Such level of transparency, of apologizing and clarity, especially written at the first person "I am truly sorry." is very rare and should be praised.

Thing is, the broader public don't care. The difference between gitlab and gmail is primarily that developers care more about this stuff and value their code more than most people care about their email. They are also much more informed in the matter, most using gmail haven't got a clue.

No, they only care when the tools they are using are targeted. Otherwise, they couldn't care less.

We have tracking on websites and in apps on an industrial scale - built by developers in technology companies. We even have tracking of school kids courtesy of ChromeOS. When have developers ever shown any care about that? When have they ever spoken out about that? They're more likely to rush to defend that software and the company that built it: It's not being used to build profiles, or the data is aggregated and anonymous.

Presumably, if GitLab tracked behaviour 'anonymously' and in aggregate form, that would all be fine? Didn't think so. The hypocrisy that runs through the programming profession when it comes to online tracking really knows no end.

However, giving a third party script, potentially unvetted, access to the crown jewels of the company I work for? No fucking way.

Different. Not a double standard.

Gitlab can't.

It’s a shame that so many innovations are being squashed in communication because of the “free” price for cloud solutions.

Google is learning so much about students thanks to this program.

I understand the reticence towards third party telemetry, but refusing basic interaction tracking for a product you pay for is just hurting yourself, even if you're already satisfied with the service. You don't go to the doctor for a checkup and then refuse bloodwork. Obviously there are rules around privacy for medical records that don't exist for interaction tracking. But I don't think the solution should be to get rid of tracking entirely, it should be to extend reasonable privacy rights and protections to our online data.

Gitlab could have collected anonymous data, with opting out of collection as the default, and promised not to sell it if they seriously believed it was about improving their product. Plenty of products record telemetry data only if you opt in to the program. Users understand and often accept that. That approach would have generated fewer headlines.

No amount of vague promises over how good you will be and how nice you'll treat your users' information should be enough to make this acceptable. We have a huge body of evidence informing us that trust is a fundamentally bad idea when it comes to a corporation.

In GitLab's case, developers weren't. Their C-level executives simply overruled them and forced the change.

If that were the case, Gitlab could have simply asked for permission.

For me, the concern was the value of the content. It might as well have been my bank saying they were going to start embedding disqus threads.

My point still stands though.

https://about.gitlab.com/pricing/gitlab-com/feature-comparis...

If only this worked with giant corps. FB has around 2.4 billion MAU and a few nerd rants won't be noticed the next time they screw the user and a handful complain.

Goldman Sachs valued it close to $3b.

Why Gitlab wanted to do this I have no idea, sounds like some marketing people came up with such idea "because everyone is doing this"?

Tracking wasn't going to bring much revenue, if any, so they could just get rid of that, trying to turn it into some positive PR. The cynic in me tells me that if they smell any significant money from tracking they would tell HN and the rest to back off (or would added some convoluted way to opt-out from tracking).

There was a huge uproar when Facebook first launched "Beacon", and it was cancelled as a result.

Unfortunately it just morphed into the Facebook Platform and eventually the Pixel. Same pig with different lipstick.

I agree it's one of the best-written apologies I've heard in a while, and they deserve some praise for not letting the corporate ~bullshit~ PR department run loose all over it.

But still. I suggest that whoever is responsible should resign as a result of this Pendogate business. I feel that he has betrayed users' trust in a way where an apology alone is not sufficient. I personally consider the original plan - we'll lock you out of your accounts and disable the API until you accept our new TOS, if you don't like it there's the door - far worse than anything Brendan Eich ever did, for example. I don't want people who ever think that could be an acceptable idea in charge of a company I rely on day-to-day.

Replacing him would be a very strong signal from Gitlab's board that they are truly sorry and understand the severity of this scandal, and would also encourage future CFOs to take their users' views more seriously.

It is pathetic in a way that while lots of people were worried that Microsoft would "corporatise" github, it's gitlab that decided it was ok to threaten to lock people out from their accounts until they "consented" to this.

_EDIT: Paul Machle is CFO, Sid Sijbrandij is CEO and the person who sent the apology. I have removed names from the original post as I am not sure which of them signed off the original idea. I expect a CEO to take the attitude "the buck stops with me" though - they should be accountable even if they're not directly responsible._

When I delete all my repositories by hand, one by one, I expect to not find a joke in that email about how "this email is sent to you because you have an active repository on Gitlab".

