
The reaction to this whole saga has been insane. Chill out people.

They fucked up, users gave feedback, they listened.

This isn't some corporate conspiracy, some grand ethical dilemma with an evil company on one side and some white knight hackers on the other.

Let's imagine for a second that they are people trying to do the right thing, with years of history doing the best they can.

They wanted to measure usage to make their product better. People seem to disagree, which, okay, but the outrage here is everything wrong with the internet.



> The reaction to this whole saga has been insane. Chill out people.

I very much disagree. I think the outcry was warranted, and right now I see GitLab doing the right thing (and, obviously, the outcry was a huge reason for that).

Changing plans in the harsh light of public condemnation isn't easy, and for that I very much commend GitLab. As someone who was very much against the previously announced change, though ( https://news.ycombinator.com/item?id=21350146 ), I'm glad the community feedback was so strong.


Yeah, if the outcry continued even after their rollback & apology, _then_ it would be unwarranted. But everyone's happy now (well, arguably GitLab may not be, but they should surely be able to work out a solution with the community on how to collect telemetrics in a privacy-conscious way).

I'm also glad the feedback was so strong, as the ad-tech industry has spent the past 15 years numbing the general populace to unwarranted (and often unnecessary) telemetrics.

It's understandable that GitLab had no ill-intentions. But how can one know whether third-parties share such sentiments?


> Yeah, if the outcry continued even after their rollback & apology, _then_ it would be unwarranted.

The outcry may stop but the trust is now gone and will take years to rebuild. Next time I'm considering/recommending on-premise git hosting I won't be recommending gitlab.

I'm also considering moving my personal repos that I pay for. Generally I only interact through the CLI and don't think about the web interface much, but apparently when I go there I'm sharing info with whatever the hell gravatar is.


While I haven't used it myself, I think gravitar is an avatar that gravitates toward you, as implemented by you putting an image on their server, and countless other websites include it from that server when an identifier (probably email address) match exists between the two accounts. So in other words, gravitar knows a bit about your usage of countless websites that each volunteered your usage pattern to it. Since evidently you are seeing a connection between your machine and gravatar, they get page-load granularity. If this description is incorrect, which it very well might be since I know nothing about the service beyond what I inferred by its name, please do correct me.


Gitlab could restore some trust in my eyes by parting ways with whoever signed this off in the first place.


It doesn't seem to me that GP disagrees with that. They're not telling people to chill out in the sense that they should have voiced their concerns about the feature; it's about the outcry, about the black-and-white, evil-vs-good type of discourse that was happening in response to it.


Their CFO showed that he has little regard for the privacy of their users. I highly doubt that has changed. Many devs and compliance folk were on the right side of this in the MR and feature threads, but they were overruled.

I highly doubt the CFO has changed his viewpoint, and he's still in power over there. They only backtracked after the "insane" reaction. They anticipated some amount of pushback, but obviously hoped it would be smaller and they could move forward.


The CFO is not in charge.


Yet, the CFO was given authority to make an important product decision, over the objections of engineering and product design. Can you name any successful tech company that sells a highly technical product to a highly technical audience that gives the CFO final decision authority on product decisions -- decision authority over and above marketing, product design, and engineering?

The root-cause screw-up here is delegating product decisions to F&A. A good CFO adds huge value to a company, but should not have final decision authority over product decisions. That is not the role of a CFO. Any company that makes it so is organizationally dysfunctional from the C-suite down.


Privacy? Their users are companies building software. The CFO is right -- they can agree or disagree to the terms of use and choose whether or not to use the new software.


The issue is that they changed the agreement suddenly, and held users' data hostage until they "agreed".

I don't know why you think that's ethically ok to hold user data hostage until they agree to give up more rights. It's borderline ransom.


It is illegal to do so under GDPR, to be honest.


No, the CFO is dead wrong. I'm a very vocal Gitlab advocate and would have stopped promoting them if they did this. There are 100's if not 1000's of people like me and we help build Gitlab value. And then there is the GDPR to contend with.


The only sense in which he's "wrong" is as you describe: people won't want to use the software, and it's a bad decision when it comes to making money. He's not wrong on some principles-based reason.


Since GitLab have operations, sales and other employees inside the European Union, and the assertions from the CFO are contrary to European law, he is wrong for legal reasons.


I guess you just like to argue.

It's strictly illegal under GDPR, the agreement is void as it contradicts the law (you cannot have terms and conditions superseding the law). The policy - "agree to tracking" must be explained and justified, consent must be given (affirmative action by customer/user).

