On one hand, it sounds like it's only on marketing pages, which I never visit anyways.
On the other hand, in December 2020, they said "We are also committing that going forward, we will only use cookies that are required for us to serve GitHub.com" and apparently in corporate terms, a "commitment" lasts less than two years now.
Presumably the main change here is Nat made this commitment and Nat has since left Microsoft, but it's hard to believe their marketing team thinks the data value from a couple marketing pages is worth the PR hit from this. Just a dumb--- business move, really.
Someone suggested using a different domain name for the marketing pages. I think that this would be a good idea, then you can clearly tell the difference. And, if the different domain name is something other than "GitHub.com" then the commitment mentioned in December 2020 is still valid.
As long as it only affects the enterprise marketing pages (which, like you, I do not use) and it is clearly documented (unfortunately some of the documentation changes seem confusing, and I am not the only one who thinks that), then I have no problem with this.
(I do not use GitHub for my own projects, but I do use it to view other projects and to communicate with other projects that do use GitHub. In future I might also set up mirrors of my projects on GitHub, but the main working of the project will not be on GitHub.)
No, but people are looking for any reason to claim that MS has ruined GitHub so that the loud Twitter predictions they made during the acquisition aren't as embarrassing.
They changed the section about DNT, which makes it confusing. If GitHub can use DNT, then they should mention that (like it had before). If GitHub does not use DNT, then they should delete that section.
The same section mentions Privacy Badger and uBlock Origin, which they could mention anyways if they want to, but they should mention that GitHub is not affiliated with them (even though some of these projects might be hosted on GitHub).
Slippery slope. First it's cookies for marketing, then it's selling your data, then it's "sponsored" repositories showing up in search. Next thing you know, recruiters are cold-calling you with your private email address and you can't even get to your own README without scrolling past banner ads and autoplay videos. After all, that's pretty much how the rest of the web works.
Do I really think that's going to happen? No. If GitHub were to introduce ads or invasive marketing everyone would move to GitLab in a second. A decent amount of people are already moving to GitLab and GitHub hasn't even done anything! Things like marketing cookies for analytics on marketing pages are genuinely not an issue.
But people take it as a sign, because of all the shit that goes on the rest of the web, and how GitHub explicitly said they were not going to do this. The fact they made a "commitment" not to do this is particularly important because it shows that GitHub's promises don't mean anything.
But migrating your repo is easy. Personally I'm going to wait until things actually get bad before moving.
GitHub made a huge fuss in a blog post about their compliance with the ePrivacy directive not more than 2 years ago. I personally found their approach and interpretation interesting and unique, so this change seems noteworthy for that reason alone.
Do you think ads have gotten better or worse over time?
I think it's unequivocally worse now than it was then. There's a point where you're fed up with seeing the same ads for products you don't want or need.
Imagine if a store put a tiny sticker on anyone who stopped by to look at their products. Now this person is identifiable as "stopped to look at product X" whenever they visit other stores from the same owner.
Personally, it just creeps me out, even though it's basically the norm online.
Developers are typically unreachable to marketers. This will be MSFT unlocking a rare audience that will fetch top dollars from enterprise advertisers, right before cookies go out of standard.
This move, like the exclusive Netflix ads inventory, makes it clear that MSFT sees ads as a big driver to business growth.
As much as I loathe the cookie warnings, I'm constantly amazed at situations that don't avoid them. For example: there is no reason that PayPal needs to serve 3rd party cookies in a payment flow.
I've actually started to reject nonessential cookies most of the time now. Doubt it matters at all.
I worked for a payment gateway years ago; when Safari rolled out their initial blocking of third party cookies back in 2013, it broke some of our transaction flows, yes.
There are a bunch of different kinds of payment gateway integrations, with various tradeoffs.
However a common pattern, at least at the time, was to use an iframe with the payment form in it.
Our form was multi page, and used cookie based sessions to track state between pages, so when they started being blocked, the payment form stopped working for Safari users.
The solution we chose at the time was to put the session id into the URL, but that has its own security issues. There are other ways to address that particular issue that don't involve cookies, but would have required a significant rewrite of the system.
Some potentially legitimate ongoing use cases for 3rd party cookies would be remembering payment details, and one click checkout across various sites that use the same payment gateway.
If the use is required for the site to function, the data may be shared. The only ones you can reject are the ones that are not necessary, which usually involves ad trackers and similar things.