When I delete an account on Gitlab I expect to be deleted from all further mailings (especially ones I never subscribed separately to), yet I got this email today. How many more places do I have to delete my information from to finally be rid of Gitlab?

How many more third-party companies Gitlab shared my data with at this point? Because that they do have it, there's no question about it - after all I just got this email.

This level of management disconnect does not bode well for Gitlab, as a paying customer this worries me...

I recall they setup some blog page with explanations, so obviously they expected push back. Part of my work is making sure policies, code, etc. are compliant. Notifying compliance for such changes should be a standard procedure as well. In this regard I can't understand how the entire process went through, as GDPR challenge should have been expected.

pushing through legal recommendation is quite reckless. GDPR is quite a hot topic and the regulation has real teeth (aside the public backlash)

The original comment from Paul Machle is "I don’t understand. This should not be an opt in or an opt out. It is a condition of using our product. There is an acceptance of terms and the use of this data should be included in that."

I am not a lawyer, but that does contradict pretty much everything I've been taught about GDPR.

They fucked up, users gave feedback, they listened.

This isn't some corporate conspiracy, some grand ethical dilemma with an evil company on one side and some white knight hackers on the other.

Let's imagine for a second that they are people trying to do the right thing, with years of history doing the best they can.

They wanted to measure usage to make their product better. People seem to disagree, which, okay, but the outrage here is everything wrong with the internet.

I very much disagree. I think the outcry was warranted, and right now I see GitLab doing the right thing (and, obviously, the outcry was a huge reason for that).

Changing plans in the harsh light of public condemnation isn't easy, and for that I very much commend GitLab. As someone who was very much against the previously announced change, though ( https://news.ycombinator.com/item?id=21350146 ), I'm glad the community feedback was so strong.

I'm also glad the feedback was so strong, as the ad-tech industry has spent the past 15 years numbing the general populace to unwarranted (and often unnecessary) telemetrics.

It's understandable that GitLab had no ill-intentions. But how can one know whether third-parties share such sentiments?

The outcry may stop but the trust is now gone and will take years to rebuild. Next time I'm considering/recommending on-premise git hosting I won't be recommending gitlab.

I'm also considering moving my personal repos that I pay for. Generally I only interact through the CLI and don't think about the web interface much, but apparently when I go there I'm sharing info with whatever the hell gravatar is.

I highly doubt the CFO has changed his viewpoint, and he's still in power over there. They only backtracked after the "insane" reaction. They anticipated some amount of pushback, but obviously hoped it would be smaller and they could move forward.

The root-cause screw-up here is delegating product decisions to F&A. A good CFO adds huge value to a company, but should not have final decision authority over product decisions. That is not the role of a CFO. Any company that makes it so is organizationally dysfunctional from the C-suite down.

I don't know why you think that's ethically ok to hold user data hostage until they agree to give up more rights. It's borderline ransom.

It's strictly illegal under GDPR, the agreement is void as it contradicts the law (you cannot have terms and conditions superseding the law). The policy - "agree to tracking" must be explained and justified, consent must be given (affirmative action by customer/user).

Failing to do that and holding user's data as hostage would be compliance breach. GDPR fines are no joke and set forward to prevent abuse. (up to 20m euro or 4% global revenue) GitLab is no small business any more and a fine would outweight the 'tracking profits'

Not sure I follow your logic there.

First of all, he's not right. As stated by the compliance officer in that thread, his plan would have violated the GDPR. It also would have violated existing contracts with enterprise customers.

Secondly, it's a scummy thing to do. just because you have the right to do something doesn't make it the right thing to do.

Honestly, who here is arguing that they can't implement some form of this? No one. Exactly no one. We don't like what it, and we're the consumer! It's not entitlement to pushback when a vendor changes their terms in a way you don't like.

I have no idea what point you're trying to make here.

When I first saw they had their compliance policy repos set to public so anyone could view internal discussions around changes the lawyer in me just about fell off my chair. That is an almost unbelievable level of transparency. It's difficult for me to assume anything but the best intentions when GitLab has gone out of their way to let people see how the sausage is made.

EDIT: https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no...

Note - it is worth saying, CFOs are, generally speaking consider extremely important positions for many companies, even more-so than the CEO. But this isn't because they make policy decisions or conduct external communications, but rather because they control the lifeblood of any company - the money.

