The developer community is extremely unhappy with the upcoming privacy policy changes on GitHub – the new rules will allow GitHub to place “tracking” cookies on some subdomains.
The upcoming changes were announced earlier this month. Starting September 2022, GitHub is scheduled to start adding “optional cookies” to some marketing pages. The company offered users 30 days to discuss this decision.
GitHub’s current privacy policy (as of May 31, 2022) states that the platform places only “strictly necessary” cookies on users’ browsers and adheres to the W3C standard for the Do Not Track setting, if set by the user.
However, starting September 1, 2022, GitHub will start placing optional cookies on its marketing subdomains, such as resources.github.com.
Optional cookies (commonly referred to as “tracking cookies”) are, in this context, a class of cookies used by multiple sites and web services at once. Third parties may use them for advertising, marketing, customization and analytics purposes. At the same time, such cookies make it easy to identify browsing history and user behavior on other sites, potentially allowing attackers to track this activity.
The upcoming changes have already been heavily criticized by the community. For example, GitHub Security Engineer Lucas Garron decided to draw everyone’s attention to the issue and the “30-day comment period” by citing an old GitHub blog post from 2020. In it, representatives of the platform stated that they “deleted all optional cookies” because they “respect the privacy of developers using the product.”
Ironically, a recent post from the GitHub developers explaining the need for tracking cookies contains almost the same wording. The developers justify the cookie trackers as a way to improve the reach and web experience for corporate users, but note that “the developer community remains the heart of GitHub”, and that the platform strives to “respect the privacy of developers using our product.”
While the debate rages in the comments, a petition has already been created on change.org that calls the language of the new privacy policy “less transparent, unclear and misleading” and calls on GitHub to stop tracking cookies altogether.
At the same time, many users say they intend to leave GitHub (for example, for GitLab) or boycott it if the new rules come into force. Others blame Microsoft, the parent company of GitHub, for what is happening, saying that it discredits GitHub.
However, there are those who support the position of GitHub. For example, Rust and Android developer Evelyn Marie wonders why people are so angry about changes that “only affect corporate marketing subdomains.” Marie writes that most GitHub users don’t use Enterprise anyway and will likely never experience any inconvenience due to cookies.