
Ask HN: Is personal GitHub information public domain? - hnysacct
Who is correct in this case?

I've been rather constructive in attempting to resolve this matter with gitpay to simply remove my information. However they have not been cooperative.

This person also provides an argument that is not valid.

What are your thoughts on this conversation?

https://github.com/gitpay/website/pull/4
======
JoshTriplett
To the extent copyright applies to such information (which would vary by
jurisdiction and the details of the information), it most certainly doesn't
fall in the "public domain" (a widely misused term). You've granted Github a
license to use it, and Github allows others to view it. The question then
becomes whether users of Github's API may copy that information. Legally,
Github has the ability to grant permission to third parties, so if they choose
to do so, you can't un-grant that permission, because you've already granted
it to Github. However, Github doesn't have to grant that permission, and may
set conditions on it via their ToS and their API ToS. And it doesn't seem
entirely clear whether Github's ToS allows what Gitpay has done.

Legal issues aside, though, scraping another service to create pseudo-accounts
and _refusing to provide even an opt-out_ does not seem like a good business
practice. While Gitpay appears to have done several things right that other
services get wrong, this definitely isn't one of them, and it needs fixing.

~~~
jrochkind1
It is unlikely your contact details are copyrightable in the first place, in
the US anyway.

It is unlikely you have the legal ability to prohibit someone from publishing
your contact details... _under copyright_. There may be other laws related to
privacy that are relevant.

If the publisher in question is referring to "public domain", they probably
have no idea what they're doing legally, "public domain" is unlikely to be
relevant.

Practically, I would complain to Github itself, who is likely to frown at them
doing that, and cut off their API access or what have you.

~~~
hnysacct
Yeah, contact details as far as I know aren't copyrightable nor under public
domain. Things like your personal contact details though are subject to
privacy violation laws if they are used without your consent, I believe. So
nothing is stopping one from publishing them, but if one asks to have personal
details taken down, they should be honoured without hesitation.

I've brought the issue to Github as well for them to judge whether there is
any breach. They are best to decide I guess.

~~~
JoshTriplett
> Things like your personal contact details though are subject to privacy
> violation laws if they are used without your consent, I believe.

Far fewer laws about that exist than most people think, especially in the US.
Some law and case law exists, but fairly narrowly. "Public disclosure of
private information" doesn't apply here, since you posted the information
publicly. "Intrusion of solitude" and "false light" don't apply. You could
_perhaps_ make a case for "appropriation" (using someone else's information
for commercial gain without consent), but submitting that information to
Github (and thus granting permission to Github under their terms, which they
can choose to further grant to others) would negate that.

In any case, making legal threats doesn't seem likely to help here, and seems
like overkill given the current state of the situation.

~~~
hnysacct
Good clarification! However, no legal threats have been made as of yet. Simply
pointing out TOS clauses, and discussing the matter with the community.

By the time lawyers get involved, which would be after the New Year, then the
author might have already merged the PR and problem solved.

At the moment, it's simply a matter of discussion.

No urgency to push the developers to take action either.

------
EE84M3i
It seems to me it should be

a) reasonable for gitpay to offer a way to 'opt out' if you don't want your
information there anymore, even if they're not legally required to.

b) fine to let the gitpay folks wait to add that until the end of the holiday
season.

The user who created the issue linked from the top of this thread seems to be
overwhelming the developers, who have graciously taken time out of their
vacation to say they'll follow up next week. The relative severity of this
does not seem to warrant a more urgent response.

~~~
kiernanmcgowan
The _take a breath and chill out_ approach is the most reasonable considering
it's the holidays. Calls for shaming on social media over New Years are going to
drain any charity these devs have for OSS.

~~~
hnysacct
It _is_ the holidays and the right course of action really is to simply take a
breath and chill out. I'd agree with you.

This post isn't really for the purpose of shaming though. It's to bring up the
issue of such sites doing this kind of thing.

This topic could have been easily brought up after the holidays... but why
wait? It's a topic to be discussed.

~~~
jwcrux
> This topic could have been easily brought up after the holidays... but why
> wait? It's a topic to be discussed.

The way you're going about this entire conversation is simply too much. It
sounds like you've reached out to multiple personal emails, created multiple
issues, responded to those issues asking for updates, and brought the issue to
social media in less than a day. During the holidays. That's overwhelming and
doesn't put the devs on your side.

As others have mentioned, even if you're right, you really need to give the
devs some time to think through the alternatives, consider your argument, come
up with a solution, and implement it. This takes some time.

Removing information from a database may not seem hard to you, but you don't
maintain the service. Sending a pull request is fine, but maintainers don't
blindly merge anything. They have to review it, make sure it's the policy,
quality of code, etc. that they want in the product, merge it, and deploy to
prod after possibly testing everything.

Give it time (not measured in hours) and work with the developers.

Edit: This is exactly why maintainers don't blindly accept pull requests:
[https://github.com/gitpay/website/pull/4#pullrequestreview-1...](https://github.com/gitpay/website/pull/4#pullrequestreview-14492965)

~~~
hnysacct
> The way you're going about this entire conversation is simply too much. It
> sounds like you've reached out to multiple personal emails, created multiple
> issues, responded to those issues asking for updates, and brought the issue
> to social media in less than a day. During the holidays. That's overwhelming
> and doesn't put the devs on your side.

Not at all. All that I've done is sent an email.. waited to hear back. Haven't
heard back, thought it'd be a good idea to submit a pull request, and then
took the conversation to github.

I have not been badgering the dev on multiple emails or social accounts at
all.

------
rajington
> Social Linked Data: Gitpay follows the SoLiD specification for the next
> generation of web apps

[http://gitpay.org/](http://gitpay.org/)

> Users should have the freedom to choose where their data resides and who is
> allowed to access it by decoupling content from the application itself.

[https://solid.mit.edu/](https://solid.mit.edu/)

------
theaustinseven
Regardless of whether or not they are legally in the right, this is a definite
dark-pattern. Users should not exist on your site unless they signed up. Full
stop. This shouldn't be a question of whether they should allow users to
delete themselves, but rather why they are creating users for people who don't
even know about the service.

------
stonogo
The future of gitpay:
[http://web.archive.org/web/20160325072958/http://blog.readab...](http://web.archive.org/web/20160325072958/http://blog.readability.com/2012/06/announcement)

Collecting money on others' behalf without prior consent is a terrible idea,
and prepopulating your site with others' data to make it look like you have
consent is even worse.

------
ezekg
This website is just asking for an SQL injection. My goodness.

Edit: I spoke too soon. The database has been dropped:
[http://gitpay.org/user.php](http://gitpay.org/user.php).

~~~
hnysacct
Well the PR got merged, and finally he responded to my original request via
email:

"Im sorry I did not get back sooner as I and another family member have been
unwell in bed most of the last week.

I'd like to you for spoiling my Christmas

Now, someone hacked the server and deleted the whole gitpay database.

This was just volunteer work, so that open source developers like myself who
get no pay might be able to a tiny amount of donations.

I have now lost a huge amount of work.

I hope you feel quite satisfied."

~~~
ezekg
That sucks that he didn't have any backups, but it was just a matter of time
before it happened. But nobody hacked the server; you can literally just throw
SQL into the url:
[http://gitpay.org/user.php?user=%27%3B%20DROP%20DATABASE%20d...](http://gitpay.org/user.php?user=%27%3B%20DROP%20DATABASE%20database_name%3B%20%27).
That's why you should never trust any user input.
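
The failure described above, sketched as an added example (not gitpay's code, which the thread does not show): a `user` request parameter pasted into SQL text versus bound as a parameter. The `users` table, the function names and the in-memory SQLite database are assumptions, and `executescript` stands in for a driver that accepts stacked statements.

```python
import sqlite3

def make_db():
    """Constructed in-memory database standing in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'alice@example.org')")
    conn.commit()
    return conn

def users_table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row[0] == 1

def lookup_unsafe(conn, user):
    # BEFORE: the request value becomes part of the SQL text, so a quote in it
    # ends the string literal and whatever follows is parsed as SQL.
    sql = "SELECT login, email FROM users WHERE login = '" + user + "';"
    conn.executescript(sql)  # runs every statement found in the text

def lookup_safe(conn, user):
    # AFTER: the statement text is fixed; the value travels separately as a
    # bound parameter and is only ever compared as data.
    cur = conn.execute("SELECT login, email FROM users WHERE login = ?", (user,))
    return cur.fetchall()

# Constructed input, modelled on the URL-decoded value quoted in the thread.
HOSTILE = "'; DROP TABLE users; --"

def demo():
    a = make_db()
    lookup_unsafe(a, HOSTILE)          # table is gone afterwards
    b = make_db()
    rows = lookup_safe(b, HOSTILE)     # no such login, table untouched
    return users_table_exists(a), users_table_exists(b), rows, lookup_safe(b, "alice")

if __name__ == "__main__":
    print(demo())
```

Binding parameters fixes the injection itself; the database account a web application connects with should also lack privileges to drop tables or databases.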

------
Macha
It depends on what the licence is for Github, both in terms of information
contributed to them and information obtained from them.

IANAL and I'm too lazy to read it, but I suspect the case is you've given
Github a very broad licence to use the info but they've passed on a much more
restrictive one to their users so they can't just run g1thub, an exact mirror
of the site. Public domain is very unlikely, but that doesn't mean gitpay is
in breach of their terms.

~~~
hnysacct
Thanks Macha, good point. Yeah whether gitpay is in breach of github's terms
is a bit unclear. On one hand, you allow your content/information to be viewed
but not necessarily copied.

So, information is not really in the public domain, it's just publicly
available. In this case, gitpay should have a delete feature for anyone who
does not wish to have their information available on their website, and
should not hesitate on takedown requests.

Odd that they launched without such a feature.

Upon inspection of their code, at least what is public, they don't have any
function for deleting information.

------
joshu
Linkified:
[https://github.com/gitpay/website/pull/4](https://github.com/gitpay/website/pull/4)

------
franciscop
I agree you are on the right path here. You have three options from my point
of view (this is not legal advice):

1\. Get lawyers involved

2\. Get social media and shame involved, which will probably make them take
action. You seem to be doing 2 by being in the front page of HN, take it to
twitter as well. This is ridiculous but it's "easy and cheap" way of doing it.

3\. Nullify your account by setting up fake data and making them update it
(automatically?). This is why you sometimes want throwaway services or
[http://mailinator.com/](http://mailinator.com/) , for companies who abuse
people's data as seems to be the case.

Waiting for others to comment here, as it's a really interesting topic and I
want to see other options as well

~~~
hnysacct
Thanks franciscop and thank you for your advice! It's definitely an
interesting topic as it touches upon a few ethics.

I've considered #1 but the thing is it might take time. The person stated that
the PR will be reviewed in the New Year, so by the time I involve lawyers the
matter might have already been resolved.

So, at the moment I've taken the matter to social media to bring up the matter
of ethics in this case.

Thanks again!

------
jlarocco
If the info was scraped from public Github pages then I think it's legal for
Gitpay to use it, assuming they aren't violating the Github TOS.

That doesn't mean it's not a shitty thing to do, and I really think it
_should_ be a violation of the Github TOS to republish the information without
the user's explicit consent.

This has come up a number of times, and I'm really surprised Github hasn't
addressed it already. I don't care if people read my info on Github (that's
why I made it public), but it's really sleazy to co-opt that information to
automatically create accounts on other services for people.

~~~
hnysacct
Exactly. You don't have control over other services spawning up accounts for
you. Which is just an annoyance if they have a way for you to take the
information down (most do) but when they don't... that's a problem.

------
magicmu
Exposing personal information like that, while maybe not illegal (I don't have
the qualifications to say), is something I definitely see as unethical; at
least if an opt-out option isn't even provided. Beyond the personal info like
email, full name, and profile picture (all of which is definitely easily
scrapable and not a _huge_ deal to me), I noticed that it had made the type,
modulus, and exponent of each of my RSA keys available. I know that these can
be derived from an RSAPublicKey, but I'm not sure what making them easily
viewable means (if anything). Could someone with more encryption knowledge
shed some light on that?

~~~
hnysacct
Curious about that too now.
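
What those three values are, as an added example that is not part of the original thread: they are the complete contents of an `ssh-rsa` public key line (RFC 4253 wire format), so a page listing them shows nothing the public key did not already show. The helper names, the toy key and the 2048-bit threshold are assumptions made for the example.

```python
import base64
import struct

def _mpint(value):
    """Encode a non-negative integer as an SSH mpint (RFC 4251)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big") if value else b""
    return struct.pack(">I", len(raw)) + raw

def _string(data):
    return struct.pack(">I", len(data)) + data

def encode_ssh_rsa(e, n, comment="constructed@example"):
    """Build an authorized_keys-style line; used only to make sample input."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def parse_ssh_rsa(line):
    """Return (type, exponent, modulus) from an 'ssh-rsa AAAA...' line."""
    blob = base64.b64decode(line.split()[1], validate=True)
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[offset:offset + length])
        offset += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    e = int.from_bytes(fields[1], "big")
    n = int.from_bytes(fields[2], "big")
    return fields[0].decode(), e, n

def modulus_too_short(n, minimum_bits=2048):
    """A published modulus holds no secret; what can be checked is its size."""
    return n.bit_length() < minimum_bits

# Constructed toy values (textbook 61 * 53), not a real key.
SAMPLE = encode_ssh_rsa(17, 3233)

if __name__ == "__main__":
    key_type, e, n = parse_ssh_rsa(SAMPLE)
    print(key_type, e, n, "too short" if modulus_too_short(n) else "ok")
```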

------
awinder
Now I'm kinda curious how many other sites pull this type of stunt. I'm
definitely torn on how I feel about this, I find it even more weird that
there's people listed as following me on a site that I just have a shadow
account on. Most of all I just want to know how many other weird sites I have
shadow accounts on and what kind of interaction people have with shadow-me.

As far as the product decision on this one, man, I can't imagine which
alternative universe this would ever play well in. Is it like a
Silicon-Valley-esque VC numbers pumping game or what?

~~~
hnysacct
A bunch of freelancer and recruiting type sites do that as well. However they
make it easy for you to have your information removed.

> Is it like a Silicon-Valley-esque VC numbers pumping game or what?

That is my initial thought too. If you create a website and create shadow
accounts or "LinkedData" then you're creating the illusion that you have a
larger following than you really do.

Whether that was gitpay's intention, probably not.

------
Macha
Relevant previous incident with another git tipping site:
[https://news.ycombinator.com/item?id=8542969](https://news.ycombinator.com/item?id=8542969)

------
tingletech
The gitpay site also lacks a posted privacy policy, making the site illegal in
CA
[https://consumercal.org/about-cfc/cfc-education-foundation/california-online-privacy-protection-act-caloppa-3/](https://consumercal.org/about-cfc/cfc-education-foundation/california-online-privacy-protection-act-caloppa-3/)

~~~
chris_7
They appear to be located in California, check:

    whois gitpay.com

~~~
hnysacct
Wrong domain: Gitpay is gitpay.org.

~~~
chris_7
Got it. They are in the UK.

~~~
tingletech
Then they probably need that "we use cookies" banner, and will fall under the
Data Protection Act.

"The Data Protection Act does not define fair processing. But it does say
that, unless a relevant exemption applies, personal data will be processed
fairly only if certain information is given to the individual or individuals
concerned. It is clear that the law gives organisations some discretion in how
they provide fair processing information – ranging from actively communicating
it to making it readily available."

[https://ico.org.uk/for-organisations/guide-to-data-protection/principle-1-fair-and-lawful/](https://ico.org.uk/for-organisations/guide-to-data-protection/principle-1-fair-and-lawful/)

------
jc4p
Maybe this is off-topic but I'm wondering what people think about tech
recruiting websites that scrape profiles on sites like Github to sell you to
other recruiters (or for other purposes, like GitPay).

With badly coded websites like GeekedIn the attack vector is all of their data
being public like so:
[https://www.troyhunt.com/8-million-github-profiles-were-leaked-from-geekedins-mongodb-heres-how-to-see-yours/](https://www.troyhunt.com/8-million-github-profiles-were-leaked-from-geekedins-mongodb-heres-how-to-see-yours/)

But with the websites that aren't as badly coded, the annoyance is recruiters
messaging you on your Github account pitching you random jobs. Do you get
those?

This is something we deal with at Stack Overflow (where I work) a lot. People
love trying to scrape our content and creating Chrome plug-ins that when
someone loads up a Github or SO profile shows all the random bits of info
they've been able to scrape about that person. It leads into a lot of issues
for us e.g.:

Recruiter claims to have gotten my email address from Stack Overflow
[http://meta.stackoverflow.com/q/318621/472021](http://meta.stackoverflow.com/q/318621/472021)

to the point where we've (semi) recently changed our ToS to directly be able
to fight cases like this:

A Terms of Service update restricting companies that scrape your profile
information without your permission
[http://meta.stackexchange.com/questions/277369/a-terms-of-service-update-restricting-companies-that-scrape-your-profile-informa](http://meta.stackexchange.com/questions/277369/a-terms-of-service-update-restricting-companies-that-scrape-your-profile-informa)

Do you think Github should try to do something similar? I just want to have a
place to put my code and be able to easily talk to others working on code, not
something that results in recruiters messaging me and random websites taking
my data hostage.

Edit: In case you want to see what the "attack vector" looks like, find any of
your recent Github commits, e.g. for me:

[https://github.com/jc4p/quick-hue-toggle/commit/28f4cf724968557cfae1e90793561c1b96d80384](https://github.com/jc4p/quick-hue-toggle/commit/28f4cf724968557cfae1e90793561c1b96d80384)

and add a `.patch` at the end to get the patch file:

[https://github.com/jc4p/quick-hue-toggle/commit/28f4cf724968557cfae1e90793561c1b96d80384.patch](https://github.com/jc4p/quick-hue-toggle/commit/28f4cf724968557cfae1e90793561c1b96d80384.patch)

and bam, my e-mail (per my git user config) is right there. Should we all be
using fake e-mails when we commit to git?
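
A check for the exposure described above, as an added example that is not part of the original comment: it lists the identities a `git format-patch`-style file carries and flags those that are not GitHub noreply addresses. The sample patch is constructed and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

NOREPLY_SUFFIX = "@users.noreply.github.com"
TRAILER = re.compile(r"^(Signed-off-by|Co-authored-by):\s*(.+)$", re.I | re.M)

def addresses_in_patch(patch_text):
    """Return [(field, address)] for every identity a .patch file carries."""
    lines = patch_text.lstrip().splitlines()
    # format-patch output opens with an mbox "From <sha> <date>" separator.
    if lines and lines[0].startswith("From "):
        lines = lines[1:]
    msg = message_from_string("\n".join(lines))
    found = []
    author = parseaddr(msg.get("From", ""))[1]
    if author:
        found.append(("From", author))
    # Trailers in the commit message repeat or add identities.
    for field, value in TRAILER.findall(msg.get_payload()):
        addr = parseaddr(value)[1]
        if addr:
            found.append((field, addr))
    return found

def exposed(patch_text):
    """Identities that are real mailboxes rather than noreply aliases."""
    return [(f, a) for f, a in addresses_in_patch(patch_text)
            if not a.lower().endswith(NOREPLY_SUFFIX)]

# Constructed sample; names, addresses and hash are placeholders.
SAMPLE_PATCH = """\
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Example Dev <dev@example.org>
Date: Sat, 31 Dec 2016 12:00:00 +0000
Subject: [PATCH] Fix toggle state

Constructed commit message body.

Signed-off-by: Example Dev <dev@example.org>
Co-authored-by: Other Dev <12345+otherdev@users.noreply.github.com>
---
 toggle.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
"""

if __name__ == "__main__":
    for field, addr in exposed(SAMPLE_PATCH):
        print(field, addr)
```

GitHub's "Keep my email addresses private" setting provides a noreply address that can be set as `git config user.email` for future commits; commits already pushed keep the address they were made with.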

~~~
hnysacct
jc4p, you're totally on topic. The issue here is very similar to recruiter
sites. Gitpay is doing essentially the same thing where they are scraping data
and creating inactive accounts.

This is sometimes annoying, in the case of recruiters. However sometimes it
can be useful if the product has potential.

Gitpay possibly originated from a good idea.

Regardless however, they should have launched with an opt-out feature. Many such
websites that scrape content and create accounts _for_ people have an automatic
opt-out feature.

You do open a really good question though if this should be allowed in the
first place.

Say if I deleted my github account.. by deleting my account, it doesn't get
deleted off of this website.