As you say, whoever controls the money flow, ultimately controls the people, and can shut down any activity they desire...

Sure it's not "legitimate veto power", but ultimately it is the same thing.

I never said this...

that the board failed to stop this (or was bypassed) is telling, but this doesn't seem like a failure of the corporate governance model or anything. money is basically essential to a corporation; engineering staff shouldn't be on the level of C suite, despite what many here would have you believe

It doesn't take a genius to realize the mistake here.

How could a company like this ever think that opt-out is appropriate? It seems like all their engineers knew this was a bad idea and everyone else seemed to think it was okay!

The problem for me was how a company like this couldn't see that this would happen and went along with it, I held Gitlab to a high standard and honestly I've lost a lot of trust with them.

I'm thankful for the outrage, and whilst I will never condemn personal attacks, I feel discussing the matter on places like HN was appropriate.

No, it hasn't unless a civil discussion in an area where people have strong opinions is somehow your definition of "insane."

>"People seem to disagree, which, okay, but the outrage here is everything wrong with the internet."

There is no "outrage" here just lots of concern if not some well-placed bewilderment at a particular brusque comment made by their CFO on the issue[1]

The great irony is that you have dismissed and self-proclaimed that an entire civilized and adult discussion as "outrage culture" and "everything wrong with the internet."

[1] https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no...

What's great with GitLab compared to other companies is that they are doing things in the open, while another company would just violate my rights without me knowing it.

If you go through the comments, multiple (toxic) people in GitLab doesn't care about user rights, just want to push the change as soon as possible (just like in any other company that I have been working in).

It's also clear that you get VP/Director/Staff engineer by just pushing through other people (sadly I have seen the same thing happening other times as well).

The advice I have bookmarked (which I'll admit is not a legal opinion or the source legislation) says:

‘specific website content’ means that you should not make ‘general access’ subject to conditions requiring users to accept non-essential cookies – you can only limit certain content if the user does not consent;

and

the term ‘legitimate purpose’ refers to facilitating the provision of an information society service – ie, a service the user explicitly requests. This does not include third parties such as analytics services or online advertising.

As I read/understand things, unless the service you're providing is "being tracked by advertisers or analytics", you cannot block ac cess to users based on then not consenting to being tracked for advertising/analytics.

Pretty sure "They'd be supposed to drop EU users, under some interpretation of the law." is correct there, and that if Gitlab wants to have tracking consent as a mandatory requirement for using their source control service, they'd need to stop selling it in EU completely.

Good luck trying your luck with international law.

,,You may be wondering how the European Union will enforce a law in territory it does not control. The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms all the time. GDPR Article 50 addresses this question directly. So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis.''

It won't even go to US court, but to EU one.

You cannot conduct business in the EU unless you have a VAT number issued by any of the member (still 28) states. You cannot sell anything in the EU w/o VAT, it'd be illegal. The company =must= pay the collected VAT to the respective member state(s).

So they have to register in the EU to conduct business (and issue VAT receipts). This requires some assets and people to be responsible.

The only way to conduct business outside is a small shipments (less than 22e) that would be free of VAT and customs clearance.

It's impossible for people in the EU to track all the time how different services use their data, so what you are suggesting is not practical.

As an example if you go with 200km/h on the German highway the responsibility of the road not ending is not yours. When I was going with a car in Albania and this happened to me, I (and my car) was quite shocked, but there are differences between countries.

From the update: 'We will not activate user level product usage tracking on GitLab.com or GitLab self-managed before we address the feedback and re-evaluate our plan.'

That leaves a lot of wiggle room.

That seems like a pretty solid indication that the plans are cancelled.

Self-host it if you don't want it. I dunno what to tell you; at some point, the company does have to observe how people use their product, and they'll do so a lot more effectively by looking at how most people are using it, rather than … idk, send a survey or something. Not that they won't do the latter anyway, nothing prevents them from doing that, but it's a very different type of data.

I'm a privacy nut by the way, and nothing in that field pisses me off more than people who vocally shit on telemetry. "I hate you, you should just GUESS what I want rather than do real work to figure it out" sort of thing.

What is it about telemetry you don't like, exactly? And I do say "telemetry" in general, because you're saying it sucks in general. So no specific examples like Windows 10's abhorrently overreaching telemetry, privacy invasions that look at PII, etc.

