GitHub courts controversy by suspending Tornado Cash developers and reneging on cookie commitments
If you're looking for free speech or privacy, move along
GitHub over the past week has tested the trust of its users by enacting policies that call into question its commitment to free speech and privacy.
On Monday, the Microsoft-owned biz removed the account for virtual currency mixer Tornado Cash after the US Treasury Department sanctioned the service for apparently helping to launder virtual currency since 2019.
GitHub appears to have had no choice but to do so under US law. However, the biz also disabled the personal GitHub accounts of at least three developers who contributed to the Tornado Cash repo, including Roman Semenov, Roman Storm, and Alexey Pertsev.
Via Twitter, Semenov wondered aloud whether writing open source code "is illegal now?"
Several cybersecurity and legal experts insisted that it's not, citing a US appeals court ruling (Bernstein v. United States) that found source code is expressive and therefore has the legal status of speech protected by the First Amendment.
"While Tornado’s code is functional – mixing ETH transactions so they are harder to trace – publishing the code on its own is protected speech, even if that code can be used unlawfully," wrote Kurt Opsahl, deputy executive director and general counsel of the Electronic Frontier Foundation, via Twitter.
"Thirty years of hard legal work to establish First Amendment protections around software distribution, blown up in a day by Github/Microsoft," remarked Matthew Green, a cryptography professor at Johns Hopkins University.
In response to an inquiry from The Register, a GitHub spokesperson suggested the company was obligated to do what it did.
"Trade laws require GitHub to restrict users and customers identified as Specially Designated Nationals (SDNs) or other denied or blocked parties, or that may be using GitHub on behalf of blocked parties," a GitHub spokesperson said in an email.
"At the same time, GitHub’s vision is to be the global platform for developer collaboration. We examine government sanctions thoroughly to be certain that users and customers are not impacted beyond what is required by law."
Yet the US Treasury's sanctions designation of Tornado Cash does not name Semenov, Storm, or Pertsev as SDNs. In fact, the identifying information the Treasury Department provided for the sanctioned entity includes no individuals at all; it lists only Tornado Cash itself and numerous Ethereum addresses. What's more, the Treasury Department's Sanctions List Search tool returns no entries for any of the individuals whose accounts GitHub suspended.
The Register has asked GitHub to clarify its actions or cite the US government order naming these developers as SDNs. We've not heard back.
About that privacy thing...
In an unrelated but similarly perplexing decision last week, GitHub backed away from a prior privacy commitment to avoid unnecessary web cookies.
On December 17, 2020, GitHub published a blog post promising not to use any non-essential cookies out of concern for user privacy.
"At GitHub, we want to protect developer privacy, and we find cookie banners quite irritating, so we decided to look for a solution," explained Nat Friedman, who was CEO at the time. "After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really."
"So, we have removed all non-essential cookies from GitHub, and visiting our website does not send any information to third-party analytics services. (And of course GitHub still does not use any cookies to display ads, or track you across other sites.)"
Non-essential cookies are back on the menu for GitHub enterprise marketing subdomains, "to better reach and improve the web experience for enterprise users."
"We are adding non-essential cookies to certain subdomains that specifically market our products to businesses," a GitHub spokesperson explained. "This change is only on subdomains where GitHub markets products and services to enterprise customers. https://GitHub.com and all other GitHub subdomains will continue to operate as-is. These changes will not be implemented until at least September 1st."
In keeping with its rekindled cookie romance, GitHub also qualified its commitment to observe Do Not Track (DNT), a browser setting that adds a DNT request header to every page request; website operators are free to honor or ignore it, since nothing in the protocol or in US law compels them to act on it.
Previously, the company's privacy statement said, "GitHub responds to browser DNT signals..." That commitment has now been watered down to read, "Some services may respond to browser DNT signals…"
Noah Berman, a security engineer based in Bristol, UK, is one of many objecting to GitHub's revision of its previous no-cookie commitment.
He wrote, "As someone who uses both GitHub and Github Enterprise on a daily basis for work, I do not appreciate being tracked across one set of offerings – what more could you possibly want to know about us? What data do you not get by knowing everything we do on the platform, our codebase, the way we use CI/CD, and so on?"
"If you want to have a site for people who don't use the product but you want tracking details from them, why not make a separate domain entirely for marketing purposes and send that around? How are we supposed to trust any of Github's other commitments if they won't even stick to no cookies?"
The reaction icons posted to the repo indicate just how unpopular this decision is. At the time this story was filed, there were 41 reactions with the thumbs up emoji and 945 with the thumbs down emoji, not to mention an additional 117 weighing in with the confused emoji. ®