
Gitlab cancels plan on tracking user behavior on GitLab.com - tyteen4a03
https://gitlab.com/gitlab-org/growth/product/issues/164
======
jbk
We received an apology email at the same time, well written, explaining what
they did wrong, apologizing, promising to do a post-mortem, promising to not
send to 3rd party trackers, and saying they made a mistake and waiting for
feedback on the issue tracker. And with very little BS in the mail.

Such level of transparency, of apologizing and clarity, especially written in
the first person "I am truly sorry." is very rare and should be praised.

~~~
stiray
What should really be praised... Without further, congratulations to everyone
protesting against this gitlab move. This is something that should be done
years back when google started with its tracking, same with facebook. This was
the behaviour that should be seen each and every time some company wants to
take advantage of its users. But to my sadness it is rarely seen. So once
again congratulations to each and every gitlab user that did anything against
their move.

~~~
tjoff
It was done. There even were those small banners that said something in the way
of "if you have gmail I won't mail you" etc.

Thing is, the broader public don't care. The difference between gitlab and
gmail is primarily that developers care more about this stuff and value their
code more than most people care about their email. They are also much more
informed in the matter, most using gmail haven't got a clue.

~~~
z92
There's a difference between gitlab and gmail. People pay for gitlab while
gmail is free. Google can easily declare "either you take it for what it is,
or leave."

Gitlab can't.

~~~
cellar_door
My understanding was that Gitlab wanted to collect your data to improve their
product. Google is collecting your data to sell ads.

I understand the reticence towards third party telemetry, but refusing basic
interaction tracking for a product you pay for is just hurting yourself, even
if you're already satisfied with the service. You don't go to the doctor for a
checkup and then refuse bloodwork. Obviously there are rules around privacy
for medical records that don't exist for interaction tracking. But I don't
think the solution should be to get rid of tracking entirely, it should be to
extend reasonable privacy rights and protections to our online data.

~~~
onion2k
_My understanding was that Gitlab wanted to collect your data to improve their
product._

Gitlab could have collected anonymous data, with opting out of collection as
the default, and promised not to sell it if they seriously believed it was
about improving their product. Plenty of products record telemetry data only
if you opt in to the program. Users understand and often accept that. That
approach would have generated fewer headlines.

~~~
maccam94
Opt-in telemetry does not allow you to draw statistical conclusions because
your data is skewed/incomplete due to selection bias. This is why developers
are so intent on opt-out, it ensures that they have more accurate data to
drive their roadmap. Clearly there are going to be privacy concerns with this,
so they really need to minimize how much identifiable information they
collect, and then communicate to users what will be collected, how it can be
used, and who will have access to it. Gitlab seems to have jumped the gun and
skipped over much of this part of the process, which sparked a justified
backlash, but I don't fault them for wanting opt-out telemetry.

~~~
krageon
Opt-out is not a reasonable approach to telemetry, end of story. It's
perfectly understandable how problematic that is for statistics, but
statistics never trumps the fact that your software should not snoop without
your permission.

No amount of vague promises over how good you will be and how nice you'll
treat your users' information should be enough to make this acceptable. We
have a huge body of evidence informing us that trust is a fundamentally bad
idea when it comes to a corporation.

------
tyre
The reaction to this whole saga has been insane. Chill out people.

They fucked up, users gave feedback, they listened.

This isn't some corporate conspiracy, some grand ethical dilemma with an evil
company on one side and some white knight hackers on the other.

Let's imagine for a second that they are people trying to do the right thing,
with years of history doing the best they can.

They wanted to measure usage to make their product better. People seem to
disagree, which, okay, but the outrage here is everything wrong with the
internet.

~~~
hn_throwaway_99
> The reaction to this whole saga has been insane. Chill out people.

I very much disagree. I think the outcry was warranted, and right now I see
GitLab doing the right thing (and, obviously, the outcry was a huge reason for
that).

