Github took down letsencrypt-express, and all of Daplie Labs

by AJ ONeal 2016-12-30

Update: We've moved to GitLab. We're ultimately moving to, but may still be at as you're reading this.

When I started working yesterday...

I saw this

The Daplie organization has been flagged. Because of that, your organization is hidden from the public. If you believe this is a mistake, contact support to have your organization's status reviewed.

Everyone else saw this

Why? No idea.

So I shoot off an email to support immediately and reach out to my network to see if I still know anyone working at github (I don't).

We're in the process of hiring people, training them on our tools, and trying to, y'know, get work done. This is not a good day for this.

Whatever, maybe someone's just punking us for giggles... ?

I've never even noticed a 'report' or 'flag' button, but I start looking around to see if I can find one and hope it might have a little '?' icon with an explanation of how the process works. Nada.

I google (exact quote) "organization has been flagged". 0 hits.

GitHub Responds

A few hours later, here's what I see come back:

Hi AJ,

Thanks for reaching out! The Daplie organization was flagged as spam based on a report from another user. We reviewed the content in your public repositories and are inclined to agree: your organization's use of repository README files as advertising space isn't something we allow.

If you'd like to remove this content from your README files, we'd be happy to reinstate your account. I've attached a screenshot of the content in question. Let me know if you have any questions about this — we're certainly happy to help!

Best, John

At this point it's hours later. I'm on-the-go, in meetings, reading this on my phone and we literally have... mmm.... 73 (counted later) repositories with this banner.

My Hasty Response

I'm in a hurry, but I take a quick look at the Terms of Service and sure enough, there nothing about advertising or self-promotion.

I shoot a message back.

Hey John,

I'll work on that however, if that's not something you allow then will you also update your terms of use to say so?

I don't see why promoting our own company in our own projects should be a problem.

GitHub's Unwritten Rules

Eventually (still haven't had time to go through those 73 repos) I get this:

Hi AJ,

Thanks for taking care of removing that content.

A repository's README file should be used to provide information relevant to the code it contains. This isn't something mentioned in our Terms of Service explicitly, and I apologize this caught you by surprise.

While the code developed in those repositories will go to create a physical device, the README for that project shouldn't be used as an advertising space for that device. If you'd like to link to your website or provide information about your company and its products, your organization's profile is the place for this.

Let me know once that content is removed, or if you run into any troubles with it — I'm happy to lend a hand however I can.

Best, John

We decide what we should do

Once I'm finally able to respond to this I'm actually much more upset than I was initially.

Is this just some $12/hour employee on a power trip? or does Github as a company actually think it has a divine right to tell me how to run my project?

When you use the word "should" it becomes either a legal or a moral argument.

If it's a legal argument, then it should be in the terms of service.

If it's a moral argument, then don't we, as the copyright holders and produces of the content in question (the get to decide what is morally appropriate to include in the content that we produce and own full rights too?

Is what we've done against the Terms of Service (or any other policy)? If it is not, then who is the person in authority to review this incident and overturn the decision?

I recognize that you (Github) own and that it is your right to decide what you will and won't publish on your site and you can change your mind about it at any time without notice and you don't need anyone's permission to do so, but I personally don't feel like that's something you should do. There was no stipulation about how I should use the README when I signed up.

I am upset that while I have contributed to the growth and expansion of your brand both as a company (Daplie) and I as an individual (AJ ONeal) - through many years of word of mouth, building the node.js community, and building other communities - that you've taken down my organization and thousands of people that use repositories like letsencrypt-express on a regular basis now do not have access to it because someone has decided that I shouldn't also take the liberty of promoting my own business as well.

If someone flags us because they don't morally agree with how we've chosen to publish our content, I'd invite them to not use it. And if Github legally or morally doesn't agree with the content that we're publishing, it would be nice if you would have invited me to leave before taking down all of the documentation and web access to our various projects.

And so we wait

Hi AJ,

Thanks for your reply and for sharing your concerns. Our Terms of Service team are reviewing the matter and will respond to you in due course. Please be advised that this will likely be after the holidays as some members of the team are currently out of office.

Cheers, Cameron

Well, I wasn't waiting until Tuesday (5 days of downtime), so we investigated half a dozen other platforms, decided to mirror everything to immediately (because it has a great set of features) and set up our own hosted versions of Gitea (previously Gogs) and GitLab.

Our Problem: Our Messaging

The implicit problem that we, Daplie, created is that some of our messaging isn't resonating with some of our market.

