GitHub’s new privacy policy raises concerns about tracking cookies
The proposed amendments to GitHub’s privacy policy, which would permit GitHub to set tracking cookies on some of its subdomains, have enraged developers.
In an announcement this month, the Microsoft subsidiary said that “non-essential cookies” would be added to some marketing web pages beginning in September, and gave users a thirty-day “comment period.”
GitHub will add optional cookies to its marketing pages
According to GitHub’s most recent privacy statement (dated May 31, 2022), the software development platform only sets “strictly necessary” cookies on users’ web browsers. It complies with W3C privacy standards when users use the “Do Not Track” (DNT) privacy setting.
On its marketing subdomains like resources.github.com, however, GitHub will begin placing non-essential cookies as of September 1, 2022.
“GitHub is introducing non-essential cookies on web pages that market our products to businesses,” explains Olivia Holder, GitHub’s Senior Privacy Counsel.
“These cookies will provide analytics to improve the site experience and personalize content and ads for enterprise users.”
Holder emphasizes that GitHub.com will continue to function as-is and that the change would only affect some subdomains and marketing webpages.
“Tracking cookies,” the term used here for these non-essential cookies, refers to a class of cookies shared across numerous websites and web services.
Third parties may use these cookies to deliver advertisements or to provide marketing, personalization, and analytics features. However, according to cybersecurity company F-Secure, such cookies can make it simple to determine a user’s browsing history and behavior across various websites, potentially allowing malicious actors to track this activity.
Drawing attention to the new policy and its “30-day discussion period,” GitHub Security Engineer Lucas Garron cited GitHub’s 2020 blog post, in which the company said it had “removed all non-essential cookies” because of its commitment to “respecting the privacy of developers using our product.”
Ironically, this month’s brief notice explaining the addition of tracking cookies still uses much of the same language.
Users condemn Microsoft over the new policy language
Users have strongly criticized the platform’s revised policy wording, and some have even considered switching to GitLab.
“You lost me at ‘ads for enterprise users,'” said pentester and security engineer Jonathan Gregson.
“If that PR goes in, I’m out. I’m not going to be a part of this digital dystopia where I am just a product and where companies don’t care about the people,” states user Willhelm Sokolov.
Some even accused Microsoft, the parent firm of GitHub, of introducing these damaging modifications that “undermined” the platform.
However, one of the developers had a somewhat different perspective:
“Why are people getting so riled up when this change only impacts the Enterprise marketing subdomains? Makes no sense to me how this of all things is getting negative attention,” commented Evelyn Marie, a Rust and Android developer.
The majority of GitHub users, according to Marie, don’t use Enterprise, a service targeted at businesses, so they are unlikely to be bothered by what are essentially just cookies.
“Also, people love pointing the finger at Microsoft, as if this change was demanded by them. It more than likely wasn’t. There are always going to be changes that people don’t like, but not all changes are influenced by the parent company. If Microsoft was [putting] their hands all over GitHub, they probably would’ve moved GitHub to the Microsoft Policy Statement a long time ago,” says Marie.
The thread saw a lengthy discussion that received over 1,200 negative comments from the community. Some people went so far as to create a petition on change.org, complaining that the new policy phrasing was “less transparent,… more vague and misleading,” and urging GitHub to completely stop using marketing cookies.
The changelog on GitHub is available to anyone interested in examining the planned privacy policy modifications.