Will Microsoft be able to steal from private Github repositories?

By: (plus.google.com) +David Herron; Date: June 11, 2018

Tags: Microsoft »»»» Github »»»» Open Source

The biggest concern with Microsoft's Github acquisition is whether Microsoft will do something evil with the private repositories stored on Github. Some of Microsoft's competitors use Github, and they should be concerned. Any company has to be worried about leakage of intellectual property -- with Microsoft ownership, does that risk increase?

Let's first answer one question -- Is it technically possible for a Github employee today, or a future Microsoft employee, to access private Github repositories?

Before we get into "Can they" let's spend a moment pondering "Why would they"

If Microsoft were to do something evil with Github

  • How many class action lawsuits?
  • How much reputation damage?
  • How many pissed off developers would be shunning Microsoft?
  • Why would it be worthwhile? (Microsoft has a reputation of not even reusing internal code across projects)

The backlash would be so enormous as to make it so expensive for Microsoft to do such a thing that logic dictates treating Github with the utmost integrity. Consider that Microsoft's developer tools and services for developers (Azure, etc) are already in wide use, and that Microsoft already understands the value in winning and keeping developers trust.

But also notice that there is a presumption that Microsoft is likely to do something evil with Github, because of the assumption that Microsoft is evil. That perception is rooted in the reality of what Microsoft did to the computing industry in the 1980's and 1990's. Microsoft really did have to pay out $billions in damages in at least two major lawsuits over their predatory practices. Microsoft really did violate the Java license resulting in paying $2 billion in damages to Sun Microsystems. Microsoft really did predatorily prevent PC vendors from selling computers bundled with Linux rather than Windows. etc etc etc.

The last few years Microsoft seems to have changed their tune. I am finding myself in the strange position of being a happy user of Microsoft software after years of eschewing anything from Microsoft to avoid Feeding the Beast. Namely, I’m using Visual Studio Code, I am using Node.js for as much as I can (Microsoft makes lots of contributions), and I am pleasantly surprised at how the Windows Subsystem for Linux can make Windows bearable to use.

Er... let's get back to the question

Will Microsoft be able to steal from private Github repositories?

Some services are constructed such that the data is kept encrypted using a password controlled by the owner of that data. The only entity that can unlock that data is the owner of the data, at their request. The owner of the website cannot unlock the data, only the owner of the data. The webservice is merely storing that encrypted data as a convenience.

Github is not constructed that way.

We have the word of a Github employee, Zach Holman, in a Quora answer: (www.quora.com) Can GitHub employees view the contents of private repositories? He says "Yes, but not without your consent." Github employees have a legitimate reason to do so while troubleshooting problems where you've asked for support. However, Holman says the process that's involved ("we have a concept of "unlocking" a repository for ten minutes so we can try to reproduce a problem, but every unlock is timestamped with who performed that action and why they performed that action") is onerous that Github employees prefer to not do so. Instead, they prefer to start with a clean Github repository to try and reproduce the problem.

Holman points to this article: (help.github.com) https://help.github.com/articles/github-security

It's clear that Microsoft understands that IF they perpetrate evil through owning Github, that a whole generation of developers will come away betrayed. That's according to the incoming CEO of Github, who himself is an open source luminary. (medium.com) Microsoft could lose big if it screws up Github acquisition

Microsoft clearly knows that the last few years they’ve been carefully rehabilitating the corporate image. We who remember the 1980’s and 1990’s are slowly warming up to Microsoft.

Microsoft knows it has to treat Github with the utmost respectability and integrity.

Microsoft knows that if this acquisition is screwed up, they’ll lose a whole generation of developers who will feel betrayed similar to the betrayal felt by those of us who started in the 1980’s to 1990’s.

That knowledge may be enough to keep Microsoft from doing anything evil with Github. That remains to be seen, however.

In another Quora answer thread ( (www.quora.com) Can Microsoft steal source code from private GitHub repositories?) In that thread, several Microsoft employees are saying that Microsoft is a reputable company and they wouldn't do such a thing. It's difficult to fully trust those comments, since the writers are surely biased.