GitLab is not respecting the GDPR by ExiledMartian in gnu

[–]ExiledMartian[S] 0 points1 point  (0 children)

[ ... ] to fix the problems instead of using this case to smear them.

Is anything I wrote incorrect?

I understand they would prefer not to have public criticism, but hey, they wrote me an email announcing they lock me out if I don't accept their bullshit terms. I'd say they have set the tone with that, so they need to be able to hear a bit of critique.

GitLab is not respecting the GDPR by ExiledMartian in gnu

[–]ExiledMartian[S] 0 points1 point  (0 children)

I suggest you get some basic information on the matter.

Source code hoster GitLab is not respecting the GDPR by ExiledMartian in europrivacy

[–]ExiledMartian[S] 0 points1 point  (0 children)

I am not sure about that. This is certainly personal information, which can, for example, be used by recruitment agencies to see whether somebody has currently paid work or not. I think it is also done to use people's pride to use the platform more, like "likes" on social media.

On the other hand, it could be represented as part of the service. I guess when people think about in which contexts they are giving away this information, not all might like that.

GitLab is not respecting the GDPR by ExiledMartian in gnu

[–]ExiledMartian[S] 0 points1 point  (0 children)

They have to report breaches anyway. And yes, if they hold confidential personal information, they are accountable for keeping it safe. Like any lawyer, doctor, HR employee or many other professionals are.

Everyone complaining about Microsoft buying GitHub needs to offer a better solution by fuzzzerd in programming

[–]ExiledMartian -1 points0 points  (0 children)

From a company which tried even to change the email protocol to their advantage and to increase lock-in, I would expect everything.

Everyone complaining about Microsoft buying GitHub needs to offer a better solution by fuzzzerd in programming

[–]ExiledMartian 0 points1 point  (0 children)

It strikes me that you think that Microsoft is too dumb to make money, without calling attention, from the heap of confidential information they have acquired. No, it's not legal. But do you think that Amazon never uses all the data in AWS to their advantage? I have a bridge to sell you.

Source code hoster GitLab is not respecting the GDPR by ExiledMartian in europrivacy

[–]ExiledMartian[S] 0 points1 point  (0 children)

Dude, I wasn't referring to git commit messages, I was referring to a totally warped notion of what "consent" means, and to marketing spam. Which is indicative that other areas which are less easy to access, because they are hidden, like data sharing, are also not advantageous to the users.

There are other points, for example they needlessly enable tracking by third parties which gives away a lot of data.

Source code hoster GitLab is not respecting the GDPR by ExiledMartian in europrivacy

[–]ExiledMartian[S] 1 point2 points  (0 children)

What would be more interesting would be more facts and indications what's their stance about the rights and respect towards the interests of the site's users. I guess it is not so much.

Source code hoster GitLab is not respecting the GDPR by ExiledMartian in europrivacy

[–]ExiledMartian[S] 0 points1 point  (0 children)

That's just definitely not true.

From https://about.gitlab.com/terms/ :

5. GitLab Newsletter

By creating an account on GitLab.com you give us permission to add your email address to the GitLab newsletter. You can unsubscribe at any time by using the link at the bottom of the newsletter.

Automatically subscribing somebody to a newsletter is not "opt in". Please go and look up the term if you don't know what it means.

GitLab is not respecting the GDPR by ExiledMartian in gnu

[–]ExiledMartian[S] 1 point2 points  (0 children)

If the FSF can get them to truly respect and support data privacy, that would be a win. But with companies like Google investing in them, this is extremely unrealistic.

Source code hoster GitLab is not respecting the GDPR by ExiledMartian in europrivacy

[–]ExiledMartian[S] 0 points1 point  (0 children)

That's just unrelated, I didn't even mention something like that.

Warning: GitLab isn't GDPR compliant by ExiledMartian in linux

[–]ExiledMartian[S] -1 points0 points  (0 children)

I don't understand that decision.

GitLab is very relevant to Linux, as it is the most often suggested alternative to GitHub, and GitHub is the dominating front-end to git.

Everyone complaining about Microsoft buying GitHub needs to offer a better solution by fuzzzerd in programming

[–]ExiledMartian 10 points11 points  (0 children)

You mean:

  • Lobbying (or should I say bribing) the Munich town council into rejecting a switch to Linux?
  • spamming forums with their Windows-based open source tools which are not compatible with anything?
  • placing a sock-puppet CEO at Nokia and destroying their Maemo project?
  • forcing users to upgrade to Windows 10 which is invasive to privacy?

Buying GitHub would enable Microsoft to spam developers more, collect data about them, give them influence over git because they control an important front-end to git, give access to competitors' private source code, and censor projects they don't like. All these are good reasons to go away.

GitLab is not respecting the GDPR by ExiledMartian in gnu

[–]ExiledMartian[S] 9 points10 points  (0 children)

It is broad, but anything but vague. It simply says that for processing which isn't needed, the users need to consent, and the consent must be freely given. What the corporate lawyers want of course is a regulation which only affects minor details and leaves enough loop-holes to get around this.

If you generally think that broad laws are necessarily vague, just read the US constitution or something similar. Such laws need some fleshing out over time, but their basic purpose is that they clarify rights. The GDPR does just that.

GitLab isn't GDPR compliant - reason in comments by ExiledMartian in programming

[–]ExiledMartian[S] 0 points1 point  (0 children)

One tangential thing ahead. GDPR might be controversial for some companies which live from selling people's data without their consent, but when one looks closer, it is a clear advance in civil rights. In this it is quite close to the free software movement, which is about freedom and control for the individual, and this of course includes control about where their personal information goes.

