Privacy Statement Updates September 2022 #582
Conversation
Updates to privacy statement
olholder
changed the title
| @@ -33,13 +34,13 @@ To see our Privacy Notice to residents of California, please go to [GitHub's Not | |||
|
|
|||
| | Section | What can you find there? | | |||
| |---|---| | |||
| | [Who is responsible for the processing of your information](#who-is-responsible-for-the-processing-of-your-information) | Subject to limited exceptions, GitHub is the controller and entity responsible for the processing of your Personal Data in connection with the Website or Service. | | |||
There was a problem hiding this comment.
Is the change from "Personal Data" to "personal data" a stylistic change?
I note that the paragraph above is still intact:
All capitalized terms have their definition in GitHub’s Terms of Service, unless otherwise noted here.
Presuming this capitalization change is unintentional, it has the unfortunate effect of decoupling "Personal Data" from the definition provided in the GitHub Terms of Service, which means that "personal data" is no longer as delineated there, but could well be anything.
If this is an intentional change, it would seem better made as a visible change to the Terms of Service. If the intent is not to change the Terms of Service but to arbitrarily expand "personal data" without drawing attention, well, that seems evil.
There was a problem hiding this comment.
Looking into this further -- it looks like "Personal Data" is defined these days in the GitHub Data Protection Agreement. Perhaps this was being decapitalized since it is not directly defined (afaict) in the GitHub Terms of Service?
There was a problem hiding this comment.
The collection of information and sale of it I think is something that has been going on for a long time. I think what matters is knowing what information we provide. But it's always good to know
There was a problem hiding this comment.
in a court of law, doesn't "Personal Data" mean "personal data" ?
lol
|
|
||
| Our emails to users may contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email communications more effective and to make sure we are not sending you unwanted email. | ||
|
|
||
| ### DNT | ||
|
|
||
| "[Do Not Track](https://www.eff.org/issues/do-not-track)" (DNT) is a privacy preference you can set in your browser if you do not want online services to collect and share certain kinds of information about your online activity from third party tracking services. GitHub responds to browser DNT signals and follows the [W3C standard for responding to DNT signals](https://www.w3.org/TR/tracking-dnt/). If you would like to set your browser to signal that you would not like to be tracked, please check your browser's documentation for how to enable that signal. There are also good applications that block online tracking, such as [Privacy Badger](https://privacybadger.org/). | ||
| "[Do Not Track](https://www.eff.org/issues/do-not-track)" (DNT) is a privacy preference you can set in your browser if you do not want online services to collect and share certain kinds of information about your online activity from third party tracking services. Some services may respond to browser DNT signals and follow the [W3C standard for responding to DNT signals](https://www.w3.org/TR/tracking-dnt/). If you would like to set your browser to signal that you would not like to be tracked, please check your browser's documentation for how to enable that signal. There are also good applications that block online tracking, such as [Privacy Badger](https://privacybadger.org/) or [uBlock Origin](https://github.com/gorhill/uBlock/). |
There was a problem hiding this comment.
Let me prefix this by stating that I am a complete layman.
Previously: *GitHub* responds to browser DNT signals and follows the W3C spec.
Now: Some random services, somewhere in the world, hosted by GitHub or somebody else *may* respond to browser DNT signals and follow the W3C spec.
Doesn't this change invalidate the whole paragraph and turns it into a generic wiki article?
There was a problem hiding this comment.
Dunno, they will stop respecting DNT but leave this paragraph and make it seem as if they do. This is just confusing.
There was a problem hiding this comment.
"Confusing" is one way to put it.
Edit:
@zzo38 articulated my personal opinion better than I could so I'll quote part of their comment here:
I also think that they should avoid using confusing privacy policies; the mention of DNT should either be kept as is if GitHub uses the DNT header to reduce tracking, or deleted entirely if GitHub does not use the DNT header. If it does so only in some cases, it should mention what cases these are. The privacy policy made sense before the change in the section about DNT, although the change mentioned above makes it confusing (as other comments already mention).
[..]
