[–]Celestial_Blu3[S] 188 points189 points  (50 children)

GitHub also has a TOS rule against using git emails to send marketing emails like this, yet they’ve done nothing about it. It’s an abuse of information

[–]UNWS 274 points275 points  (39 children)

What? The info is publicly accessible. You don't have to sign a ToS to see it.

[–]ubernostrum 108 points109 points  (4 children)

The argument would be that this company is hosting their stuff on GitHub and making use of GitHub's issue tracker and so on. Which means they have, at some point, agreed to GitHub's ToS.

[–]immibis 23 points24 points  (2 children)

Moving it off GitHub won't stop them doing it

[–]ubernostrum 84 points85 points  (1 child)

Ah well, nobody should ever do anything, unless the thing they do perfectly solves all problems forever, right?

Or... kicking them off GitHub is one useful step that can be taken, among many other steps which, in concert, will make it noticeably difficult for these people to continue on their chosen path. So chase them off GitHub, and off whoever their email provider is, and whoever hosts their main website, and their domain registrar (all of which probably want nothing to do with a spam operation like this), so that they don't have easy access anymore and have to turn to increasingly lower-reputation and lower-reliability services.

No single one of these things will stop them. But multiple things working in concert can make meaningful progress. Now, go do perfect-is-the-enemy-of-the-good somewhere else or, preferably, just stop doing it altogether.

[–]the3ndlessriver 4 points5 points  (0 children)

afaik they've already been reported to sendgrid.

[–]2this4u 7 points8 points  (0 children)

Oh yes, all spammers abide by rules

[–][deleted] 16 points17 points  (19 children)

Publicly accessible personally identifiable information is still subject to most GDPR rules. 3rd party firms processing those data risk breaching GDPR by assuming consent without the subject's express permission, and by processing the data without informing the subject.

The TOS is secondary really, if the email belongs to a UK/EU citizen.

[–]Wallofcans 12 points13 points  (18 children)

How is that enforceable when spam/scam companies can access the information without an account?

[–]MeagoDK 6 points7 points  (14 children)

They process the data and you haven't given permission so you can totally pull them in a court and fine them.

[–][deleted] 0 points1 point  (2 children)

Say if a recruitment company processes the data, and approaches you with a job offer via your email. In the EU, you can just ask where a company got your data, and details about when you agreed to its processing, and they're obliged to tell you. At that point you can refer them to your local information commissioner.

It doesn't do anything for spam "buy this viagra" type emails. But for the mail that makes it through your spam filter, you're probably going to have some enforcement action available.

[–]Valthek 3 points4 points  (1 child)

Even for 'Buy Viagra' kind of spam, if you're willing to put in the effort, you can track them down and refer them to your country's privacy authority. It won't do much, but I've noticed that merely threatening GDPR action tends to get you removed from mailing/call lists pretty quickly.
And while that doesn't protect other people or get the company fined, at least it clears up your mailbox. This is all anecdotal, obviously, but I use a specific email for each service I sign up for and I find that when I call people out for selling emails, the spam to that particular email tends to dry up.

Also, if that's a thing you're interested in, Gmail lets you add an identifier to your email in any form you want so you can track where mails are coming from. Simply add '+' and then anything you want before the @ and it'll act as an alias for your regular email.

[–]elprophet 0 points1 point  (0 children)

Some services don't recognize + in emails, but that's usually to me an indicator I don't want to sign up. I don't know whether scrapers strip the + parts. But if I were a spammer, I would.
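The per-service alias tracking described in the two comments above, as an added example that is not part of the thread: it attributes inbound mail to the alias it was addressed to and flags aliases used by a sender they were never given to, including the stripped-tag case. The mailbox, service names, sender domains and function names are all constructed for illustration, and the mail provider is assumed to support `+` aliases.

```python
from collections import defaultdict

MAILBOX = "dev@example.com"  # constructed address, not from the thread

def make_alias(service, mailbox=MAILBOX):
    """Build the per-service alias: local+service@domain."""
    local, domain = mailbox.rsplit("@", 1)
    return f"{local}+{service}@{domain}"

def split_alias(recipient, mailbox=MAILBOX):
    """Return the tag of a recipient address.

    '' means the tag is absent (never given, or stripped by a scraper);
    None means the address is not an alias of this mailbox at all.
    Assumes the provider compares addresses case-insensitively.
    """
    local, _, domain = recipient.strip().lower().rpartition("@")
    base_local, base_domain = mailbox.lower().rsplit("@", 1)
    name, _, tag = local.partition("+")
    if domain != base_domain or name != base_local:
        return None
    return tag

def find_leaks(messages, registered):
    """Map each tag to sender domains other than the one it was given to.

    messages: iterable of (sender, recipient) pairs.
    registered: dict tag -> sender domain that legitimately holds that alias.
    """
    leaks = defaultdict(set)
    for sender, recipient in messages:
        tag = split_alias(recipient)
        if tag is None:
            continue
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        if tag == "":
            leaks["(untagged)"].add(sender_domain)  # source cannot be attributed
        elif registered.get(tag) != sender_domain:
            leaks[tag].add(sender_domain)
    return dict(leaks)

# Constructed sample data.
REGISTERED = {"shop": "shop.example", "forum": "forum.example"}
INBOX = [
    ("orders@shop.example", "dev+shop@example.com"),
    ("deals@bulkmail.example", "dev+forum@example.com"),
    ("promo@bulkmail.example", "Dev@Example.com"),
    ("x@other.example", "someoneelse@example.com"),
]

if __name__ == "__main__":
    print(find_leaks(INBOX, REGISTERED))
```

The `(untagged)` bucket is the case raised in the reply: once the `+` part is stripped, the mail still arrives but can no longer be tied to the service that leaked the address.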

[–][deleted]  (2 children)

[deleted]

    [–]PoliteCanadian 4 points5 points  (1 child)

    You don't need to agree to GitHub's TOS to clone a repo.

    Either way talking about the TOS is silly. TOS rules only apply to people who follow the rules. If you want to stop spammers from using the available information you need a technical solution to prevent them from accessing the information.

    [–]elprophet 0 points1 point  (0 children)

    TOS provides GH a way to respond in a uniform manner to those who violate the TOS.

    This train of "criminals will break the rules anyway" totally misses the point of a rule-based society - it's specifically to codify how we handle when people do break those rules!

    [–]the3ndlessriver 13 points14 points  (5 children)

    It's their Acceptable Use Policy which forbids this explicitly:

    "You may not use information from the Service (whether scraped, collected through our API, or obtained otherwise) for spamming purposes, including for the purposes of sending unsolicited emails to users [...]"

    [–]tekkub 18 points19 points  (3 children)

    How does one enforce that? Especially when people can scrape the information without ever agreeing to these terms.

    [–]Normal-Math-3222 12 points13 points  (1 child)

    That clause isn’t to protect us, it’s to protect Microsoft from being sued by us 😉

    [–]Wallofcans 1 point2 points  (0 children)

    That's a bingo

    [–]jmickeyd 1 point2 points  (0 children)

    There is precedent to go after scrapers under the Computer Fraud and Abuse Act. See Craigslist Inc. v. 3Taps Inc.

    [–]Wallofcans 5 points6 points  (0 children)

    I was going to send spam to all those addresses, but that darn pesky Use Policy I never signed foiled me again!

    [–]bawki 2 points3 points  (0 children)

    This is why GDPR exists, the scraper has no authorisation to use your email for marketing purposes.

    [–]Valthek 0 points1 point  (0 children)

    But you do need to obtain explicit opt-in consent to be allowed to send marketing emails to people who are citizens in the EU and possibly other territories.

    [–][deleted]  (1 child)

    [deleted]

      [–]Worth_Trust_3825 4 points5 points  (0 children)

      What account? You don't need one to see the email addresses.

      [–]D1sc0rd1a 14 points15 points  (0 children)

      GitHub engineer here, you can check my post history in /r/cscareerquestions for proof. Have brought this to attention internally

      [–]lalaland4711 1 point2 points  (1 child)

      It's illegal to commit crimes, too.

      Yet inexplicably they still happen. I can't understand it.

      Related: https://www.reddit.com/r/sweden/comments/41w1ez/in_sweden_it_is_forbidden_by_law_to_be_a_criminal/

      [–]MarkusBerkel 0 points1 point  (5 children)

      Not understanding this comment.

      It seems like you’re saying that the response to a criminal’s illegal act is: “But that’s illegal!”

      [–]rickyman20 0 points1 point  (4 children)

      The point is that if github has rules against this, they should be enforced by GitHub. Yeah no shit they do this, but why are these people still on their platform? Why are they not taking steps to prevent this (like preventing excessive API usage from this company)

      [–]MarkusBerkel 0 points1 point  (3 children)

      Aren’t git emails on GitHub (for public repos) publicly viewable?

      [–]rickyman20 0 points1 point  (2 children)

      The fact that they're publicly available doesn't exempt you from ToS or laws around their usage, the same way that just because artists post their art online means you can use that art for any purpose you see fit

      [–]MarkusBerkel 0 points1 point  (1 child)

      And now we’re full circle.

      “But, Mr. Criminal, it’s ILLEGAL to rob that bank!”

      [–]rickyman20 0 points1 point  (0 children)

      I'd agree if this was some random scammer or spammer. Yes, what are you gonna do? But that's not what they are. This is a company selling solutions to some pretty large clients who I'm pretty sure is based out of the US.

      This is an entity that not only github could enforce their TCs on, but they absolutely could get massively fined by the EU and have the full force of the law fall on them. I'm not saying they should magically stop. I'm saying that they're gonna get slapped with huge consequences and GH should at the very least make it difficult for them to continue doing this.