It should also be noted that these popups are likely not legal (or rather, they probably don't constitute informed consent under the GDPR), but that's a completely different discussion to be had.
What 3rd party cookie is needed to process a payment? It's obnoxious I have to take care of the cookie situation what seems like every time I start a PayPal payment flow.
They almost feel like a passive-aggressive thing at this point. There's no reason a cookie banner needs to be a modal dialog that blacks out the rest of the web page.
It’s like prop 65 posters warning about carcinogens in California. If people insist you warn them about something they are doing, you get around it by forcing everyone to do it for everything so people start ignoring them.
> If people insist you warn them about something they are doing, you get around it by forcing everyone to do it for everything so people start ignoring them.
Who does "you" refer to in this sentence? A random business that doesn't like the warnings? How can that random business force everyone to do it for everything?
AFAIK GDPR requires that consent can be removed as easily as it was granted - where's the modal pop-up on every screen allowing me to revoke my prior consent and have their advertising partners delete any gathered data?
You really don't understand why people don't want to have their internet history logged or be tracked as they browse the internet? Cookies that track you are bad. The banners are bad too.
How do I grant universal consent to be tracked so that I can browse the web in peace? The law failed to consider this and made the browsing experience considerably worse for those of us who couldn't care less about being tracked.
Not to mention teaching users who are not tech-savvy to blindly click "I Accept" and "I Agree" without thinking about it which is an absolute disaster since such users cannot distinguish between a marketing cookie prompt and an OS elevation prompt coming from a piece of malware they just downloaded.
This tends to be an unpopular opinion here, but I agree completely. We had almost gotten rid of popups entirely, and now we have something worse, a required annoying banner that often causes the whole window to redraw and move around.
Since untracked ads pay 80-90% less than tracked ones, they are borderline required by every site that requires advertising to survive (most websites).
In a way I'm sure it's added to vendor lock in, any random Google result you click is guaranteed to hit you with the banner, which on mobile is especially annoying since they're also required to be prominent (i.e. take up half the screen because everything in that law is incredibly vague).
The ad/pop-up blockers need to start also blocking the dumb modal windows for this. It might be easier too, there's financial incentive in breaking the blocker.
My guess is that the original intent of the legislation wasn't to force users to click about 20 buttons in order to opt-out (IANAL but this seems to run directly counter to the mandate that it must be as easy to withdraw consent as it is to give it?). I agree that the current experience sucks, although unlike you I'd prefer not to be tracked. That being said, the EU has shown that it continues to iterate legislatively on issues around privacy - see the recent Digital Markets Act, for example. I guess my point is that legislation doesn't always get it right the first time, but I'd much rather see an evolutionary approach to fixing a problem than simply throwing up our hands.
This is a fair concern. The particular extension is developed by Aarhus University, which is a major university in Denmark. Not a guarantee it won't do anything bad, but it should give you more comfort than any random extension developer.
As I understand it, the GDPR did not make web browsing a worse experience. Rather, folks tasked with compliance at a few companies came up with a horrible solution that probably doesn't actually comply, and everyone started copying it. GDPR requires consent; it doesn't require you to come up with the most obnoxious way to obtain it.
Can you think of another way to implement it that wouldn't be just as obnoxious though? I feel like anything that could be perceived as unobtrusive could just as likely be seen as trying to hide or minimize the presence of the banner which might be construed as a violation of the law.
I feel like EU regulators should have worked with web standards committees to add a technical means and requirement to classify cookies. Then browser vendors could allow users to choose which types of cookies they are willing to accept from which websites.
> Can you think of another way to implement it that wouldn't be just as obnoxious though?
A link to a page where visitors can opt-in would work just fine and not be obnoxious. The banners are obnoxious not because it's impossible, but because the very idea of consent goes against the business' goals. Or they're just lazy: You don't need PII to track marketing performance, and if you aren't unnecessarily collecting PII, you don't need to ask.
> I feel like EU regulators should have worked with web standards committees to add a technical means and requirement to classify cookies.
Hardly anyone would use it, because most companies aren't seriously interested in getting consent. They are interested in data, and consent is merely a hoop to jump through.
There's currently hullabaloo regarding the Global Privacy Control HTTP header as a spiritual successor to Do Not Track. It's already enforceable in California under the California Consumer Protection Act and the specification suggests they are also targeting GDPR compliance (although I don't know how close/feasible that is).
If it were to see widespread adoption then all you would have to do is change a setting in your browser.