Telemetry generally is things like "97% of users have visited the issue tracker. 66% of projects with an issue tracker enabled have at least 1 issue. new issue rate on public repositories climbs by 15% if the new issue button is orange instead of green. users spend 30% more time on the new issue page if there's a new issue template. issues with a template have a commit/mr associated with them at a 8% higher rate than issues with empty templates".

By choosing to die on this hill, you're taking both good-will and attention away from much more severe issues of telemetry abuse, such as "let's collect the precise geoloc of all our users in our gay dating app at 5 minute intervals, store it for 3 years and not care one ounce about security".

And it may still have it. I just don't trust GitLab's management anymore.

There is still a difference between sending actions you selected to the server and tracking where you move the mouse while on the page in your browser or other bs like that. One is required to implement the functionality, the other is not.

You want a counter-example? Reddit has very little telemetry and quite famously barely looks at the data it does gather. You want to talk about deterioration, how's that for some severe rot.

Fair. It's just my opinion. Though I'm not the only one expressing it. You've probably heard the phrase "optimizing for lowest common denominator", or as 'dredmorbius calls it, "the tyranny of the minimum viable user".

> I personally find that a lot of software I use daily does improve over time, especially web software.

I find the reverse. GMail and Dropbox being prominent examples.

> Reddit has very little telemetry and quite famously barely looks at the data it does gather.

Huh. That's not what I expected. I see Reddit as poster child of making the UX worse and worse, driven by advertising goals - something that generally does correlate strongly with running telemetry. I'm confused about them now.

Dropbox I'd agree with, gmail I actually much prefer the current UI to the old one.

And indeed web services do tend to optimize for the "lowest common denominator", or more generally for the "majority of users". Which does tend to fuck over power-users. But it also means for most people telemetry works out.

It does fuck over power-users, but it also fucks over regular users. Not only doing tasks takes longer than it could (or than it took in previous generations of equivalent software), it often precludes them from becoming power users. Because a "power user" of a specific suite of software is something a person becomes over time and repeated exposure. Which includes essentially everyone doing a full-time job in front of computers. I believe dumbed down software is causing a huge hidden economic loss in reduced efficiency of office workers. Not to mention their misery.

(A good example here would be POS systems. If you've ever seen a DOS based one, you'll know it's an order of magnitude more efficient to use than the current breed of browser-based ones. The old-school UI was clean, ergonomic, consistent and fully keyboard-operated, allowing to do most tasks without even looking at the screen for most of the time. There was a relevant thread on HN recently[2].)

--

[0] - actually, I think it's more like: $$ \sum_{user \in users} utility_{user} $$ (https://latex.codecogs.com/gif.latex?%5Csum_%7Buser%20%5Cin%...).

[1] - by "useful" I mean, what tasks it lets users accomplish and how efficiently.

[2] - https://news.ycombinator.com/item?id=21045935

I am more than willing to help GitLab, but telemetry in a VCS is simply a red flag (even a legal impediment in many cases).

I’ll reserve the pitchforks for if this comes up again.

It's mind-boggling to me how entitled and aggressive the open-source culture is allowed to be. Does a company like Gitlab really deserve to have its employees publicly insulted in this way, after giving away so much to their users, for free, and being so much more transparent than 99% of tech companies?

At this point I don't understand why anyone in their right mind would go to the trouble of making their product open-source. It's just not worth it.

I'm not advocating in favor of rudeness, but the same reasoning goes for the middle finger gesture. It's an emoji that Gitlab have (I believe) deliberately included in their commenting mechanism. As far as I understand, it acts as a way to categorize users' anger and vitriol in a much more sanitized manner than if the users were to type their sentiment into the comment box. In general, allowing and encouraging negative feedback of specific parts of the service helps drive user engagement and demonstrably makes good business sense.

If users feel entitled and free to speak up, it's because there is a lot of competition in this area and they can easily leave. The fact that users are providing this feedback to Gitlab, rather than just deleting their users is a sign that they still trust the company and the service, want to keep using it and to drive it to be better.

When a C-level fundamentally misunderstands the company's culture and the culture of their target audience, incompotence becomes presumable and maliciousness becomes possible, IMO.

