
We received an apology email at the same time, well written, explaining what they did wrong, apologizing, promising to do a post-mortem, promising to not send to 3rd party trackers, and saying they made a mistake and were waiting for feedback on the issue tracker. And with very little BS in the mail.

Such a level of transparency, of apologizing and clarity, especially written in the first person ("I am truly sorry."), is very rare and should be praised.



What should really be praised... Without further ado, congratulations to everyone protesting against this gitlab move. This is something that should have been done years back when google started with its tracking, same with facebook. This is the behaviour that should be seen each and every time some company wants to take advantage of its users. But to my sadness it is rarely seen. So once again congratulations to each and every gitlab user that did anything against their move.


It was done. There even were those small banners that said something along the lines of "if you have gmail I won't mail you" etc.

Thing is, the broader public doesn't care. The difference between gitlab and gmail is primarily that developers care more about this stuff and value their code more than most people care about their email. They are also much more informed in the matter; most using gmail haven't got a clue.


"...developers care more about this stuff..."

No, they only care when the tools they are using are targeted. Otherwise, they couldn't care less.

We have tracking on websites and in apps on an industrial scale - built by developers in technology companies. We even have tracking of school kids courtesy of ChromeOS. When have developers ever shown any care about that? When have they ever spoken out about that? They're more likely to rush to defend that software and the company that built it: It's not being used to build profiles, or the data is aggregated and anonymous.

Presumably, if GitLab tracked behaviour 'anonymously' and in aggregate form, that would all be fine? Didn't think so. The hypocrisy that runs through the programming profession when it comes to online tracking really knows no end.


If I had a guarantee from Gitlab that _they_ were scrubbing the data, I would have no problem. I get the sense they know what they're doing (naive, maybe)

However, giving a third party script, potentially unvetted, access to the crown jewels of the company I work for? No fucking way.

Different. Not a double standard.


They are tracking things anonymously at least in some places, judging by what I've read in the linked Gitlab issue tracker threads. The debacle started with someone higher up requesting to start recording user ID with that data, in order for the "growth team" to be able to do "experiments".


There's a difference between gitlab and gmail. People pay for gitlab while gmail is free. Google can easily declare "either you take it for what it is, or leave."

Gitlab can't.


A lot of institutions used to run their own e-mail. Over the years I've watched as my e-mail addresses (both universities and my current employer) have been replaced by Gmail on the backend. All of them stopped being willing to manage e-mail themselves. None of them were willing to use a less surveillance-oriented provider. That choice wasn't made by consumers. It was made by the same kind of informed IT people. I suspect it wasn't free, either.


I remember when Dartmouth ran blitz mail... when google talk supported jabber... when people complained mostly about MAPI...

It’s a shame that so many innovations are being squashed in communication because of the “free” price for cloud solutions.

Google is learning so much about students thanks to this program.


I thought the main problem with e-mail specifically was spam, and the reputation model that's arisen to combat it: a medium-sized university running their own e-mail service runs a risk of getting their domain blacklisted, if a few accounts are compromised and start sending out mass mailings.


For universities, it actually is free (as in beer), aside from the university staff's compensation toward the migration.


My understanding was that Gitlab wanted to collect your data to improve their product. Google is collecting your data to sell ads.

I understand the reticence towards third party telemetry, but refusing basic interaction tracking for a product you pay for is just hurting yourself, even if you're already satisfied with the service. You don't go to the doctor for a checkup and then refuse bloodwork. Obviously there are rules around privacy for medical records that don't exist for interaction tracking. But I don't think the solution should be to get rid of tracking entirely, it should be to extend reasonable privacy rights and protections to our online data.


My understanding was that Gitlab wanted to collect your data to improve their product.

Gitlab could have collected anonymous data, with opting out of collection as the default, and promised not to sell it if they seriously believed it was about improving their product. Plenty of products record telemetry data only if you opt in to the program. Users understand and often accept that. That approach would have generated fewer headlines.


