Told by privacytools.io to avoid USA services, but every important thing seems in USA. Where are you guys from?

…analytics and telemetry for advertising purposes. Github’s revenue model is through selling…

“We may share your information with third parties under one of the following circumstances: with your consent, with our service providers, for security purposes, to comply with our legal obligations, or when there is a change of control or sale of corporate entities or business units.”

So when don’t they share your info?

“Tracking and analytics: We use a number of third-party analytics and service providers to help us evaluate our Users’ use of GitHub, compile statistical reports on activity, and improve our content and Website performance. We only use these third-party analytics providers on certain areas of our Website, …”

A number of? Who is not on this list of companies sharing, not selling, your site activity info?

I don’t work for Microsoft or Github, so I don’t know for certain, but these would be my best guesses:

So they either ask you.

People that provide service to Github (ISP, DC etc), this could possibly be DDoS protection, etc. Additionally Github logins can be used as an OAuth login, so that would be any site which you use your Github password to log into.

Server logs, abuse detection etc.

Law enforcement, i.e. in the event someone committed something they were not supposed to, or financially related, as Github does sell services (Pro/Enterprise), i.e. some sort of fraud, debt collection, etc.

Obviously if Microsoft sold the whole of Github off to someone else, that new owner would want to pick up where they left off. The product may of course change in any number of ways.

Well, I think you answered your own question there. Those Github sub processors only likely get the relevant information to provide their services anyway. Certain fairly obvious features (such as SMS) obviously require the use of things like Twilio, etc.

I am surprised to see Google Analytics there, as I don’t see any cross-site requests to that when using their site.

To be honest, I see a lot of outrage over nothing really, this sort of privacy policy is fairly standard practice for a company offering products (some of which are paid).

I wouldn’t say “outrage,” but strong dislike would fit. Yes, those Terms of Service are similar to others we give our privacy in surveillance capitalism. Other than difficulty/effort of moving to another service or hosting your own, I can’t understand your lack of concern, but I’ll drop it after this:

Kudos to @infosechandbook who only stayed on github for about 9 months, whatever the reasons:

Changes on October 20, 2019: Moved blog content repo from GitHub to codeberg dot org.

Changes on January 21, 2019: Migrated development backend from Keybase Git to GitHub.


~June-October 2018 Microsoft buys Github

Just for clarification:

  • Codeberg hosts the public Git repository containing our blog content (e.g., all pages, all articles) and our website mirror. One of our contributors is an active member of the Codeberg association, so the project is more transparent than other services, and we are (indirectly) paying for their hosting.
  • Apart from this, we still have repositories hosted by other providers. However, those Git repositories are all private.

Keep in mind that different providers come with various features. While codeberg.org (or similar services) might fit our use case of showing a full and signed changelog of our blog changes for transparency, there are other features that you don’t get due to limitations of Gitea that runs under the hood.