
A recruiter used the GitHub API to pull my email address out of Git commits - allthebest
https://twitter.com/garybernhardt/status/1159914615385382912
======
blodovnik
Why is this a big deal?

Of course recruiters search public information.

Learn to live with it.

If your outrage threshold is this low then you’re going to spent all your life
in a state of outrage.

It’s nit even interesting let alone important.

Information in github, far from being surrounded by an invisible force field
of integrity protection, is actually prime hunting territory for recruiters
and any recruiter who doesn’t mine it probably needs to explain to their boss
why they’re doing such a bad job.

The recruiter in question, far from being apologetic should have said “yes of
course I got your email from GitHub so what?”

The guy recommends avoiding this recruiter. I recommend you use this recruiter
as they clearly display basic competence at the task of recruiting.

~~~
lidHanteyk
This is a big deal because the recruiter is in clear violation of the GitHub
ToS[0]. Quoting from section H: "You may not use the API to download data or
Content from GitHub for spamming purposes, including for the purposes of
selling GitHub users' personal information, such as to recruiters,
headhunters, and job boards."

Of course recruiters are incapable of sound ethical judgement. Part of living
with people who have poor ethics is enacting rules which force them to conform
or be excluded.

If your ability to care about rules is this low, then you're going to spend
all of your life in a state of imminent lawlessness.

Your typos are honestly more interesting than anything else; your message
isn't important, just wrong and at the top of the page.

I hope that you are ready to explain CCPA to your boss. I won't accuse you of
doing a bad job, though.

The recruiter in question, like all recruiters, is to be avoided when
possible. Avoid rent-seeking and grifting.

[0] [https://help.github.com/en/articles/github-terms-of-service#...](https://help.github.com/en/articles/github-terms-of-service#h-api-terms)

~~~
blodovnik
It’s not spam for a recruiter to send an email to a developer.

Spam is defined as “unsolicited bulk email”.

https://spamhaus.org/consumer/definition

It’s a one off, not bulk, so recruiters emailing developer emails found on
GitHub isn’t spamming.

Nor is the email address being sold in this case so that aspect of GitHub
terms is not being violated.

So in fact you’re wrong and it’s perfectly legitimate for recruiters to use
email addresses from GitHub and email them asking about jobs.

~~~
dragonwriter
> Spam is defined as “unsolicited bulk email”.

More commonly, unsolicited/unwanted _commercial_ email, see, e.g.:

[https://www.consumer.ftc.gov/articles/0038-spam](https://www.consumer.ftc.gov/articles/0038-spam)

~~~
DanBC
The commercial aspect is a red-herring, because B2B where there's an existing
business relationship are normally excluded from spam laws.

The UBE (unsolicited, bulk, email) definition is the one used by most
blocklists and filters and ISP AUPs.

~~~
dragonwriter
> The commercial aspect is a red-herring

No, it's not

> because B2B where there's an existing business relationship are normally
> excluded from spam laws.

That's not just B2B, but that's part of the definition of “unsolicited”; it
doesn't make the commercial part a red-herring, either in general or in the
context of this thread, which did not involve either a pre-existing business
relationship or, since you unnecessarily called it out as relevant, a B2B
interaction.

> The UBE (unsolicited, bulk, email) definition is the one used by most
> blocklists and filters

That's because “bulk”, unlike “commercial”, is easily detectable. (And also
because bulk has the most impact, because, bulk.)

> and ISP AUPs.

Virtually all ISP AUPs include prohibition on unlawful use which includes
violations of laws concerning unsolicited commercial email.

~~~
DanBC
The "bulk" definition is more widespread and is the definition that's enforced
more often. So, mentioning "commercial" is weird because most service
providers don't care whether it's commercial or not, they care whether it's
bulk or not.

------
lazyjones
"My email address isn't on the web"

Yes it is, you put it there.

[https://github.com/garybernhardt/dotfiles/blob/master/.mutt/...](https://github.com/garybernhardt/dotfiles/blob/master/.mutt/grb.muttrc)

I fail to see the dramatic issue here. FWIW, I once got a very good
(unsolicited) job offer after putting code on the web, more than a decade
before github even existed.

~~~
newscracker
Over decades, despite terms of service and laws, it looks like people have
been tamed to think that if they put their email address or phone number on
the web, they're asking to be spammed or called or sent communication they
don't want. It shows how poor a job laws and education have done. Backlash
like this article is warranted and required to change this defeatist attitude.

~~~
lazyjones
> _it looks like people have been tamed to think that if they put their email
> address or phone number on the web, they're asking to be spammed or called
> or sent communication they don't want. It shows how poor a job laws and
> education have done_

They're not _asking_ to be spammed, but _risking_ it. Laws will punish
offenders, but not free you from your personal responsibility to protect
what's worth something to you.

> _Backlash like this article is warranted and required to change this
> defeatist attitude._

I'm sure it will lead to harsher punishment for spammers who exploit one's
stupidly putting their personal information on the web and then complaining
about bad people seeing and using it, while we're not even punishing
corporations whose data leaks due to incompetence are putting even those at
risk who do not exhibit such gross negligence with their personal info.

------
morpheuskafka
When you run 'git config --global user.email _my@email.net_ '... where do you
think that email goes if not in your git commits? Why do you say "my email is
not on the web" if you upload your commits to a public web host?

------
ddevault
Emails in git commit logs are not a secret, which I wish more people
understood and acknowledged. In general I don't think that expecting your
email address to be private is reasonable. If you collaborate with others
online, they should be able to get in touch. Stuff like this is an unfortunate
consequence, but a manageable problem imo.

~~~
baddox
Email addresses in general are not supposed to be a secret. They’re supposed
to be for people to send you electronic mail. Remember when there used to be
books that contained everyone’s phone number?

If you’re a high profile person or are particularly guarding of your personal
communication, I think it’s your responsibility to maintain separate public
and private email addresses. You should only be making commits to open source
projects with an email address that you intend to be public. It’s literally
there so that people can email you about the commit.

------
pembrook
Annoying, yes. But not worthy of the front page here.

Meanwhile in West Virginia, wages are deflating, working-age unemployment is
the 3rd highest in the nation and the opioid crisis rages on.

But yes, it is terrible to work in one of the fastest growing, highest paying
sectors of the economy—growing so fast that recruiters will go to such extreme
lengths to fight for a chance at giving you even more money.

Sometimes I think we could use a little perspective.

------
nfoz
One of the things I _hate_ about Git is that it requires an email address. It
doesn't let you just leave a blank value, it needs _something_ that resembles
an email address.

I get that email is how the kernel-devs do it. But IMO it's inappropriate for
the version-control software to link a particular communication mechanism.
Sure you can use a fake email address, and many of us do. Finally github has a
feature to use their own no-reply email addresses, but it's a kludge.

~~~
pwg

    git config --global user.email no@email.invalid

And git happily accepts the value, yet the result is not useful to anyone
([https://en.wikipedia.org/wiki/.invalid](https://en.wikipedia.org/wiki/.invalid)).

Or, just edit your .gitconfig by hand after adding an email and change the
value there to whatever you want.

~~~
nfoz
Thanks, I didn't know about the `invalid` non-TLD. I've been using
example.com.

Still, it seems inappropriately opinionated for git to tie in and _require_ an
identifier on a specific communication mode, even if we can come up with fake
emails. And I dislike the extra bits of reduced anonymity (eg "correlate
pseudonyms by which fake email they all use")

------
mikeash
If you put your email address out there, people will use it. Maybe github
needs to do a better job of conveying what you’re making public when you push
a commit, although as a service for programmers it may be reasonable to expect
people to understand this already.

~~~
crashbunny
I got the impression from the tweet it wasn't about github, it was about the
recruiter. The lengths the recruiter is willing to go through to get an email
address doesn't start and stop with github.

~~~
mikeash
Right, but that seems to be based in confused expectations. The tweet starts
out, “My email address isn't on the web.” But it clearly is.

------
delinka
I thought Mr Bernhardt was technical enough to know that pushing commits onto
a public web server made those commits and their metadata public information.
I get that you don't care for spam, but they used information you published.

~~~
rubenfonseca
Just because it’s published on the internet doesn’t give you absolutely any
right to use it. I don’t understand why people don’t get this...

~~~
delinka
I understand copyright - you created source code, placed it online, didn't
apply an open source license to it, so those accessing it have no right to
"make use" of the code.

What's the mechanism by which an email address found on a public website
shouldn't be used to send email? Who decided on this social policy? I've been
on the internet with email since about 1995 and this is the first time I've
heard it suggested that public information shouldn't be "used" without
permission. (And before you go off on a doxing tirade, let me address this:
"using" someone's published physical address would be _mailing_ them something
- visiting them in person unannounced and/or republishing their address is
definitely against social contract and might even be illegal.)

So what's the supposed social contract here? You found an email address but
you're not allowed to email to it without permission? How do you get
permission?

~~~
rubenfonseca
It’s called the law ;) I’m an EU user and articles 5 and 6 of GDPR are pretty
clear about this.

~~~
delinka
Bernhardt is a subject of US law. Do you have a comparable US legal citation?

Further, how would these articles of GDPR apply in this case? GitHub makes no
representations about keeping your public data private. Please also suggest
interpretation of specific parts of these articles that cover the recruiter
collecting and making use of public information.

------
azhenley
You can do this from the browser.

View any commit of the user on GitHub and add ".patch" to the end of the URL.
Done.

------
saagarjha
Why do you need the GitHub API for this? Can't you just clone the repository
and log all the commit authors?

~~~
garmaine
People on Twitter don’t know how git works, it seems.

~~~
ChickeNES
No, the recruiter admitted to following a guide online that used the API

~~~
garmaine
What I mean is that outrage over GitHub revealing author email is a bit odd
given the way public git repos work.

------
someexgamedev
GitHub supports noreply emails from git cli. Configure it so you don't pwn
yourself!

[https://github.blog/2017-04-11-private-emails-now-more-priva...](https://github.blog/2017-04-11-private-emails-now-more-private/)
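
An added audit script (not from the thread, and not GitHub's or git's own code) showing what the two lookups mentioned in this thread actually expose in your own repositories: the `From:` header of a commit's `.patch` view and the output of `git log --format='%ae%n%ce'`. The sample patch and log text are constructed; the GitHub noreply forms (`@users.noreply.github.com`, `noreply@github.com`) are assumed from GitHub's documented behaviour rather than quoted from the thread, while `.invalid` and `example.com` come from the replies above.

```python
import re
from typing import Dict, List

# Constructed sample of what GitHub serves when ".patch" is appended to a commit URL
SAMPLE_PATCH = """From 0123456789abcdef0123456789abcdef01234567 Mon Sep 17 00:00:00 2001
From: Jane Dev <jane@example.org>
Date: Thu, 8 Aug 2019 10:00:00 -0700
Subject: [PATCH] Fix typo in README

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
"""

# Constructed sample of `git log --all --format='%ae%n%ce'` (author email, then committer email)
SAMPLE_LOG = """jane@example.org
jane@example.org
12345+jane@users.noreply.github.com
noreply@github.com
no@email.invalid
no@email.invalid
"""

PATCH_FROM = re.compile(r"^From: .*<([^>]+)>\s*$", re.MULTILINE)

# Addresses that reveal nothing a recruiter can mail: GitHub's noreply forms (assumed
# from GitHub's documented behaviour), the reserved .invalid TLD and example.com.
PRIVATE_SUFFIXES = ("@users.noreply.github.com", ".invalid", "@example.com")
PRIVATE_EXACT = {"noreply@github.com"}


def emails_from_patch(text: str) -> List[str]:
    """Author address(es) from the `From:` header(s) of a .patch body."""
    return PATCH_FROM.findall(text)


def emails_from_log(text: str) -> List[str]:
    """One address per line, as printed by the %ae / %ce log format."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def is_private(addr: str) -> bool:
    a = addr.strip().lower()
    return a in PRIVATE_EXACT or a.endswith(PRIVATE_SUFFIXES)


def classify(addrs: List[str]) -> Dict[str, List[str]]:
    """Deduplicate (first-seen order) and split into mailable vs. dead-end addresses."""
    out: Dict[str, List[str]] = {"exposed": [], "private": []}
    for a in dict.fromkeys(addrs):
        out["private" if is_private(a) else "exposed"].append(a)
    return out


if __name__ == "__main__":
    found = emails_from_patch(SAMPLE_PATCH) + emails_from_log(SAMPLE_LOG)
    for kind, lst in classify(found).items():
        print(f"{kind}: {lst}")
```

Anything listed under `exposed` is already in the history, so switching `user.email` only protects future commits; rewriting published history is a separate decision.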

------
missingcolours
API? Why bother with that when you can just "git clone ... git log"

~~~
azhenley
Don't even bother cloning! Just view the commit details in the browser.

------
dglass
> My email address isn’t on the web.

Email address is in your public git commits.

Your email address is on the web.

------
JohnTHaller
Ah yes, the 'drip campaigns' from 'cold email senders' that you get once your
email address is 'in the wild'.

Also known as ongoing spam from spammers once they scrape your email address
or pull it from an API in violation of that API's terms of service.

Don't forget the bonus invisible tracking image and CAN-SPAM-YOU compliant
unsubscribe link at the bottom in gray text to make it harder to see.

------
mcpherrinm
Eqrecruiters.com has been spamming emails I've used for git commits as well,
trying to offer positions at Quizlet and Zume. I really don't appreciate that
kind of spam.

~~~
privateSFacct
Mark them as spam - at least on google it seems to learn pretty quickly and in
a few days whoever is spamming is in my spam folder and then not even there
(some spam seems to get blasted even from spam folder? Maybe they stop...)

~~~
gorbachev
This is also what I normally do. GMail is pretty good at learning how to
auto-detect new sources of spam.

However, I haven't had to do this for years now, though: for the absolute
worst of the worst obnoxious spammers who won't take no for an answer, I set a
filter to auto-forward their crap to the entire company of the spammer. The
spam stops immediately, every time I've done this.

~~~
azhenley
How do you forward an email to an entire company?

------
7ewis
They've been doing this for _years_.

Back when I first created a GitHub profile, I started getting emails to an
email that I don't usually give out. This eventually led me to GitHub after
some mentioned seeing my profile which led to me improving my Git knowledge
and finding out how they did it.

------
rubenfonseca
To all people out there that say “you are making your email public by pushing
it to github”, please remember that just because something is on the internet
doesn’t give you absolutely any right to use it. That’s the big deal here.

~~~
inlined
Last I checked CA law (an ethics class), a computer permission setting
explicitly does not grant actual permission to use a computer. Given that the
TOS explicitly prohibits the use of the API for selling info to recruiters, it
may be construable that this was hacking. Not sure that Microsoft, the owner
of both GitHub and LinkedIn, would cooperate with a claim that a recruiter
hacked their dev network.

------
gtirloni
I think we're all going crazy. Seriously, we as a society must be running out
of real problems. Enough internet for today.