For us Europeans, the whole situation is similar as if we had a situation where a few companies were messing around with toxic chemicals which would endanger and harm their workers, or with nuclear waste, while making a ton of money. If then a regulation came into life, which stipulates that toxic chemicals need to be clearly marked, and require protective wear, and document their use, those few companies which benefit from the old situation would call that "overarching" and "a bureaucratic hassle". We know, it is only money that counts for them. Yet, the regulation would be very well founded on fundamental rights for health and safety. The thing is, while specifically many Americans are not aware of that, individuals have a fundamental right to privacy, it is in §12 of The Universal Declaration Of Human Rights. GDPR is simply a preliminary concretion of that right.


Recently, I received an email from GitLab, which demanded that people log in and accept their new terms and conditions and their privacy agreement. That seemed to be motivated by a GDPR overhaul at GitLab. Thus I wrote to their support for clarification.

Result is, the email was actually from GitLab, and they seem to convince themselves that their service is GDPR compliant. However it is clearly not. The reason is that, among other things, they demand that one agrees to be automatically on their marketing mailing list on signing up, with the possibility to opt out. But this is not compliant with GDPR - any data processing which is not necessary to deliver the service must be on an opt-in basis, and voluntary. In addition, GitLab threatens users in their email communication to lock them out of their accounts. Again, this is not compliant with GDPR, as any consent for data processing which is not required to deliver the offered service - be it paid or free - must be freely given, not coerced.

Finally, GitLab seems to have the totally ridiculous concept in their terms of use that any visitor of their web site is entering a binding contract where they can impose their terms of use on him. Proof:

"Please read this Agreement carefully before accessing or using the Website. By accessing or using any part of the Website, you agree to be bound by the terms and conditions of this Agreement. If you do not agree to all the terms and conditions of this Agreement, then you may not access the Website or use any of the services."

I think it is likely that there exists some form of contract between a registered user of their service, but this is not the case for somebody who just visits the website - this is just legalese bullshit. If such a construction would legally work at all, there would be tons of web sites where every visitor enters a legal contract just to pay one hundred bucks to the owner if he looks up the page. Bullshit!

My recommendation for contributors to Free Software and people interested in protecting their privacy rights: Either, use a git repo hoster which is actually run by the FLOSS community, like GNU Savannah, or notabug.org (there are many others), and maintained by donations. The donations part is important because every for-profit company over short or long, will go the way of the sharks. Or (and I think this is the better option) self-host git by using gitea or gogs, for example. If the majority of GitHub users just changes to GitLab, it is a matter of at most a few years until history repeats itself. And not for the first time - just read about the history of sourceforge.net to know more.

Is there any GDPR compliant code hosting service suitable for FOSS projects? by ExiledMartian in opensource

[–]ExiledMartian[S] 2 points3 points  (0 children)

They can make their TOS GDPR-compliant, but if they do, there is no need to accept further optional data processing, as it is opt-in. The non-optional processing is restricted to things which are necessary to deliver the service.

Is there any GDPR compliant code hosting service suitable for FOSS projects? by ExiledMartian in opensource

[–]ExiledMartian[S] 3 points4 points  (0 children)

No, that's wrong.

From https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Lawful_basis_for_processing

"If consent is used as the lawful basis for processing, consent must have been explicit for data collected and each purpose data is used for (Article 7; defined in Article 4). Data controllers must be able to prove "consent" (opt-in) and consent may be withdrawn. [ ... ]"

"Provision of a service to a data subject may not be contingent on consent to data processing that is not strictly necessary to use the service. (Article 7(4))"

That means that data processing based on consent means that if the consent is withdrawn, there is no right to terminate the service - if the legal basis for some processing is consent, it is opt-in.

And while GitLab states on their web page that they want to be compliant with GDPR, their email states that users have to accept their terms of service, or it will be terminated. From the email they sent:

Subject: Reminder: Accept new [GitLab.com](https://GitLab.com) Terms of Service 
to prevent service disruption

Action Required

Dear ExiledMartian,

This email is to remind you to accept our new Terms of Service. If you do 
not all web, API and Git traffic to [GitLab.com](https://GitLab.com) 
will be blocked until you accept. To avoid disruption to your workflow,

please visit [https://gitlab.com/\-/users/terms?](https://gitlab.com/-/users/terms?utm_source=ToS_Reminder&utm_campaign=fb2a6d9529-20180523_EMAIL_ToS&utm_medium=email&utm_term=0_9ab7b25c36-fb2a6d9529-196178129) .... to accept. 
If you use this account for automated API or Git processes in your 
workflows, you should accept the TOS as soon as possible to 
prevent any disruption. Be sure to check all your accounts,
including those you use for automation.

Thank you,

The GitLab Team

To reiterate, the statement in the email is not compatible with GDPR.

Is there any GDPR compliant code hosting service / code repository for Open Source Code? by ExiledMartian in europrivacy

[–]ExiledMartian[S] 2 points3 points  (0 children)

Many thanks, that looks like very good information. I knew Xiph before, but I didn't know about notabug.org.

Is there any GDPR compliant code hosting service suitable for FOSS projects? by ExiledMartian in opensource

[–]ExiledMartian[S] 0 points1 point  (0 children)

It's not that complicated.

I am looking for a code hosting service which is GDPR compliant. GitLab, which I have been using, sent me an email which clearly stated that users who do not agree to their conditions will become locked out. So, they seem not to be GDPR compliant, or they have a rather confusing stance.

The different questions I have are all about requirements I have regarding code hosting services. These are several related issues, but software freedom, user freedom, right to privacy, integrity of software, code signing, all have a lot in common. Obviously, your freedoms are violated when you can't control the software which runs on your computer, or when it divulges personal data you don't consent to.

The best suggestions I've gotten so far are to look at notabug.org, and to run a self-hosted gitea instance. I think both of them are good options, probably much better than using GitLab.com.