item 21390563

Gitlab cancels plan on tracking user behavior on GitLab.com

602 points | tyteen4a03 | 6 years ago | gitlab.com

271 comments

[+] jbk | 6 years ago
We received an apology email at the same time, well written, explaining what they did wrong, apologizing, promising to do a post-mortem, promising not to send to 3rd party trackers, and saying they made a mistake and are waiting for feedback on the issue tracker. And with very little BS in the mail.

Such a level of transparency, apology and clarity, especially written in the first person ("I am truly sorry."), is very rare and should be praised.

[+] tyre | 6 years ago
The reaction to this whole saga has been insane. Chill out people.

They fucked up, users gave feedback, they listened.

This isn't some corporate conspiracy, some grand ethical dilemma with an evil company on one side and some white knight hackers on the other.

Let's imagine for a second that they are people trying to do the right thing, with years of history doing the best they can.

They wanted to measure usage to make their product better. People seem to disagree, which, okay, but the outrage here is everything wrong with the internet.

[+] hn_throwaway_99 | 6 years ago
> The reaction to this whole saga has been insane. Chill out people.

I very much disagree. I think the outcry was warranted, and right now I see GitLab doing the right thing (and, obviously, the outcry was a huge reason for that).

Changing plans in the harsh light of public condemnation isn't easy, and for that I very much commend GitLab. As someone who was very much against the previously announced change, though ( https://news.ycombinator.com/item?id=21350146 ), I'm glad the community feedback was so strong.

[+] EpicEng | 6 years ago
Their CFO showed that he has little regard for the privacy of their users. I highly doubt that has changed. Many devs and compliance folk were on the right side of this in the MR and feature threads, but they were overruled.

I highly doubt the CFO has changed his viewpoint, and he's still in power over there. They only backtracked after the "insane" reaction. They anticipated some amount of pushback, but obviously hoped it would be smaller and they could move forward.

[+] elliekelly | 6 years ago
> Let's imagine for a second that they are people trying to do the right thing, with years of history doing the best they can.

When I first saw they had their compliance policy repos set to public so anyone could view internal discussions around changes the lawyer in me just about fell off my chair. That is an almost unbelievable level of transparency. It's difficult for me to assume anything but the best intentions when GitLab has gone out of their way to let people see how the sausage is made.

[+] stefan_ | 6 years ago
Uhm, they sent a mail saying "we're locking all access to your project data until you accept our new ToS, or fuck off".

It doesn't take a genius to realize the mistake here.

[+] Accacin | 6 years ago
> Let's imagine for a second that they are people trying to do the right thing, with years of history doing the best they can.

How could a company like this ever think that opt-out is appropriate? It seems like all their engineers knew this was a bad idea and everyone else seemed to think it was okay!

The problem for me was how a company like this couldn't see that this would happen and went along with it. I held Gitlab to a high standard and honestly I've lost a lot of trust with them.

I'm thankful for the outrage, and whilst I will never condemn personal attacks, I feel discussing the matter on places like HN was appropriate.

[+] bogomipz | 6 years ago
>"The reaction to this whole saga has been insane. Chill out people."

No, it hasn't unless a civil discussion in an area where people have strong opinions is somehow your definition of "insane."

>"People seem to disagree, which, okay, but the outrage here is everything wrong with the internet."

There is no "outrage" here, just lots of concern if not some well-placed bewilderment at a particularly brusque comment made by their CFO on the issue[1]

The great irony is that you have dismissed an entire civilized and adult discussion as "outrage culture" and "everything wrong with the internet."

[1] https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no...

[+] overgard | 6 years ago
If there hadn't been an outcry gitlab wouldn't have changed their trajectory. Seems like it worked.

[+] acrispino | 6 years ago
How do we know that they would have changed their plans without the outrage?

[+] xiphias2 | 6 years ago
They wanted to violate my rights given by Article 7.2 of the General Data Protection Regulation (GDPR), this is clearly making the product worse.

What's great with GitLab compared to other companies is that they are doing things in the open, while another company would just violate my rights without me knowing it.

If you go through the comments, multiple (toxic) people in GitLab don't care about user rights and just want to push the change as soon as possible (just like in any other company that I have been working in).

It's also clear that you get VP/Director/Staff engineer by just pushing through other people (sadly I have seen the same thing happening other times as well).

[+] igreulich | 6 years ago
I don't see where it is canceled. The closest thing I see to canceled is postponed.

From the update: 'We will not activate user level product usage tracking on GitLab.com or GitLab self-managed before we address the feedback and re-evaluate our plan.'

That leaves a lot of wiggle room.

[+] tyteen4a03 | 6 years ago
This comment, from the CFO, is particularly nasty: https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no...