Failing to do that and holding users' data hostage would be a compliance breach. GDPR fines are no joke and are set forward to prevent abuse (up to 20m euro or 4% of global revenue). GitLab is no small business any more, and a fine would outweigh the 'tracking profits'.


That, and all the other senses (GDPR, contracts) outlined in this thread.


>Privacy? Their users are companies building software

Not sure I follow your logic there.

First of all, he's not right. As stated by the compliance officer in that thread, his plan would have violated the GDPR. It also would have violated existing contracts with enterprise customers.

Secondly, it's a scummy thing to do. just because you have the right to do something doesn't make it the right thing to do.


I'm not talking about existing contracts or the law in some far-off land, and neither are you. You deserve nothing. You aren't entitled to Gitlab releasing software the way you'd like them to. Maybe your brain tells you otherwise. Instead, just don't use their software. For example, I wish Windows 10 didn't have telemetry. But it does, so I don't use Windows 10.

The world doesn't owe you a free Git issue tracker.


Oh, so you're not talking about the two ways in which he is objectively wrong in arguing to implement this feature, only that a vendor has the right to add user hostile terms to their ToS. Ok, well you've convinced me!

Honestly, who here is arguing that they can't implement some form of this? No one. Exactly no one. We don't like it, and we're the consumer! It's not entitlement to push back when a vendor changes their terms in a way you don't like.

I have no idea what point you're trying to make here.


Let me make it clear for you then:

> Their CFO showed that he has little regard for the privacy of their users.

Their users are companies, who can put on their big boy pants and decide what they think of Gitlab earnestly gathering usage information, not deep personal secrets, that it uses to help it improve its own product so that it can better serve the customer.

Throwing this all under the same category of "privacy" that one might use for private content -- the content of emails, the content of messages, copyrighted material, trade secrets, and the like -- as if this is a great moral issue, is just not a clear-minded way of operating.


People store copyrighted code and trade secrets in their repositories with gitlab, if the third party tracker is compromised those secrets can also be compromised.


> Let's imagine for a second that they are people trying to do the right thing, with years of history doing the best they can.

When I first saw they had their compliance policy repos set to public so anyone could view internal discussions around changes the lawyer in me just about fell off my chair. That is an almost unbelievable level of transparency. It's difficult for me to assume anything but the best intentions when GitLab has gone out of their way to let people see how the sausage is made.


I think what sparked a bit more outcry in this matter is the way the CFO responded to discussion and early warnings way before it was finalized.

EDIT: https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no...


Bit surprised that Paul Machle is still employed as CFO.


Lesson learned here - the CFO is not and should not be responsible for a company's tracking policies and communication thereof.


Sadly, that "F" means they pretty much have veto power over anything anybody (with the possible exception of the CTO and the board) wants to do.


Uh, that's not how it works. Legitimate veto power is usually based on a board and/or shares of the company. Not to mention most CFOs are appointed positions in startups, because they are usually not roles filled in the early days of a tech startup's life (as opposed to CEOs and CTOs).

Note - it is worth saying, CFOs are, generally speaking, considered extremely important positions for many companies, even more so than the CEO. But this isn't because they make policy decisions or conduct external communications, but rather because they control the lifeblood of any company - the money.


"Oh, you're wanting to implement more 'privacy' for our users? Well it turns out that we've just done a reorg, and your whole department has no budget for the rest of the year."

As you say, whoever controls the money flow, ultimately controls the people, and can shut down any activity they desire...

Sure it's not "legitimate veto power", but ultimately it is the same thing.


> whoever controls the money flow, ultimately controls the people, and can shut down any activity they desire

I never said this...


Sorry. I was paraphrasing your " ... but rather because they control the lifeblood of any company - the money." rather than directly quoting you there. I think my point stands.


sadly?

that the board failed to stop this (or was bypassed) is telling, but this doesn't seem like a failure of the corporate governance model or anything. money is basically essential to a corporation; engineering staff shouldn't be on the level of C suite, despite what many here would have you believe


Although I think the person is getting too much grief for this, I have to say that if a CFO is allowed to make decisions in an area where he lacks understanding, simply because his title starts with a "C", that counts as a failure of the governance model.


"Sadly" because in this instance, it appears there's a CFO in power who's championing selling user's privacy out. Not a comment of whether or not a CFO in general has more influence than engineering (or other) staff, but that an ethically challenged CFO is potentially a toxic influence to a company culture and direction.


Uhm, they sent a mail saying "we're locking all access to your project data until you accept our new ToS, or fuck off".

It doesn't take a genius to realize the mistake here.


> Let's imagine for a second that they are people trying to do the right thing, with years of history doing the best they can.

How could a company like this ever think that opt-out is appropriate? It seems like all their engineers knew this was a bad idea and everyone else seemed to think it was okay!

