GitLab backs down on telemetry changes and forced tracking - for now

Negative feedback from the community has forced GitLab to rethink its data collection plans.
Written by Charlie Osborne, Contributing Writer

GitLab has put the brakes on plans to introduce forced tracking by third-party telemetry services by changing its Terms of Service.

GitLab is a DevOps platform, delivered as a web application for purposes including management, code creation, security, and project planning. Used by over 100,000 organizations worldwide, GitLab has proven to be a popular resource for DevOps -- but its latest decision to introduce telemetry changes has resulted in high levels of criticism and threats by some users to move elsewhere. 

Two months ago, the company floated changes for GitLab.com and proprietary software packages to include JavaScript snippets for third-party telemetry purposes.

In a blog post describing the changes, GitLab said the snippets would collect information in a similar way to Google Analytics. 

"GitLab.com (GitLab's SaaS offering) and GitLab's proprietary Self-Managed packages (Starter, Premium, and Ultimate) will now include additional Javascript snippets (both open source and proprietary) that will interact with both GitLab and possibly third-party SaaS telemetry services (we will be using Pendo)," the company said. "We will disclose all such usage in our privacy policy, as well as what we are using the data for."

The company would "aim" for SOC2 compliance with any third-party telemetry service connected to the changes, GitLab added.

However, the community was not impressed. Some users argued that data collection of this kind should be opt-in, rather than enabled by default and stopped only by Do Not Track (DNT) mechanisms in web browsers.

Users also complained that the changes seemed to be "poorly planned" and "anti-user orientated," and some said their organizations -- including government entities -- could not allow third-party tracking, and therefore would be forced to cancel their subscriptions. 

"GitLab is in a unique position to do the right thing and set a good example for others," user Yorick Peterse commented on the issue thread. "We have also always cared greatly about our users and the community. Let's keep it that way, instead of introducing telemetry and other potentially harmful changes that require one to opt-out (e.g. ads would be an example). This does nothing but alienate the community, and there is only so much you can do before people will have had enough and move elsewhere."

The EU's General Data Protection Regulation (GDPR) has also been raised, specifically whether a default opt-in, bound by Terms of Service, would violate European data protection standards.

A previous email sent to users informed them that they had to accept the new terms or face disruption -- which, arguably, is in defiance of GDPR, given that users would have little choice but to accept the snippets on pain of being blocked from the web interface.

"For GitLab.com users: as we roll out this update you will be prompted to accept our new Terms of Service," the message said. "Until the new Terms are accepted access to the web interface and API will be blocked. So, for users who have integrations with our API this will cause a brief pause in service via our API until the terms have been accepted by signing in to the web interface."

In the face of such negative feedback, GitLab has chosen to listen -- at least, for now. This week, the company posted an update promising to roll back any changes to its Terms of Service which forced users to accept the new telemetry push, saying that GitLab would "rethink its approach."

"We will not activate user-level product usage tracking on GitLab.com or GitLab self-managed before we address the feedback and re-evaluate our plan," the firm said. "We will make sure to communicate our proposed changes prior to any changes to GitLab.com or self-managed instances, and give sufficient time for people to provide feedback for a new proposal."