I have no problem with adding these non-essential cookies to the enterprise marketing pages, as long as the rest of GitHub can be used without it and it is documented which pages these are (and if the cookie domain is the same, also which cookies). Moving the enterprise marketing pages to a separate domain seems to me to be a good idea though, in order to be clearly distinguished (although a subdomain is probably good enough, in my opinion; as long as it is documented clearly which subdomains these are).
Emphasis are mine.
In my opinion, documented should mean being very specific and being part of a legally binding document like the privacy policy.
An example for not being specific is this part of the changes:
As described below, we may use non-essential cookies on certain pages of our website
There was a problem hiding this comment.
So; let's get this straight:
- According to GDPR article 22 data subjects may exercise their right to object to processing using technical specifications.
- GitHub acknowledges the DNT signal as a valid technical standard, i.e. technical specification.
- Moreover; GitHub honors - or at least used to honor - that signal, illustrating that they have the capacity to respond to it appropriately.
Yeah... uhm..
How is attempting to weasel yourself out from under that not morally blackest evil?
|
You lost me at |
|
Github is being undermined by Microsoft. |
|
so what github alternative is everyone using these days? asking for a friend. |
|
"We are also committing that going forward, we will only use cookies that are required for us to serve GitHub.com." Apparently in corporate terms, a "commitment" is now less than two calendar years of obligation. Good to know. Though, I guess I don't visit the marketing pages and hence, don't really care that much? Corporations being untrustworthy isn't new territory. Literally just "business advice": Your marketing teams should be weighing the value of the data here against the cost of "yet another breach of user trust and commitment", user trust, of course, being something extremely hard to earn back. |
|
Marketing people don't care about user trust or commitments. They'll just burn things to the ground and move on to the next corp job, each time making the world a slightly worse place. |
Microsoft fucking sucks, GitHub wasn't evil until Microsoft really started to abuse GitHub. |
@TheMaverickProgrammer GitLab probbably. |
|
I understand that cookies are helpful for analytics and gathering sales funnel data. It's always sad when companies don't keep prior promises, though If you must break the promise, here's my suggestion, for what it's worth: move enterprise marketing pages (maybe even all marketing pages besides the front page?) off of Then point marketing links from the front page to that domain. This will allow folks to deal with that domain separately from |
|
I personally feel that the enterprise version can be made independently. |
|
As a happy GitHub user I just hope all this recreational outrage doesn't result in GitHub allocating more time or resources than would otherwise be required to complete this change. Full speed ahead! |
I'd want GitHub to remove Microsoft, then continue full speed ahead |
Why are people getting so riled up when this change only impacts the Enterprise marketing subdomains? Makes no sense to me how this of all things is getting negative attention. Majority of people don't use GitHub Enterprise, as its only for businesses, And they're just cookies. Use uBlock Origin as it says if you really can't stand a few cookies on subdomains you'll probably never end up going to. Also, people love pointing the finger at Microsoft, as if this change was demanded by them. It more than likely wasn't. There are always going to be changes that people don't like, but not all changes are influenced by the parent company. If Microsoft was puttng their hands all over GitHub, they probably would've moved GitHub to the Microsoft Policy Statement a long time ago. |
|
Cuz GitHub said they wouldnt use cookies |
How exactly does this in any way impact user trust? It doesn't impact the main site, like the dashboard, the landing page, or any other part of GitHub like profiles, repositories, or organizations. It literally only impacts the enterprise marketing pages, and its for sales data tracking & analytics. GitHub Enterprise is a very business-oriented product, so the only visitors to those pages will be by business leaders potentially interested in GitHub Enterprise, or users who land on that page by mistake. And I believe that is what GitHub meant when they said "to serve GitHub.com" - the main site (dashboard, repos, profiles, etc), not including stuff related to their Enterprise product, so I genuinely don't believe they broke their commitment. People are overreacting, as usual, to insignificant changes that don't really impact them. |
|
Thats fine but fuck microsoft for existing |
|
There's a reason this PR has 128+ negative reactions |
|
Also, they have, take a look at this PR. |
This was more than likely not Microsoft's doing. Not everything a subsidiary of Microsoft does is because of Microsoft itself. You have the vast majority of comments on this PR (at 8 comments), and your opinion isn't be all end all. Most of the negative reactions are additionally probably from people who don't understand the scope of what GitHub said back when they committed to not use cookies not necessary to serve GitHub itself - they probably didn't extend it to the Enterprise marketing pages to begin with and always meant the main site that serves repositories and profiles and such. There are things worse than cookies by the way, like actual trackers embedded in web pages. Cookies are relatively harmless if used sparingly and for very specific purposes like tracking sales analytics or for keeping a user logged into their web browsers, or in a specific GitHub use case, tracking the current site theme. There is nothing wrong with stuff like this. You seem awfully mad at Microsoft for some reason, as if they stole your pet dog or something. This isn't 2000s & early 2010s-era Microsoft, Microsoft is nowhere near as bad as they were when Steve Ballmer was the CEO of Microsoft. Ever since Satya became CEO, I have noticed a significant improvement in Microsoft's business culture and strategy. MS was way, way, way worse back when Ballmer was CEO. (also, slight question, why upvote your own comments?) |
I don't know why anyone at GitHub would do this change, and Microsoft is the only other entity with the authority to make such a change.
