GitHub will no longer present a cookie notification banner – because it's scrapping non-essential cookies

GitHub on Thursday said it has removed all cookie banners from its website, a decision the company is making in the interest of privacy, despite the claimed popularity of its disclosure interface.

Cookies are files stored in the web browser upon visiting a website. They may be first-party cookies – stored by the visited domain – or third-party cookies – stored on behalf of a third-party, like a digital ad company that has some relationship with the website. They're generally used for storing client-side data related to identification, advertising, tracking, analytics, and other related purposes.

Since cookies have privacy implications – they can be used to track people across the web – regulations like the EU's ePrivacy Directive and General Data Protection Regulation (GDPR) require websites to notify online visitors about the site's use of cookies and to obtain opt-in consent.

Privacy laws in the US haven't gone that far yet but websites anywhere looking to comply with EU law generally include some form of cookie notification/consent banner to alert visitors that their browser will be stuffed with cookies. GitHub did so but no longer does because, as it turns out, the Microsoft-owned outfit didn't really need most of the cookies placed by its website code.

In a blog post published Thursday, GitHub CEO Nat Friedman explains, "At GitHub, we want to protect developer privacy, and we find cookie banners irritating, so we decided to look for a solution. After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really."

France fines Google, Amazon €135m total for slipping ad cookies into people's computers without permission

READ MORE

The EU rules exempt functional cookies – those necessary for authentication or other technical functions – from the notification requirements. So by getting rid of unnecessary analytics and tracking cookies, GitHub no longer has to present a cookie notice banner.

Friedman says going forward that GitHub will only use cookies necessary to serve GitHub.com. "Developers should not have to sacrifice their privacy to collaborate on GitHub," he said.

In an email, a spokesperson told The Register that GitHub is making this change despite the fact that there's been praise for the company's approach. "We recognize that even the best cookie banner is a sub-par user experience, and decided to put developers, their privacy, and experience first," GitHub's spokesperson said.

GitHub now sets nine cookies: dotcom_user, _gh_sess, has_recent_activity, __Host-user_session_same_site, user_session, device_id, tz, logged_in, and _octo. These cookies, used for necessary functions like logging in, may be consolidated further in the future.

"We removed cookies from github.com and nearly three dozen subdomains," GitHub's spokesperson said. "But this is just the start, and we will carry this commitment forward across all GitHub-owned domains."

The spokesperson said the code-hosting biz does use browser-based storage, like localStorage or IndexedDB, but only for essential purposes. "We use local storage to speed up the loading of assets (CSS, JS), but no information leaves one’s computer," the spokesperson said.

The company also relies on network requests for specific analytics. For example, it makes POST requests to the https://api.github.com/_private/browser/stats endpoint.

"That endpoint tracks aggregate performance metrics, and does not rely on cookies or other unique identifiers," GitHub's spokesperson explained. "It tells us things like how long a given asset took to load, on average, so that we can optimize the performance of our pages."

We use local storage to speed up the loading of assets (CSS, JS), but no information leaves one’s computer

The tech industry is trying to be more attentive to privacy, or so online ad companies like to suggest. Mark Zuckerberg, head of Facebook, one of the largest data gathering operations around, declared at his company's F8 conference in 2019, "The future is private," perhaps not anticipating his antisocial network's decision to criticize Apple for its tightened iOS app privacy requirements.

Then there's Google, which has said third-party cookies will be phased out by 2022, assuming the search ad giant doesn't let that deadline slip to accommodate laggard ad industry allies.

But cookies are not so much going away as evolving into a set of new technologies that purport to provide ad tracking without the privacy problems. Google has put forth a set of proposals which it calls its Privacy Sandbox, much derided by critics of the company, and other ad industry players have offered their own technical specifications for gathering online data, while somehow protecting privacy despite having not done so in the past.

GitHub may be getting rid of cookie banners and weaning itself from cookie-based tracking but not every business is ready for that diet. And if cookies do go out of fashion, expect whatever replaces them to raise a different set of privacy concerns. ®