microsoft ever acquired it, a big one being back in 2014 when there were proven harassment allegations regarding the founder of GitHub regarding him and his wife where they harassed an employee, Julie, to the point of basically forcing her to resign from the company. To say the least, there are a lot of iffy things a company does, and no company has ever been perfect, not even GitHub.
While you seem quite intelligent, I don't think that you understand that cookies could actually be used as slight trackers, and if used to their fullest potential, complete on-site tracking for AI/ML based targeted recommendations for profit.
I am aware that cookies can be used for more-sophisticated tracking, however what I was saying is that if they are used sparingly, and only for essential product functionality (like remembering your login details), they aren't all that bad. However, if they are used for the purposes that you suggested, for tracking users unnecessarily for example or for targeted recommendations, that is when the usefulness and privacy of cookies does come into question.
Microsoft is still a mega-corp. They're still 'evil', just like Google or Apple. I also don't see much of a difference with the two CEOs. One was making more money, one was discussing ethics more often, but in the end, Microsoft is still somewhat invasive. To add on, Microsoft decided to absolutely RUIN Minecraft, a game that I don't really play these days, but my friends play a lot.
I genuinely do not understand this one. I do understand that Mojang recently added a player chat reporting system to the Java Edition of the game as of version 1.19.1, however I do not find that to be a bad thing, as a report system is pretty useful to avoid malicious players from being able to harm or abuse others. I additionally do understand that the ban is on a multiplayer-wide level, where if you're banned from one server, it takes effect account-wide regarding online play for a set duration of time, or permanently, but I do not find this to be a bad thing either. If a player harasses someone on one server, what stops them from harassing more people on other servers? Aside from this system, which has been controversial and that I do genuinely believe should exist, I do not believe that Mojang or Microsoft has ruined Minecraft in any way at all.
I guess it's a bit like Microsoft ❤️ Linux....
It still applies to the entirety of GitHub.com, such as repositories, profiles, the dashboard, account settings, etc. It only impacts GitHub's enterprise pages, the ones that market and sell Enterprise to companies and organizations. Everything else is unaffected, so no, it is not like Microsoft ❤️ Linux in any way, and that whole thing does genuinely seem genuine. Microsoft knows now that Linux is not something that should be attacked.
@exitnode

exitnode commented 10 days ago

so what github alternative is everyone using these days? asking for a friend.
Your friend might be interested in hosting their code at codeberg.org. A friend of mine moved there, too.
@pankajthekush

pankajthekush commented 10 days ago
edited

Use uBlock Origin as it says if you really can't stand a few cookies
Do you know about Manifest version 3? They are going to kill uBlock Origin, how stupid do you think we are?
@evelynmarie

evelynmarie commented 10 days ago
edited

Why are people getting so riled up when this change only impacts the Enterprise marketing subdomains? Makes no sense to me
How much they pay you to shill for Microsoft, this is how it begins, this is how they killed Cent OS, this is how they jeopardized java, corporations are never to trust with good products.
Cent OS wasn't even a Microsoft product, it was a product owned by Red Hat, which is in turn a subsidiary of IBM. Microsoft had nothing to do with why they killed off the standard CentOS operating system. And I'm not shilling for Microsoft at all, I'm simply trying to be reasonable here. Not everything that happens is Microsoft's fault, and if you think that, then you are immediately wrong. And Microsoft never jeopardized Java - Java is Oracle, and Java is still going strong and being used in lots of software and products to this day, including Android. Microsoft has done nothing to Java, so that last point is moot, null, and void.
Do you know about Manifest version 3? They are going to kill uBlock Origin, how stupid do you think we are?
That is Google's problem, not Microsoft's. Again, Manifest v3 is a Google-developed feature, not something developed by Microsoft. Microsoft does use Chromium, but this is Google's fault, not Microsoft's. People love bashing Microsoft for things they never even do, as if everything wrong that ever happens in the world is Microsoft's fault, which is not the case at all.
@pankajthekush

pankajthekush commented 10 days ago

Cent OS wasn't even a Microsoft product, it was a product owned by Red Hat, which is in turn a subsidiary of IBM. Microsoft had nothing to do with why they killed off the standard CentOS operating system. And I'm not shilling for Microsoft at all, I'm simply trying to be reasonable here. Not everything that happens is Microsoft's fault, and if you think that, then you are immediately wrong. And Microsoft never jeopardized Java - Java is Oracle, and Java is still going strong and being used in lots of software and products to this day, including Android. Microsoft has done nothing to Java, so that last point is moot, null, and void.
That is Google's problem, not Microsoft's. Again, Manifest v3 is a Google-developed feature, not something developed by Microsoft. Microsoft does use Chromium, but this is Google's fault, not Microsoft's. People love bashing Microsoft for things they never even do, as if everything wrong that ever happens in the world is Microsoft's fault, which is not the case at all.
Microsoft, Google, Amazon, Red Hat, these are corporations, they all have same motive: Money, I was simply stating what happened to Cent OS, Java, Manifest v2 will happen to Github because Microsoft being corporation will burn github down for monetary gains.
I have deleted my comment of you accusing of payment and shilling because that was somewhat in bad taste
@SarnaxLii

SarnaxLii commented 10 days ago

Cent OS wasn't even a Microsoft product, it was a product owned by Red Hat, which is in turn a subsidiary of IBM. Microsoft had nothing to do with why they killed off the standard CentOS operating system. And I'm not shilling for Microsoft at all, I'm simply trying to be reasonable here. Not everything that happens is Microsoft's fault, and if you think that, then you are immediately wrong. And Microsoft never jeopardized Java - Java is Oracle, and Java is still going strong and being used in lots of software and products to this day, including Android. Microsoft has done nothing to Java, so that last point is moot, null, and void.
That is Google's problem, not Microsoft's. Again, Manifest v3 is a Google-developed feature, not something developed by Microsoft. Microsoft does use Chromium, but this is Google's fault, not Microsoft's. People love bashing Microsoft for things they never even do, as if everything wrong that ever happens in the world is Microsoft's fault, which is not the case at all.
Microsoft, Google, Amazon, Red Hat, these are corporations, they all have same motive: Money, I was simply stating what happened to Cent OS, Java, Manifest v2 will happen to Github because Microsoft being corporation will burn github down for monetary gains.
I have deleted my comment of you accusing of payment and shilling because that was somewhat in bad taste
Everything in this world requires money. And that's what matters. No money = No everything.
Money may not buy everything. But money can buy almost anything.
And I think you're hating their organization.
@nothub

nothub commented 10 days ago

@gruselhaus

gruselhaus commented 10 days ago

mxrcury
mxrcury approved these changes 10 days ago
@jnehlmeier

jnehlmeier commented 10 days ago

so what github alternative is everyone using these days? asking for a friend.
@just-max

just-max commented 10 days ago
edited

I would first like to clarify what a cookie actually is since more people seem to be confused about this.
No one here is confused about this. The difference between essential and non-essential cookies is very clear, and GitHub has always used the former ("We are also committing that going forward, we will only use cookies that are required for us to serve GitHub.com."). GitHub is adding marketing cookies, and that's what the discussion is about.
People are concerned about GitHub using cookies for marketing purposes. In my opinion, such cookies are always malicious, unless they are genuinely opt-in, are added at the request of users and where there is complete transparency as to the data that is collected.
@ryuukk

ryuukk commented 10 days ago

Everything Microsoft touches becomes bad.. Gitlab is on the same boat due to being a public company
Time for an alternative, luckily we have choice
218 + GitHub uses cookies to provide, secure and improve our Service or to develop new features and functionality of our Service. For example, we use them to (i) keep you logged in, (ii) remember your preferences, (iii) identify your device for security and fraud purposes, including as needed to maintain the integrity of our Service, (iv) compile statistical reports, and (v) provide information and insight for future development of GitHub.
219 +
220 +
221 + For Enterprise Marketing Pages, we may also use non-essential cookies to (i) gather information about enterprise users’ interests and online activities to personalize their experiences, including by making the ads, content, recommendations, and marketing seen or received more relevant and (ii) serve and measure the effectiveness of targeted advertising and other marketing efforts. If you disable the non-essential cookies on the Enterprise Marketing Pages, the ads, content, and marketing you see may be less relevant. We provide more information about [cookies on GitHub](/github/site-policy/github-subprocessors-and-cookies#cookies-on-github) on our [GitHub Subprocessors and Cookies](/github/site-policy/github-subprocessors-and-cookies) page that describes the cookies we set, the needs we have for those cookies, and the expiration of such cookies.
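
Review bot: "Enterprise Marketing Pages" on added line 221 is used as a capitalized term, but nothing in the visible lines says which pages or subdomains it covers, and the description of the cookies is deferred to the linked Subprocessors and Cookies page. Define the term here or link to a list of the affected subdomains, and make sure the linked page names the non-essential cookies it is said to describe. Added lines 219 and 220 also introduce two consecutive blank lines where one would do.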

@airtower-luna airtower-luna 10 days ago

There's no mention of the "non-essential cookies" and which sites are affected in the linked github-subprocessors-and-cookies page. That seems important for people to form an informed opinion on this change, let alone whether to use those sites.

@evelynmarie evelynmarie 10 days ago

The cookies will be added to the subprocessors and cookies page once the change goes into effect more than likely.

@lodo1995 lodo1995 3 days ago

Yes, but not publishing that information in advance means that there can't be any public scrutiny of what will be affected by this policy change, which goes against the entire point of having a public pull request to discuss.
@TheMaverickProgrammer

TheMaverickProgrammer commented 10 days ago

"We are also committing that going forward, we will only use cookies that are required for us to serve GitHub.com."
Apparently in corporate terms, a "commitment" is now less than two calendar years of obligation. Good to know. Though, I guess I don't visit the marketing pages and hence, don't really care that much? Corporations being untrustworthy isn't new territory.
Literally just "business advice": Your marketing teams should be weighing the value of the data here against the cost of "yet another breach of user trust and commitment", user trust, of course, being something extremely hard to earn back.
How exactly does this in any way impact user trust? It doesn't impact the main site, like the dashboard, the landing page, or any other part of GitHub like profiles, repositories, or organizations. It literally only impacts the enterprise marketing pages, and it's for sales data tracking & analytics. GitHub Enterprise is a very business-oriented product, so the only visitors to those pages will be by business leaders potentially interested in GitHub Enterprise, or users who land on that page by mistake.
And I believe that is what GitHub meant when they said "to serve GitHub.com" - the main site (dashboard, repos, profiles, etc), not including stuff related to their Enterprise product, so I genuinely don't believe they broke their commitment. People are overreacting, as usual, to insignificant changes that don't really impact them.
This is how it always starts.
  1. They're just doing it for the corporate accounts, what's the big deal?
  2. They're just doing it for the corporate accounts and sponsored github projects, what's the big deal?
  3. They're just doing it for the corporate accounts, sponsored projects, and github projects with a lot of web traffic.
  4. So what? GitHub is owned by Microsoft and is a private company. Don't like it, go somewhere else or make your own github.
  5. Shut up, eat your cookies and be grateful.
Also, why are you writing novels in here and defending them so hard? You must be on the team promoting this change.
@afkvido

afkvido commented 10 days ago

> So what? GitHub is owned by Microsoft and is a private company. Don't like it, go somewhere else or make your own github.
Microsoft sucks DICH.
@pankajthekush

pankajthekush commented 10 days ago

> 4. So what? GitHub is owned by Microsoft and is a private company. Don't like it, go somewhere else or make your own github.
Go ahead, make your own Twitter. Parler was shut down by all of Amazon, Google and Apple. You see, you claim to make your own stuff, and when people do, these big techs gang up and destroy those.
@ryuukk

ryuukk commented 10 days ago
edited

> so what github alternative is everyone using these days? asking for a friend.
GitLab is even worse; it is backed by YCombinator
https://sourcehut.org/ for a real independent alternative
both care about your privacy
@PythonCoderAS

PythonCoderAS commented 10 days ago

> > 1. So what? GitHub is owned by Microsoft and is a private company. Don't like it, go somewhere else or make your own github.
> Go ahead, make your own Twitter. Parler was shut down by all of Amazon, Google and Apple. You see, you claim to make your own stuff, and when people do, these big techs gang up and destroy those.
The reason they shut it down is because it was used to help stage a coup against a democratic government, not because it was a twitter copy.
@ddevdan

ddevdan commented 10 days ago

👎🏼
@PythonCoderAS

PythonCoderAS commented 10 days ago

Please use a reaction instead of cluttering the conversation.
On Aug 3, 2022, 4:10 PM -0400, daniel carvalho ***@***.***> wrote: 👎🏼
@nodgear

nodgear commented 10 days ago

Before we had the promise of not having third party cookies anymore
Now, we are having the promise of having it partially back
Later it will just be all over the place again, that's how it always ends up.
reminds me of the old famous "Embrace, extend and extinguish"
I wonder which company was that.... hmmm...
@Obazzi

Obazzi commented 9 days ago

> so what github alternative is everyone using these days? asking for a friend.
@TheMaverickProgrammer join Codeberg and liberate your life.
@Obazzi

Obazzi commented 9 days ago

it's pretty sad Gitea doesn't dogfood their own project and use GitHub tbh :(
@github-staff github-staff deleted a comment from GoldenretriverYT 9 days ago
@Nllii

Nllii commented 9 days ago

Hahah, Github Marketing and HR is finally turning developers into consumers.
All the data coming from individuals, tracking and fingerprinting users over the years on Github, has been collecting dust.
I am sure the majority of developers/programmers don't even care enough to interact with GitHub itself. It was only a matter of time before Github gets to utilize that personal information from our job and school using their enterprise server.
Github already has our internal/private IP address and system information, now it's time to get the person behind the screen.
We are getting closer to GitHub becoming a social media platform.
@afkvido

afkvido commented 9 days ago

True, but very unfortunate
@homelyseven250

homelyseven250 commented 9 days ago

Minecraft, Github, Windows 11... what's next?
@gruselhaus

gruselhaus commented 9 days ago

> Minecraft, Github, Windows 11... what's next?
we all, the developers
@parpok

parpok commented 9 days ago

Dear MS
Please let your companies operate on their own
@GoldenretriverYT

GoldenretriverYT commented 9 days ago
edited

😐
My normal comment was deleted lmao - how poorly can olholder handle critical comments? There were no insults, no personal attacks, nothing.
@r00ster91

r00ster91 commented 9 days ago
edited

@BlueSkyClouds

BlueSkyClouds commented 9 days ago

very unfortunate
@skystash

skystash commented 9 days ago

GDPR / The Cookie Law states that consent must be obtained and freely given without coercion (e.g. blocking access to Github) before they can use non-essential cookies / PII (personal identifiable info). This sounds kinda illegal to force through in EU countries no?
See: https://gdpr.eu/cookies/ > "Cookie compliance"
  • Receive users’ consent before you use any cookies except strictly necessary cookies.
  • Allow users to access your service even if they refuse to allow the use of certain cookies
@gruselhaus

gruselhaus commented 9 days ago

GitHub marketing team rn
@zzo38

zzo38 commented 9 days ago

> GDPR / The Cookie Law states that consent must be obtained and freely given without coercion (e.g. blocking access to Github) before they can use non-essential cookies / PII (personal identifiable info).
Hopefully, if such cookies are only applicable for the enterprise marketing pages, and it is clear which ones those are, then such a message can be added on those pages only without disrupting the rest of GitHub. Then, users can still use GitHub even if they refuse the non-essential cookies. Then such "cookie popups" will not be needed on most of the GitHub; they are only in one section which hopefully most users will not need.
tejusp
tejusp approved these changes 9 days ago
@SawyerHopkins

SawyerHopkins commented 8 days ago
edited

As a California resident I am unable to find your CCPA contact info. What is the correct contact at GitHub/Microsoft to have this information deleted? I believe legally there is a requirement to have at least 2 easily accessible methods for submitting these requests.
e-coders
e-coders approved these changes 8 days ago

@e-coders e-coders left a comment

I hope these changes are good, approving is good.
@TheMaverickProgrammer

TheMaverickProgrammer commented 8 days ago

We need to get a YouTuber in here to read these comments. That's the only way to get the right thing done these days.
@Sooraj-s-98

Sooraj-s-98 commented 8 days ago

@Alex-Sour

Alex-Sour commented 8 days ago

what is the reason for this change? who does it benefit
@gruselhaus

gruselhaus commented 8 days ago

> what is the reason for this change? who does it benefit
GitHub obviously
@stamminator

stamminator commented 7 days ago
edited

So let me get this straight... you're introducing marketing cookies for enterprise — i.e. paying — customers? That has the same energy as Google Workspace accounts being way worse than free Google accounts. Why would you do that to people who are paying you money?
@afkvido

afkvido commented 7 days ago

> > what is the reason for this change? who does it benefit
> GitHub obviously
Microsoft more than Gh
@afkvido

afkvido commented 7 days ago

GitHub ain't evil, yknow, It's Microsoft that's a fuckin dawg
@GoldenretriverYT

GoldenretriverYT commented 7 days ago

> GitHub ain't evil, yknow, It's Microsoft that's a fuckin dawg
Microsoft doesn't do a lot with its subsidiaries. For example, a Mojang dev said:
Marketplace? Mojang's idea
Chat Report System? Mojang's idea
It's probably not gonna be different on GitHub
@afkvido

afkvido commented 7 days ago

pal, i just don't know why i would trust megacorps, but honestly, i'm just sad that GitHub is losing its authentic "we aren't evil"
@dragonDScript

dragonDScript commented 6 days ago

The reactions of this PR show what people think. Please don't merge.
@EduApps-CDG

EduApps-CDG commented 6 days ago

> The reactions of this PR show what people think. Please don't merge.
It's already on the main page, you know what's going to happen...
@afkvido

afkvido commented 6 days ago

unfortunate
@steven9463912

steven9463912 commented 6 days ago

What leaves me speechless is that there are still people not using https://privacybadger.org/ and https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
@dragonDScript

dragonDScript commented 6 days ago

> What leaves me speechless is that there are still people not using https://privacybadger.org/ and https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
The good thing about Firefox is Total Cookie Protection. It's the only reason I'm still using it. I hope chromium based browsers also get this feature OR firefox gets more adoption (unlikely)
@dragonDScript

dragonDScript commented 6 days ago

Yeah, sure. And the UWP based version is also Mojang's idea. Microsoft is known to ruin their subsidiaries by making the wrong choices. Like a helicopter parent.
@Hudson-AmalembaL

Hudson-AmalembaL commented 5 days ago

Low key, if I could just fork github and run it on my local network....
and
git pull
when they make pr's
:)
@GoldenretriverYT

GoldenretriverYT commented 5 days ago

> Yeah, sure. And the UWP based version is also Mojang's idea. Microsoft is known to ruin their subsidiaries by making the wrong choices. Like a helicopter parent.
Sure, the Mojang Employee loves Microsoft and would defend them for no purpose at all!
@avin-kavish

avin-kavish commented 5 days ago

Time to make a new github.
@avin-kavish

avin-kavish commented 5 days ago

This is the problem with the unprofitable give-stuff-for-free-using-venture-capital-money business model. Eventually all values get compromised to make a buck.
@mackuba

mackuba commented 5 days ago

Whatever, as long as you don't show those obnoxious cookie banners and popups anywhere… I don't care as much about what code a site is running as I'm browsing it, as about not being forced to review and accept or reject something before I read every page on the internet…
@afkvido

afkvido commented 5 days ago

> Time to make a new github.
ay, ya mean Gitea or Sourcehut, or some other one?
@seebs

seebs commented 4 days ago

This seems straightforwardly bad. I've seen a lot of people expressing concern about the potential harms of having github be such a common and centralized authority, and this is one of the most persuasive arguments I've seen that they're right and that github shouldn't be trusted with that level of effective-authority.
I should maybe mention that at least one group of developers I work with is at this moment in the process of discussing whether to keep hosting things on github, move them to gitlab, or do something else...
@afkvido

afkvido commented 4 days ago

fr
@RoonMoonlight

RoonMoonlight commented 4 days ago

I guess this does not affect me so I will just slide...
@zzo38

zzo38 commented 4 days ago

I think that you can make multiple mirrors on different services (and store them locally on your own computer too), if you are worried about some not working, and you do not have to use only one service. For example, you can mirror on both GitHub and on Codeberg (or some other combination), instead of only one.
@pablodz

pablodz commented 4 days ago

Wtf
@pivic

pivic commented 4 days ago

Please refrain from surveillance capitalism.
@hagemt

hagemt commented 4 days ago
edited

I do appreciate the opportunity to comment on this. I know some parties (not calling out anyone particular in this thread) are upset by this change, to put it mildly. Count me among their number. I do not think these changes are a move in the positive direction. Please continue to support the DNT standard, and endeavour to instill its importance when acting in partnership with other businesses.
As we are all parties who interact with Microsoft, I find this expansion of tracking cookies another reason to weaken my personal relationship with the platform, as well as a reason to second guess business dealings with Microsoft and its subsidiaries. I am certainly NOT the only developer who feels this way. While GitHub offers a good product for many, be aware that any de facto position of market leader is beholden to a market that is very willing to vote with its feet.
edits: correcting typos, its vs. it's (written from a phone)
@gruselhaus

gruselhaus commented 4 days ago
edited

We need 💯 as a reaction option
@devtooligan

devtooligan commented 4 days ago

I oppose this. Please don't merge this change.
@csnyder616

csnyder616 commented 4 days ago

I'm sure various teams within GitHub (marketing, UX, product development, data analytics...) have been clamoring for this change for some time. However, they've almost certainly set expectations too high for how much value you'll get from this data, especially given the loss of trust with your customer base. Please reconsider this.
@thany

thany commented 4 days ago
edited

Let me just tighten my content blocker.
Github already has SOOO MUCH information. Why the fluff does it need more? How can you STILL be hungry for more data? The tracking gluttony must stop!
@Mindgamesnl

Mindgamesnl commented 4 days ago

As if github didn’t walk the line enough with copilot and the used training data.
@ashtom, Is this your call?
What the fuck
@ThomasFrans

ThomasFrans commented 4 days ago

Time to completely move to GitLab.
@torstenvl

torstenvl commented 4 days ago

This is a poorly-considered change. If you want analytics cookies, I understand that, but deliberately ignoring DNT is beyond the pale.
@bnb

bnb commented 4 days ago

Wildly disappointed in this shift. The developer goodwill you will burn from making this change is not worth the marginal potential pipeline increase.
This reflects extremely poorly both on GitHub and on Microsoft as the stewards of this platform.
@bermannoah

bermannoah commented 4 days ago

As someone who uses both github dot com and github enterprise on a daily basis for work, I do not appreciate being tracked across one set of offerings -- what more could you possibly want to know about us? What data do you not get by knowing everything we do on the platform, our codebase, the way we use CI/CD, and so on? If you want to have a site for people who don't use the product but you want tracking details from them, why not make a separate domain entirely for marketing purposes and send that around? How are we supposed to trust any of Github's other commitments if they won't even stick to no cookies?
@Studio384

Studio384 commented 4 days ago

> GitHub ain't evil, yknow, It's Microsoft that's a fuckin dawg
This policy was introduced under Microsoft in the first place.
218 + GitHub uses cookies to provide, secure and improve our Service or to develop new features and functionality of our Service. For example, we use them to (i) keep you logged in, (ii) remember your preferences, (iii) identify your device for security and fraud purposes, including as needed to maintain the integrity of our Service, (iv) compile statistical reports, and (v) provide information and insight for future development of GitHub.
219 +
220 +
221 + For Enterprise Marketing Pages, we may also use non-essential cookies to (i) gather information about enterprise users’ interests and online activities to personalize their experiences, including by making the ads, content, recommendations, and marketing seen or received more relevant and (ii) serve and measure the effectiveness of targeted advertising and other marketing efforts. If you disable the non-essential cookies on the Enterprise Marketing Pages, the ads, content, and marketing you see may be less relevant. We provide more information about [cookies on GitHub](/github/site-policy/github-subprocessors-and-cookies#cookies-on-github) on our [GitHub Subprocessors and Cookies](/github/site-policy/github-subprocessors-and-cookies) page that describes the cookies we set, the needs we have for those cookies, and the expiration of such cookies.
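Review bot: In line 221, "If you disable the non-essential cookies on the Enterprise Marketing Pages" does not say how a visitor disables them, and the closing "and other marketing efforts" in item (ii) is open-ended. State the opt-out mechanism in this paragraph (for example, a consent control on those pages) and either enumerate the marketing purposes or drop the catch-all, so that the purposes listed here are the complete set.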

@gruselhaus gruselhaus 4 days ago

"and other marketing efforts." 🤨
@jmillerv

jmillerv commented 4 days ago

Should this merge go through, I'll be pulling my personal projects and ending my GitHub subscription.
@EtchedPixels

EtchedPixels commented 4 days ago

I think your lawyers need to look at the EU rules a bit more carefully before ignoring DNT, and also fix your EU/US data sharing in light of the legal rulings over adequacy
@mbifulco

mbifulco commented 4 days ago

(Interrupting my beach vacation OOO for this one... 🏝)
Happy GitHub user here - I've used it for many projects with many organizations (from bootstrapped startup to enterprise orgs), OSS teams, and personal projects.
IMO, this is a bad move.
GitHub has the power and potential to get the attention of virtually every enterprise business around the world - by way of delivering great, meaningful and impactful products.
You've brought many things to market that improve team workflows, save orgs money, and make delivering great software incrementally easier. Tools like codespaces and copilot, Kanban boards for issue tracking and Actions for automation can make all of our lives easier. We see these things and we pay attention. Every dev team in the world knows what GitHub can deliver on.
We also see when GitHub makes decisions that endanger people, erode trust, and work against the presumptive goals of OSS and an open internet. These things hurt GitHub more than they help, despite the short term gains which may seem appealing during Annual and Quarterly planning.
This choice seems like one of those decisions.
The long term effect of adopting non-essential cookies to serve what must feel like an easy short term win is a net negative for GitHub and its users, especially after a very public recent announcement that GitHub would be doing exactly the opposite of this from [then] on.
Please consider rejecting this proposal, and not approving the use of any non-essential tracking. The dev community and your enterprise customers will appreciate you for it that much more.
@9999years

9999years commented 4 days ago

This is a really poor change. Sad to see GitHub so obviously prioritizing profits over its users.
@afkvido

afkvido commented 4 days ago

https://www.change.org/GitHubCookies

STOP THE COOKIES

@jdsimcoe

jdsimcoe commented 4 days ago

This is a poor direction. Please reverse this GitHub.
@aldenjenkins

aldenjenkins commented 4 days ago

I thoroughly disagree with the proposed changes.
@ricobeck

ricobeck commented 4 days ago

Please revert this poor decision!
@RamiAwar

RamiAwar commented 4 days ago

Why can't we just block cookies from Github?
@ryanvade

ryanvade commented 4 days ago

If GitHub proceeds with this change then where will the data go?
@ShadeAJ1

ShadeAJ1 commented 4 days ago
edited

😡
@sethmlarson

sethmlarson commented 4 days ago

Hey, I'm an extremely heavy user, advocate, and enjoyer of GitHub. 👋
Totally understand the desire to use cookies for marketing purposes. It's clear you're trying to keep the boundaries where non-essential cookies are only used for enterprise pages. I appreciate this approach.
Two suggestions that would make me less worried that these changes would one day spill over into the critical open source software infrastructure side of GitHub that so many of us care about and depend on:
  • Before (or worst case, after) this change is published, make a statement referencing your prior commitment to privacy and how this change won't change that commitment for public projects. Your reputation on this prior commitment is already blemished, especially because this wasn't presented as a blog post and instead as only a pull request to the privacy statement.
  • Don't make an exception for DNT, even on the enterprise pages. Respect privacy, even if it means that you're making slightly less money.
@lennartzellmer

lennartzellmer commented 4 days ago

Don't do that - please!
@andrewthetechie

andrewthetechie commented 3 days ago

I am a long-term paying user of Github and an advocate for the use of Github in the businesses I interact with. I view this change as hostile to user privacy and if adopted, will move my code off of Github and change my advocacy with businesses as well.
As many other commenters have already voiced, this change reneges on a previous privacy promise you made to your users. There are many suggestions in the thread already of how you can make this change more palatable so I'll refrain from adding any more.
@BLamy

BLamy commented 3 days ago

It’s good everyone agrees not to do this.
@dragonDScript

dragonDScript commented 3 days ago

> This is a really poor change. Sad to see GitHub so obviously prioritizing profits over its users.
Nothing bad about making extra profit, they're a business and we're in the middle of a crisis. But, privacy is essential, they promised not to use cookies. Look, just the fact that I'll have to click a reject cookies dialog - makes me sick.
@ezufall

ezufall commented 3 days ago

I object to these additional tracking cookies. Why? GitHub itself said it best: https://github.blog/2020-12-17-no-cookie-for-you/ This proposed change is a direct undermining of GitHub's claimed company values and promises.
@Rwarcards762

Rwarcards762 commented 3 days ago

It's literally as simple as https://github.blog/2020-12-17-no-cookie-for-you/ -- especially when the Enterprise customers are already tracked via... y'know... all of their business data you're handling.
Hate to see companies go back on their word like this.
@agowa338

agowa338 commented 3 days ago

Please don't. We have already enough pages where you have to click "deny all" on every visit. I don't need another one...
@vixalien

vixalien commented 3 days ago

L for Github
@jhilker1

jhilker1 commented 3 days ago

I'm also suggesting with the others here not to add this.
@KaizNike

KaizNike commented 3 days ago

I fail to see how this is terrible for me (some clarification would be cool.) Not an ideal direction to be heading in, I understand, but it doesn't seem in the spirit of how I want this site operated.
@afkvido

afkvido commented 3 days ago

https://www.change.org/GitHubCookies

STOP THE COOKIES

@BigmenPixel0

BigmenPixel0 commented 3 days ago

Very bad.

@jonsterling jonsterling left a comment

Delete these changes; also, obey DNT.
@leestarb

leestarb commented 3 days ago

Really not good
@afkvido

afkvido commented 3 days ago

OVER 1k Dislikes holy shit

@aidapsibr

aidapsibr commented 3 days ago

I'll be moving to other hosting if tracking starts.
@UnoYakshi

UnoYakshi commented 3 days ago

If that PR goes in, I'm out. I'm not going to be a part of this digital dystopia where I am just a product and where companies don't care about the people.
Let's make it straight. This is the beginning of the end. If such changes go through, and people tolerate it, we are to see way more of “corporate practices” (i.e., bullshit). You'll see more of «to protect our customers' and company's values, we are to integrate <yet another money bringing something exposing users with wording so unclear and polite you won't have any idea of what it might be>». And of course it won't be GitHub or MS if anything critical happens: «As you know, the biggest leak of 2024 has happened due to a third-party service (that we are bound to keep in secret), however, we've done everything in our power to ensure such thing never happening again!»
Self-hosted or cloud-based is yet something I'll need to decide. For those who are looking for GitHub alternatives, there are plenty. To name a few:
@kyemets

kyemets commented 3 days ago

> OVER 1k Dislikes holy shit

There will be even more dislikes

@Snaddyvitch-Dispenser Snaddyvitch-Dispenser left a comment
edited

Perhaps: Don't?
Alternative: I can move everything over to my gitea instance if you feel it so necessary to do this.
@jtardioli

jtardioli commented 3 days ago

Please don't do this
@SalvatorePreviti

SalvatorePreviti commented 3 days ago

@imsnif

imsnif commented 3 days ago

Hi, please don't do this. If you want to know what your users want, how about asking us instead of spying on us?
@calebhearth

calebhearth commented 3 days ago

I would definitely feel less comfortable visiting, hosting code on, etc. GitHub if this change were made. Please no.
@jeffwask

jeffwask commented 3 days ago

Many people around the world have felt free to collaborate on this platform untracked and safe from their local oppressive governments. You were built on the backs of open source. You looted open source to build your own products. Now, this...
Please revert this terrible idea.
@mackuba

mackuba commented 3 days ago

I think people might be somewhat… overreacting in this thread? It says it's only on sites like https://resources.github.com, not on main github.com. I don't think many non-enterprise users even visit that site. And I don't think it's uncommon for a website to record some things about what its users are doing in order to improve the experience, I'm sure github.com is already doing quite a lot of that - without using cookies, because you don't need cookies when the user is logged in and you can just record data in their account in the database…
@lodo1995

lodo1995 commented 3 days ago

@mackuba for the 1000th time, it's not about which domains have it. It's about the fact that GitHub previously stated that it was against its ethics to use non-essential cookies. It is therefore fair to treat this as a change in the ethics of GitHub. This is the concerning fact. If GitHub hadn't explicitly stated that its commitment to privacy prevented it from using non-essential cookies, there wouldn't be such a huge reaction. Because of those previous statements, this is not a simple cookie policy change. GitHub itself, by making those commitments previously, has turned this into an acknowledgment that they now care about our privacy less than before, and that now their ethical standards are lower.
GitHub used those commitments to build trust and attract privacy-sensitive users. Now that they managed to do that, they are going to break their promises, because they know that stopping to use their service is going to be hard for many. This is the problem. Not the action per se, but the way that this action goes against what they set out as their ethics and privacy commitments.
@aredridel

aredridel commented 3 days ago

> I think people might be somewhat… overreacting in this thread?
I somewhat agree: however it's a strong stance to keep as is, and a slippery slope with this change.
So much of the problem with modern marketing and tracking isn't actually the privacy aspects: it's the fact that everything now is designed around what these tools measure, and standing strong against that does leave us with the possibility of doing better, more understanding relationships.
36 - | [Who is responsible for the processing of your information](#who-is-responsible-for-the-processing-of-your-information) | Subject to limited exceptions, GitHub is the controller and entity responsible for the processing of your Personal Data in connection with the Website or Service. |
37 - | [What information GitHub collects](#what-information-github-collects) | GitHub collects information directly from you for your registration, payment, transactions, and user profile. We also automatically collect from you your usage information, cookies, and device information, subject, where necessary, to your consent. GitHub may also collect Personal Data from third parties. We only collect the minimum amount of Personal Data necessary from you, unless you choose to provide more.|
37 + | [Who is responsible for the processing of your information](#who-is-responsible-for-the-processing-of-your-information) | Subject to limited exceptions, GitHub is the controller and entity responsible for the processing of your personal data in connection with the Website or Service if you are in North America. For individuals outside North America the data controller is GitHub B.V. |
38 + | [What information GitHub collects](#what-information-github-collects) | GitHub collects information directly from you for your registration, payment, transactions, and user profile. We also automatically collect from you your usage information, cookies, and device information, subject, where necessary, to your consent. GitHub may also collect personal data from third parties. We only collect the minimum amount of personal data necessary from you, unless you choose to provide more.|
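Review bot: In the new line 37, "if you are in North America" is appended after "in connection with the Website or Service", so the condition is easy to miss and the leading "Subject to limited exceptions" no longer clearly covers the GitHub B.V. sentence that follows. State the regional split up front, for example "For individuals in North America, GitHub is the controller ...; for individuals outside North America, the controller is GitHub B.V.", and say whether the exceptions apply to both. The hunk also lowercases "Personal Data" to "personal data" in both rows; if the capitalized form is a defined term elsewhere in the statement, apply the change consistently across the file.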

@ArjunSharda ArjunSharda 3 days ago

Suggested change
38 - | [What information GitHub collects](#what-information-github-collects) | GitHub collects information directly from you for your registration, payment, transactions, and user profile. We also automatically collect from you your usage information, cookies, and device information, subject, where necessary, to your consent. GitHub may also collect personal data from third parties. We only collect the minimum amount of personal data necessary from you, unless you choose to provide more.|
38 + | [What information GitHub collects](#what-information-github-collects) | GitHub collects information directly from you for your registration, payment, transactions, and user profile. We also automatically collect from you your usage information, cookies, and device information, subject, where necessary, to your consent. GitHub may also collect personal data from third parties. We only collect the minimum amount of personal data necessary from you, unless you choose to provide more voluntarily.|
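Review bot: The suggested ending "unless you choose to provide more voluntarily" is redundant, because "choose" already conveys that providing more is voluntary. Keep the existing "unless you choose to provide more", or, if the aim is to stress that extra data is optional, write "unless you voluntarily provide more".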
@ericksoa

ericksoa commented 3 days ago

I thought this was a tool for managing your source code. If I wanted to be advertised to, I'd scroll Facebook.
@dragonDScript

dragonDScript commented 3 days ago
edited

How can I export all of my data to switch to Gitlab?
It's harder to switch back to Github, so think well :) And Gitlab has cookies on their entire website, not only resources.github.com. But still, this is 1 step forward, 2 steps backwards, Microsoft.
@efaruk

efaruk commented 3 days ago

Don't you remember what happened to CodePlex? I wouldn't mess with this crowd...
@Matthew-Bradley

Matthew-Bradley commented 3 days ago

Why in the world would github start tracking and serving ads to the single group that's directly paying them money for services?
It makes no sense.
@agowa338

agowa338 commented 3 days ago

> Why in the world would github start tracking and serving ads to the single group that's directly paying them money for services?
> It makes no sense.

They're just greedy. If this goes through, they lost all trust they still had left after the acquisition by Microsoft...
@tobypinder

tobypinder commented 3 days ago

Picking up pennies in front of the steamroller.
@dragonDScript

dragonDScript commented 3 days ago

> Why in the world would github start tracking and serving ads to the single group that's directly paying them money for services?
> It makes no sense.

Probably to please the free & open source community. But they have done it the other way around
@afkvido

afkvido commented 3 days ago

quick reminder sorry for repeated message

https://www.change.org/GitHubCookies

STOP THE COOKIES

@gruselhaus

gruselhaus commented 3 days ago

I would very much like and honestly expect GitHub to take a stand on the feedback already written.
@dragonDScript

dragonDScript commented 3 days ago

> quick reminder sorry for repeated message
>
> https://www.change.org/GitHubCookies
>
> STOP THE COOKIES

Stop spamming
@Consolatis

Consolatis commented 2 days ago
edited

> I think people might be somewhat… overreacting in this thread? It says it's only on sites like https://resources.github.com, not on main github.com. I don't think many non-enterprise users even visit that site. And I don't think it's uncommon for a website to record some things about what its users are doing in order to improve the experience, I'm sure github.com is already doing quite a lot of that - without using cookies, because you don't need cookies when the user is logged in and you can just record data in their account in the database…

I completely agree with your assessment of lots of people overreacting in this thread without even knowing what they are talking about. My biggest issue is what this PR is actually about: the modification of the policy.
In my opinion it is a) either really sloppy work or b) actively malicious (I am not sure which one it is).
It changes / weakens privacy protections for the whole site instead of just a strict subset of domains for a strictly specified usecase.
@ocdtrekkie

ocdtrekkie commented 2 days ago

What throws me isn't that this is that big a deal, because it's not, but that the cost/benefit analysis for this change has to be so incorrect internally as to be absolutely comedic. There's no way the analytics data from a marketing subdomain is worth the bad PR of backing away from a commitment made by the CEO only two years ago from a reputational standpoint.
@gruselhaus

gruselhaus commented 2 days ago

> What throws me isn't that this is that big a deal, because it's not, but that the cost/benefit analysis for this change has to be so incorrect internally as to be absolutely comedic. There's no way the analytics data from a marketing subdomain is worth the bad PR of backing away from a commitment made by the CEO only two years ago from a reputational standpoint.

💯
@UnoYakshi

UnoYakshi commented 2 days ago

Also, remember there is yet another new issue with Microsoft, about DuckDuckGo's sending over data to them. I just hope they will actually block MS' trackers, too.
@leestarb

leestarb commented 2 days ago

> Also, remember there is yet another new issue with Microsoft, about DuckDuckGo's sending over data to them. I just hope they will actually block MS' trackers, too

@UnoYakshi
You can disable ms trackers by disabling ads in ddg settings
@GrahamWilliams-DMT

GrahamWilliams-DMT commented 2 days ago

> These cookies will provide analytics

Come on now. Cookies are not required for providing valuable analytics and information. There are so many ways of doing this without attempting to force cookies on the end user.

> and personalize content and ads for enterprise users

No. Do not advertise to paying customers. If you want to understand the needs and requirements of those customers, reach out to them and engage with them, rather than enforcing 'advert number 7'. Adverts and generic mailings are blocked/junked/unsubscribed from. If an account manager reaches out to have an honest discussion around requirements and improvements, I'll engage.
@pterocles

pterocles commented 2 days ago

I don't think you can just feel morally okay with reneging on your initial No Cookies policy by using confusing wording and marketing terms, ... or can you?
@EricB10

EricB10 commented 2 days ago

Nack.
Changes like this will slowly turn GitHub into another predatory user-as-a-product platform, and accelerate political corruption of open source.
@dragonDScript

dragonDScript commented 2 days ago

> and accelerate political corruption of open source

Political corruption of open source? they're just seeking more profit....
@BitesizedLion

BitesizedLion commented 2 days ago

Did Microsoft ask you to do this? Too many wonderful platforms get destroyed by shitty corporations.
@dragonDScript

dragonDScript commented 2 days ago

> Did Microsoft ask you to do this? Too many wonderful platforms get destroyed by shitty corporations.

Apparently not microsoft, but high executives or investors of github. Or the new CEO. Microsoft wouldn't do this.
@TotallyInformation

TotallyInformation commented 2 days ago

You lost me at ads for enterprise users.
It certainly seems odd that adverts are being targeted only at paying customers. Enterprise is not cheap by any means so this seems highly counterproductive from a business perspective.
@homelyseven250

homelyseven250 commented 2 days ago

> > Did Microsoft ask you to do this? Too many wonderful platforms get destroyed by shitty corporations.
>
> Apparently not microsoft, but high executives or investors of github. Or the new CEO. Microsoft wouldn't do this.

You're joking right?
@ItsIgnacioPortal

ItsIgnacioPortal commented 2 days ago
edited

Cookies are the least of my concerns on this change; Github wants to stop respecting the Do-Not-Track (DNT) header altogether! That's a massive hit towards user privacy. They want to take away our standardized way to opt-out.
I will move all of my projects out of Github if this gets implemented, and I recommend everyone else to prepare to do the same.
@dragonDScript

dragonDScript commented 2 days ago

> > > Did Microsoft ask you to do this? Too many wonderful platforms get destroyed by shitty corporations.
> >
> > Apparently not microsoft, but high executives or investors of github. Or the new CEO. Microsoft wouldn't do this.
>
> You're joking right?

No, microsoft doesn't do a lot with its independent subsidiaries apparently. Same for mojang.
@BitesizedLion

BitesizedLion commented 2 days ago

> > > > Did Microsoft ask you to do this? Too many wonderful platforms get destroyed by shitty corporations.
> > >
> > > Apparently not microsoft, but high executives or investors of github. Or the new CEO. Microsoft wouldn't do this.
> >
> > You're joking right?
>
> No, microsoft doesn't do a lot with its independent subsidiaries apparently. Same for mojang.

Don't agree with the "same for mojang" part at all, they forced migration to microsoft accounts and now are trying to force chat reporting down people's throats.
@dginovker

dginovker commented 2 days ago

This feels like a breach of trust for us long-term Github users. That said, there's another issue: comments here certainly range from helpful to downright inappropriate, and I just hope Github doesn't double down and stop making site policies discussable in the future as a result.
@ntindle

ntindle commented 2 days ago

I am a current GitHub enterprise user. Specifically the user that chooses whether we keep using GitHub enterprise. A large portion of what we do with GitHub can easily be done with gitlab or gitea. The reason we use GitHub is because our developers like the company. That’s it. That’s the differentiating factor.
I’ve gotten contacted about this change by multiple members of our engineering team. We haven’t changed yet, but for us, the change isn’t very hard to execute.
I’d keep in mind that the non enterprise users are often the ones actually selling your product.
@ericksoa

ericksoa commented 2 days ago

What specifically makes this change so galling is that enterprise users pay for the product. We don't buy a product hoping to be sold to inside the product. The minute that the emphasis goes from "how do we make this easier for our teams" to "how does some growth PM use the app to sell more stuff", the company has lost the plot and has moved away from actually doing their primary job, which is make the product itself better.
The line of "but it's only enterprise" almost makes this worse. It means that they would do it to everyone the minute that it's profitable to do so. This is just the first tick of a dial that ends up with "this repo sponsored by X" ads for anyone using Github.
@TJesionowski

TJesionowski commented 2 days ago

Background: https://github.blog/2020-12-17-no-cookie-for-you/
Intended Change: Tracking/Advertising enabled on enterprise subdomains
Actual Change: That, but also GH (accidentally?) removes promise to respect DNT header.
Reflexive Objection: How dare you track me!
Reflexive Rebuttal: Bruv that's only enterprise subdomains, which ain't you.
Actual Objection 1: DNT headers? D00d?
Actual Objection 2: Wait...you want to advertise specifically to the people who pay you?!
Actual Objection 3: Advertising revenue comes with shitty incentives. Maybe, just, don't?
Actual Objection 9000: "Smeagol promised!"
@pixincreate

pixincreate commented 2 days ago

Just stop this right here!
By merging this PR you're basically losing the trust that people put on you with their data like me. You've already done enough damage by scanning everyone else's code without their actual consent to build github co-pilot.
You're losing people's trust by following what Microsoft has ordered you to do.
@benthecarman

benthecarman commented 2 days ago

NACK

@flexagoon flexagoon left a comment

no
@4JX

4JX commented yesterday

And here starts the downfall into invasive privacy practices.
The fact they're conveniently rephrasing the DNT section on this same PR (to no longer assure it's respected when sent) tells a story on its own.
First goes the enterprise section, then the main page for non logged in users, then X other "non-vital" section. Before you know it, two/three years down the line Github has the same privacy policy as [Insert generic big tech company here].
@aral

aral commented yesterday

so what github alternative is everyone using these days? asking for a friend.
(Apologies if that was a rhetorical question.)
@vixalien

vixalien commented yesterday

1.4k downvotes wow!
github is doing suicide by asking for cookies!
@afkvido

afkvido commented yesterday

> 1.4k downvotes wow!
> github is doing suicide by asking for cookies!

fr
@gatlinnewhouse

gatlinnewhouse commented yesterday

This is a very broad PR with many changes that have several different implications. At the very least it should be split into several PRs given the scope of each of the implications discussed.
@JokerQyou

JokerQyou commented 5 hours ago

> This change is only on subdomains, like resources.github.com, where GitHub markets products and services to enterprise customers. Github.com will continue to operate as-is.

It is not clear if this change will only apply to this particular subdomain (resources.github.com). The saying could also imply that any subdomains could at some point start to use these analytics / marketing cookies as well, for example, docs.github.com.
If you are going to make this change, then it's better to explicitly state exactly what subdomains are getting it.
Also I'm particularly concerned about the "Personal Data" => "personal data" change in the privacy statement as well. Someone at GitHub mind to explain that?

Merge state

Review required

At least 1 approving review is required by reviewers with write access. Learn more.
1 pending reviewer
@literarytea literarytea was requested for review
Merging is blocked
Merging can be performed automatically with 1 approving review.