I just poke in whenever this comes up on my GitHub notifications.
That is a good point, however, that doesn't change the fact that GitHub is no longer the white and fluffy angel that it was.
While you seem quite intelligent, I don't think that you understand that cookies could actually be used as slight trackers, and if used to their fullest potential, complete on-site tracking for AI/ML based targeted recommendations for profit.
Microsoft is still a mega-corp. They're still 'evil', just like Google or Apple. I also don't see much of a difference with the two CEOs. One was making more money, one was discussing ethics more often, but in the end, Microsoft is still somewhat invasive. To add on, Microsoft decided to absolutely RUIN Minecraft, a game that I don't really play these days, but my friends play a lot.
(also, slight question, why downvote my comments?) |
|
I think that the cookies ought to be documented, so that you know which cookie means what. I also think that they should avoid using confusing privacy policies; the mention of DNT should either be kept as is if GitHub uses the DNT header to reduce tracking, or deleted entirely if GitHub does not use the DNT header. If it does so only in some cases, it should mention what cases these are. The privacy policy made sense before the change in the section about DNT, although the change mentioned above makes it confusing (as other comments already mention). Mentioning other programs such as Privacy Badger and uBlock Origin are OK, although it might be worth to add a disclaimer if GitHub is not affiliated with such programs, even if they are hosted on GitHub. (Since GitHub is used for many FOSS projects, it is likely that some of them will be.) I have no problem with adding these non-essential cookies to the enterprise marketing pages, as long as the rest of GitHub can be used without it and it is documented which pages these are (and if the cookie domain is the same, also which cookies). Moving the enterprise marketing pages to a separate domain seems to me to be a good idea though, in order to be clearly distinguished (although a subdomain is probably good enough, in my opinion; as long as it is documented clearly which subdomains these are). About alternatives to GitHub, I would not recommend GitLab because it will not display the files if JavaScripts are not enabled. However, it is acceptable to use GitLab if there are mirrors on multiple services. GitHub, Codeberg, and NotABug, and some others, also use JavaScripts, although the files can be displayed even if JavaScripts are disabled (even though there is a note that says enable JavaScripts, it is not required to simply view files), so it is acceptable. Another alternative is Sourcehut, which also doesn't need JavaScripts (and says that all features work without JavaScripts, although it still has some). |
|
I don't mind GitLab, except that I have to pause for 15 minutes to finish laughing every time i see "Merge Requests" |
|
What happened to this policy https://github.blog/2020-12-17-no-cookie-for-you/ ? I guess it's a bit like Microsoft |
It is not clear if this change will only apply to this particular subdomain ( If you are going to make this change, then it's better to explicitly state exactly what subdomains are getting it. Also I'm particularly concerned about the "Personal Data" => "personal data" change in the privacy statement as well. Someone at GitHub mind to explain that? |
|
Please don't become evil. |
|
54 upvotes by CEOs and investors. 1.7k downvotes by people |
I don't think so. People just like to complain (especially when you can hate MS for no reason), I cannot explain otherwise how so many are triggered by a change that doesn't really impact anyone. If you care about privacy, you have extensions like PrivacyBadger and uBlock installed and DNT doesn't make any difference anyway. |
|
TLDR, Ambigous terms(Close to becoming an invalid legal document,I mean.. copying what other companies are doing,not going to point fingers....But Sus,lol) eg.