Opt-in telemetry does not allow you to draw statistical conclusions because your data is skewed/incomplete due to selection bias. This is why developers are so intent on opt-out: it ensures that they have more accurate data to drive their roadmap. Clearly there are going to be privacy concerns with this, so they really need to minimize how much identifiable information they collect, and then communicate to users what will be collected, how it can be used, and who will have access to it. Gitlab seems to have jumped the gun and skipped over much of this part of the process, which sparked a justified backlash, but I don't fault them for wanting opt-out telemetry.


Opt-out is not a reasonable approach to telemetry, end of story. It's perfectly understandable how problematic that is for statistics, but statistics never trumps the fact that your software should not snoop without your permission.

No amount of vague promises over how good you will be and how nice you'll treat your users' information should be enough to make this acceptable. We have a huge body of evidence informing us that trust is a fundamentally bad idea when it comes to a corporation.


> This is why developers are so intent on opt-out

In GitLab's case, developers weren't. Their C-level executives simply overruled them and forced the change.


> but refusing basic interaction tracking for a product you pay for is just hurting yourself,

If that were the case, Gitlab could have simply asked for permission.


Were people really arguing for removal of telemetry altogether? I would think that many of us are comfortable with aspects of tracking.

For me, the concern was the value of the content. It might as well have been my bank saying they were going to start embedding disqus threads.


Not everyone wants tracking, even if that means sacrificing software quality. Making it mandatory is never excusable.


It was opt-out, not mandatory.


Was it? My bad. I thought I read something about GitLab planning to block access to the platform until you accepted the new ToS but maybe I was wrong.

My point still stands though.


Gitlab has a fairly powerful "free" (as 'gratis') service-plan.

https://about.gitlab.com/pricing/gitlab-com/feature-comparis...


Both are freemium. However, there's slight truthiness in your claim by way of the difference in probability that any given non-business user pays.


Gitlab has an excellent free plan, in fact it’s so good I honestly don’t understand how they can afford it and doubt it will last (but really hope it will for individual developers). They even give you Docker registries and thousands of CI hours.


> doubt it will last

Yeah it won't. It's just too good to be true


Yeah, people back then should have written angry replies to Google's and Facebook's advance warnings about the tracking they were planning on doing. /s


Oh, so we only live in a surveillance-capitalist state because we didn’t send Facebook and Google enough emails? D’oh! Who knew it was that simple?


Read it again...


It's a tiny SaaS that depends on customer good will. A few hundred pings did the job because we matter.

If only this worked with giant corps. FB has around 2.4 billion MAU and a few nerd rants won't be noticed the next time they screw the user and a handful complain.


> 'tiny'

Goldman Sachs valued it close to $3b.


Frankly I can understand that an ad-selling company like Google wants to track its users. Their core business depends on that.

Why Gitlab wanted to do this I have no idea; sounds like some marketing people came up with such an idea "because everyone is doing this"?

Tracking wasn't going to bring much revenue, if any, so they could just get rid of that, trying to turn it into some positive PR. The cynic in me tells me that if they smell any significant money from tracking they would tell HN and the rest to back off (or would add some convoluted way to opt out from tracking).


> same with facebook

There was a huge uproar when Facebook first launched "Beacon", and it was cancelled as a result.

Unfortunately it just morphed into the Facebook Platform and eventually the Pixel. Same pig with different lipstick.


If you want to ban tracking, I would totally oppose it. I think it's great that Google manages to make money out of my personal data, and in return I get to use their free service. Fortunately, in regard to Google users, there are more people who are fine (or don't care) with tracking.


The ability for people to have amazing technology and spend no currency on it is, in my opinion, a net positive for the world. But it would be nice if there were some provable toggle switch to choose between paying with data and paying with currency, for those who prefer the latter. Since proof is problematic, carefully selecting your vendor is the toggle switch, and that kind of switching unfortunately has switching costs including the massive inconvenience when, say, using an Android phone without a Google account.


