On GitLab and keeping your privacy on the modern Web
TL;DR: If you are a privacy-conscious technical person, use uMatrix (or an alternative) and consider switching to SourceHut.org.
GitLab has upset hackers with their telemetry announcement. They have (wisely) back-tracked from it, but I don’t believe they have had a change of heart yet.
I think this telemetry scandal was bound to happen. I have been expecting it since the day GitHub was bought by Microsoft. I evaluated my options with GitLab that day. GitLab wasn’t respecting user privacy then and it has not changed since.
Let me explain.
- Let’s go to the websites [that I know best] for hosting your open-source code.
- Let’s use the uMatrix extension for Firefox and see what technologies from which domains are used.
GitHub
- Works without JavaScript – good.
- Tries to set 4 cookies without asking me first: not nice.
- No third-party resources on page – great.
Seems that they can take care of themselves without third parties involved.
Note: now owned by a corporation that mainstreamed vacuuming data from paying customers (telemetry).
SourceForge
- Works without JavaScript – good.
- Tries to set 1 cookie without asking me first: not nice.
- Third parties:
- fsdn.com Assuming it is owned by the same company. No way to check, because their Whois info is private. – kind of OK.
- fonts.google.com – privacy-ignorant (do I need to argue that using any resources from an advertising company and the biggest data-hoarder on the planet is at least ignorant?).
Note: uBlock Origin still finds ad trackers on the page.
Seems they care more about their own privacy than mine.
SourceHut
- Uses no JavaScript – great.
- No cookies – excellent.
- No third-party resources on page – great.
This is what I call hacker-friendly.
GitLab
- Works without JavaScript – good.
- Tries to set 1 cookie without asking me first: not nice.
- Third parties:
- cdnjs.cloudflare.com – not privacy friendly, bordering on ignorant
- cookiebot.com – Not sure what it does. Sounds evil, but probably just annoys you with a cookie consent banner
- fontawesome.com – not privacy friendly
- fonts.google.com – privacy-ignorant
- bizible.com – anti-privacy “Bizible offers an integrated marketing analytics platform for marketers to optimize their campaigns.”
- googletagmanager.com:
- privacy-hostile: Google: check. Google-tag-manager: “tag” means “tracking pixel”.
- security risk: Lets clueless marketers inject JavaScript from any third-parties of their choosing into the page. From my experience, the third-parties can look pretty shady. You are at risk of getting viruses, crypto-miners and other crap.
I don’t remember exactly what GitLab was using on the day Microsoft bought GitHub. Also I was using NoScript at the time.
What I remember is that GitLab.com looked at least anti-privacy (probably due to Bizible). So I didn’t switch to it. I see no big difference between Microsoft or Google plus shady third-parties hoarding my data.
What you can do
What I did: I looked at SourceHut and paid Drew DeVault the $20 he asked for. Currently I use it as a backup of my repos. I hope to use it for development and collaboration some day.
I have been using uMatrix for a few months now. It is developer-friendly, not user-friendly. It took some time until I got used to it. But now I enjoy it: I have granular control over who runs what on my computer.
uMatrix has also let me notice a hacked website I was visiting: I noticed that the page was trying to access resources from localhost (127.0.0.1).
The page was on a site I didn’t expect to be hacked: the Lithuanian Post service. Not sure what the suspicious code was doing, but I reported it to the relevant authorities and it seems to be fixed.
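The same check that uMatrix performs in the browser (which hosts a page pulls resources from, whether any of them are third parties, whether cookies arrive unasked, and the localhost oddity described just above) can be scripted offline. The following is an added example, not code from the original post or from any of the hosting sites discussed; the page URL, HTML and response headers are constructed for illustration, and the registrable-domain heuristic (last two labels, no public-suffix list) is a simplifying assumption.

```python
"""Audit a page's HTML for third-party resources, loopback references and
unsolicited cookies, approximating what uMatrix shows in the browser.
Added example: the sample page below is constructed, not captured."""
import ipaddress
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Tag attributes whose value makes the browser fetch a resource.
_SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
              "video": "src", "audio": "src", "source": "src"}


class _ResourceCollector(HTMLParser):
    """Collect resource URLs and count inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and not attrs.get("src"):
            self.inline_scripts += 1
        attr = _SRC_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.urls.append(attrs[attr])


def site(host):
    """Crude registrable domain: last two labels (assumption: no public-suffix list,
    so 'cdnjs.cloudflare.com' -> 'cloudflare.com')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_loopback(host):
    """True for 'localhost' or any loopback IP literal such as 127.0.0.1."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit(page_url, html, response_headers):
    """Classify every fetched resource relative to the page's own site and
    list cookies the server tries to set. response_headers is a list of
    (name, value) pairs as returned by the HTTP client."""
    page = urlparse(page_url)
    collector = _ResourceCollector()
    collector.feed(html)
    first, third, loopback = set(), set(), set()
    for url in collector.urls:
        # Default scheme handles protocol-relative URLs like //cdn.example/x.js
        host = urlparse(url, scheme=page.scheme).hostname
        if host is None:          # relative path: served by the page's own host
            continue
        if is_loopback(host):     # a public page should never load from 127.0.0.1
            loopback.add(host)
        elif site(host) != site(page.hostname):
            third.add(host)
        else:
            first.add(host)
    cookie_names = set()
    for name, value in response_headers:
        if name.lower() == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            cookie_names.update(jar.keys())
    return {"first_party": sorted(first), "third_party": sorted(third),
            "loopback": sorted(loopback), "cookies_set": sorted(cookie_names),
            "inline_scripts": collector.inline_scripts}


# Constructed sample page: hostnames borrowed from the post, content invented.
SAMPLE_URL = "https://example.org/user/repo"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://fonts.google.com/css?family=Roboto">
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<img src="https://static.example.org/logo.png">
<script src="http://127.0.0.1:8000/x.js"></script>
</body></html>"""
SAMPLE_HEADERS = [("Content-Type", "text/html; charset=utf-8"),
                  ("Set-Cookie", "_sid=abc123; Path=/; HttpOnly"),
                  ("Set-Cookie", "_ga=GA1.2.1; Path=/")]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_URL, SAMPLE_HTML, SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Run against a real page by feeding `audit()` the URL, body and headers from your HTTP client of choice. It only sees what the static HTML references; anything a tag manager injects at runtime will not appear, which is exactly why the post treats googletagmanager.com as a distinct risk, and why a browser-side tool like uMatrix still has the last word.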