Changing plans in the harsh light of public condemnation isn't easy, and for
that I very much commend GitLab. As someone who was very much against the
previously announced change, though (
[https://news.ycombinator.com/item?id=21350146](https://news.ycombinator.com/item?id=21350146)
), I'm glad the community feedback was so strong.

~~~
prophesi
Yeah, if the outcry continued even after their rollback & apology, _then_ it
would be unwarranted. But everyone's happy now (well, arguably GitLab may not
be, but they should surely be able to work out a solution with the community
on how to collect telemetrics in a privacy-conscious way).

I'm also glad the feedback was so strong, as the ad-tech industry has spent
the past 15 years numbing the general populace to unwarranted (and often
unnecessary) telemetrics.

It's understandable that GitLab had no ill-intentions. But how can one know
whether third-parties share such sentiments?

~~~
flukus
> Yeah, if the outcry continued even after their rollback & apology, _then_ it
> would be unwarranted.

The outcry may stop but the trust is now gone and will take years to rebuild.
Next time I'm considering/recommending on-premise git hosting I won't be
recommending gitlab.

I'm also considering moving my personal repos that I pay for. Generally I only
interact through the CLI and don't think about the web interface much, but
apparently when I go there I'm sharing info with whatever the hell gravatar
is.

~~~
hunter2_
While I haven't used it myself, I think gravatar is an avatar that gravitates
toward you, as implemented by you putting an image on their server, and
countless other websites include it from that server when an identifier
(probably email address) match exists between the two accounts. So in other
words, gravatar knows a bit about your usage of countless websites that each
volunteered your usage pattern to it. Since evidently you are seeing a
connection between your machine and gravatar, they get page-load granularity.
If this description is incorrect, which it very well might be since I know
nothing about the service beyond what I inferred by its name, please do
correct me.

------
igreulich
I don't see where it is canceled. The closest thing I see to canceled, is
postponed.

From the update: 'We will not activate user level product usage tracking on
GitLab.com or GitLab self-managed before we address the feedback and
re-evaluate our plan.'

That leaves a lot of wiggle room.

~~~
SlowRobotAhead
No 1/2 decent CEO, PR, Legal or any other department at work here would leave
themselves without wiggle room.

I’ll reserve the pitchforks for if this comes up again.

~~~
hanniabu
Yup, and it's not that they plan to backtrack, it's to reserve room for not
committing to an exact outcome, but instead a general outcome. What they plan
to do is not necessarily what will happen exactly, as anybody that has been in
a position of authority or part of a project knows. Things may take a little
longer, there may be some detours, etc. It's insurance so somebody doesn't
armchair nitpick and shame them.

------
tyteen4a03
This comment, from the CFO, is particularly nasty:
[https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no...](https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#note_203849107)

~~~
zapita
You may or may not agree with that comment, but it is not nasty. What is
nasty, on the other hand, is the vitriolic reaction to it. So far I count 16
"middle finger" emojis, including one with the subtitle "incompentent or
malicious CFO". In what world does a disagreement over the right level of
telemetry justify this kind of behavior?

It's mind-boggling to me how entitled and aggressive the open-source culture
is allowed to be. Does a company like Gitlab really deserve to have its
employees publicly insulted in this way, after giving away so much to their
users, for free, and being so much more transparent than 99% of tech
companies?

At this point I don't understand why anyone in their right mind would go to
the trouble of making their product open-source. It's just not worth it.

~~~
Accacin
> In what world does a disagreement over the right level of telemetry justify
> this kind of behavior?

In a world where companies think little of collecting and selling our personal
data to make a profit? In a world where companies feel the need to track every
part of my life with or without my permission. This is something I can't
escape, as every time I interact with someone that does use one of these
platforms then they are able to collect data on me.

We both know that there _are_ companies out there that are trying their best
to not exploit their users, and sadly these companies are often held to much
higher standards. When a company that we trust, and trust enough to recommend
to others who value their privacy, it _does_ hurt when a company goes in the
opposite direction with your privacy even when they have noble intentions at
heart.

It's also completely telling when their engineers are standing up for their
users and others at the company are trying to find any excuse to collect
certain information for _reasons_.

Now, I'm never for personal attacks on someone no matter what, but I find it
hard to call out people for using a widely used and available emoji. I do
agree it's very much on the line and others might take the other opinion in
this case.