What google services do you think would not continue to be free if they couldn’t mine your personal data?


Saying "I'm sorry" when you don't have to is worth praise. Saying it when your back is to the wall and your job is on the line - even cowards can do that.

I agree it's one of the best-written apologies I've heard in a while, and they deserve some praise for not letting the corporate ~bullshit~ PR department run loose all over it.

But still. I suggest that whoever is responsible should resign as a result of this Pendogate business. I feel that he has betrayed users' trust in a way where an apology alone is not sufficient. I personally consider the original plan - we'll lock you out of your accounts and disable the API until you accept our new TOS, if you don't like it there's the door - far worse than anything Brendan Eich ever did, for example. I don't want people who ever think that could be an acceptable idea in charge of a company I rely on day-to-day.

Replacing him would be a very strong signal from Gitlab's board that they are truly sorry and understand the severity of this scandal, and would also encourage future CFOs to take their users' views more seriously.

It is pathetic in a way that while lots of people were worried that Microsoft would "corporatise" github, it's gitlab that decided it was ok to threaten to lock people out from their accounts until they "consented" to this.

_EDIT: Paul Machle is CFO, Sid Sijbrandij is CEO and the person who sent the apology. I have removed names from the original post as I am not sure which of them signed off the original idea. I expect a CEO to take the attitude "the buck stops with me" though - they should be accountable even if they're not directly responsible._


No, there's nothing to praise here.

When I delete all my repositories by hand, one by one, I expect to not find a joke in that email about how "this email is sent to you because you have an active repository on Gitlab".

When I delete an account on Gitlab I expect to be deleted from all further mailings (especially ones I never subscribed separately to), yet I got this email today. How many more places do I have to delete my information from to finally be rid of Gitlab?

How many more third-party companies has Gitlab shared my data with at this point? Because that they do have it, there's no question about it; after all I just got this email.


Hi GitLab employee, we used the same mailing list as the one we used for the first email, so that's why you still received it. If you deleted your account you won't get any future emails.


What concerns me is how it got to the point of having to apologize in the first place. It implies a level of disconnect and corporate group-think that is fundamentally misaligned with the core customer expectation of what is in essence a community enabling system. How did Gitlab end up with a set of managers that ever thought this would fly? They clearly were completely surprised by their customers' reaction, something that almost any of Gitlab's users would have understood viscerally.

This level of management disconnect does not bode well for Gitlab, as a paying customer this worries me...


Still, it's worth something that they reversed course and apologized, where so many companies wouldn't do either.


You can read email content on this issue https://gitlab.com/gitlab-com/www-gitlab-com/issues/5672


Given that any default opt-out is a clear violation of GDPR when it comes to data gathering, I wonder how it ever passed compliance/legal. Given the size of the company (valued ~ $3b) they should have some 'data protection officer' position.

I recall they set up some blog page with explanations, so obviously they expected push back. Part of my work is making sure policies, code, etc. are compliant. Notifying compliance for such changes should be a standard procedure as well. In this regard I can't understand how the entire process went through, as a GDPR challenge should have been expected.


There is a comment on the issue tracker alleging that the CFO overrode concerns by the Director of Global Risk and Compliance.


Wow, do you have a link for that?

Pushing through a legal recommendation is quite reckless. GDPR is quite a hot topic and the regulation has real teeth (aside from the public backlash).


It's a comment by @rfc1459 on https://gitlab.com/gitlab-com/www-gitlab-com/issues/5672 "The CFO trying to overrule issues raised by the Director of Global Risk and Compliance. Just... wow." relating to https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no... - which on closer reading refers to snowplow, not Pendo.

The original comment from Paul Machle is "I don’t understand. This should not be an opt in or an opt out. It is a condition of using our product. There is an acceptance of terms and the use of this data should be included in that."

I am not a lawyer, but that does contradict pretty much everything I've been taught about GDPR.


Nice! An apology apology! Way to go GitLab!


Yes. Wonderful. More like this!

