Protecting your digital privacy can be an overwhelming task these days, especially given the vast number of online accounts many of us maintain. At GitHub we take our responsibility for the data you share with us seriously, and want to make it as easy as possible for you to keep track of it and decide if, how, and for how long it’s used. Below you will find tips and advice on protecting the privacy of your GitHub account and its contents to help you make informed decisions.
Keeping your email address private
All newly created user accounts on GitHub.com now have the "keep my email address private" setting enabled by default. This means that unless you explicitly update the setting, no email address will be displayed on your public profile and a @users.noreply.github.com email will replace your private email in web-based Git operations such as edits and merges. You can also set your GitHub-provided noreply email address in Git, which will then become the author of any future commits you push to GitHub from the command line. “Setting your commit email address in git” is a handy guide to help with that.
By taking these steps you can avoid your personal email address being publicly exposed through your GitHub profile or Git operations. For additional reassurance you may also want to select "Block command line pushes that expose my email", which can be found within the Email section of your user account’s settings.
If you are thinking about updating these privacy settings to make your email address publicly visible, keep in mind that an email address displayed on your profile page can be viewed by anyone, regardless of whether or not they have a GitHub account. It’s also worth considering that whatever email address you use to perform Git operations, whether web-based or from the command line, will be permanently recorded in Git’s commit history.
While it is technically possible to revise the author information in existing commits for a repository that you own, this requires rewriting the entire history of the repository, and can be very disruptive to anyone else collaborating on the repository. We strongly advise against taking this action whenever possible.
Historically, newly created GitHub accounts did not have their email address set to private by default, but any user can still take advantage of this setting, which can also be found in the Emails section of your user settings. As mentioned previously, updating this setting now for your GitHub account and your Git configuration will only affect the author details of your future commits, and will not impact details associated with Git operations made previously.
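To see which addresses a repository's history already records, and to catch a non-noreply identity before it is committed, the following POSIX shell functions can help. This is an added example, not GitHub's own code: the function names, the `ID+USERNAME` placeholder and every sample address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not GitHub's code. All addresses are constructed samples.
# To use a noreply identity for future commits (ID+USERNAME is a placeholder):
#   git config --global user.email "ID+USERNAME@users.noreply.github.com"
NOREPLY_SUFFIX='@users.noreply.github.com'

# Succeeds only if $1 ends with the noreply suffix (case-insensitive)
# and has a non-empty local part.
is_noreply() {
    _lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$_lc" in
        ?*"$NOREPLY_SUFFIX") return 0 ;;
        *) return 1 ;;
    esac
}

# Reads one address per line on stdin; prints "COUNT ADDRESS" for each
# distinct non-noreply address, most frequent first.
exposed_emails() {
    while IFS= read -r addr; do
        [ -n "$addr" ] || continue
        is_noreply "$addr" || printf '%s\n' "$addr"
    done | tr '[:upper:]' '[:lower:]' | sort | uniq -c |
        awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# Author and committer addresses recorded on every ref of the current repo.
audit_repo() {
    git log --all --format='%ae%n%ce' | exposed_emails
}

# Pre-commit style gate: fail when the configured identity is not noreply.
check_identity() {
    configured=$(git config user.email) || { echo 'user.email is not set' >&2; return 1; }
    is_noreply "$configured" && return 0
    echo "user.email '$configured' would be recorded in commit history" >&2
    return 1
}

# Constructed stand-in for `git log --format='%ae%n%ce'` output.
sample_log() {
    printf '%s\n' \
        '1234567+octocat@users.noreply.github.com' \
        'Jane.Doe@corp.example' \
        'jane.doe@corp.example' \
        'jane@home.example' \
        'x@users.noreply.github.com.example'
}

sample_log | exposed_emails
```

Run `audit_repo` inside a repository before making it public, and call `check_identity` from a `pre-commit` hook to stop a commit made with a personal address.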
Keeping track of your personal data
An important aspect of managing your privacy online is knowing what information you’ve shared and with whom. On GitHub you can view and edit the personal data you’ve shared with us while signed in to your account by visiting your profile settings: https://github.com/settings/profile. Here you can make changes, like updating the name we publicly display on your profile (you may want to opt for a pseudonym or even leave the name field blank), and changing your profile picture (see “Setting your profile picture”). When deciding what to display in these fields, again keep in mind that anything displayed on your public profile will be visible to anyone, regardless of whether or not they have a GitHub account or are signed in.
Privacy and security: two sides of the same coin
Without good security, privacy is largely meaningless, and vice versa. As Justin explained in the previous post Getting Started with GitHub: Part 3 — Account security best practices, there is a lot you can do to keep your account as secure as possible, thereby protecting the privacy of the data you have stored within it. The TL;DR is:
- Use strong, unique passwords for all your online accounts
- Take advantage of password managers to keep track of your many complex passwords
- 2FA will exponentially improve the security of your account, but it’s crucial that you configure as many recovery methods as possible, keep those recovery methods secure, and regularly review their validity to minimise the risk of losing access to your account
It’s always a good idea to have at least one backup email address on your account, to minimise the risk of losing the account should you lose access to the primary email address. Check out “Setting a backup email address” for additional guidance. However, if you are thinking of setting your current work email address as a backup, there are a few things you will want to consider first.
Work email addresses are rarely under your full administrative control, and giving them the necessary permissions to reset your password and access your account may potentially put the security of your account and the privacy of its content at risk. Unless you absolutely trust your employer, or whoever has administrative control over your work email address, you may not want to give it permission to be used to reset your account’s password. You should instead select an additional email address fully under your administrative control and set this as your backup email.
You can still go ahead and add your work email address to your GitHub account; as long as you do not select it as your backup email it will not pose any threat to the security of your account.
Keeping your contributions private
All contributions you’ve made to public repositories in the past year will be visible on your profile’s contributions graph, but it’s up to you whether a record of your private contributions is included here as well. By default we will only include public contributions in the graph, and if you choose to update this setting to include private contributions, only anonymized data will be shown. Take a look at “Publicising or hiding your private contributions on your profile”.
Feel free to share any thoughts or general questions about GitHub account privacy below, or reach out to us at firstname.lastname@example.org if you need any assistance or advice specific to your user account.