~~~
matz1
Then what about the people who are fine with the tracking and selling personal
data (I for one)? I think it's great that, let's say, Google manages to make money
out of my personal data, and in return I get to use their free service.

~~~
necovek
Great for you. But please smoke outside so the rest of us don't have to deal
with negatives (eg. smell if not health issues).

(Hopefully you get the parallel: some of us consider it harmful, and the fact
that you don't care or you actually enjoy it does not mean we should be
subjected to it)

~~~
matz1
In regards to smoking, sure it's great for the non-smokers but it sucks
for the rest of smokers.

~~~
TeMPOraL
It's really not too much to ask smokers to not externalize the health problems
of their addiction to other people. On the contrary, a decent human being
would not willingly expose non-smokers to cigarette smoke. Unfortunately,
there's not enough decency around to outweigh convenience, so it had to be
turned into law.

As for telemetry, I can't find any reason one would willingly subject to it.
But even if, that's why laws like GDPR don't ban it outright, just ask for it
to be optional and opt-in.

~~~
matz1
> It's really not too much to ask smokers to not externalize

Sure, from the perspective of non-smokers.

> On the contrary, a decent human being would not willingly expose non-smokers
> to cigarette smoke

A decent non smoker can also excuse themselves, in order not to disturb the
smokers.

> Unfortunately, there's not enough decency around to outweigh convenience, so
> it had to be turned into law

This is nothing to do with decency, the smokers don't have enough
power/influence to prevent it to become law.

Let's say in a place where 95% are smokers, or even in the place there are 5%
smokers but those 5% has a lot of power/influence. Do you think there will be
law against smokers?

> As for telemetry, I can't find any reason one would willingly subject to it

You mean willingly subject to tracking? Like I said before, I am fine with
tracking because the benefit outweighs the cost, it gives me something in
return, free or cheap service.

~~~
TeMPOraL
> _Sure, from the perspective of non-smokers._

From the perspective of any moral human being. Not intentionally harming
others is kind of fundamental.

> _A decent non smoker can also excuse themselves, in order not to disturb the
> smokers._

Non-smokers came first. And there's more of them. Plus, non-smokers are at
best inconvenience to smokers, while smokers are a health hazard to
non-smokers.

> _Let's say in a place where 95% are smokers, or even in the place there are
> 5% smokers but those 5% has a lot of power/influence. Do you think there
> will be law against smokers?_

Not likely. If the smokers are decent people, there won't be a problem; if
they aren't, they obviously won't vote in laws that inconvenience them. But
that only tells about deficiencies of the regulatory process, which optimizes
for the loudest voices instead of maximizing good for everyone.

> _Like I said before, I am fine with tracking because the benefit outweighs
> the cost, it gives me something in return, free or cheap service._

And like I said, that's why current legal standard people are leaning towards
is not to ban it, but to make it _opt-in_. So if you're fine with tracking,
you can have it. The problem is with the infectious, anticompetitive nature of
tracking - once one party does it to offset their costs, all other competitors
have to follow suit or risk getting outcompeted.

~~~
matz1
> From the perspective of any moral human being. Not intentionally harming
> others is kind of fundamental.

Sure, at least from your perspective. But all human beings? Even now we
disagree.

There are some people that to them harming people is the moral thing to do.

You may then say they are wrong, but again you view it from your morality,
using your definition of 'wrong'.

> Non-smokers came first.

Sure, for the Non-smokers, Non-smokers came first.

> And there's more of them

Right, so it's more to do with which side has more power/influence.

> Plus, non-smokers are at best inconvenience to smokers

Sure the non-smokers can dismiss it as merely inconvenience. But I'm sure
there are some smokers that highly suffer from not being able to smoke anywhere
anytime.

> Not likely. If the smokers are decent people, there won't be a problem

Again, some smokers can use the same argument, if the non-smokers are decent
people, they can excuse themselves and there won't be a problem.

> if they aren't, they obviously won't vote in laws that inconvenience them

While I'm sure within smokers there are people who support the law, but I'm
talking about the smokers who are against the law. Unfortunately, they fail or just
don't have enough power/influence to prevent the law to exist.

> deficiencies of the regulatory process, which optimizes for the loudest
> voices instead of maximizing good for everyone

It's not deficiencies because it's just the way it is, whichever side is the
strongest gets to decide the law.

Maximizing good for everyone is an impossibility. What one human considers
good may be considered bad by another human.

> And like I said, that's why current legal standard people are leaning towards
> is not to ban it, but to make it opt-in. So if you're fine with tracking, you
> can have it

Sure if you can gain the power/influence to make it law. But I hope not and I
will not support it. Why? It increases friction/inconvenience. Just like the
cookie warning, it's highly annoying, I would much prefer it to be opt-out or
no option at all.