[+] zapita | 6 years ago
You may or may not agree with that comment, but it is not nasty. What is nasty, on the other hand, is the vitriolic reaction to it. So far I count 16 "middle finger" emojis, including one with the subtitle "incompentent or malicious CFO". In what world does a disagreement over the right level of telemetry justify this kind of behavior?

It's mind-boggling to me how entitled and aggressive the open-source culture is allowed to be. Does a company like Gitlab really deserve to have its employees publicly insulted in this way, after giving away so much to their users, for free, and being so much more transparent than 99% of tech companies?

At this point I don't understand why anyone in their right mind would go to the trouble of making their product open-source. It's just not worth it.

[+] kgwxd | 6 years ago
At least they said what they actually thought and opened a discussion instead of spewing one of the standard canned PR statements. The replies are a pretty good source of arguing against the position he took and now can be referenced by anyone else having a similar discussion.

[+] colechristensen | 6 years ago
What?

>I don’t understand. This should not be an opt in or an opt out. It is a condition of using our product. There is an acceptance of terms and the use of this data should be included in that.

In what way is that "nasty"?

[+] user9837 | 6 years ago
I wonder if Microsoft not allowing full telemetry opt-out in Windows 10 opened a precedent for this kind of thing.

[+] segmondy | 6 years ago
This is just the beginning, at some point, they will flip. Google was our darling, that could do no wrong. Just imagine, to be bold and say "Don't be evil!" And then, what happened? This is just a short term reaction to quiet down the noise, but their long term hand has been exposed. They are not going to do it, but note that nothing says they won't try to or do it again in the far future.

What I really would like to know is how they will profit off that data. Is it even going to make a bump on their bottom line?

[+] mav3rick | 6 years ago
What happened? Google is still one of the better players around. They pulled out of DoD contracts etc. This site just hates it for every single thing... it's just groupthink now; the majority of the general public still loves it.

[+] donarb | 6 years ago
Gitlab has also committed to doing a post-mortem on this, just as they do for crashes or data breaches, which is a good thing.
[+] buremba | 6 years ago
We sent an MR to Gitlab 1.5 years ago (https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/156...) implementing our open-source analytics tool in their app and letting the system administrators opt in to this feature if they want to analyze their user behavior, but it looks like Gitlab wanted to implement a centralized user tracking feature for themselves instead.

However, given that most of the Gitlab customers / open-source community care about their privacy and want to have control (well, that's probably why they switched to Gitlab from other products), I wonder why they wanted to follow this approach in the first place. The good thing is that they almost always know how to take action when their community reacts.

[+] jamiequint | 6 years ago
This is incredibly dumb. Both Pendo and Snowplow are analytics providers, meaning they both have in their TOS that the company remains the owner of the data in question and that the services only exist to facilitate analysis of the data in question.

Effectively this is users complaining that Gitlab wants to simplify their data analysis overhead. Presumably nothing precludes them from sending the exact same data to these companies and more on the backend. What do users expect? For Gitlab to build every single part of their stack in-house (CRM, analytics, support tooling, etc)? Because that's what this is effectively asking for.

What's next? Protesting that a company uses RDS instead of their own hand-rolled Postgres setup? Because this is the same level of stupid.

[+] jackcodes | 6 years ago
What about running third party scripts on the page, which would have access to all code on the account you’re logged in with? How do organisations audit these scripts, and how can they audit new versions of these scripts when gitlab controls the release strategy of these scripts?

You’d be moving from one vendor (possibly two if you include the cloud provider) having theoretical access to all of your code to four vendors having potential access.

[+] orf | 6 years ago
I think part of the issue was that there are many cases where you can't send potentially sensitive information to a third party, regardless of their TOS.

I left a comment on the feedback issue about this. It's not as comprehensive as a third party, but you can build your own analytics in house. There are a lot of managed services (like BigQuery) that make it significantly easier to implement it yourself, and you do get valuable insights from such data.

[+] flukus | 6 years ago
The main issue was that this is for internally hosted enterprise instances, so no they can't just pass along the same data on the backend because they don't control the environment the backend is running in.

In the hosted gitlab, if they want to keep me as a paying customer they should be looking at on premise analytics providers. If they're going to be sending data out to random third parties I don't trust, who I can't trust because I have never heard of them and have no relationship with, then I can't trust gitlab either.

[+] mobjack | 6 years ago
There is a lot of FUD whenever someone mentions a third party because many don't know the difference between a dedicated analytics provider and Facebook.

[+] falcor84 | 6 years ago
Could someone here please explain to me why Gitlab's product managers would be so interested in client-side analytics in the first place? From my familiarity with their service, almost every operation requires an ajax call, or a full page refresh. Is there really that much value for the product managers in these additional analytics?
[+] notJim | 6 years ago
I find the anti-telemetry attitude honestly kind of confusing. I mean, you know that the shops you go to know what products you're buying from them, right? Presumably those shops look at that data in aggregate when thinking about which products to stock. How is this any different? If you're transacting with someone, it's not possible to hide that transaction from them. Of course you should have the right to have that data deleted, but that's different from saying it should never be collected at all.