Fake useless advice in documents eg.
No feedback loop(imagine a git repo with no issue tab...yeah...#YOLO,DEAL WITH IT) eg.
|
I think GitHub is looking very closely at the comments in this PR. Maybe they are too embarrassed to respond. I wonder how @nat would have reacted to it. @ashtom apparently does not seem to interfere. |
| @@ -24,7 +25,7 @@ All capitalized terms have their definition in [GitHub’s Terms of Service](/gi | |||
|
|
|||
| ## The short version | |||
|
|
|||
| We use your personal information as this Privacy Statement describes. No matter where you are, where you live, or what your citizenship is, we provide the same high standard of privacy protection to all our users around the world, regardless of their country of origin or location. | |||
| We use your personal information as this Privacy Statement describes. No matter where you are, where you live, or what your citizenship is, you have the same high standard of privacy protection when using GitHub's products as all our users around the world, regardless of their country of origin or location. | |||
There was a problem hiding this comment.
I am unable to comprehend why the previously present description of what is provided to the user has been replaced by this modification with what appears to be guarantee that something is already possessed by the user.
I believe that this new phrasal might incur unnecessary legal liability if a user were to somehow not receive the described “high standard of privacy”, whereas the previous version merely stated that it was provided, and not even whom to, thus certainly absolving GitHub of any relevant potential liability.
|
|
||
| Our emails to users may contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email communications more effective and to make sure we are not sending you unwanted email. | ||
|
|
||
| ### DNT | ||
|
|
||
| "[Do Not Track](https://www.eff.org/issues/do-not-track)" (DNT) is a privacy preference you can set in your browser if you do not want online services to collect and share certain kinds of information about your online activity from third party tracking services. GitHub responds to browser DNT signals and follows the [W3C standard for responding to DNT signals](https://www.w3.org/TR/tracking-dnt/). If you would like to set your browser to signal that you would not like to be tracked, please check your browser's documentation for how to enable that signal. There are also good applications that block online tracking, such as [Privacy Badger](https://privacybadger.org/). | ||
| "[Do Not Track](https://www.eff.org/issues/do-not-track)" (DNT) is a privacy preference you can set in your browser if you do not want online services to collect and share certain kinds of information about your online activity from third party tracking services. Some services may respond to browser DNT signals and follow the [W3C standard for responding to DNT signals](https://www.w3.org/TR/tracking-dnt/). If you would like to set your browser to signal that you would not like to be tracked, please check your browser's documentation for how to enable that signal. There are also good applications that block online tracking, such as [Privacy Badger](https://privacybadger.org/) or [uBlock Origin](https://github.com/gorhill/uBlock/). |
There was a problem hiding this comment.
This modification removes all statement of what GitHub does. Additionally, I do not believe that which (presumably 3rd-party) services implicated by this new phrasal have been specified.
|
@literarytea Please don't do it. You're better than this. |
|
1.5k downvotes, eh? @github ya might want to rethink your descisions |
| @@ -111,7 +112,7 @@ Co-branding/marketing partners. We may receive information from partners with wh | |||
|
|
|||
| Publicly available sources. We may also obtain information from publicly available sources as GitHub repositories. | |||
|
|
|||
| When you are asked to provide Personal Data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional. | |||
| When you are asked to provide personal data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional. | |||
There was a problem hiding this comment.
| When you are asked to provide personal data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional. | |
| When you are asked to provide personal data, you may decline. And you may use web browser or operating system controls to prevent certain types of automatic data collection. But if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional for you. |
There was a problem hiding this comment.
@ArjunSharda, I believe that “for” might be superior to “to” in this instance.
There was a problem hiding this comment.
@ArjunSharda, I believe that “for” might be superior to “to” in this instance.
| @@ -33,13 +34,13 @@ To see our Privacy Notice to residents of California, please go to [GitHub's Not | |||
|
|
|||
| | Section | What can you find there? | | |||
| |---|---| | |||
| | [Who is responsible for the processing of your information](#who-is-responsible-for-the-processing-of-your-information) | Subject to limited exceptions, GitHub is the controller and entity responsible for the processing of your Personal Data in connection with the Website or Service. | | |||
There was a problem hiding this comment.
