#GamerGate, I have sent an open letter to @GitHub about the misuse of my data.
To Whomever it may concern,
I recently contacted GitHub via a contact form in regards to a specific complaint regarding the conduct of a staff member, and the removal of a repository. The complaint was sent at approximately 2:55am UK time, from this email address (XXX@me.com). At 3:03am, I received an email notification from a website called www.emailsherlock.com. This notification informed me of the following:
"Someone from San Francisco, CA, United States searched your email and found your social media profile(s). To see what they found out about you, click here."
After clicking the link, I was redirected to a page, to my horror, detailing all of my online profiles associated with the email address I had used to contact Github, which is my primary email address. One of the sites linked potentially contained my personal details. As to my searcher, the site elaborated:
"On Oct 03,2014 at 10:02 pm* someone from San Francisco, CA, United States searched for XXX@me.com through our website. Most probably the person that searched for you has a phone number starting with 415 area code."
*Eastern Time Zone.
Upon testing the legitimacy of this website, by searching for an alternative email of mine, I noted that it does not inform the searcher that the subject of the search is notified a search has been conducted. This means that whoever searched for me did not intend for me to be informed. This is done automatically, without the searcher’s consent or knowledge. I also noted, from searching for my alternative email address, that it accurately identified the city from which I conducted the search.
In essence, I feel confident in the validity of the information the website provided me in regards to the location of the person who searched for me. I also feel confident that the person did not know I would be informed a search had been conducted, nor that I would know where the search was conducted from.
Now. This search against me was conducted only minutes after I had submitted a complaint against GitHub, and a member of GitHub’s staff in particular. This search was conducted from the county in which GitHub is stationed. Based upon these two facts, I am left to conclude that the person who searched for, and assumedly through, my social media profiles was in fact an employee of GitHub, and likely the person who received my email of complaint.
"We collect the e-mail addresses of those who communicate with us via e-mail, aggregate information on what pages consumers access or visit, and information volunteered by the consumer (such as survey information and/or site registrations). The information we collect is used to improve the content of our Web pages and the quality of our service, and is not shared with or sold to other organizations for commercial purposes, except to provide products or services you've requested, when we have your permission, or under the following circumstances:
• It is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Terms of Service, or as otherwise required by law.
I request that this matter is looked into immediately, and would like several questions answered:
How does the company intend to investigate this?
Why was I targeted to be searched?
What action will the company be taking should a guilty party be discovered?
If a guilty party is not discovered, given the evidence, how can the company be confident that they have simply failed to find the offending party?
Should a guilty party be discovered, how can GitHub assure its customers that their data is safe, and not being negligently handled, or outright abused?
Should a guilty party be discovered, is there any suggestion that he or she holds malicious intent toward me?
Any claim made in this letter can be evidenced, should the company require it. Feel free to get in touch.
PS- this letter is written as an open letter and will be shared online with all private information redacted, as will the response.