------
segmondy
This is just the beginning, at some point, they will flip. Google was our
darling, that could do no wrong. Just imagine, to be bold and say "Don't be
evil!" And then, what happened? This is just a short term reaction to quiet
down the noise, but their long term hand has been exposed. They are not going
to do it, but note that nothing says they won't try to or do it again in the
far future.

What I really will like to know is how they will profit off that data. Is it
even going to make a bump on their bottom line?

~~~
mav3rick
What happened? Google is still one of the better players around. They pulled
out of DoD contracts etc. This site just hates it for every single thing... it's
just group think now, majority of the general public still loves it.

~~~
akhilcacharya
They trust lots of other companies more, including Amazon

[http://nymag.com/intelligencer/2018/10/americans-cant-agree-...](http://nymag.com/intelligencer/2018/10/americans-cant-agree-on-anything-except-loving-amazon.html)

~~~
mav3rick
No bathroom breaks and shitty benefits.

~~~
akhilcacharya
Take that up with the American people being polled then I guess.

$15/hr is a pretty good minimum wage for a company that operates in every
state!

(My benefits are fine too, for what it's worth)

~~~
mav3rick
What about bathroom breaks? Also even Microsoft insurance is better than
Amazon. All my friends say Amazon's perks suck. Even at the concert
apparently people were allowed two non-alcoholic drinks for the first time.
There was a joke that this was a big deal when it came to perks.

------
donarb
Gitlab has also committed to doing a post-mortem on this, just as they do for
crashes or data breaches, which is a good thing.

------
buremba
We sent an MR to Gitlab 1.5 years ago
([https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/156...](https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/15697))
implementing our open-source analytics tool to
their app and letting the system administrators opt-in to this feature if they
want to analyze their user behavior but it looks like Gitlab wanted to
implement a centralized user tracking feature for themselves instead.

However, given that most of the Gitlab customers / open-source community cares
about their privacy and want to have the control (well, that's probably why
they switched to Gitlab from other products), I wonder why they wanted to
follow this approach in the first place. The good thing is that they almost
always know how to take action when their community reacts.

------
jamiequint
This is incredibly dumb. Both Pendo and Snowplow are analytics providers,
meaning they both have in their TOS that the company remains the owner of the
data in question and that the services only exist to facilitate analysis of
the data in question.

Effectively this is users complaining that Gitlab wants to simplify their data
analysis overhead. Presumably nothing precludes them from sending the exact
same data to these companies and more on the backend. What do users expect?
For Gitlab to build every single part of their stack in-house (CRM, analytics,
support tooling, etc)? Because that's what this is effectively asking for.

What's next? Protesting that a company uses RDS instead of their own
hand-rolled Postgres setup? Because this is the same level of stupid.

~~~
jackcodes
What about running third party scripts on the page, which would have access to
all code on the account you’re logged in with? How do organisations audit
these scripts, and how can they audit new versions of these scripts when
gitlab controls the release strategy of these scripts?

You’d be moving from one (possibly two if you include the cloud provider)
vendors having theoretical access to all of your code to four vendors having
potential access.

~~~
jamiequint
Any vendor Gitlab works with already has potential access. Just because you
have a known front-end attack vector doesn’t mean you’ve gone from 1 to 4.
You’ve been at N the whole time, it just hasn’t been as visible.

FWIW I agree that on-page JS on pages with source code is a terrible idea, but
that’s easily fixable and doesn’t seem to be at the root of the issue.

------
falcor84
Could someone here please explain to me why Gitlab's product managers would be
so interested in client-side analytics in the first place? From my familiarity
with their service, almost every operation requires an ajax call, or a full
page refresh. Is there really that much value for the product managers in
these additional analytics?

~~~
robszumski
Even anonymous cohort analysis can be super useful as a product manager. If
you want to encourage usage of a particular feature and the most successful
users of that feature fit into a cohort, you can reach out to them for
feedback, optimize paths between those features, improve documentation
connecting relevant features together, etc.

