Update github-privacy-statement.md #314
* Clarifications and alignment of the language across our Terms of Service, Privacy Statement, Corporate Terms of Service, and Enterprise Subscription Agreement regarding:
  * notice of changes
  * access to private content
* Mirrored language in Acceptable Use Policies to provide additional clarifying example of prohibited use of GitHub user information

Updates will go into effect after the 30-day notice and comment period, on November 16, at 5 pm PT.
Policies/github-privacy-statement.md
Outdated
| ### Changes to our Privacy Statement | ||
|
|
||
| Although most changes are likely to be minor, GitHub may change our Privacy Statement from time to time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least 30 days prior to the change taking effect by posting a notice on our home page or sending email to the primary email address specified in your GitHub account. We will also update our [Site Policy repository](https://github.com/github/site-policy/), which tracks all changes to this policy. For changes to this Privacy Statement that are not material changes or that do not affect your rights, we encourage Users to check our Site Policy repository frequently. | ||
| Although most changes are likely to be minor, GitHub may change our Privacy Statement from time to time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least 30 days prior to the change taking effect by posting a notice on our home page or sending email to the primary email address specified in your GitHub account. We will also update our [Site Policy repository](https://github.com/github/site-policy/), which tracks all changes to this policy. For other changes to this Privacy Statement, we encourage Users to check our Site Policy repository frequently. |
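Review bot: In the last sentence of the new text, "For other changes to this Privacy Statement" no longer says which changes fall outside the 30-day notice. The old wording named them ("not material changes or that do not affect your rights"); consider "For non-material changes to this Privacy Statement" so the sentence still reads as the counterpart of "material changes" earlier in the paragraph.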
IMHO: `to check our Site Policy repository frequently.` should be replaced with `to subscribe to our Site Policy repository using "watch" feature or any other means and to provide feedback using PR review capabilities.`
Thanks @KOLANICH for the suggestion! We've added "watch" with a link to our documentation in case the reader is not familiar.
Policies/github-privacy-statement.md
Outdated
| #### Cookies | ||
|
|
||
| GitHub uses cookies to make interactions with our service easy and meaningful. Cookies are small text files that websites often store on computer hard drives or mobile devices of visitors. We use cookies (and similar technologies, like HTML5 localStorage) to keep you logged in, remember your preferences, and provide information for future development of GitHub. For security purposes, we use cookies to identify a device. By using our Website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept these cookies, you will not be able to log in or use GitHub’s services. | ||
| GitHub uses cookies and similar technologies (collectively, “cookies”) to make interactions with our service easy and meaningful. Cookies are small text files that websites often store on computer hard drives or mobile devices of visitors. We use cookies to provide you our services, for example, to keep you logged in, remember your preferences, identify your device for security purposes, and provide information for future development of GitHub. By using our Website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept these cookies, you will not be able to log in or use GitHub’s services. |
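Review bot: The new first sentence defines "cookies" to cover "similar technologies", but the next sentence still describes cookies as "small text files", which does not describe the other technologies, and the example the old text gave (HTML5 localStorage) is dropped. Consider naming the similar technologies in use and introducing the collective term after the description of cookies, so the consent and disable sentences at the end clearly state what they cover.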
`similar technologies` are too broad and inexact. IMHO it may be even incorrect to call them cookies. So enumeration of all the tracking technologies used on GH is needed.
What would you expect from a complete list?
Unless there's something unique about a particular tracker, I'm worried a long list of technical details will make the policy harder to read without leaving me any more informed.
Let's see the list of tracking technologies that GitHub uses and see how graceful we can make the text. For instance, does GitHub reserve the right to use 1 pixel gifs to track referrers?
Of course, you could link to a separate or expandable attachment / policy page to let users decide whether they want to scan the list or not.
I agree with @KOLANICH and wrapping things up under "cookies" and then further describing cookies in a way that doesn't apply to other technologies like local storage feels a little off to me.
This is my stab at it but obviously I'm no lawyer and this likely needs to be retooled. I thought about doing the (collectively, "identifiers") but that might make it harder to read as the description of cookies is still important for non-technical readers.
| GitHub uses cookies and similar technologies (collectively, “cookies”) to make interactions with our service easy and meaningful. Cookies are small text files that websites often store on computer hard drives or mobile devices of visitors. We use cookies to provide you our services, for example, to keep you logged in, remember your preferences, identify your device for security purposes, and provide information for future development of GitHub. By using our Website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept these cookies, you will not be able to log in or use GitHub’s services. | |
| GitHub uses cookies and similar technologies (“identifiers”) to make interactions with our service easy and meaningful. Cookies are small text files that websites often store on computer hard drives or mobile devices of visitors. We use cookies and identifiers to provide you our services, for example, to keep you logged in, remember your preferences, identify your device for security purposes, and provide information for future development of GitHub. By using our Website, you agree that we can place these types of cookies and identifiers on your computer or device. If you disable your browser or device’s ability to accept these cookies and identifiers, you will not be able to log in or use GitHub’s services. |
> What would you expect from a complete list?

The complete list should mention all the tracking technologies de-facto used or planned to be used when the policy comes into effect and should not mention the tracking technologies that are not used and are not planned to be used after the policy comes into effect. Why it is needed: to make it clear which tracking tech is going to be used.
Because different tracking tech have different invasiveness. I.e. cookies and storage API and service workers are acceptable as long as I can easily disable, block or clean each of them and it won't make the service unusable. Passive server-side fingerprinting (i.e. TCP/IP stack) is acceptable in the sense we as users cannot even know if it has happened, and we can take countermeasures, like standardizing behavior of TCP/IP stacks, to make all the stacks' observable behavior identical. Client-side JS-, CSS-, WebGL-, WebGPU- and any kind of sensor-based fingerprinting and input tracking is completely unacceptable. Reliable sandboxing of code in a Turing-complete language is impossible, so the only choice to mitigate it is to disable JS completely. Intentionally using speculative attacks or exploits to extract data stored on PC to which websites normally have no access, is so unacceptable, that may be even illegal.
> Because different tracking tech have different invasiveness.
In that case, would it be enough to say how invasively they track us?
| GitHub uses cookies and similar technologies (collectively, “cookies”) to make interactions with our service easy and meaningful. Cookies are small text files that websites often store on computer hard drives or mobile devices of visitors. We use cookies to provide you our services, for example, to keep you logged in, remember your preferences, identify your device for security purposes, and provide information for future development of GitHub. By using our Website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept these cookies, you will not be able to log in or use GitHub’s services. | |
| GitHub uses cookies and similar technologies (“identifiers”) to make interactions with our service easy and meaningful. Cookies are small text files that websites often store on computer hard drives or mobile devices of visitors. We use cookies and identifiers to provide you our services, for example, to keep you logged in, remember your preferences, identify your device for security purposes, and provide information for future development of GitHub. By using our Website, you agree that we can place these types of cookies and identifiers on your computer or device. If you disable your browser or device’s ability to accept these cookies and identifiers, you will not be able to log in or use GitHub’s services. GitHub does not use client-side "fingerprinting" technologies to bypass your cookie settings. |
Or if they are using them:
GitHub may use client-side "fingerprinting" technologies to identify you even if you do this.

I'd also expect to find a more complete list of technologies in the cookies on GitHub page linked in the next paragraph. It doesn't seem like it's getting the new ones yet, though.
> In that case, would it be enough to say how invasively they track us?
IMHO no. Different tracking tech has different countermeasures. So a list is needed, that can be monitored. Ideally the list should also mention sufficient countermeasures to each tracking technology used/planned.
Thanks @KOLANICH and others! Please see my latest commit. We use localStorage, which enables our site to store information locally on your device. For example, localStorage may be used to enable functionality such as your pre-populated search results in the search drop-down.
Under Changes to our Privacy Statement, have added "watch" with a link to our documentation in case the reader is not familiar.
Edit responding to user comments on need for clarity on "similar technologies" under "Our use of cookies and tracking"
| #### Cookies | ||
|
|
||
| GitHub uses cookies and similar technologies (collectively, “cookies”) to make interactions with our service easy and meaningful. Cookies are small text files that websites often store on computer hard drives or mobile devices of visitors. We use cookies to provide you our services, for example, to keep you logged in, remember your preferences, identify your device for security purposes, and provide information for future development of GitHub. By using our Website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept these cookies, you will not be able to log in or use GitHub’s services. | ||
| GitHub uses cookies and similar technologies (e.g., HTML5 localStorage) to make interactions with our service easy and meaningful. Cookies are small text files that websites often store on computer hard drives or mobile devices of visitors. We use cookies and similar technologies (hereafter collectively "cookies") to provide you our services, for example, to keep you logged in, remember your preferences, identify your device for security purposes, and provide information for future development of GitHub. By using our Website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept these cookies, you will not be able to log in or use GitHub’s services. |
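Review bot: "(e.g., HTML5 localStorage)" in the first sentence leaves the set of "similar technologies" open-ended, while the later "you agree that we can place these types of cookies" applies to everything under the collective term. Consider listing the technologies here or linking to a page that enumerates them, and quoting the defined term the same way on both lines (“cookies” on the old line, "cookies" on the new one).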
It hasn't improved anyhow. I still don't see the full list.
improved [link](docs.github.com/github/managing-subscriptions-and-notifications-on-github/viewing-your-subscriptions#configuring-your-watch-settings-for-an-individual-repository) for watching a repo
Thanks for all your feedback! The policy changes are now live. You can learn more in our blog post here.