In a world where companies think little of collecting and selling our personal data to make a profit? In a world where companies feel the need to track every part of my life with or without my permission. This is something I can't escape, as every time I interact with someone that does use one of these platforms than they are able to collect data on me.

We both know that there are companies out there that are trying their best to not exploit their users, and sadly these companies are often held to much higher standards. When a company that we trust, and trust enough to recommend to others who value their privacy, it does hurt when a company goes in the opposite direction with your privacy even when they have noble intentions at heart.

It's also completely telling when their engineers are standing up for their users and others at the company are trying to find any excuse to collect certain information for reasons.

Now, I'm never for personal attacks on someone no matter what, but I find it hard to call out people for using a widely used and available emoji. I do agree it's very much on the line and others might take the other opinion in this case.

(Hopefully you get the parallel: some of us consider it harmful, and the fact that you don't care or you actually enjoy it does not mean we should be subjected to it)

As for telemetry, I can't find any reason one would willingly subject to it. But even if, that's why laws like GDPR don't ban it outright, just ask for it to be optional and opt-in.

Sure, from the perspective of non-smokers.

>On the contrary, a decent human being would not willingly expose non-smokers to cigarette smoke

A decent non smoker can also excuse themselves, in order not to disturb the smokers.

>Unfortunately, there's not enough decency around to outweight convenience, so it had to be turned into law

This is nothing to do with decency, the smokers doesn't have enough power/influence to prevent it to become law.

Lets say in a place where 95% are smokers, or even in the place there are 5% smokers but those 5% has a lot of power/influence. Do you think there will be law againts smokers ?

>As for telemetry, I can't find any reason one would willingly subject to it

You mean willingly subject to tracking ? Like I said before, I am fine with tracking because the benefit outweight the cost, it gives me something in return, free or cheap service.

From the perspective of any moral human being. Not intentionally harming others is kind of fundamental.

> A decent non smoker can also excuse themselves, in order not to disturb the smokers.

Non-smokers came first. And there's more of them. Plus, non-smokers are at best inconvenience to smokers, while smokers are a health hazard to non-smokers.

> Lets say in a place where 95% are smokers, or even in the place there are 5% smokers but those 5% has a lot of power/influence. Do you think there will be law againts smokers ?

Not likely. If the smokers are decent people, there won't be a problem; if they aren't, they obviously won't vote in laws that inconvenience them. But that only tells about deficiencies of the regulatory process, which optimizes for the loudest voices instead of maximizing good for everyone.

> Like I said before, I am fine with tracking because the benefit outweight the cost, it gives me something in return, free or cheap service.

And like I said, that's why current legal standard people are leaning towards is not to ban it, but to make it opt-in. So if you're fine with tracking, you can have it. The problem is with the infectious, anticompetitive nature of tracking - once one party does it to offset their costs, all other competitors have to follow suit or risk getting outcompeted.

Sure, at least from your perspective. But all human being ? Even now we disagree.

There are some people that to them harming people is the moral thing to do.

You may then say they are wrong, but again you view it from your morality, using your definition of 'wrong'.

>Non-smokers came first.

Sure, for the Non-smokers, Non-smokers came first.

>And there's more of them

Right, so its more to do with which side has more power/influence.

>Plus, non-smokers are at best inconvenience to smokers

Sure the non-smokers can dismiss it as merely inconvenience. But I'm sure there is some smokers that are highly suffer from not able to smoke anywhere anytime.

>Not likely. If the smokers are decent people, there won't be a problem

Again, some smokers can use the same argument, if the non-smokers are decent people, they can excuse themselves and there won't be a problem.

>if they aren't, they obviously won't vote in laws that inconvenience them

While I'm sure within smokers there are people who support the law, but I'm taking about the smokers who againts the law. Unfortunately, they fail or just don't have enough power/influence to prevent the law to exist.

>deficiencies of the regulatory process, which optimizes for the loudest voices instead of maximizing good for everyone

Its not deficiencies because it just the way it is, whichever side who are the strongest get to decide the law.

Maximizing good for everyone is an impossibility. What one human consider as good may be considered bad to other human.

>And like I said, that's why current legal standard people are leaning towards is not to ban it, but to make it opt-in. So if you're fine with tracking, you can have it

Sure if you can gain the power/influence to make it law. But I hope not and I will not support it. why ? It increase friction/inconvenience. Just like the cookie warning, its highly annoying, I would much prefer it to be opt-out or no option at all.

