
This is fantastic. Thank you, GitHub.

I hope this is a good demonstration of a hands-off approach at Microsoft in regard to company culture.

I realize you likely still collect some analytics for yourself and that this change does nothing to alleviate that, e.g. first-party JavaScript. But it's great that it's divorced from 3rd parties.

Presumably Microsoft has access to those metrics, though? I wonder how deeply that gets parsed in conjunction with everything else they collect.

If only you could export some of that culture back to your corporate overlord. I'd love if MS Teams stopped exploding its RAM usage until it eventually has to be killed if it's unable to get an OK response from its analytics endpoint.

And I'd love to turn off analytics in Windows altogether. Even getting to the minimal analytic configuration is an exercise in futility spread out across a million different settings, some of which decide to reset themselves in obfuscated ways sometimes. eg, some think updates reset them, either directly or by doing things like changing default programs to ones which require analytics (eg Office). Or a change to one setting requires additional changes elsewhere to be effective.



GitHub still sends the same personal data to their own analytics endpoint, and the privacy policy which lists third-party data subprocessors [1] has not been updated.

See my comment below for details: https://news.ycombinator.com/item?id=25458635

Tracking cookies have little value for GitHub when they can collect data about users that have already been authenticated, and they send the username and user ID as part of their tracking request.

Inspect the request sent to collector.githubapp.com on every page load to see the type of personal data that is being collected on the client-side.

We have no visibility into how they associate this data with analytics data collected on the server-side, and that's where an updated privacy policy would also help.

[1] https://docs.github.com/en/free-pro-team@latest/github/site-...


A GitHub spokesperson has issued this statement [1] about a request to api.github.com: "That endpoint tracks aggregate performance metrics, and does not rely on cookies or other unique identifiers".

GitHub is still sending our usernames and other unique IDs, our device data, and the pages we visit to the collector.githubapp.com endpoint.

GitHub's claims about not tracking users are false, they do identify users in tracking requests. See this tracking URL, it's full of unique identifiers and personal data, and it is currently sent after every page load, without user consent:

  https://collector.githubapp.com/github/page_view?dimensions[page]=https://github.com/&dimensions[title]
  =GitHub&dimensions[referrer]=https://github.com/sessions/two-factor&dimensions[user_agent]=Mozilla/5.0 
  (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0&dimensions[screen_resolution]=1000x518&dimensions[pixel_ratio]
  =1&dimensions[browser_resolution]=1000x518&dimensions[tz_seconds]=0&dimensions[timestamp]
  =1608247177900&dimensions[referrer]=https://github.com/sessions/two-factor&dimensions[request_id]=
  9CF8:4938:4516EA:5FD134:5FDBE77E&dimensions[visitor_id]=6475638196559144773&
  dimensions[region_edge]=fra&dimensions[region_render]=iad&&measures[performance_timing]=
  1---600-600-600-400-400-----600-0----1608247177200--1608247176900--1608247176900--400- 
  400&&dimensions[actor_id]=47727044&dimensions[actor_login]=dessantbot&dimensions[actor_hash]=
  a274a9ae03a3b361483e273a53aba70534c609670c058fe667d8bce4d6f33bad&dimensions[cid]=1507727009.1608247109
[1] https://www.theregister.com/2020/12/17/github_will_no_longer...
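As an added example (not GitHub's code and not something from this thread), here is a small Python audit that re-joins the URL quoted above and sorts its query parameters into user identifiers, request-correlation ids, device signals, browsing data and operational metrics. The parameter names are the ones in the quoted request; the categories, and the fallback rule that flags any unknown parameter carrying a 32-or-more character hex token as a possible identifier, are this example's own assumptions. The parser is general enough to run on any collector request that uses the dimensions[...]/measures[...] convention, which goes beyond the single URL in the post.

```python
import re
from urllib.parse import unquote, urlsplit

# The collector request quoted above, re-joined after the line breaks that
# were inserted for page layout (only that whitespace was removed).
TRACKING_URL = (
    "https://collector.githubapp.com/github/page_view?"
    "dimensions[page]=https://github.com/&dimensions[title]=GitHub"
    "&dimensions[referrer]=https://github.com/sessions/two-factor"
    "&dimensions[user_agent]=Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
    "&dimensions[screen_resolution]=1000x518&dimensions[pixel_ratio]=1"
    "&dimensions[browser_resolution]=1000x518&dimensions[tz_seconds]=0"
    "&dimensions[timestamp]=1608247177900"
    "&dimensions[referrer]=https://github.com/sessions/two-factor"
    "&dimensions[request_id]=9CF8:4938:4516EA:5FD134:5FDBE77E"
    "&dimensions[visitor_id]=6475638196559144773"
    "&dimensions[region_edge]=fra&dimensions[region_render]=iad"
    "&&measures[performance_timing]=1---600-600-600-400-400-----600-0----"
    "1608247177200--1608247176900--1608247176900--400-400"
    "&&dimensions[actor_id]=47727044&dimensions[actor_login]=dessantbot"
    "&dimensions[actor_hash]=a274a9ae03a3b361483e273a53aba70534c609670c058fe667d8bce4d6f33bad"
    "&dimensions[cid]=1507727009.1608247109"
)

# The categories are this example's assumption; the names are those in the
# request above.
USER_IDENTIFIERS = {"actor_id", "actor_login", "actor_hash", "visitor_id", "cid"}
REQUEST_CORRELATION = {"request_id"}
DEVICE_SIGNALS = {"user_agent", "screen_resolution", "browser_resolution",
                  "pixel_ratio", "tz_seconds"}
BROWSING_DATA = {"page", "title", "referrer"}

PARAM_RE = re.compile(r"^(dimensions|measures)\[([^\]]+)\]$")
HEX_TOKEN_RE = re.compile(r"^[0-9a-fA-F]{32,}$")


def parse_tracking_url(url):
    """Return (group, name, value) triples for every non-empty query pair.

    The query is split by hand on '&' so the ';' inside the user-agent value
    is never treated as a separator, and the stray '&&' pairs are skipped.
    """
    triples = []
    for pair in urlsplit(url).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        key, value = unquote(key), unquote(value)
        match = PARAM_RE.match(key)
        if match:
            triples.append((match.group(1), match.group(2), value))
        else:
            triples.append(("other", key, value))
    return triples


def classify(name, value):
    """Map one parameter to a category, with a heuristic for unknown names."""
    if name in USER_IDENTIFIERS:
        return "user identifier"
    if name in REQUEST_CORRELATION:
        return "request correlation"
    if name in DEVICE_SIGNALS:
        return "device signal"
    if name in BROWSING_DATA:
        return "browsing data"
    if HEX_TOKEN_RE.match(value):
        return "possible identifier"  # long opaque token under an unknown name
    return "operational"


def audit(url):
    """Group parameter names by category, preserving request order."""
    report = {}
    for _group, name, value in parse_tracking_url(url):
        report.setdefault(classify(name, value), []).append(name)
    return report


def dimension_values(url):
    """Name -> value for dimensions[...] parameters (later duplicates win)."""
    return {name: value for group, name, value in parse_tracking_url(url)
            if group == "dimensions"}


if __name__ == "__main__":
    for category, names in audit(TRACKING_URL).items():
        print(f"{category:20s} {', '.join(names)}")
```

Running it on the quoted URL lists five user identifiers (visitor_id, actor_id, actor_login, actor_hash, cid) next to the device and browsing dimensions, which is the point the comment makes: the request is tied to the account, not to a cookie. To audit another site, paste the request copied from the browser's network panel into TRACKING_URL.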


this isn't about tracking users, it's about cookies. no cookies doesn't mean no tracking. it's just a workaround to improve UX. "visiting our website does not send any information to third-party analytics services" - but presumably third parties are still able to access this data on request. their privacy policy probably reflects this. if you visit a website and don't want to be tracked, make it as hard as possible for the host to do so, don't rely on what the host says. they can do anything they like with visitors' data. anyone who hosts websites will confirm this


Don't confuse "we don't set cookies" with "we don't set non-essential cookies".

They say no "non-essential" cookies, but an anonymous user just landing on the homepage gets a cookie with some unique-looking tokens.

I've seen many companies just hire the right lawyers that would sign off on all sorts of tracking cookies as "yeah, this is essential, since we can't track users without it, and tracking users is essential to our business model".


> this isn't about tracking users, it's about cookies. no cookies doesn't mean no tracking. it's just a workaround to improve UX.

Except the GDPR and cookie directive, obviously, undeniably, unmistakably, weren't intended to give websites a "bad UX" obstacle to work around.

It's not even about cookies. It's about letting users AGREE to being tracked and then track them, OR (with the same amount of effort and without denying them service vs tracked people) DISAGREE and then not track them.

If they're still tracking me and keeping data about me that they can match to the PI that is my github account, then this "no cookie" thing is just more "letter of the law" bullshit.

I think it's pretty damn clear to Github and MS what the intention of these EU laws are. They can't just say "oh it's worded in a way that gives us wiggle room, so fuck your intentions". Well they can but they'll find out whose faces they told "fuck your intentions" to.

We're trying to protect consumers from tracking bullshit, here. Not throwing up obstacles for large corporations to work around.


> no cookies doesn't mean no tracking

It does though make tracking by third parties so they can sell things to me (or sell information about me to other parties for that use) more difficult. Not impossible though, of course.


Yes, they can do anything with the user's data, if the user has consented, or if they are willing to break the law.

The tracking request you see above requires informed consent under GDPR, and GitHub does not ask for consent before collecting browsing and device data that is tied to GitHub usernames.


consent is simple to gain, who reads the entire ToS and privacy policy?

the law is simple to break and appear as if you're not. they're a big company and will have this covered if needed

the bottom line is, do you place more trust in your local lawmakers and the website you are visiting than you do in yourself


> consent is simple to gain, who reads the entire ToS and privacy policy?

That's not how informed consent works, you can't just mention the collection of personal data in a privacy policy. Consent must be explicitly requested for this type of tracking, and you must be able to reject it, and continue using the service.

> the bottom line is, do you place more trust in your local lawmakers and the website you are visiting than you do in yourself

The request can be blocked with uBlock Origin, but it's still important to draw attention to tracking that may be illegal, since not everyone has a content blocker installed.


if you agree to terms which request consent, you are giving consent. how they are displayed to you and whether or not they are explicit enough or too hidden is subjective

you'll need a stronger arsenal than a content blocker to avoid modern fingerprinting, legal or otherwise


Mentioning user tracking in a TOS or privacy policy that is mandatory to accept in order to use the service is no longer legal.

This article may help you understand what consent means under GDPR: https://www.privacypolicies.com/blog/gdpr-consent-examples/#...


To add to this:

from my understanding of the rules even a lot of the informed consent popups today aren't compliant.

If I understand it correctly (and I think I am) the standard is that it should be equally easy to op out as to opt in, and the default should be opt out.

IMO this means I should just be able to dismiss any GDPR compliant box and the result should be no tracking.


Correct. Also, you cannot withhold access upon users not consenting, so there's literally zero incentive for users to ever consent for compliant providers. Which is kinda obvious with the GDPR's overall goal of making it impossible to use privacy as currency.


GDPR has lots of issues and this is one of the major ones. It can be easily argued that companies cannot be forced to service users and there has been no real precedent or enforcement around this.


A company cannot be forced to service users. It can also decide to stop operating entirely, and die. A company can be forced to not use particular criteria to decide to service specific users, an idea with a long history - a common example is skin color.


This has nothing to do with immutable physical characteristics and such comparisons only highlight how silly the argument is.

Consent is a voluntary action. Usage itself is a form of consent. However a user disagreeing with what the company requires to provide that service but still being entitled to and actively using that service is not workable. User can decide to stop using a service entirely though, if they don't agree with the requirements.


You aren't forced to service users. You just cannot make consent the currency for your service. Either don't require consent or don't operate in the EU.


> "don't require consent "

That's meaningless. Usage is already a form of consent. The discrepancy is between the user and the company in what is consented. Forcing the company to provide service to the user even if the user disagrees with an upfront description of what the company requires to provide that service is a completely valid objection.

Also GDPR applies to any organization providing to citizens of the EU, not companies operating there, but that's yet another example of poor design which results in GDPR having little enforcement.


it will appear legal if it is worded correctly, just the right side of ambiguity, proofread by a dozen lawyers and backed by a multi-million dollar body

also, to contradict your own tangential claim (from your non-authoritative link): "You _should_ ask for consent where you are offering a genuine choice over a non-essential service. Typical examples include:

-Using tracking/advertising cookies"

this document may help you understand the difference between should and must: https://www.ietf.org/rfc/rfc2119.txt


Did you seriously just link an IETF document as the basis for an argument about the law? Never mind the difference between "should" and "must", do you understand the difference between an RFC and the law?

And there is no room for ambiguity in the actual law:

https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%...

> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.


> Did you seriously just link an IETF document as the basis for an argument about the law?

of course not, it was an example to demonstrate the difference and easier to include one link for both definitions than e.g. two for each from a dictionary

> Never mind the difference between "should" and "must"

given the context I believe the difference is of paramount importance

> do you understand the difference between an RFC and the law?

slightly reworded first question but yes, I do, thanks

> And there is no room for ambiguity in the actual law: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%...

that seems a good example for a better source which actually bolsters my point on bad sources, but alas, it's irrelevant. note that it refers to personal data and not (third time lucky) the original argument concerning tracking consent. in fact, I cannot even find any personal data in the OP's URL, probably because no personal data is required to create a GitHub account. let's just ignore that one for now


Terminology in guidelines for following a new law != terminology in technical documents.

Not being able to get implicit consent by hiding some terms in a long legal document is the entire fucking point of the GDPR.


as above


> consent is simple to gain, who reads the entire ToS and privacy policy?

nobody because they are pretty much meaningless in the EU

we got laws to protect consumers, not laws for businesses to trick users into making some meaningless gesture

> the bottom line is, do you place more trust in your local lawmakers and the website you are visiting than you do in yourself

what do you mean by "local lawmakers"? these laws are EU-wide. or did you mean "local" to mean, "non-US"

anyway, these lawmakers are fighting the shitty corporations that pull this tracking stuff

and your bottom line is not really a choice one way or the other. I can use blockers and other plugins to protect myself, AND cheer on the people fighting the fuckfaces that think it's in any way honourable to make a profit by merely following the letter of our laws

but we got some really good consumer protections in the EU. and we try to keep it that way. we're not going to simply roll over because some US corporations are used to being able to track the hell out of US customers


You're talking about GitHub monitoring what signed-in GitHub users do on the GitHub website, right?


I had to put some newlines in that monstrous link because it was breaking the page layout (sorry; it's our bug).


What is the real value in a privacy policy? I assumed they were similar to EULAs - totally unenforceable. Are there actually any legal repercussions if they lie in their privacy policy? Or is it just ill will that might be accrued (and probably quickly forgotten) if they are found out to have violated their own privacy policy?


It sounds like you have misunderstood the purpose of a privacy policy. It is very rare that I encounter one that is designed to protect the user's privacy. Far more often, it's there to protect the company. "I have read and agree to the privacy policy," is a coded way of saying, "I have read and agree to waive my claims to privacy, as outlined in the privacy policy."


> Far more often, it's there to protect the company.

That's pretty much true. And why shouldn't a group try to limit their liability?

> "I have read and agree to the privacy policy," is a coded way of saying, "I have read and agree to waive my claims to privacy, as outlined in the privacy policy."

That's often, but not always true. For example, here's a [sanitized] privacy policy I wrote for a website I set up for a specific (noncommercial) purpose:

"[Site] Privacy Policy

No personal information^ will be stored on the https://www.[site] web server (except as specifically authorized), and every effort will be made to protect the integrity and privacy of such information.

[Site], its management or assignees will never sell personal information collected on this site, nor will they use such information for purposes other than specifically related to the operation of the [Site] website and/or to facilitate the dissemination of information regarding [purpose of site] and other group activities related to [potential users] and other [user purpose] related group activities.

Under no circumstances will street address or telephone number information be stored on the www.[site] by [Site], its management or assignees.

[Site], its management and assignees will never, under any circumstances reveal email addresses, street addresses and/or telephone numbers to anyone without explicit authorization. From time to time, [site] may offer services to allow [potential users] to contact each other. For these services, [Site], its management and assignees make no warranty of fitness for any purpose, including maintaining the privacy of users' personal information.

All personal information will be held in confidence and will only be used for the purposes of the [potential users] [purpose of site] and official [membership organization] business.

This business includes (but is not limited to) providing personal information for inclusion (by the [membership organization]) in a printed work to be published at a later date. If this published work is then used for illegal and/or nuisance purposes, [Site], its management and assignees disavow any responsibility or liability for the use of that information by third parties for any purpose.

If a subscriber (limited to members of the [potential users]) chooses to share their personal information with other subscribers via any mechanism made available through the [Site] web site, mailing list or other conveyance provided by [Site], its management and assignees disavow any responsibility or liability for the use of that information by third parties for any purpose.

Under no circumstances will [Site], its management or assignees be liable or otherwise legally responsible for the theft, misuse or other unauthorized use of personal information.

Any person or entity registering on, providing contact information, or subscribing to the [Site] web site explicitly agrees to all the terms of this privacy policy.

This policy applies to the www.[Site] web site and the [Purpose of site]@[Site] mailing list.

If any portion of this policy is found, by any competent jurisdiction, to be invalid or unlawful, the remainder of this policy will continue to be in force.

The terms of this policy may be modified at any time at the discretion of [Site]. It is the responsibility of the subscriber to review the terms of this policy on a regular basis. Current versions of this policy can be found at https://www.[site]/privacy.html.

^Personal Information: Data such as street address, email address and telephone number which would enable direct contact with the subject of that information."

It does two specific things:

1. Informs users how their PII will (and will not) be used;

2. Clarifies the liability of those who own/run the site.

Unlike most "privacy" policies, there's nothing underhanded or privacy invading/data stealing involved.

I wish more privacy policies were like that.


> And why shouldn't a group try to limit their liability?

When it's unethical to do so :)

... unrelated to your privacy policy btw, which I think is pretty good.


Violation of privacy policies alone does not give rise to a cause of action. However such violations could be useful as evidence in the context of suing on some other basis. Of course, there is no satisfactory basis to sue tech companies for violations of privacy. That is why privacy is being decimated by tech companies. There are no adequate laws to protect it. Privacy policies seem to be an effective way to placate the public. Users seem to take tech companies on their word.


GDPR should have given some legal teeth to privacy policies.


I haven't seen a lot of repercussions, if any actually. I would've figured something big would've happened right now with the antics that are up, but here we are - necessary to download an _opt-out_ extension for Google Analytics. This couldn't be a more blatant disregard for the EU laws than I could imagine. And at the same time here in the Netherlands we have the party responsible for enforcing laws handing out one, almost disproportionally large fine, to a small organisation each year. Like an 800k fine to a tennis unity because they were too aggressive in their data grievance, while all the big guys are still going at it and then some. Sorry for the rant but it's hard to stay optimistic, so seeing something like Github making a good move in the right direction, and seeing the post of plausible.io on the front page, this seems like a good day on the front of privacy.


> Tracking cookies have little value for GitHub when they can collect data about users that have already been authenticated

This is true of every advertiser or data seller, including obvious ones like Google, FB, Amazon... and less obvious ones like your ISP, Apple, etc.

The industry calls it a persistent ID (as opposed to cookies, which are transient IDs): https://digiday.com/marketing/wtf-persistent-id/ (random result, i do not endorse it)

The trick is: the publisher/intermediary has even more information about you, but they call you User-A instead of your name, so they can sell your history, zip, DNA, etc... and just pretend that not labeling the data with your name or some other personally identifiable information already listed in a law somewhere makes everything fine.


History, ZIP and DNA already are personally identifiable information (PII). Pseudonymisation is in general not enough to avoid the GDPR and similar laws. And pseudonymisation would require the removal or obfuscation of all PII to the point that it is impossible to reconstruct the identity of the user.

There's no specific list of information regarded as PII, it's PII if it can be used to identify the user, even if only in combination with the other PII.

The GDPR is really quite broad there, other laws may be more lenient. However, the GDPR is not yet very strictly enforced or tested in court.


> Pseudonymisation is in general not enough to avoid the GDPR and similar laws.

fortunately, "undermining the spirit of the law in order to continue to make a profit" is generally frowned upon in the EU, and lawmakers don't take too kindly to it. sometimes I get the feeling that in the US it's almost acceptable to publicly brag about doing this, like it's even more "socially" acceptable.


> GitHub still sends the same personal data to their own analytics endpoint

I see nothing wrong with that. Analysing your users on your own site is no problem for me. I should know what users do on my property.

What's the problem you have with that?


It's not GDPR compliant without consent. It doesn't matter whether you are using cookies or something else.


Why is it not GDPR compliant? You do not need consent under the GDPR. You need a (documented) "lawful basis for processing" personal information. Consent is just one of several lawful bases and honestly it's the most useless one, if you need consent your business model is screwed.

It's perfectly possible for GitHub to process personal information without explicit consent while not violating the GDPR. Several options come to mind:

1) consider analytics part of the "contract legal" basis, arguing that analytics to improve the usability of the website is a fundamental part of running a website.

2) The "legitimate interest" lawful basis, which states:

> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Arguing that improving the accessibility/usability is in the legitimate interest of both company and user.

I'm fairly confident that, depending on which and what detail of personal information, both of these justifications will be accepted by EU courts.


> I'm fairly confident that, depending on which and what detail of personal information, both of these justifications will be accepted by EU courts.

I believe they must also show that they don't store this data strictly longer than necessary.

Which, in the case of analytics/usability would mean aggregating (and thus depersonalising) the data almost immediately.

And if they do that, it will indeed be fine. Both with the letter, as the spirit of the law.
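To make the aggregation point concrete, here is an added Python example (not GitHub's pipeline; the events are constructed) that drops the identifying dimensions from page-view events, keys the remainder on page and edge region, and suppresses any cell backed by fewer than K_MIN distinct visitors, so that a single person cannot be read back out of the "anonymous" aggregate. The field names follow the request quoted earlier in the thread; the load_ms field, the sample events and the K_MIN threshold are assumptions of this example.

```python
from collections import defaultdict
from statistics import median

# Dimensions that identify a user, a device or a single request.  They are
# dropped before anything is aggregated; the names follow the request
# quoted earlier in the thread.
IDENTIFYING_FIELDS = {"actor_id", "actor_login", "actor_hash", "visitor_id",
                      "cid", "request_id", "user_agent"}
GROUP_KEYS = ("page", "region_edge")  # the aggregate is keyed on these
K_MIN = 3                             # assumed minimum distinct visitors per cell

# Constructed page-view events; load_ms is an assumed per-view timing.
SAMPLE_EVENTS = [
    {"page": "/", "region_edge": "fra", "actor_login": "alice", "visitor_id": "v1", "load_ms": 600},
    {"page": "/", "region_edge": "fra", "actor_login": "bob", "visitor_id": "v2", "load_ms": 400},
    {"page": "/", "region_edge": "fra", "actor_login": "carol", "visitor_id": "v3", "load_ms": 500},
    {"page": "/", "region_edge": "fra", "actor_login": "dave", "visitor_id": "v4", "load_ms": 700},
    {"page": "/", "region_edge": "iad", "actor_login": "erin", "visitor_id": "v5", "load_ms": 300},
    {"page": "/", "region_edge": "iad", "actor_login": "frank", "visitor_id": "v6", "load_ms": 400},
    {"page": "/", "region_edge": "iad", "actor_login": "grace", "visitor_id": "v7", "load_ms": 500},
    {"page": "/settings", "region_edge": "fra", "actor_login": "alice", "visitor_id": "v1", "load_ms": 900},
    {"page": "/explore", "region_edge": "iad", "actor_login": "bob", "visitor_id": "v2", "load_ms": 350},
    {"page": "/explore", "region_edge": "iad", "actor_login": "erin", "visitor_id": "v5", "load_ms": 450},
]


def strip_identifiers(event):
    """Return a copy of the event with every identifying field removed."""
    return {k: v for k, v in event.items() if k not in IDENTIFYING_FIELDS}


def aggregate(events, k_min=K_MIN):
    """Reduce raw events to per-(page, region) view counts and median load time.

    Distinct visitors per cell are counted before the identifiers are
    stripped; cells with fewer than k_min visitors are suppressed, because a
    cell with one view hands that visitor's timing to anyone who knows the
    page and region they used.  Only the aggregate is returned, so nothing
    identifying needs to be kept once this has run.
    """
    timings = defaultdict(list)
    visitors = defaultdict(set)
    for event in events:
        key = tuple(event[k] for k in GROUP_KEYS)
        visitors[key].add(event.get("visitor_id"))
        timings[key].append(strip_identifiers(event)["load_ms"])
    aggregated = {}
    for key, samples in timings.items():
        if len(visitors[key]) < k_min:
            continue
        aggregated[key] = {"views": len(samples), "median_load_ms": median(samples)}
    return aggregated


if __name__ == "__main__":
    for (page, region), stats in sorted(aggregate(SAMPLE_EVENTS).items()):
        print(f"{page:10s} {region}  views={stats['views']}  median={stats['median_load_ms']}")
```

With the sample data, the home page keeps its two regional cells while /settings (one visitor) and /explore (two visitors) are suppressed; lowering k_min would release them, which is the trade-off between usefulness and re-identification that any retention-minimising analytics design has to make explicitly.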


That's a good point. Microsoft has been much less heavy handed than I expected. But your point about how the data is used, I am very curious too. I wonder if they'd be willing to make the privacy policy readable?..


Microsoft would like for you to adopt an image of GitHub as an upright corporate endeavor - but remember they block/censor developers from world states that the US doesn't like.


Microsoft/GitHub as businesses incorporated in the United States are bound by the law of the United States. I am not sure of what you are insinuating here.


Oh, great, they have an excuse.

Just like they have an excuse for allowing the NSA direct access to all of your data, right?


Yes, I don't understand this weird movement where businesses are expected to go against the government.

You disagree with your own government that's perfectly fine, and for the record I agree with you on the issues themselves, but if you want embargoes against Iran to be lifted or for the NSA to stop hoarding Americans' data you have to do the boring work of convincing the people to vote for people who share those ideas.

Real change will not come from corporations, it simply cannot because their mission is profitability, they support movements if there is no financial risk to do so.


Good job, can more companies follow the lead now? Btw when I see that banner - I always reject the option and still have not experienced any bad experience from website.


If you don’t have to actually make money though, there isn’t really a point to the analytics third parties enable - eliminating bots and click fraud. Microsoft managers are incentivized to not identify bot or noise traffic, since their performance metrics do not separate those.


It is harder than that. I would for example like to use the google maps api - but I can't.


> I hope this is a good demonstration of a hands-off approach at Microsoft in regard to company culture.

I might 1‰ buy that if they restored the Widevine repos they snuck down for Google under cover of the controversy caused by complying with the MS-funded RIAA’s quasi-legal youtube-dl takedown request.




