GitHub on Thursday said it has removed all cookie banners from its website, a decision the company is making in the interest of privacy, despite the claimed popularity of its disclosure interface.
Cookies are files stored in the web browser upon visiting a website. They may be first-party cookies – stored by the visited domain – or third-party cookies – stored on behalf of a third-party, like a digital ad company that has some relationship with the website. They’re generally used for storing client-side data related to identification, advertising, tracking, analytics, and other related purposes.
Privacy laws in the US haven’t gone that far yet but websites anywhere looking to comply with EU law generally include some form of cookie notification/consent banner to alert visitors that their browser will be stuffed with cookies. GitHub did so but no longer does because, as it turns out, the company didn’t really need most of the cookies placed by its website code.
France fines Google, Amazon €135m total for slipping ad cookies into people’s computers without permission
In a blog post published Thursday, GitHub CEO Nat Friedman explains, “At GitHub, we want to protect developer privacy, and we find cookie banners irritating, so we decided to look for a solution. After a brief search, we found one: just don’t use any non-essential cookies. Pretty simple, really.”
The EU rules exempt functional cookies – those necessary for authentication or other technical functions – from the notification requirements. So by getting rid of unnecessary analytics and tracking cookies, GitHub no longer has to present a cookie notice banner.
In an email, a company spokesperson told The Register that GitHub is making this change despite the fact that there’s been praise for the company’s approach. “We recognize that even the best cookie banner is a sub-par user experience, and decided to put developers, their privacy, and experience first,” GitHub’s spokesperson said.
GitHub now sets nine cookies: dotcom_user, _gh_sess, has_recent_activity, __Host-user_session_same_site, user_session, device_id, tz, logged_in, and _octo. These cookies, used for necessary functions like logging in, may be consolidated further in the future.
“We removed cookies from github.com and nearly three dozen subdomains,” GitHub’s spokesperson said. “But this is just the start, and we will carry this commitment forward across all GitHub-owned domains.”
GitHub’s spokesperson said the company does use browser-based storage, like localStorage or IndexedDB, but only for essential purposes. “We use local storage to speed up the loading of assets (CSS, JS), but no information leaves one’s computer,” the company’s spokesperson said.
The company also relies on network requests for specific analytics. For example, it makes POST requests to the
“That endpoint tracks aggregate performance metrics, and does not rely on cookies or other unique identifiers,” GitHub’s spokesperson explained. “It tells us things like how long a given asset took to load, on average, so that we can optimize the performance of our pages.”
The tech industry is trying to be more attentive to privacy, or so online ad companies like to suggest. Mark Zuckerberg, head of Facebook, one of the largest data gathering operations around, declared at his company’s F8 conference in 2019, “The future is private,” perhaps not anticipating his company’s decision to criticize Apple for its tightened iOS app privacy requirements.
Then there’s Google, which has said third-party cookies will be phased out by 2022, assuming the search ad giant doesn’t let that deadline slip to accommodate laggard ad industry allies.
But cookies are not so much going away as evolving into a set of new technologies that purport to provide ad tracking without the privacy problems. Google has put forth a set of proposals which it calls its Privacy Sandbox, much derided by critics of the company, and other ad industry players have offered their own technical specifications for gathering online data, while somehow protecting privacy despite having not done so in the past.
GitHub may be getting rid of cookie banners and weaning itself from cookie-based tracking but not every company is ready for that diet. And if cookies do go out of fashion, expect whatever replaces them to raise a different set of privacy concerns. ®