GitHub CEO: We’re nuking all tracking ‘cookies’ and you should too
Our mission to make business better is fueled by readers like you. To enjoy unlimited access to our journalism, subscribe today.
Last month the team at GitHub, the software code-sharing website, showed its chief executive, Nat Friedman, some new design plans.
The group was tasked with refurbishing the site’s so-called cookie banners. They’re those annoying digital pop-ups that ask visitors to accept the use of “cookies,” a pervasive tracking technology that hitches a ride on Internet browsers to track people’s web-surfing activity.
The designers offered mock-ups. They simplified the disclosures’ ponderous legalese. They made the boxes tinier. They updated the colors to more pleasing hues. All the effort was aimed at making the banners less irritating.
Friedman commended the team’s work, but his verdict was no less harsh for it. “It may be the world’s best cookie banner,” Friedman adjudged. “But it still sucks. Nobody wants to see it.”
“Let’s just get rid of it all together,” Friedman said.
So the team went a different route. GitHub, a business Microsoft acquired for $7.5 billion two years ago, has spent the past few weeks excising all nonessential web trackers and cookies on its site—save for a few that are critical to its operation. A “session” cookie authenticates a logged-in user, for example, and others detect visitors’ time zones and language preferences.
Now that GitHub no longer has any outside trackers or cookies on its site, it doesn’t need to generate a nuisance pop-up the instant someone visits the web page. No outside services can scrutinize what people are up to on GitHub, and that ever-present consent form, ubiquitous around the web, is gone.
The action is a small victory in a bigger war. As the ad-selling duopoly of Google and Facebook comes under fire by antitrust regulators, the biggest tech players are drawing battle lines around companies’ use of people’s data. Apple and Facebook are openly feuding over the future of online profiling and behavior tracking. GitHub’s stance can be viewed as a division of yet another tech giant, Microsoft—another subsidiary of which, LinkedIn, is at least partly an ad-based social network—staking out a position against surveillance.
Cookies can be sorted into a few categories depending on their purpose, but the majority help boost targeted ads, a boon to the businesses like Google and Facebook.
Other types of cookies have different functions, though many of them, too, help serve ads. Some cookies allow certain pieces of content to inhabit a site, such as embedded YouTube videos, Twitter sharing buttons, Facebook log-in forms. Others provide analytics, allowing website operators to scrutinize how people are using their websites.
Since GitHub doesn’t rely on ads to make money—it sells premium products on top of its free developer tools—eradicating cookies was a lighter lift than other websites may find. The job mostly involved scrapping that last category of analytics trackers.
Friedman believes the tradeoff was worth the effort. “We lost some visibility [into how people are using GitHub]. But I think it’s questionable whether that matters,” he said. “I don’t think you need an all-seeing eye to build a good website.”
A screenshot of Mozilla’s Firefox web browser when visiting GitHub.com, where trackers and cookies are no longer present.
Cookie banners proliferated in the wake of the European Union’s adoption of the General Data Protection Regulation, or GDPR, a piece of legislation intended to improve privacy and data transparency on the web. Midas Nouwens, an assistant professor who studies data privacy protection law at Aarhus University in Denmark, said GitHub’s move was a “welcome consequence” of the new rules.
“Companies should consider whether harvesting that kind of data is really worth it if it means they have to implement user-hostile consent interfaces,” Nouwens said.
“It’s like having a lawyer tap you on the shoulder every time you visit a new website,” Friedman said. “This is like, you’re gonna go play miniature golf, and you have to sign like a 25-page liability waiver to play.
“I just think that’s kind of slightly corrosive to your soul, as a human being,” Friedman added.
Do Not Track redux
John Bergmayer, legal director at Public Knowledge Project, a nonprofit Internet advocacy group, called GitHub’s move “admirable.” He added: “The incentives all point toward people collecting more and more data, even if it’s not that useful, because if it’s basically free to collect and there’s no penalties for collecting it or for misusing it.”
Marshall Erwin, chief security officer at Mozilla, maker of the Firefox web browser, also praised GitHub’s action. “There are legitimate use cases for third-party cookies, but the technology and the way that it’s used across the web is pretty pernicious, and it has created an unhealthy web,” he said. “For a large important platform like GitHub to take those steps, I think that is significant.”
An earlier attempt at making the web more private, the “do not track” movement, relied on voluntary participation. When few websites agreed to observe people’s anti-tracking preferences, the initiative fizzled out.
Recently, web browser makers, like Mozilla, became more aggressive, updating their software to block third-party cookies and trackers by default. The nonprofit Tor browser and Apple’s Safari browser have adopted similar policies.
Google’s Chrome browser, widely perceived as dragging its feet on the issue, is aiming for a phaseout by 2022.
Go on and git
While privacy advocates praise GitHub for taking action on the issue, it’s relatively easy for the company to do so. GitHub doesn’t rely on ads to keep the lights on. And the site’s engineers have the coding chops to develop in-house tools to replace the analytics features it lost.
But the move is noteworthy, nonetheless. GitHub represents one of the first websites in a coming wave of cookie phaseouts. The New York Times, the Washington Post, Vox, and other publications are seeking to do the same. (Fortune’s website, on the other hand, uses trackers for the time being.)
“I think more websites should just do it,” Friedman told Fortune. “You don’t need all these cookie banners, you don’t need to use all these cookies, you don’t need to send all your users’ data to third parties. Just focus on building a good product. That’s what people want.”