On GitLab and keeping your privacy on the modern Web

2019-10-24

TL;DR: If you are a privacy-conscious technical person, use uMatrix (or an alternative) and consider switching to SourceHut.org.

GitLab has upset hackers with their telemetry announcement. They have (wisely) back-tracked from it, but I don’t believe they have had a change of heart yet.

I think this telemetry scandal was bound to happen. I have been expecting it since the day GitHub was bought by Microsoft. I evaluated my options with GitLab that day. GitLab wasn’t respecting user privacy then and it has not changed since.

Let me explain.

  • Let’s go to the websites [that I know best] for hosting your open-source code.
  • Let’s use the uMatrix extension for Firefox and see what technologies from which domains are used.

GitHub

  • Works without JavaScript – good.
  • Tries to set 4 cookies without asking me first: not nice.
  • No third-party resources on page – great.

Seems that they can take care of themselves without third parties involved.

Note: now owned by a corporation that mainstreamed vacuuming data from paying customers (telemetry).

SourceForge

  • Works without JavaScript – good.
  • Tries to set 1 cookie without asking me first: not nice.
  • Third parties:
    • fsdn.com – assuming it is owned by the same company (no way to check, because their Whois info is private) – kind of OK.
    • fonts.google.com – privacy-ignorant (do I need to argue that using any resources from an advertising company and the biggest data-hoarder on the planet is at least ignorant?).

Note: uBlock Origin still finds ad trackers on the page.

Seems they care more about their own privacy than mine.

SourceHut

  • Uses no JavaScript – great.
  • No cookies – excellent.
  • No third-party resources on page – great.

This is what I call hacker-friendly.

GitLab

  • Works without JavaScript – good.
  • Tries to set 1 cookie without asking me first: not nice.
  • Third parties:
    • cdnjs.cloudflare.com – not privacy friendly, bordering on ignorant
    • cookiebot.com – not sure what it does. Sounds evil, but probably just annoys you with a cookie consent banner
    • fontawesome.com – not privacy friendly
    • fonts.google.com – privacy-ignorant
    • bizible.com – anti-privacy. Bizible offers an integrated marketing analytics platform for marketers to optimize their campaigns.
    • googletagmanager.com:
      • privacy-hostile: Google: check. Google Tag Manager: “tag” means “tracking pixel”.
      • security risk: lets clueless marketers inject JavaScript from any third parties of their choosing into the page. From my experience, the third parties can look pretty shady. You are at risk of getting viruses, crypto-miners and other crap.

I don’t remember exactly what GitLab was using on the day Microsoft bought GitHub. Also, I was using NoScript at the time.

What I remember is that GitLab.com looked at least anti-privacy (probably due to Bizible). So I didn’t switch to it. I see no big difference between Microsoft and Google plus shady third parties hoarding my data.

What you can do

What I did: I looked at SourceHut and paid Drew DeVault the $20 he asked for. Currently I use it as a backup of my repos. I hope to use it for development and collaboration some day.

I have been using uMatrix for a few months now. It is developer-friendly, not user-friendly. It took some time to get used to it. But now I enjoy it: I have granular control over who runs what on my computer.

uMatrix also let me notice a hacked website I was visiting: the page was trying to access resources from localhost (127.0.0.1):

The page was on a site I didn’t expect to be hacked: the Lithuanian Post service. Not sure what the suspicious code was doing, but I reported it to the relevant authorities and it seems to be fixed.
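The uMatrix check described at the top of this post (which domains a page pulls scripts, styles, images and frames from, and how many cookies it sets before you agree to anything) and the localhost surprise above can both be approximated with a small script. The following is an added example, not code from the original post or from uMatrix: a stdlib-only Python audit that parses a page, classifies every sub-resource origin as first-party or third-party, flags anything pointing at a loopback address, and counts the `Set-Cookie` headers. The HTML, the resource paths and the cookie names are constructed for the example (the third-party hostnames are the ones named in the post); `example.org` stands in for the audited site, and the eTLD+1 helper is a deliberate simplification.

```python
"""Audit a page for third-party resource origins, loopback references and cookies.

Added example (not part of the original post). Approximates what uMatrix shows
in its matrix. All sample data below is constructed for the example.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that names a loadable sub-resource.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "source": "src", "link": "href"}
# <link> elements only count when they actually cause a fetch or a connection.
LINK_RELS = {"stylesheet", "preload", "modulepreload", "icon", "preconnect", "dns-prefetch"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). A real tool should use the Public Suffix
    List; this simplification is wrong for names like example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_loopback(host: str) -> bool:
    """True for 'localhost' or any loopback IP (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


class ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for every sub-resource the page would load."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.resources = []
        self.inline_scripts = 0  # scripts with no src still run, but fetch nothing

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and not attrs.get("src"):
            self.inline_scripts += 1
            return
        if tag == "link" and not (set(attrs.get("rel", "").lower().split()) & LINK_RELS):
            return  # canonical, alternate, etc. do not load anything
        value = attrs.get(RESOURCE_ATTRS.get(tag, ""))
        if value:
            # urljoin resolves relative and protocol-relative ("//host/...") URLs.
            self.resources.append((tag, urljoin(self.page_url, value)))


def audit(page_url: str, html: str, response_headers):
    """Return a report dict: first-party domain, third-party hosts with the tag
    types that reference them, loopback URLs, cookie names the server tries to
    set, and the number of inline scripts."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    first_party = registrable_domain(urlsplit(page_url).hostname or "")
    third_party, loopback = {}, []
    for tag, url in collector.resources:
        host = urlsplit(url).hostname or ""
        if not host:
            continue  # data: / blob: URLs have no origin to classify
        if is_loopback(host):
            loopback.append(url)
        elif registrable_domain(host) != first_party:
            third_party.setdefault(host, set()).add(tag)
    cookies = [v.split(";", 1)[0].split("=", 1)[0].strip()
               for name, v in response_headers if name.lower() == "set-cookie"]
    return {
        "first_party": first_party,
        "third_party": {h: sorted(t) for h, t in third_party.items()},
        "loopback": loopback,
        "cookies": cookies,
        "inline_scripts": collector.inline_scripts,
    }


# Constructed sample page and headers (not captured from any real site).
PAGE_URL = "https://example.org/projects/demo"
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="canonical" href="https://example.org/projects/demo">
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.google.com/css?family=Roboto">
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script>window.dataLayer = [];</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
</head><body>
<img src="/logo.png"><img src="https://cdn.example.org/banner.png">
<script src="https://consent.cookiebot.com/uc.js"></script>
<script src="http://127.0.0.1:8080/inject.js"></script>
</body></html>"""
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "consent_seen=0; Path=/"),
]

if __name__ == "__main__":
    report = audit(PAGE_URL, SAMPLE_HTML, SAMPLE_HEADERS)
    print(f"first party: {report['first_party']}")
    for host, tags in sorted(report["third_party"].items()):
        print(f"third party: {host} ({', '.join(tags)})")
    for url in report["loopback"]:
        print(f"LOOPBACK reference: {url}")
    print(f"cookies set without consent: {report['cookies']}")
    print(f"inline scripts: {report['inline_scripts']}")
```

Run against a live page by fetching it with `urllib.request` and passing `resp.getheaders()` as the header list; the loopback check is the part that would have surfaced the 127.0.0.1 request on the hacked page, and any hostname in the `third_party` map is a domain you are trusting with your IP address and browsing pattern. Note that this only sees resources in the static HTML; anything loaded later by JavaScript (which is exactly what a tag manager does) is invisible to it, which is why an in-browser tool like uMatrix still matters.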