
Harvesting user email addresses without any form of consent is against GDPR regulation #17

Closed
njannink opened this issue Aug 8, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@njannink

njannink commented Aug 8, 2023

The SponsorLink addin is sending user email addresses without any consent to a cloud API. When used inside a corporate environment it is unacceptable. Next to this, it's also against EU GDPR regulations and probably most corporate environments.

Developers won't use their private GitHub account to do contributions to the corporate git repository, so SponsorLink will never work for them either.

@kzu
Member

kzu commented Aug 9, 2023

Thanks for your comment!

From the readme in this very repo, perhaps you missed this important note:

NOTE: the actual email is never sent. It's hashed with SHA256, then Base62-encoded. The only moment SponsorLink actually gets your email address, is after you install the SponsorLink GitHub app and give it explicit permission to do so.

We never get the actual email address until the user actually consents to that by installing the SponsorLink app.

@kzu kzu closed this as completed Aug 9, 2023
@iamdavidfrancis

@kzu a SHA256 of the email is not sufficient for GDPR compliance:

Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person.

https://www.privacy-regulation.eu/en/recital-26-GDPR.htm

@V0ldek

V0ldek commented Aug 9, 2023

The resulting opaque string (which can never reveal the originating email) is the only thing used.
(emph. mine)

This is completely incorrect, and not GDPR compliant.

It's not GDPR compliant due to the paragraph linked by @iamdavidfrancis.

It's trivially exploitable, since you could

  1. scrape all email addresses from all GitHub commits
  2. SHA256-hash them
  3. compare records from SponsorLink with the resulting dictionary

Since you don't use any salt when hashing, this is privacy-insecure basically by design.

Even if this was somehow legal from the standpoint of GDPR, it's so obviously and blatantly unethical that I can't even believe we need to have this discussion.