This doesn't mean it's malicious or all about the $$$...it might be that users
that set up GitLab CI have 40% fewer security incidents and they want to
encourage that behavior as a better customer outcome with the overall product.

edit: and this behavior might take place over a long period of time, not
something you can get from access logs or just-in-time stats.

~~~
falcor84
That's an interesting point. But wouldn't the vast majority of Gitlab users be
signed in (and thus server-side trackable)? Pretty much all functionality
other than just reading code seems to require it.

~~~
teej
The only way to know this would be if you read the entire discussion across 2+
threads on the Gitlab site for their event tracking MR. Basically this whole
shit show started as so:

* Gitlab previously used 3rd party infrastructure for their user event tracking

* They did not send this 3rd party user id for GDPR and other reasons

* Because they did not have user id, they could not understand user behavior across sessions. Understanding user behavior across sessions is important, so they wanted to add it.

* Gitlab had just finished moving their event tracking infrastructure in house.

* The original MR was to add user id as an attribute to their event tracking

What proceeded was what I consider a very reasonable back and forth between
data, infrastructure, and legal on the correct way to add user id. But
somewhere along the line it went off the rails. How it turned from simply
adding user id into including Pendo JS tags for on-prem customers, I have no
idea.

~~~
jsmith45
I read in one of the issues that it was Marketing that wanted Pendo tracking.
(I'm guessing marketing mainly wanted it for gitlab.com).

In one place I saw a developer basically say Pendo is marketing's, and product
is only interested in using Snowplow (with first party data processing).

Development was entirely happy with a true opt-in. Development does want to be
able to get data back from on premises instances, but is totally fine with
having it be an instance wide option that can be off.

------
notJim
I find the anti-telemetry attitude honestly kind of confusing. I mean, you
know that the shops you go to know what products you're buying from them,
right? Presumably those shops look at that data in aggregate when thinking
about which products to stock. How is this any different? If you're
transacting with someone, it's not possible to hide that transaction from
them. Of course you should have the right to have that data deleted, but
that's different from saying it should never be collected at all.

Also, given that nearly all websites are using something like Google Analytics
or similar (or several of these at once), the reaction and vitriol here just
seems weirdly disproportionate.

~~~
mkl
Web tracking is different in that it's ongoing tracking of behaviour. When I
buy something from a shop, that's the end of their knowledge: the shop has no
idea what I use it for.

~~~
kevin_thibedeau
When you make non-cash purchases in a shop they sell your purchase data to an
aggregator who adds it into their profile of you and derives demographic
classifications from that.

Single woman driving a Subaru? Your odds of being lesbian go up a few points.
We'll target you for a certain form of advertising.

This has been going on for decades. Before the web ever existed.

~~~
teej
To make it worse - the shop, your credit card issuer (aka the bank) and the
payment processor (aka Visa) are all each doing this.

------
andrewbinstock
> We have not yet added instrumentation to the Enterprise edition versions, and
> we will not do so until we have a way for self-hosted customers to opt out...

(Scott Williamson, Gitlab VP of product, responding to the OP)

That's not the right way to do it. Customers should need to opt in, rather
than having to opt out.

------
dreamcompiler
I'm glad they reversed course and apologized but it still amazes me how
powerful the reality distortion bubble can be even at well-meaning
corporations. It's as if there was a meeting at the Red Cross where somebody
said "Hey why don't we start selling guns? It would be a great fundraising
tool." And everybody in the room just nodded and said "Yeah that's a pretty
great idea. Let's start tomorrow!"

------
mobee
The real reason you shouldn't be using GitLab is performance. How is it
possible that that page took over a minute to load? Nevermind that the design
is completely incomprehensible.

~~~
swasheck
further down the thread are mentions of ruby on rails.

i use gitlab because it allows me > 1 private repo. if there are better
solutions then i'm all ears.

~~~
smudgymcscmudge
Have a look at GitHub. It's a similar service with unlimited private repos for
free.

~~~
swasheck
thanks. not sure why i was downvoted but the last time i checked, GH only
allowed 1

~~~
catalogia
They only started allowing free private repos this year:
[https://github.blog/2019-01-07-new-year-new-github/](https://github.blog/2019-01-07-new-year-new-github/)

------
foreign-inc
How can you trust a company like GitLab whose default decision is always bad
and then they change direction after public outcry?

Either they don't think before they make decisions or they are just trying to
figure out what they can get away with.