I think that (maybe) a possible better way might be, instead of such cookie popups, to have:
- Needing to write documentation (which is viewable even if cookies, CSS, and JavaScripts are disabled) about what each cookie means. (This includes both necessary and unnecessary cookies.)
- Writing better web browser(s) with more user controls, which can be more easily modified and recompiled, etc. (This way, you can more easily adjust individual cookies more finely, including which cookies are enabled, duration overrides, values, etc.)
> Only consent is needed for cookies that aren't strictly necessary.
Do you mean “Consent is only needed...”, because while the existing word order is grammatically viable, it doesn't communicate anything that makes sense with the rest of the post.
The nuisance is an intentional choice by the bad actors in marketing to make you mad about the banner instead of their business practices of tracking you everywhere.
Understand that cookie banners are malicious compliance and they make a lot more sense.
This is an utterly annoying failure of legislation. The law could have mandated that a standardized mechanism to opt in (or even out!) would be implemented by major browsers and the relevant standards, providing APIs for websites to integrate. It could have even been about that vague and still be more effective and less counterproductive. The actual legislation invites this sort of abuse. Understanding that the abuse is intentional is a component of understanding the situation. But the blame for it doesn’t absolve the law, it implicates it.
If the vague proposal I’m suggesting sounds outlandish, that’s more or less how every major browser implements other requests for intrusive APIs as a matter of protecting users. Even when they do it half-heartedly they do it by developing a standard with their more invested peers which is far less prone to universal abuse.
I agree it was a weak legislation, but I think governments failed at the time to realize just how blatantly crooked the tech industry is, and is willing to be. I think it's taken a while but more aggressive actions are starting to be taken. Though ultimately I don't think we'll have straightened out Big Tech until we have laws on the books that let us put Pichai and Zuckerberg in prison. As long as their actions can be aspired to instead of a cautionary tale, more will follow in their footsteps.
There are no laws in Australia requiring cookie banners, and yet I get hit with them constantly. So the law is clearly not the reason for these annoying banners.
The EU laws require the banners to be shown to all EU citizens regardless of the country they're in, right? I think the only way to be absolutely safe is to show cookie banners everywhere.
No it doesn't. It stipulates that the site operators need informed consent to track you using cookies. So what they do is nag you with dark patterns to obtain it, creating an annoying experience.
Developer here. It's much easier, and a lazy way, to enable it for everyone rather than tracking IPs and citizenship and showing it accordingly. Developers are lazy.
*Edit: Sorry if this came off as rude but it was a legitimate question. I honestly cannot think of another plausible reason that would explain the proliferation of the banners.
Yep, this is why we can't have nice things. Nice things sometimes sound nice initially but they have major design flaws and are made by people who don't know much about things. But these people have a monopoly of coercion on you so you can't really do anything about it.
> “The legislative department is everywhere extending the sphere of its activity, and drawing all power into its impetuous vortex.” -Madison, Federalist No. 48
I do not (and will not) use GitHub for my own projects, although I use it for viewing other projects that do use GitHub and for communicating with them. Mirroring projects on GitHub (and possibly other services too) even if the main working is not on GitHub, is also possible (I might add mirrors on GitHub and others in future, but currently I only have the main working hosted on my own computer and the mirror on Chisel, and I still intend to keep both of these even if there are mirrors on other services too). (Even SQLite is mirrored on GitHub even though its main working is hosted by themselves instead and is not even using git.)
I would not recommend using GitLab unless it is not the only mirror of your project (it is acceptable if you are mirroring it on something else, too). If you do want alternatives, you may consider Codeberg, NotABug, and/or Sourcehut. The reason I exclude GitLab is because it cannot display the files unless JavaScripts are enabled (or if you use the git protocol, which is kind of confusing compared with fossil) (it is OK if it uses JavaScript for other functions as long as the files can be viewed without it) (this is not a problem if there are other mirrors, since you can view the mirrors instead).
This is Microsoft we’re talking about here. They provide OSes and PowerPoint for the CIA laptops that plan extrajudicial assassinations and torture sites, and groupware for the concentration camps for children down in Texas; their blatant commercialism is perhaps the least gross thing about them.
Imagine the most terrible dark patterns from LinkedIn (which they also own), and go self-host Gitea and move your repos.
If the FSF becomes a CIA vendor, I'm definitely out. Your analogy doesn't quite make sense, though. Neither Linux nor GNU are vendors to anyone. If they were, it would throw enough of their mission into question that most people would stop supporting them and fork everything.