The problem for me was how a company like this couldn't see that this would happen and went along with it, I held Gitlab to a high standard and honestly I've lost a lot of trust with them.

I'm thankful for the outrage, and whilst I will never condemn personal attacks, I feel discussing the matter on places like HN was appropriate.


Not to mention the fact that the CFO didn't want to even allow opt-out under any circumstances.


>"The reaction to this whole saga has been insane. Chill out people."

No, it hasn't unless a civil discussion in an area where people have strong opinions is somehow your definition of "insane."

>"People seem to disagree, which, okay, but the outrage here is everything wrong with the internet."

There is no "outrage" here just lots of concern if not some well-placed bewilderment at a particular brusque comment made by their CFO on the issue[1]

The great irony is that you have dismissed and self-proclaimed that an entire civilized and adult discussion as "outrage culture" and "everything wrong with the internet."

[1] https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no...


If there hadn't been an outcry gitlab wouldn't have changed their trajectory. Seems like it worked.


How do we know that they would have changed their plans without the outrage?


They wouldn't have. many devs were against it internally, but they went forward anyway with the opt-out scheme. Why would they go through all that, announce the feature, and then just decide to cancel it?


They wanted to violate my rights given by Article 7.2 of the General Data Protection Regulation (GDPR), this is clearly making the product worse.

What's great with GitLab compared to other companies is that they are doing things in the open, while another company would just violate my rights without me knowing it.

If you go through the comments, multiple (toxic) people in GitLab don't care about user rights, and just want to push the change as soon as possible (just like in any other company that I have been working in).

It's also clear that you get VP/Director/Staff engineer by just pushing through other people (sadly I have seen the same thing happening other times as well).


You can opt out by not using it, right? They'd be supposed to drop EU users, under some interpretation of the law. But even if they didn't, then as an EU user, you'd still be able to protect your own rights by ceasing use of their services.


GDPR pretty much says "you can't do that".

The advice I have bookmarked (which I'll admit is not a legal opinion or the source legislation) says:

‘specific website content’ means that you should not make ‘general access’ subject to conditions requiring users to accept non-essential cookies – you can only limit certain content if the user does not consent;

and

the term ‘legitimate purpose’ refers to facilitating the provision of an information society service – ie, a service the user explicitly requests. This does not include third parties such as analytics services or online advertising.

As I read/understand things, unless the service you're providing is "being tracked by advertisers or analytics", you cannot block access to users based on them not consenting to being tracked for advertising/analytics.

Pretty sure "They'd be supposed to drop EU users, under some interpretation of the law." is correct there, and that if Gitlab wants to have tracking consent as a mandatory requirement for using their source control service, they'd need to stop selling it in EU completely.


There is some potent American law lurking about, so I'm not going to assume the GDPR is enforceable in ways untested in U.S. court.


https://gdpr.eu/compliance-checklist-us-companies/

Good luck trying your luck with international law.

"You may be wondering how the European Union will enforce a law in territory it does not control. The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms all the time. GDPR Article 50 addresses this question directly. So far, the EU's reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis."


If a company does business in Europe, they must comply with GDPR. It doesn't matter where they are located.

It won't even go to US court, but to EU one.


The EU court needs to actually be able to enforce its decisions, which may require a US court.


Are you sure that American companies are immune to fines resulting from EU court sentences if they want to do business in the EU?


The EU could certainly stop them from doing business there. Beyond that, you can't be sure they could collect fines. It may depend on the technical details of what the fines are about, and how big they are. America has human rights that privacy regulations like California's CCPA are careful to waltz around.


If at all, then only as long as they're conducting their business with EU customers entirely from the US. As soon as they're putting servers in a colo in the EU, there's something that EU authorities could confiscate to cover outstanding fines.


this has been explained tons of times.

You cannot conduct business in the EU unless you have a VAT number issued by any of the member (still 28) states. You cannot sell anything in the EU w/o VAT, it'd be illegal. The company =must= pay the collected VAT to the respective member state(s).

So they have to register in the EU to conduct business (and issue VAT receipts). This requires some assets and people to be responsible.

The only way to conduct business from outside is small shipments (less than 22e) that would be free of VAT and customs clearance.


GDPR is very clear, there are no multiple interpretations: the responsibility of telling me how they are using data about me is on the server side.

It's impossible for people in the EU to track all the time how different services use their data, so what you are suggesting is not practical.

As an example, if you drive at 200 km/h on the German highway, the responsibility for the road not ending is not yours. When I was driving a car in Albania and this happened to me, I (and my car) was quite shocked, but there are differences between countries.