This really shows their lack of morality. They kind of remind me of Facebook.

~~~
techntoke
Lol, I think you're forgetting about another provider. Besides you can always
try Gitea.

~~~
flukus
Is the on premise one different? The hosted one leaks data to google and
cloudflare.

------
Sir_Cmpwn
I don't understand, what changed? This was last updated on the 24th. They said
they'll be re-evaluating it and returning later, but afaict they haven't made
any statements about a blanket cancellation of the telemetry roll-out.

~~~
lbotos
An email is being sent right now, but emailing at scale... takes time:

---8<---

Dear GitLab users and customers,

On October 23, we sent an email entitled “Important Updates to our Terms of
Service and Telemetry Services” announcing upcoming changes. Based on
considerable feedback from our customers, users, and the broader community, we
reversed course the next day and removed those changes before they went into
effect. Further, GitLab will commit to not implementing telemetry in our
products that sends usage data to a third-party product analytics service.
This clearly struck a nerve with our community and I apologize for this
mistake.

So, what happened? In an effort to improve our user experience, we decided to
implement user behavior tracking with both first and third-party technology.
Clearly, our evaluation and communication processes for rolling out a change
like this were lacking and we need to improve those processes. But that’s not
the main thing we did wrong.

Our main mistake was that we did not live up to our own core value of
collaboration by including our users, contributors, and customers in the
strategy discussion and, for that, I am truly sorry. It shouldn’t have
surprised us that you have strong feelings about opt-in/opt-out decisions,
first versus third-party tracking, data protection, security, deployment
flexibility and many other topics, and we should have listened first.

So, where do we go from here? The first step is a retrospective that is
happening on October 29 to document what went wrong. We are reaching out to
customers who expressed concerns and collecting feedback from users and the
wider community. We will put together a new proposal for improving the user
experience and share it for feedback. We made a mistake by not collaborating,
so now we will take as much time as needed to make sure we get this right. You
can be part of the collaboration by posting comments in this issue:
[https://gitlab.com/gitlab-com/www-gitlab-com/issues/5672](https://gitlab.com/gitlab-com/www-gitlab-com/issues/5672) If
you are a customer, you may also reach out to your GitLab representative if
you have additional feedback.

I am glad you hold GitLab to a higher standard. If we are going to be
transparent and collaborative, we need to do it consistently and learn from
our mistakes.

Sincerely,
Sid Sijbrandij
Co-Founder and CEO
GitLab

~~~
Sir_Cmpwn
Thanks! That context is sorely needed in their web channels.

------
swoongoonz
remember when everyone was bailing on github because of evil microsoft?

~~~
rvz
Most of everyone's main reason was that GitLab was "open source" and also
supports free software. As much as they claim to do, I'm afraid that by being
partially owned by VCs, they are at the mercy of pleasing those who may
conflict with these ideas in favour of adware such as telemetry or ad-tracking.

A very principled move from GitLab to revert this, but I think that GitLab's
trust is damaged due to this.

~~~
nessunodoro
I think it will bring them under more scrutiny and rightfully so. But this
sounds like a misunderstanding, both of the GDPR and user sentiment, enforced
without discussion from the top. They responded quickly, humbly, and
transparently in reversing the decision. I'm not sure about long-term erosion
of trust, although this may harm subscription levels or contract negotiation
in the medium term

~~~
tssva
An employee comment in the relevant merge request indicates that they are
already knowingly non-compliant with the GDPR. While I applaud their openness I
wonder if this will come back to bite them.

~~~
Omin
Do you have a link (or screenshot) of that comment?

~~~
tofof
"This is because we suspect that we are not currently in compliance but cannot
expressly call out the gaps until the DPIAs are complete. (Actually, by not
having the DPIAs, we are, on our face, out of compliance with GDPR
regulations.)"

[https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no...](https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#note_204187905)

The author, @cciresi is Candice Ciresi, their Director of Global Risk and
Compliance.

[https://i.imgur.com/52DUErO.png](https://i.imgur.com/52DUErO.png)

------
akerro
I'm happy to enable telemetry on my self-hosted Gitlab if that makes gitlab
better, maybe make it opt-in instead of opt-out?

------
btashton
Something a little ironic about putting a tracked click link in an email
apologizing for adding tracking. That said I firmly believe in opt-in tracking
and would likely enable it for my gitlab usage.

------
gorkemcetin
Long story short, if Gitlab were to use an open source & self hosted platform
(like Countly) with a clear mentioning of what to collect and what not,
clarifying that nothing is collected which is not anything unknown to them,
there would be no problems. Gitlab CEO has provided the right response with
the right tone, which is something we don't usually see in big corps. I again
would like to stress that such platforms not use 3rd party analytics providers
but a self hosted and/or in-house solution.

------
techntoke
This just tells me that someone needs to continue working on Gitea or another
open source alternative so that you can easily self host something comparable
to GitLab enterprise. Yes, GitLab has an open source CE version but it has
limited functionality. If another open source solution can implement the same
functionality as their enterprise product, then GitLab will be forced to adopt
or risk losing their business. Time to put some pressure on them.

------
koalaman
How is this different from the telemetry that VS Code is collecting? The
"community" seems to have swallowed that pill with much less complaining.

