Developers are furious at GitHub’s upcoming privacy policy changes that would allow GitHub to place tracking cookies on some of its subdomains.
The Microsoft subsidiary announced this month that it would be adding “non-essential cookies” on some marketing web pages starting in September, and offered a thirty-day “comment period” for users.
GitHub to add non-essential cookies on marketing pages
GitHub’s present privacy policy (dated May 31, 2022) states that the software development platform places only “strictly necessary” cookies on users’ web browsers and adheres to W3C’s standard concerning the “Do Not Track” (DNT) privacy preference, should it be set by users.
Effective September 1, 2022, however, GitHub will start placing non-essential cookies on its marketing subdomains like resources.github.com.
“GitHub is introducing non-essential cookies on web pages that market our products to businesses,” explains Olivia Holder, GitHub’s Senior Privacy Counsel.
“These cookies will provide analytics to improve the site experience and personalize content and ads for enterprise users.”
Holder stresses, however, that the change will only impact marketing webpages and select subdomains, and that “Github.com will continue to operate as-is.”
The non-essential cookies in this context, better known as “tracking cookies,” refer to a class of cookies that are shared across multiple websites and web services.
These cookies may be used by third parties for delivering ads or for the purposes of providing marketing, customization, and analytics features. But such cookies can make it easy to ascertain a user’s browsing history and behavior across multiple sites, potentially allowing malicious actors to track this activity, explains cybersecurity firm F-Secure.
While drawing everyone’s attention to the new policy and a “30-day comment period,” GitHub Security Engineer Lucas Garron pointed out GitHub’s 2020 blog post where the platform had “removed all non-essential cookies” out of its commitment to “respecting the privacy of developers using our product.”
Ironically, this month’s succinct announcement explaining the introduction of tracking cookies retains much the same wording.
Users criticize new policy wording, blame Microsoft
Reacting to GitHub’s new policy wording, users sharply criticized the platform’s decision, with some even considering leaving GitHub for GitLab.
“You lost me at ‘ads for enterprise users,’” said pentester and security engineer Jonathan Gregson.
“If that PR goes in, I’m out. I’m not going to be a part of this digital dystopia where I am just a product and where companies don’t care about the people,” states user Willhelm Sokolov.
Some even blamed Microsoft, GitHub’s parent company, for bringing such detrimental changes that have “undermined” the platform.
But one of the devs had a slightly different take:
“Why are people getting so riled up when this change only impacts the Enterprise marketing subdomains? Makes no sense to me how this of all things is getting negative attention,” commented Evelyn Marie, a Rust and Android developer.
Marie further states that most GitHub users don’t use Enterprise, an offering oriented toward businesses, and will likely never be inconvenienced by what are just cookies.
“Also, people love pointing the finger at Microsoft, as if this change was demanded by them. It more than likely wasn’t. There are always going to be changes that people don’t like, but not all changes are influenced by the parent company. If Microsoft was [putting] their hands all over GitHub, they probably would’ve moved GitHub to the Microsoft Policy Statement a long time ago,” says Marie.
A lengthy debate ensued on the thread that has now garnered over 1,200 dislikes from the community. Some even drafted a change.org petition, alleging that the new policy wording was “less transparent,… more unclear and confusing,” and urged GitHub to drop marketing cookies altogether.
Those interested in reviewing the upcoming privacy policy updates can refer to the changelog on GitHub.