A GitHub spokesperson has issued this statement [1] about a request to api.github.com: "That endpoint tracks aggregate performance metrics, and does not rely on cookies or other unique identifiers".
GitHub is still sending our usernames and other unique IDs, our device data, and the pages we visit to the collector.githubapp.com endpoint.
GitHub's claims about not tracking users are false; they do identify users in tracking requests. See this tracking URL, which is full of unique identifiers and personal data and is currently sent after every page load, without user consent:
this isn't about tracking users, it's about cookies. no cookies doesn't mean no tracking. it's just a workaround to improve UX. "visiting our website does not send any information to third-party analytics services" - but presumably third parties are still able to access this data on request. their privacy policy probably reflects this. if you visit a website and don't want to be tracked, make it as hard as possible for the host to do so, don't rely on what the host says. they can do anything they like with visitors' data. anyone who hosts websites will confirm this
Don't confuse "we don't set cookies" with "we don't set non-essential cookies".
They say no "non-essential" cookies, but an anonymous user just landing on the homepage gets a cookie with some unique-looking tokens.
I've seen many companies just hire the right lawyers that would sign off on all sorts of tracking cookies as "yeah, this is essential, since we can't track users without it, and tracking users is essential to our business model".
> this isn't about tracking users, it's about cookies. no cookies doesn't mean no tracking. it's just a workaround to improve UX.
Except the GDPR and cookie directive, obviously, undeniably, unmistakably, weren't intended to give websites a "bad UX" obstacle to work around.
It's not even about cookies. It's about letting users AGREE to being tracked and then track them, OR (with the same amount of effort and without denying them service vs tracked people) DISAGREE and then not track them.
If they're still tracking me and keeping data about me that they can match to the PI that is my github account, then this "no cookie" thing is just more "letter of the law" bullshit.
I think it's pretty damn clear to GitHub and MS what the intention of these EU laws are. They can't just say "oh it's worded in a way that gives us wiggle room, so fuck your intentions". Well they can but they'll find out whose faces they told "fuck your intentions" to.
We're trying to protect consumers from tracking bullshit, here. Not throwing up obstacles for large corporations to work around.
It does though make tracking by third parties so they can sell things to me (or sell information about me to other parties for that use) more difficult. Not impossible though, of course.
Yes, they can do anything with the user's data, if the user has consented, or if they are willing to break the law.
The tracking request you see above requires informed consent under GDPR, and GitHub does not ask for consent before collecting browsing and device data that is tied to GitHub usernames.
> consent is simple to gain, who reads the entire ToS and privacy policy?
That's not how informed consent works; you can't just mention the collection of personal data in a privacy policy. Consent must be explicitly requested for this type of tracking, and you must be able to reject it and continue using the service.
> the bottom line is, do you place more trust in your local lawmakers and the website you are visiting than you do in yourself
The request can be blocked with uBlock Origin, but it's still important to draw attention to tracking that may be illegal, since not everyone has a content blocker installed.
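For anyone who wants to see for themselves what a page sends before reaching for a blocker, here is an added example (not GitHub's code and not something posted in this thread) of a small request auditor you can paste into a browser console or a userscript. It wraps `fetch` and `navigator.sendBeacon`, logs the host and query parameters of every outbound request, flags parameter values that are long and high-entropy (the shape of opaque user or session identifiers), and drops requests to `collector.githubapp.com`, the host named above. The sample URL and its parameter names (`uid`, `page`, `client`) are constructed for illustration and are not GitHub's actual parameters; the entropy thresholds are a heuristic, not a standard. The one-line uBlock Origin equivalent is a static filter of the form `||collector.githubapp.com^`.

```javascript
// Added example: audit and optionally block outbound tracking requests.
// Not GitHub's code; the sample URL and parameter names below are constructed.
const TRACKING_HOSTS = new Set(["collector.githubapp.com"]); // host named in the thread

// Constructed sample request; parameter names are hypothetical.
const SAMPLE_URL =
  "https://collector.githubapp.com/collect?client=web&page=/octocat/hello-world&uid=a8f3k2m9q1z7x4c6v0b5n2";

// Shannon entropy in bits per character. Opaque identifiers (session tokens,
// hashed user IDs) are long and close to uniformly distributed; page paths and
// English words are not.
function shannonEntropy(s) {
  if (!s.length) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Classify one request URL: which host it goes to, whether that host is on the
// tracking list, every query parameter name, and the parameters whose values
// look like identifiers under a length/entropy heuristic (an assumption, tunable).
function auditRequest(urlString, { minLength = 16, minEntropy = 3.5 } = {}) {
  const url = new URL(urlString);
  const identifiers = [];
  for (const [name, value] of url.searchParams) {
    if (value.length >= minLength && shannonEntropy(value) >= minEntropy) {
      identifiers.push(name);
    }
  }
  return {
    host: url.hostname,
    tracker: TRACKING_HOSTS.has(url.hostname),
    params: [...url.searchParams.keys()],
    identifiers,
  };
}

// Response handed back to page code when a fetch is dropped; page code sees a
// successful-looking empty reply instead of a network error.
function blockedResponse() {
  return typeof Response === "function"
    ? new Response(null, { status: 204 })
    : { status: 204, ok: true };
}

// Wrap fetch and navigator.sendBeacon on `target` (normally `window`) so every
// outbound request is audited before it leaves. `block(audit)` decides whether
// the request is dropped; by default anything to a listed tracking host is.
// Returns the audit log so the caller can inspect what the page tried to send.
function installRequestAudit(target, { block = (a) => a.tracker } = {}) {
  const log = [];
  const record = (urlString) => {
    const audit = auditRequest(urlString);
    log.push(audit);
    return audit;
  };
  if (typeof target.fetch === "function") {
    const origFetch = target.fetch.bind(target);
    target.fetch = (input, init) => {
      const audit = record(typeof input === "string" ? input : input.url);
      if (block(audit)) return Promise.resolve(blockedResponse());
      return origFetch(input, init);
    };
  }
  if (target.navigator && typeof target.navigator.sendBeacon === "function") {
    const origBeacon = target.navigator.sendBeacon.bind(target.navigator);
    target.navigator.sendBeacon = (urlString, data) => {
      const audit = record(urlString);
      if (block(audit)) return false; // sendBeacon's own "not queued" signal
      return origBeacon(urlString, data);
    };
  }
  return log;
}
```

Run `const log = installRequestAudit(window)` in the console before navigating within the page, then inspect `log` to see which hosts received which parameters; the entropy flag is only a hint, so read the flagged values yourself before concluding they are identifiers.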
if you agree to terms which request consent, you are giving consent. how they are displayed to you and whether or not they are explicit enough or too hidden is subjective
you'll need a stronger arsenal than a content blocker to avoid modern fingerprinting, legal or otherwise
from my understanding of the rules even a lot of the informed consent popups today aren't compliant.
If I understand it correctly (and I think I am) the standard is that it should be equally easy to opt out as to opt in, and the default should be opt out.
IMO this means I should just be able to dismiss any GDPR compliant box and the result should be no tracking.
Correct. Also, you cannot withhold access upon users not consenting, so there's literally zero incentive for users to ever consent for compliant providers. Which is kinda obvious with the GDPR's overall goal of making it impossible to use privacy as currency.
GDPR has lots of issues and this is one of the major ones.
It can be easily argued that companies cannot be forced to service users and there has been no real precedent or enforcement around this.
A company cannot be forced to service users. It can also decide to stop operating entirely, and die. A company can be forced to not use particular criteria to decide to service specific users, an idea with a long history - a common example is skin color.
This has nothing to do with immutable physical characteristics and such comparisons only highlight how silly the argument is.
Consent is a voluntary action. Usage itself is a form of consent. However a user disagreeing with what the company requires to provide that service but still being entitled to and actively using that service is not workable. User can decide to stop using a service entirely though, if they don't agree with the requirements.
You aren't forced to service users. You just cannot make consent the currency for your service. Either don't require consent or don't operate in the EU.
That's meaningless. Usage is already a form of consent. The discrepancy is between the user and the company in what is consented. Forcing the company to provide service to the user even if the user disagrees with an upfront description of what the company requires to provide that service is a completely valid objection.
Also GDPR applies to any organization providing to citizens of the EU, not companies operating there, but that's yet another example of poor design which results in GDPR having little enforcement.
it will appear legal if it is worded correctly, just the right side of ambiguity, proofread by a dozen lawyers and backed by a multi-million dollar body
also, to contradict your own tangential claim (from your non-authoritative link):
"You _should_ ask for consent where you are offering a genuine choice over a non-essential service. Typical examples include:
Did you seriously just link an IETF document as the basis for an argument about the law? Never mind the difference between "should" and "must", do you understand the difference between an RFC and the law?
And there is no room for ambiguity in the actual law:
> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
> Did you seriously just link an IETF document as the basis for an argument about the law?
of course not, it was an example to demonstrate the difference and easier to include one link for both definitions than e.g. two for each from a dictionary
> Never mind the difference between "should" and "must"
given the context I believe the difference is of paramount importance
> do you understand the difference between an RFC and the law?
slightly reworded first question but yes, I do, thanks
that seems a good example for a better source which actually bolsters my point on bad sources, but alas, it's irrelevant. note that it refers to personal data and not (third time lucky) the original argument concerning tracking consent. in fact, I cannot even find any personal data in the OP's URL, probably because no personal data is required to create a GitHub account. let's just ignore that one for now
> consent is simple to gain, who reads the entire ToS and privacy policy?
nobody because they are pretty much meaningless in the EU
we got laws to protect consumers, not laws for businesses to trick users into making some meaningless gesture
> the bottom line is, do you place more trust in your local lawmakers and the website you are visiting than you do in yourself
what do you mean by "local lawmakers"? these laws are EU-wide. or did you mean "local" to mean, "non-US"
anyway, these lawmakers are fighting the shitty corporations that pull this tracking stuff
and your bottom line is not really a choice one way or the other. I can use blockers and other plugins to protect myself, AND cheer on the people fighting the fuckfaces that think it's in any way honourable to make a profit by merely following the letter of our laws
but we got some really good consumer protections in the EU. and we try to keep it that way. we're not going to simply roll over because some US corporations are used to being able to track the hell out of US customers
[1] https://www.theregister.com/2020/12/17/github_will_no_longer...