They definitely are certain. They would not have modified this as they have if they were not.
| | [Who is responsible for the processing of your information](#who-is-responsible-for-the-processing-of-your-information) | Subject to limited exceptions, GitHub is the controller and entity responsible for the processing of your Personal Data in connection with the Website or Service. | | ||
| | [What information GitHub collects](#what-information-github-collects) | GitHub collects information directly from you for your registration, payment, transactions, and user profile. We also automatically collect from you your usage information, cookies, and device information, subject, where necessary, to your consent. GitHub may also collect Personal Data from third parties. We only collect the minimum amount of Personal Data necessary from you, unless you choose to provide more.| | ||
| | [Who is responsible for the processing of your information](#who-is-responsible-for-the-processing-of-your-information) | Subject to limited exceptions, GitHub is the controller and entity responsible for the processing of your personal data in connection with the Website or Service if you are in North America. For individuals outside North America the data controller is GitHub B.V. | | ||
| | [What information GitHub collects](#what-information-github-collects) | GitHub collects information directly from you for your registration, payment, transactions, and user profile. We also automatically collect from you your usage information, cookies, and device information, subject, where necessary, to your consent. GitHub may also collect personal data from third parties. We only collect the minimum amount of personal data necessary from you, unless you choose to provide more.| |
|
Can anyone explain how gitlab is supposed to be better in that matter ? |
|
As they're going to do here. See? Contributors keep approving no matter what. They'll do the change, people will blame github, but then in 6 months no one's going to remember. Isn't this a comfortable way of doing business. Got something to say @Abo-Sofian? (not your fault you're just 1 more person that approved) |
|
@dragonDScript, anybody is able to approve the proposed modification. "http://github.com/github/site-policy/pull/582#:~:text=Review%20required,with%20write%20access." should demonstrate that nobody at GitHub or Microsoft has approved this. |
|
I Don’t Know Rick, Looks Fake to Me. |
Oh! My bad then. Thought they were actual GitHub or Microsoft employees. What I said is sad but true, it is what it is. |
|
|
Broken links. Please review:
Lines: 60, 109, 135 (x2), 142, 145, 161, 181, 189, 221, 263, 267, 281, 285, 288, 291, 305 (x2), 330.
Most of them need to point to docs.
For example this:
/site-policy/github-terms/github-terms-of-service
Should redirects to:
https://docs.github.com/en/site-policy/github-terms/github-terms-of-service
|
@Karmavil, I believe that the current hyperlinks are deliberately relative. Superior suggestion would be enclosure of them by HTML as "http://stackoverflow.com/a/24028648/9731176" describes. |
| versions: | ||
| fpt: '*' | ||
| topics: | ||
| - Policy | ||
| - Legal | ||
| --- | ||
|
|
||
| Effective date: May 31, 2022 |
There was a problem hiding this comment.
| versions: | ||
| fpt: '*' | ||
| topics: | ||
| - Policy | ||
| - Legal | ||
| --- | ||
|
|
||
| Effective date: May 31, 2022 |
| versions: | ||
| fpt: '*' | ||
| topics: | ||
| - Policy | ||
| - Legal | ||
| --- | ||
|
|
||
| Effective date: May 31, 2022 | ||
| Effective date: September 1, 2022 |
|
lmao look at this recent editor "Aa1106443102". To avoid any heat they're just going to keep moving forward with this and use anonymous throwaway accounts to edit the policy. No one to throw your rocks at this way. Brilliant. Privacy is suddenly important for the company but not for its actual users. |
I believe it was the account That proposed the change. The account you listed merely reviewed it. This is the account that likely is required to approve for this to merge https://github.com/literarytea |
GitHub is introducing non-essential cookies on web pages that market our products to businesses. These cookies will provide analytics to improve the site experience and personalize content and ads for enterprise users. This change is only on subdomains, like resources.github.com, where GitHub markets products and services to enterprise customers. Github.com will continue to operate as-is.
This change updates the Privacy Statement based on this new activity.
These updates will go into effect after the 30-day notice and comment period, on September 1, 2022.