Chríss · @Chriss_m
4th Oct 2014 from TwitLonger
#GamerGate, I have sent an open letter to @GitHub about the misuse of my data.
To Whomever it may concern,
I recently contacted GitHub via a contact form in regards to a specific complaint regarding the conduct of a staff member, and the removal of a repository. The complaint was sent at approximately 2:55am UK time, from this email address (XXX@me.com). At 3:03am, I received an email notification from a website called www.emailsherlock.com. This notification informed me of the following:
"Someone from San Francisco, CA, United States searched your email and found your social media profile(s). To see what they found out about you, click here."
After clicking the link, I was redirected to a page, to my horror, detailing all of my online profiles associated with the email address I had used to contact Github, which is my primary email address. One of the sites linked potentially contained my personal details. As to my searcher, the site elaborated:
"On Oct 03,2014 at 10:02 pm* someone from San Francisco, CA, United States searched for XXX@me.com through our website. Most probably the person that searched for you has a phone number starting with 415 area code."
*Eastern Time Zone.
Upon testing the legitimacy of this website, by searching for an alternative email of mine, I noted that it does not inform the searcher that the subject of the search is notified a search has been conducted. This means that whoever searched for me did not intend for me to be informed. This is done automatically, without the searcher’s consent or knowledge. I also noted, from searching for my alternative email address, that it accurately identified the city from which I conducted the search.
In essence, I feel confident in the validity of the information the website provided me in regards to the location of the person who searched for me. I also feel confident that the person did not know I would be informed a search had been conducted, nor that I would know where the search was conducted from.
Now. This search against me was conducted only minutes after I had submitted a complaint against GitHub, and a member of GitHub’s staff in particular. This search was conducted from the county in which GitHub is stationed. Based upon these two facts, I am left to conclude that the person who searched for, and assumedly through, my social media profiles was in fact an employee of GitHub, and likely the person who received my email of complaint.
Before I continue, I would like to draw your attention to GitHub’s privacy policy:
"We collect the e-mail addresses of those who communicate with us via e-mail, aggregate information on what pages consumers access or visit, and information volunteered by the consumer (such as survey information and/or site registrations). The information we collect is used to improve the content of our Web pages and the quality of our service, and is not shared with or sold to other organizations for commercial purposes, except to provide products or services you've requested, when we have your permission, or under the following circumstances:
• It is necessary to share information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of Terms of Service, or as otherwise required by law.
• We transfer information about you if GitHub is acquired by or merged with another company. In this event, GitHub will notify you before information about you is transferred and becomes subject to a different privacy policy."
Nowhere within the privacy policy does it state that my private email address will be used by a member of staff to search through my social media profiles when I submit a complaint. However, it does link to the Terms of Service, so on the off chance this was one of the terms of submitting a complaint, I decided to read them. It was not.
Weighing the evidence up, I find it to be likely that I have fell victim to, what I consider, a gross violation of my privacy at the hands of a GitHub employee - whom has obviously acted in a manner which is an egregious breach of the site’s privacy policy.
I request that this matter is looked into immediately, and would like several questions answered:
How does the company intend to investigate this?
Why was I targeted to be searched?
What action will the company be taking should a guilty party be discovered?
If a guilty party is not discovered, given the evidence, how can the company be confident that they have simply failed to find the offending party?
Should a guilty party be discovered, how can GitHub assure its customers that their data is safe, and not being negligently handled, or outright abused?
Should a guilty party be discovered, is there any suggestion that he or she holds malicious intent toward me?
Any claim made in this letter can be evidenced, should the company require it. Feel free to get in touch.
Regards,
Chris XXX
PS- this letter is written as an open letter and will be shared online with all private information redacted, as will the response.