
Had a similar thing happen to me with GitHub a while back (pre-Microsoft acquisition).

Even as a paying customer for many years, my account was disabled – without even receiving an email warning. I only discovered when browsing issue histories where I knew I'd left detailed comments, and noticing my comments gone without even a note about deletion, leaving threads nonsensically fragmented.

When I tried to log in, I was only faced with a generic "activity that looked malicious" message – but no hint of what that might have been. Once I complained, I was restored quickly – but if I'd been on extended vacation, or perhaps even passed away, there'd have remained giant holes, indefinitely, in projects I'd contributed to.

Was anything I legitimately did as myself suspect? (They couldn't say.) Was some third party trying to get access – or did they even briefly succeed, perhaps with some compromised credential somewhere? (That was my fear – but they couldn't say & there was no evidence of compromise in what I could see.)

After several angry emails about how they shouldn't accuse a longtime paying account in good standing of 'malicious activity' – creating fear of an account compromise of unknown extent – they finally said no, it wasn't unauthorized access (or attempts thereof) but some comment (unspecified in age/topic) that a filter deemed similar to other malicious comments.

I'd paid them ~$600 over the previous 5 years, and still had an active subscription with working billing details. My account was nearly a decade old with a wide variety of contributions & comments. But still, an automated system with no apparent human review disappeared my account, without even generating a notification.

For a paid account this is utterly unacceptable. For a free account I can kinda understand it, although it'd still be nice to get some automated explanation. An automated system that can't provide a good reason to disable an account shouldn't be disabling accounts at all.

If this is a thing that happens at GitHub, I guess that's another reason to check out GitLab instead.

And this sort of thing is why some of us have been endlessly warning that it's probably a bad idea to centralize all of the open-source ecosystem onto a single centralized, proprietary, commercial platform.

Not that those warnings were heeded, of course, as usual.

Technically git is free and you can self host. The issue is that the power of money cannot be ignored. GitHub has become the de facto centralized OSS ecosystem because it is free and can afford to be free due to the money they have.

I would argue that we should encourage more platforms (paid) that can host git and not just depend on GitHub or GitLab. But those 2 are successful because they were some of the early ones and then got a lot of money/funding. There may be other alternatives but no one wants to put their code with a small risky company that may not exist tomorrow. If we can solve that problem, I think we will be ok.


Age and activity matter here too. There are plenty of developers who have never paid GitHub but do endlessly important work through it. At the very least flag these accounts for human review.

Par for the course these days. And it's getting worse.

When you have 40 million users and a few hundred people running the system, all kinds of issues just sit in queues never seen by human eyes until a gigantic stink about it is raised.

For those in the EU/UK, it's worth noting that the GDPR isn't just about controlling how personal data is used. It also imposes obligations on data processors to take care of that data properly.

The usual issues arise about enforceability as long as this is only European law, and about ambiguity in the way the GDPR itself is written.

However, it seems likely that arbitrary deletion of personal data like this could fall foul of the requirements for integrity and availability, particularly given the GP was a paying customer.

Because we're talking about an automated decision, Art. 22(1, 3) of the GDPR applies as well where:

> The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

And any exceptions still require the data controller to provide:

> suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