Also, given that nearly all websites are using something like Google Analytics or similar (or several of these at once), the reaction and vitriol here just seems weirdly disproportionate.

[+] stonogo | 6 years ago
> I mean, you know that the shops you go to know what products you're buying from them, right?

They know what products are selling. They don't necessarily know what I personally am buying.

The point of those loyalty program cards is to associate purchasing habits with repeat customers. Those cards, you may note, are opt-in. To belabor the analogy, this was the equivalent of my grocery store putting cameras all over the building and offering me a mask if I wanted to opt out of the user monitoring program.

"Everyone else is doing it" is a pretty bad reason when many of your clients chose to do business with you at least in part because you are not doing it.

[+] mkl | 6 years ago
Web tracking is different in that it's ongoing tracking of behaviour. When I buy something from a shop, that's the end of their knowledge: the shop has no idea what I use it for.

[+] d357r0y3r | 6 years ago
> Of course you should have the right to have that data deleted, but that's different from saying it should never be collected at all.

Err...do you have that right? The whole concept of a "right to be forgotten" is a relatively new thing that generally has not been observed in the past.

Like, if I want the library to erase all records of me checking out books, they probably just aren't going to do it, and I don't see how I have a right to force them to. I willingly gave them my information and used the books there.

[+] TeMPOraL | 6 years ago
I'm hostile towards both on-line and meatspace telemetry alike. It's just it's much harder to opt out from the latter. When a store I frequent decides to be total assholes and install customer-tracking cameras, I can't even tell (and unfortunately, there's no legal requirement to inform about it; I hope it'll change in the future). And even if I could, like most people, I'm rather price-sensitive when bulk shopping. On-line, I can at least try to defeat most telemetry with content blockers and network filters.

> Of course you should have the right to have that data deleted, but that's different from saying it should never be collected at all.

Anything that GDPR forces to be opt-in (like this telemetry here) is essentially data that shouldn't be collected in the first place.

> Also, given that nearly all websites are using something like Google Analytics or similar (or several of these at once), the reaction and vitriol here just seems weirdly disproportionate.

There were a couple of compounding issues here, not the least of which was them wanting to deploy telemetry on self-hosted instances. On Gitlab.com, they can deploy analytics scripts to their heart's content; that's just being disrespectful. But self-hosting is something one does in big part to control the data flow, and pushing telemetry onto that kind of defeats the point (it's a real compliance issue for a lot of companies).

As others have said, just because many other people do something, doesn't mean it's good and you should do it too.

[+] andrewbinstock | 6 years ago
>We have not yet added instrumentation to the Enterprise edition versions, and we will not do so until we have a way for self-hosted customers to opt out... (Scott Williamson, Gitlab VP of product, responding to the OP)

That's not the right way to do it. Customers should need to opt in, rather than having to opt out.

[+] dreamcompiler | 6 years ago
I'm glad they reversed course and apologized but it still amazes me how powerful the reality distortion bubble can be even at well-meaning corporations. It's as if there was a meeting at the Red Cross where somebody said "Hey why don't we start selling guns? It would be a great fundraising tool." And everybody in the room just nodded and said "Yeah that's a pretty great idea. Let's start tomorrow!"

[+] mobee | 6 years ago
The real reason you shouldn't be using GitLab is performance. How is it possible that that page took over a minute to load? Nevermind that the design is completely incomprehensible.

[+] foreign-inc | 6 years ago
How can you trust a company like GitLab whose default decision is always bad and then they change direction after public outcry.

Either they don't think before they make decisions or they are just trying to figure out what they can get away with.

This really shows their lack of morality. They kind of remind me of Facebook.

[+] Sir_Cmpwn | 6 years ago
I don't understand, what changed? This was last updated on the 24th. They said they'll be re-evaluating it and returning later, but afaict they haven't made any statements about a blanket cancellation of the telemetry roll-out.

[+] swoongoonz | 6 years ago
remember when everyone was bailing on github because of evil microsoft?

[+] akerro | 6 years ago
I'm happy to enable telemetry on my self-hosted Gitlab if that makes gitlab better, maybe make it opt-in instead of opt-out?

[+] btashton | 6 years ago
Something a little ironic about putting a tracked click link in an email apologizing for adding tracking. That said I firmly believe in opt-in tracking and would likely enable it for my gitlab usage.

[+] gorkemcetin | 6 years ago
Long story short, if Gitlab were to use an open source & self-hosted platform (like Countly) with a clear mention of what to collect and what not, clarifying that nothing is collected that is unknown to them, there would be no problems. Gitlab's CEO has provided the right response with the right tone, which is something we don't usually see in big corps. I again would like to stress that such platforms should not use 3rd party analytics providers but a self-hosted and/or in-house solution.