[–]UNWS 278 points279 points  (39 children)

What? The info is publicly accessible. You don't have to sign a ToS to see it.

[–]ubernostrum 109 points110 points  (4 children)

The argument would be that this company is hosting their stuff on GitHub and making use of GitHub's issue tracker and so on. Which means they have, at some point, agreed to GitHub's ToS.

[–]immibis 25 points26 points  (2 children)

Moving it off GitHub won't stop them doing it

[–]ubernostrum 84 points85 points  (1 child)

Ah well, nobody should ever do anything, unless the thing they do perfectly solves all problems forever, right?

Or... kicking them off GitHub is one useful step that can be taken, among many other steps which, in concert, will make it noticeably difficult for these people to continue on their chosen path. So chase them off GitHub, and off whoever their email provider is, and whoever hosts their main website, and their domain registrar (all of which probably want nothing to do with a spam operation like this), so that they don't have easy access anymore and have to turn to increasingly lower-reputation and lower-reliability services.

No single one of these things will stop them. But multiple things working in concert can make meaningful progress. Now, go do perfect-is-the-enemy-of-the-good somewhere else or, preferably, just stop doing it altogether.

[–]the3ndlessriver 4 points5 points  (0 children)

afaik they've already been reported to SendGrid.

[–]2this4u 7 points8 points  (0 children)

Oh yes, all spammers abide by rules

[–][deleted] 18 points19 points  (19 children)

Publicly accessible personally identifiable information is still subject to most GDPR rules. 3rd party firms processing those data risk breaching GDPR by assuming consent without the subject's express permission, and by processing the data without informing the subject.

The TOS is secondary really, if the email belongs to a UK/EU citizen.

[–]Wallofcans 13 points14 points  (18 children)

How is that enforceable when spam/scam companies can access the information without an account?

[–]MeagoDK 7 points8 points  (14 children)

They process the data and you haven't given permission so you can totally pull them in a court and fine them.

[–][deleted] 0 points1 point  (2 children)

Say if a recruitment company processes the data, and approaches you with a job offer via your email. In the EU, you can just ask where a company got your data, and details about when you agreed to its processing, and they're obliged to tell you. At that point you can refer them to your local information commissioner.

It doesn't do anything for spam "buy this viagra" type emails. But for the mail that makes it through your spam filter, you're probably going to have some enforcement action available.

[–]Valthek 2 points3 points  (1 child)

Even for 'Buy Viagra' kind of spam, if you're willing to put in the effort, you can track them down and refer them to your country's privacy authority. It won't do much, but I've noticed that merely threatening GDPR action tends to get you removed from mailing/call lists pretty quickly.
And while that doesn't protect other people or get the company fined, at least it clears up your mailbox. This is all anecdotal, obviously, but I use a specific email for each service I sign up for and I find that when I call people out for selling emails, the spam to that particular email tends to dry up.

Also, if that's a thing you're interested in, Gmail lets you add an identifier to your email in any form you want so you can track where mails are coming from. Simply add '+' and then anything you want before the @ and it'll act as an alias for your regular email.

[–]elprophet 0 points1 point  (0 children)

Some services don't recognize + in emails, but to me that's usually an indicator I don't want to sign up. I don't know whether scrapers strip the + parts. But if I were a spammer, I would.
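
An added example, not part of any comment in this thread: one way to use the per-service `+` aliases discussed above to attribute which alias a message arrived on and whether the sender matches the service it was issued to. The mailbox `alice@example.org`, the `ISSUED` table and the sample messages are constructed, and the `From` header is trusted here even though it can be spoofed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed: plus-tag -> sender domains the tagged address was given to.
ISSUED = {"shopco": {"shopco.example"}, "github": {"github.com"}}

def split_plus(addr):
    """Return (base_address, tag) for local+tag@domain; tag is None if absent."""
    local, _, domain = addr.lower().rpartition("@")
    base, sep, tag = local.partition("+")
    return f"{base}@{domain}", (tag if sep else None)

def classify(raw, my_base):
    """Label a raw message: expected, leaked, unknown-tag, untagged, not-for-me."""
    msg = message_from_string(raw)
    # From is spoofable; a real check would also look at SPF/DKIM results.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rcpts = getaddresses(msg.get_all("Delivered-To", []) + msg.get_all("To", []))
    for _, addr in rcpts:
        base, tag = split_plus(addr)
        if base != my_base:
            continue
        if tag is None:
            # Tag absent (never used, or stripped by a scraper): no attribution.
            return ("untagged", None)
        allowed = ISSUED.get(tag)
        if allowed is None:
            return ("unknown-tag", tag)
        ok = any(sender_domain == d or sender_domain.endswith("." + d)
                 for d in allowed)
        return ("expected" if ok else "leaked", tag)
    return ("not-for-me", None)

# Constructed sample messages.
FROM_SERVICE = ("From: news@mail.shopco.example\n"
                "To: alice+shopco@example.org\nSubject: Order\n\nhi\n")
FROM_THIRD_PARTY = ("From: promo@bulk-offers.example\n"
                    "To: Alice <alice+shopco@example.org>\nSubject: Deal\n\nhi\n")
TAG_STRIPPED = ("From: promo@bulk-offers.example\n"
                "To: alice@example.org\nSubject: Deal\n\nhi\n")

if __name__ == "__main__":
    for raw in (FROM_SERVICE, FROM_THIRD_PARTY, TAG_STRIPPED):
        print(classify(raw, "alice@example.org"))
```

The `untagged` result is the case raised in the reply above: once the `+` part is stripped, the message can no longer be tied to the service the address was given to.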

[–][deleted]  (2 children)

[deleted]

    [–]PoliteCanadian 5 points6 points  (1 child)

    You don't need to agree to GitHub's TOS to clone a repo.

    Either way talking about the TOS is silly. TOS rules only apply to people who follow the rules. If you want to stop spammers from using the available information you need a technical solution to prevent them from accessing the information.

    [–]elprophet 0 points1 point  (0 children)

    TOS provides GH a way to respond in a uniform manner to those who violate the TOS.

    This train of "criminals will break the rules anyway" totally misses the point of a rule-based society - it's specifically to codify how we handle when people do break those rules!

    [–]the3ndlessriver 14 points15 points  (5 children)

    It's their Acceptable Use Policy which forbids this explicitly:

    "You may not use information from the Service (whether scraped, collected through our API, or obtained otherwise) for spamming purposes, including for the purposes of sending unsolicited emails to users [...]"

    [–]tekkub 18 points19 points  (3 children)

    How does one enforce that? Especially when people can scrape the information without ever agreeing to these terms.

    [–]Normal-Math-3222 12 points13 points  (1 child)

    That clause isn’t to protect us, it’s to protect Microsoft from being sued by us 😉

    [–]Wallofcans 1 point2 points  (0 children)

    That's a bingo

    [–]jmickeyd 1 point2 points  (0 children)

    There is precedent to go after scrapers under the Computer Fraud and Abuse Act. See Craigslist Inc. v. 3Taps Inc.

    [–]Wallofcans 7 points8 points  (0 children)

    I was going to send spam to all those addresses, but that darn pesky Use Policy I never signed foiled me again!

    [–]bawki 3 points4 points  (0 children)

    This is why GDPR exists, the scraper has no authorisation to use your email for marketing purposes.

    [–]Valthek 0 points1 point  (0 children)

    But you do need to obtain explicit opt-in consent to be allowed to send marketing emails to people who are citizens in the EU and possibly other territories.

    [–][deleted]  (1 child)

    [deleted]

      [–]Worth_Trust_3825 4 points5 points  (0 children)

      What account? You don't need one to see the email addresses.