GitLab Faces Overwhelming Community Pressure over Multiple Privacy and Security Issues

The controversy over online privacy and the selling of user data has come up time and again in recent years. The latest company entangled in a privacy controversy is GitLab. GitLab is primarily used as a collaborative space for programmers, whether they be private individuals or large companies.

GitLab has always been an open-source platform and started out as entirely free. It is used by large entities like Sony and NASA, who now pay for certain features, but the basic free platform still exists. When GitLab attempted to add telemetry to its main platform, there was a backlash from the community. An email sent on October 23 informed GitLab users of the changes that would be added to the platform and the new Terms of Service they would have to agree to. The change included the possibility of the third-party telemetry service Pendo being used by GitLab in addition to GitLab's own new tracking program. Pendo has a SOC 2 attestation, meaning an independent auditor has examined its security and confidentiality controls against criteria set by the American Institute of Certified Public Accountants; GitLab itself did not have a SOC 2 attestation at the time. Even so, introducing a third party into the data path raised security concerns from the community, since every additional recipient of user data is another place it can leak. Additionally, only some of the new tracking program would be open source. While these changes were initially only being made to the main version of GitLab, the intention to eventually extend them to GitLab EE, the edition used by most of the major companies, was clear.

In an email on October 29, GitLab CEO Sid Sijbrandij admitted that adding the user data monitoring was a mistake and that doing so without discussion with the community went against the open-source spirit of the company. The changes had been in place for only a day when the response from users forced the walkback. GitLab initially removed both its own monitoring software and all third-party counterparts, and opened a discussion with the community on how to proceed. The later email expressed interest in finding a way to move forward with certain elements of telemetry in the future so that the data could be used to improve the user experience. Initial suggestions by Sijbrandij include a way to turn tracking on and off, a clear distinction between first-party and third-party tracking, and "deployment flexibility." In the conversation between the company and its users on GitLab's website, several objections to these solutions have been raised: that GitLab does not always act on the problems users already report, so the justification of improving the product through usage data is weak, and that any data collected at all is a security risk no matter how carefully it is handled.

A second privacy issue is stirring up trouble at the company: some of GitLab EE's clients have expressed concerns about employees in China and Russia compromising their security. These concerns were raised after reports of China using hackers to steal airplane designs from Western companies. The clients brought their preemptive concerns to GitLab, fearing that similar espionage, or coercion of employees by their home governments, could lead to a security incident in the future. GitLab does not currently employ anyone in either China or Russia.

The proposed solution is not to avoid hiring people in these countries altogether, but rather to avoid employing them in specific roles that give them broad access to customer data. The hiring ban, if implemented, would apply specifically to the positions that grant an employee full access to users' data: Site Reliability Engineer and Support Engineer. GitLab is holding another community discussion on this, acknowledging that the concern is common in the industry at the moment due to current world events. The blanket ban on hiring for these positions stems from the impracticality of the alternative, which would be to limit what these employees could see based on the country they are in. GitLab added that this alternative "would also force us to confront the possibility of creating a 'second class of citizens' on certain teams who cannot take part in 100% of their responsibilities." GitLab stated that it prefers the ban because it affects none of its current employees, other than preventing them from relocating to China or Russia while in those roles. The ban should not affect Chinese or Russian developers who use GitLab.