I find this attitude honestly kind of confusing. I mean, you know that the shops you go to know what products you're buying from them, right? Presumably those shops look at that data in aggregate when thinking about which products to stock. How is this any different? If you're transacting with someone, it's not possible to hide that transaction from them.

Umm...that's their business model. It's not an act of generosity. It was a decision that they thought was in their best interest.

Do you also think Facebook and Google are making their products free out of the goodness of their hearts?

How any C level position blindly walks into this kind of thing in a post Cambridge-Analytica world is a different conversation.

'Allowed' to be? The "open source culture" is the sum of the participants and participation is open to the general public. If being rude were "not allowed" who would be doing the not allowing and why should they be so empowered over members of the general public?

How is this different than what would be expected with a Code of Conduct? Must one call out “Don’t be a dick”? Vigorous debate is to be expected, being rude is not.

For example, I don't see anyone stepping up in that github thread and saying that insults and middle finger emojis are not OK. That's because that behavior is normalized. Participants in the thread either a) are OK with it; b) have resigned themselves to it; c) are refraining from speaking up for fear of being attacked too. That is what I mean by "allowed to happen".

Your right to criticize it and their right to say it are one and the same. Criticizing it and not permitting it are not the same thing.

I can't see tears falling for either of those companies' employees as far as the broader community goes.

Unfortunately the problem has deep roots, and the corporations you mention have a track record of either turning a blind eye to bad behavior when the perpetrator is a popular open-source figure (Google), or actively supporting it because the victims are employed by a competitor (Red Hat).

In general, open-source communities are still stuck in the middle ages from an HR perspective. You can be the victim of terrible behavior, and have no recourse at all, because the project itself has no clear legal requirement to protect you, and none of the corporate sponsors will take responsibility for protecting you in the same way they protect their own employees; even if in practice they are the only ones with the power to do so. The result is a legal limbo where people can get away with terrible behavior. I've seen people get crushed by this, it's kafkaesque.

It is public evidence of commitment to an illegal policy after the CFO was informed of the legal problems.

Not sure how you can do something worse.

https://imgur.com/a/uxaU0h8

How is GitLab still this slow?

These kind of things, by nature, are difficult to cache because the balance between “fresh” new content and how often they are accessed leans heavily towards having it served from the backend directly.

>I don’t understand. This should not be an opt in or an opt out. It is a condition of using our product. There is an acceptance of terms and the use of this data should be included in that.

In what way is that "nasty"?

What I really will like to know is how they will profit off that data. Is it even going to make a bump on their bottom line?

http://nymag.com/intelligencer/2018/10/americans-cant-agree-...

$15/hr is a pretty good minimum wage for a company that operates in every state!

(My benefits are fine too, for what it's worth)

The general public does not really care, they just want to get on with their lives.

However, given that most of the Gitlab customers / open-source community cares about their privacy and want to have the control (well, that's probably why they switched to Gitlab from other products), I wonder why they wanted to follow this approach in the first place. The good thing is that they almost always know how to take action when their community reacts.

Effectively this is users complaining that Gitlab wants to simplify their data analysis overhead. Presumably nothing precludes them from sending the exact same data to these companies and more on the backend. What do users expect? For Gitlab to build every single part of their stack in-house (CRM, analytics, support tooling, etc)? Because that's what this is effectively asking for.

What's next? Protesting that a company uses RDS instead of their own hand-rolled Postgres setup? Because this is the same level of stupid.

You’d be moving from one (possibly two if you include the cloud provider) vendors having theoretical access to all of your code to four vendors having potential access.

FWIW I agree that on-page JS on pages with source code is a terrible idea, but that’s easily fixable and doesn’t seem to be at the root of the issue.

I left a comment on the feedback issue about this. It's not as comprehensive as a third party, but you can build your own analytics in house. There are a lot of managed services (like BigQuery) that make it significantly easier to implement it yourself, and you do get valuable insights from such data.

I don’t think this is true, provided the third-party is GDPR compliant themselves. It’s the controller-processor relationship under GDPR. Presumably if there was not a cutout for this, AWS would not be able to exist.

The "can't" here isn't necessary legal, it could be internal.