By our estimation we should be exciting people who are using our open source projects (i.e. letsencrypt-express) to support us and help us take back and re-decentralize the web.

If we have many people who see us as an enemy rather than as a teammate, then we need to change our messaging and try a different approach.

That said, we don't see it as GitHub's responsibility to tell us "you're doing your README wrong" - that's something that we'll emperically discover on our own.

It's our mistake to make.

Shutting us down was GitHub's mistake to make.

Although I'm upset, we're an ownership and privacy company. Our end goal was never to give away total control of our assets and pay rent to someone else for access - which is what we're all doing when we use GitHub.

If you pay in dollars you can keep code private, otherwise you pay in bringing GitHub greater brand recognition and source that they're (most likely) free to use for their needs.

It's a pay-to-play world and apparently our self-promotion neutralized the value exchange.

Meh, we figured it out. We're in the big leagues now I guess. We own our code again so... thanks? I guess?

Since when does GitHub decree the Rules of Source?

And if Github is going to tell me what a README should be used for, then are they also going to start telling me what a LICENSE should be used for too? or that I can't use semicolons in my JavaScript?

I the last one is far-fetched, but from this incident I wouldn't be surprised if they decided to be like Google and begin to ban projects with LICENSES they don't like:

The Software shall be used for Good, not Evil (Douglas Crockford's JSON License)

I certainly wouldn't be opposed if they disallowed wantonly obscene licenses like this one:

  1. You just DO WHAT THE F--- YOU WANT TO.

But I would be upset if they started taking down proprietary commercial projects - like some of ours, and various companies that have npm-installable cli tools (similar to the Heroku toolbelt) that are public, but not open source.

This is How Human Relationships Fail

That all said, the big #fail of this situation wasn't that we did something wrong or that some open source fundamentalists didn't like our message or that GitHub beliefs on censorship and how READMEs should be written don't align with ours.

It's communication.

This could have gone much better if

  1. Our message reached our market in the "right way"
  2. GitHub documented their (internal?) policy (or values that create their policy)
  3. GitHub communicated with us as a process, not just shut us down

Perhaps the person who flagged us came across one of our repositories that is still code-empty, but had some keywords in the README that lead them to it. In that case I can see how they would have thought that our template banner was intended as SEO spam, rather than a project that just hasn't made it yet.

(sidenote: now that we're on GitLab, which has private repos, we'll try to do a better job of keeping to our policy of only releasing useful code, and wait to publish our repositories until they're ready for our community to use and develop with)

However, what we did wasn't harmful, obscene, illegal, or even against GitHub's public policies.

They could have communicated their with us and given us time to respond one way or the other before shutting down our ENTIRE organization and all of our repositories.

The way they reacted was damaging to us and also to them. We will no longer be their brand ambassadors personally. We will no longer explicitly share our community with them by hosting our code and documentation on their platform. They've simply lost trust with us and with many of the members of our community.

There's a good chance that when the higher-ups see the situation they'll reinstate our account but... the "Barrier of Convenience" that kept us tied to GitHub in the first place has been removed and we're already gone (just like that one weekend everyone switched from Morpheus to KaZaA).

Anyway, this is how relationships end: Someone begins to enforces their values without having clearly communicated what they are or why and giving the other party the opportunity to respond and to communicate their values.

Goodbye GitHub. It was great while it lasted and we'll always have the memories.

We're Freedom Fighters

Maybe my biggest beef with this situation is perhaps that I fundamentally disagree with most forms of censorship, especially what I deem to be self-righteous hypocrisy - the little sneaky implicit ones that encroach on personal choice (which I'm very hesitant to state because I, of course, also am subject to my own flawed reasoning that results in such attitudes) - but that's why I don't like the GPL or anything else that says "Here's a gift, do whatever you want... as long as it's what I want you to do with it"

Our current focus at Daplie is a secure server. It will be used for good and evil. Our goal isn't to enable people to hide themselves or create false personas, but some will. Our goal is to create the possibility for ownership of the Internet, which in turns re-establishes privacy and in turn enables greater freedom and personal choice.

It seems like a small thing now and most won't get the bigger picture quite yet, but both lives will be saved and lives will be lost - actually, in the real world - by virtue of what we're creating. Like the Internet v1, it's going to shape the future and once it's out of the box, there will be no putting it back in.

AJ ONeal
Mission: Securing the world one home at a time. Weapon(s) of choice: JavaScript (ES5.1), Node.js, GoLang