~~~
account42
Is that the same community that is complaining now?

------
mbar84
I'm normally one to hold a grudge. I still don't buy Sony products for
something they did over a decade ago. In this case I think forgiveness is
appropriate. There are obviously people working at Gitlab who have terrible
ideas, but the organization seems to be able to deal with them in a healthy
and transparent way. This compares favourably to companies like Zoom or
Equifax.

------
musicale
> It shouldn’t have surprised us that you have strong feelings about
> opt-in/opt-out decisions

Well yes, it should be obvious by now that requiring users to opt out to avoid
some privacy-violating behavior is a facebook-class dark pattern.

------
thsowers
Is this supposed to read "misunderstands"? And if not, could you elaborate?

~~~
Sir_Cmpwn
Yes, it was. Thanks, I edited it.

------
tachion
Well, I suppose that's The Gitlab Drama for this quarter. /s

------
PacifyFish
Maybe I've missed the boat, but what's the big deal about collecting
telemetry?

You already trust Gitlab with everything you store in Gitlab, like source
code, which is presumably much more sensitive than the number of times you
loaded a page or clicked on a button or whatever.

Is it because the data would be stored with a third party, and you don't trust
that third party? If Gitlab trusts the third party, and they're giving you the
option to NOT trust the third party and only trust Gitlab, what's the issue?

~~~
sleepytimetea
"in Gitlab" has 2 meanings - Gitlab cloud and Gitlab on-premises. For
customers running off-the-grid or in countries with enhanced privacy (GDPR?)
laws and restrictions on where their data lives, this is not what they signed
up for. Nor was the timeline forced on them reasonable in any way. Imagine
your Oracle software TOS says we will now export anonymized data from your SQL
queries to somewhere out there in the cloud? What if it was a HIPAA-compliant
hospital datacenter?

We wouldn't want first-party telemetry either, we don't want _any_ data
leaving our datacenter, period.

------
AdrienLemaire
Great attitude. Interesting correlation with the episode S06E01 of Silicon
Valley released this week, on the same topic :)

------
Yuval_Halevi
I'm impressed by the way Gitlab is communicating on a personal level with all
of their users on email bombs.

------
je42
If I compare this to StackOverflow's communication, I like this way a lot more.

------
ptah
I think it would be more acceptable if they let users preview the data sent

------
grumpy-cowboy
If I pay for a product (on-premise), it's not your business what I do with it.

If I use the free hosted service (ex: gitlab.com), then this is the price to
pay for a free service (within legal rules like GDPR).

BTW, it's too late for me. I'm about to move all my stuff to a self-hosted
Gitea (on a cheap VPS) in addition to Matrix, Mastodon, ...

------
OrgNet
how did they get caught?

~~~
TeMPOraL
They self-pwnd themselves. They posted a blog post saying that starting very
soon, everyone will be getting third-party telemetry, self-hosted instances
included.

------
omani
it still boggles my mind how one can use gitlab.

------
sacrificedcapon
Is it possible to enforce American spelling (especially in the title)?
Behavior vs Behaviour?

HN is an American company and gitlab is an American company so people who
participate here should use correct American spelling.

The gitlab post itself uses the correct spelling - behavior.

"In an effort to improve our user experience, we decided to implement user
behavior tracking with both first and third-party technology"

~~~
samsari
So if the subject on the story was a Swedish company you'd presumably be up
here arguing that people who participate should use the correct Swedish
spelling?