I don’t see the fact that you have or don’t have a relationship with the company as relevant. The mechanism of passing of the data is just an implementation detail. You don’t have control over what relationships the company has on the backend (e.g. what if they store your telemetry data in BigQuery or Snowflake, or keep your log data in Loggly) so I don’t see how this expectation suddenly applies if the data is being sent from the frontend instead.

If you have a contract with that third party, and you deem that third party to be a safe harbour for your data (yes, that includes gitlab.org, AWS, etc), then that's a different case.

If Gitlab was to have instead said:

1. We are going to enable telemetry on all public repositories on Gitlab

2. On self-hosted instances we will provide you with the ability to embed your own analytics, from a company of your choosing

Then the screeching (and I fully agree it is screeching) would have been less. Unfortunately, with self-hosted instances, you simply cannot allow Gitlab to leak information like that to a company you don't have a direct relationship with. I'm not sure how else to phrase this concept or explain it, and it doesn't really matter if you use safeframes or not.

That said, while I'm not familiar enough with the details of how Gitlab supports self-hosting to comment on whether or not their particular case allows them control over the backend still or not, many self-hosted AWS solutions are implemented as marketplace AMIs for which the end-user can run in their VPC but still doesn't maintain control over what is running inside the AMI. It's not necessarily that odd for software implemented this way to still phone home with telemetry.

You can also view all the data it sends back in the admin console, and disable it.

Again, it’s the trust aspect. Sure, gitlab could just silently implement a phone home with all your private data (even by accident). They would be put out of business if they did, for breaking their contract with us and others. Nobody would trust them.

It is common sense. Some are even legally required to ensure that.

In the hosted gitlab, if they want to keep me as a paying customer they should be looking at on premise analytics providers. If there going to be sending data out to random third parties I don't trust, who I can't trust because I have never heard of them and have no relationship with, then I can't trust gitlab either.

This doesn't mean its malicious or all about the $$$...it might be that users that set up GitLab CI have 40% fewer security incidents and they want to encourage that behavior as a better customer outcome with the overall product.

edit: and this behavior might take place over a long period of time, not something you can get from access logs or just-in-time stats.

* Gitlab previously used 3rd party infrastructure for their user event tracking

* They did not send this 3rd party user id for GDPR and other reasons

* Because they did not have user id, they could not understand user behavior across sessions. Understanding user behavior across sessions is important, so they wanted to add it.

* Gitlab had just finished moving their event tracking infrastructure in house.

* The original MR was to add user id as an attribute to their event tracking

What proceeded was what I consider a very reasonable back and forth between data, infrastructure, and legal on the correct way to add user id. But somewhere along the line it went off the rails. How it turned from simply adding user id into including Pendo JS tags for on-prem customers, I have no idea.

In one place I saw a developer basically say Pendo is marketing's, and product is only interested in using Snowplow (with first party data processing).

Development was entirely happy with a true opt-in. Development does want to be able to get data back from on premises instances, but is totally fine with having it be an instance wide option that can be off.

I expect that a lot of other companies are also doing this to themselves...

They don't have any visibility in how those instances are being used, and wanted to use the telemetry to get that. (Not understanding that often, the entire point of choosing to host your own instance is to avoid this in the first place)

Also, given that nearly all websites are using something like Google Analytics or similar (or several of these at once), the reaction and vitriol here just seems weirdly disproportionate.

They know what products are selling. They don't necessarily know what I personally am buying.

The point of those loyalty program cards is to associate purchasing habits with repeat customers. Those cards, you may note, are opt-in. To belabor the analogy, this was the equivalent of my grocery store putting cameras all over the building and offering me a mask if I wanted to opt out of the user monitoring program.

"Everyone else is doing it" is a pretty bad reason when many of your clients chose to do business with you at least in part because you are not doing it.

The vast majority of people use credit cards, which would allow them to track you. If you want to be more anonymous, you can use cash, just like you could install a blocker extension if you want to be more anonymous in the browser.

> To belabor the analogy, this was the equivalent of my grocery store putting cameras all over the building and offering me a mask if I wanted to opt out of the user monitoring program.

Indeed, my local grocery store added cameras all over recently, and apparently many of them use bluetooth trackers. I don't even think they offer masks, though I've never asked.

> "Everyone else is doing it" is a pretty bad reason when many of your clients chose to do business with you at least in part because you are not doing it.

Did gitlab pitch themselves as a privacy-centric git host? I thought their main selling point used to be that they had unlimited private repos. I could be wrong though, I haven't followed them much.

Single woman driving a Subaru? Your odds of being lesbian go up a few points. We'll target you for a certain form of advertising.

This has been going on for decades. Before the web ever existed.

Following the shopping analogy, it'd be like they let you in the store, but they won't let you leave with your purchase until you fill out a survey by a 3rd party company.

Err...do you have that right? The whole concept of a "right to be forgotten" is a relatively new thing that generally has not been observed in the past.

Like, if I want the library to erase all records of me checking out books, they probably just aren't going to do it, and I don't see how I have a right to force them to. I willingly gave them my information and used the books there.

In the EU, yes you do.

>Like, if I want the library to erase all records of me checking out books, they probably just aren't going to do it, and I don't see how I have a right to force them to.

They will. You do.

>I willingly gave them my information and used the books there.

And then you changed your mind.

> Of course you should have the right to have that data deleted, but that's different from saying it should never be collected at all.

Anything that GDPR forces to be opt-in (like this telemetry here) is essentially data that shouldn't be collected in the first place.

> Also, given that nearly all websites are using something like Google Analytics or similar (or several of these at once), the reaction and vitriol here just seems weirdly disproportionate.

There were couple compounding issues here, not the least of which was them wanting to deploy telemetry on self-hosted instances. On Gitlab.com, they can deploy analytics scripts to their heart's content; that's just being disrespectful. But self-hosting is something one does in big part to control the data flow, and pushing telemetry onto that kind of defeats the point (it's a real compliance issue for a lot of companies).

As others have said, just because many other people do something, doesn't mean it's good and you should do it too.

That's not the right way to do it. Customers should need to opt in, rather than having to opt out.

(But yes, gitlab's web interfaces are generally frustrating. Slow, bugged, or just organized in ways I find challenging.)

If you don't find them acceptable, that's legit. Those are the "real reasons" you shouldn't use it. However, those reasons may not apply to others. They don't apply to me, for instance, and as Gitlab has a lot of users, I'm not alone.

i use gitlab because it allows me > 1 private repo. if there are better solutions then i'm all ears.

Either they don't think before they make decisions or they are just trying to figure out what they can get away with.

This really shows their lack of morality. They kind of remind me of Facebook.

With GitLab we know about everything that's happening and can react before bad things happen. This is awesome.

---8<---

Dear GitLab users and customers,

On October 23, we sent an email entitled “Important Updates to our Terms of Service and Telemetry Services” announcing upcoming changes. Based on considerable feedback from our customers, users, and the broader community, we reversed course the next day and removed those changes before they went into effect. Further, GitLab will commit to not implementing telemetry in our products that sends usage data to a third-party product analytics service. This clearly struck a nerve with our community and I apologize for this mistake.

So, what happened? In an effort to improve our user experience, we decided to implement user behavior tracking with both first and third-party technology. Clearly, our evaluation and communication processes for rolling out a change like this were lacking and we need to improve those processes. But that’s not the main thing we did wrong.

Our main mistake was that we did not live up to our own core value of collaboration by including our users, contributors, and customers in the strategy discussion and, for that, I am truly sorry. It shouldn’t have surprised us that you have strong feelings about opt-in/opt-out decisions, first versus third-party tracking, data protection, security, deployment flexibility and many other topics, and we should have listened first.

So, where do we go from here? The first step is a retrospective that is happening on October 29 to document what went wrong. We are reaching out to customers who expressed concerns and collecting feedback from users and the wider community. We will put together a new proposal for improving the user experience and share it for feedback. We made a mistake by not collaborating, so now we will take as much time as needed to make sure we get this right. You can be part of the collaboration by posting comments in this issue: https://gitlab.com/gitlab-com/www-gitlab-com/issues/5672 If you are a customer, you may also reach out to your GitLab representative if you have additional feedback.

I am glad you hold GitLab to a higher standard. If we are going to be transparent and collaborative, we need to do it consistently and learn from our mistakes.

Sincerely, Sid Sijbrandij Co-Founder and CEO GitLab

A very principled move from GitLab to revert this, but I think that GitLab's trusted is damaged due to this.

https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no...

The author, @cciresi is Candice Ciresi, their Director of Global Risk and Compliance.

https://i.imgur.com/52DUErO.png