On getting my GitHub account "hidden" for about fifteen minutes

I had posted a new issue on GitHub, and then suddenly there was a warning that GitHub's mostly harmless robots had decided I was not human and had automattically hidden my account. I could still see my posts, but no one else could.

This is in response to a question by Chris Hills about an event my GitHub account got hidden for about ten or fifteen minutes after I posted a new issue (until the account was unhidden after I requested they restore it). His question: http://ma.tt/2015/11/dance-to-calypso/#comment-584962

Thanks for asking, Chris. Andrew at GitHub had written back to me, saying: "Sorry about that! Sometimes our spam-detecting robots get a little overzealous and need to be reprogrammed. I've reset your profile, so your repositories and gists should be available again, and you shouldn't see that message anymore."

So, that's all I know. I assume it was because it was a long text with various links to discussions on Hacker News and elsewhere discussing the React licensing issue. But it may well be that in content with some key words or phrases. I don't expect them to give a full explanation for reason of not making life easier for spammers who would then avoid specific patterns.

More reflections on the experience including how it relates to possible Calypso enhancements

While I obviously did not like what happened, I'm thankful GitHub did it in the sense that it shows GitHub is trying hard to keep GitHub spam-free and useful. That being said, it is still a wakeup call for me and an example of what can happen when you keep all your eggs in one pretty useful basket. I could have moved all the repositories elsewhere given git itself is distributed and I have local copies of the code, but that would have been a big mess with my having told a lot of people over the years about the links and such. I'd also have had to recreate all the issues in some new system (thankfully the issue content was still accessible to me when logged into GitHub, even if no one else could see it). Compare that to me hosting my repositories and issues via a WordPress plugin on a site where I control the DNS pointing to the server and can just move a WordPress blog from one provide to another if needed. Of course, even DNS accounts can have issues or get hacked, so that is not a perfect solution either.

GitHub has become the defacto hub now for FOSS development -- no doubt a big reason Automattic has reasonably chosen it for Calypso development. So, losing an account there would be very worrisome for any developer. I've read about (non-spammer) people seeing their their Google accounts and gmail suddenly disappear for whatever reason, but you never think it could happen to you until it does. I assume WordPress.com may do the same thing perhaps, so again, I understand it as a cost or risk of using such services. It perhaps comes down to how much faith you have that the system operators will do (in your opinion) the right thing now and in the future. I had some faith in GitHub, and it proved well-founded. Still, the net change for me is a chilling effect, given I obviously don't want this to happen again perhaps with a different outcome. For example, I did not want to edit the original GitHub post, in case it triggered the system again.

Even in a distributed system like a hypothetical social semantic desktop mentioned above, dealing with spam and such will be a big issue -- Akismet as a spam filtering system is how Automattic got started. Community management is a complex topic though. In "A Group Is Its Own Worst Enemy" Clay Shirky writes about one group that let itself disappear by refusing to deal with community issues as it could not balance free speech and community processes when it got an influx of new users. Like Doug Engelbart, Clay Shirky essentially says communities need to co-evolve with their tools, content, and social processes. As Shirky says in that essay: "Writing social software is hard. And, as I said, the act of writing social software is more like the work of an economist or a political scientist. And the act of hosting social software, the relationship of someone who hosts it is more like a relationship of landlords to tenants than owners to boxes in a warehouse." So, to me, seeing my account at GitHub suddenly disappear felt like getting home from the store and finding your landlord has changed the locks on your apartment with no notice while you were out with all your stuff still inside. To GitHub, they might just feel like they moved a box around, one out of millions of boxes they manage every day, and which in general they do a pretty good job with.

One way to help deal with that, say in a future version of Calypso/WordPress, is to have people digitally sign comments (and in general, sign any kind of messages that define content, even drawings). People could have their ID essentially be their public key (or perhaps, have their WordPress ID be linked to a public key). People could either post content as comments on other people's blogs or they could always post content on their local blogs which could then be federated in various ways via a search facility hosted by Automattic (as with "Smallest Federated Wiki"). Then users could filter on signed items, and people can do local bans or use software that consults various community-maintained lists of whitelisted and blacklisted signatures (similar to antispam lists for email, with their being multiple ones to choose from). IDs could also be based on characteristics (maybe even automatically by some services). I'd obviously be tagged "long poster" :-) and some people could just hide everything by someone like me by default. Slashdot-like moderation points could perhaps also be linked to these IDs within specific sites; you might prefer to follow the moderation points of certain people you trust. It could help (arguably), if, as with Minecraft, people paid US$20 (or more) for an ID (maybe less in materially poorer countries), which makes people a bit less likely to create lots of them for spamming (or griefing as the Minecraft equivalent). But even if such IDs are self-generated, whitelists and blacklists of them could help. Although then private keys could get compromised, creating another issue to deal with (unless the IDs were tied to a WordPress.com ID, but then that has different issues as a single point of failure). So, no easy answers, although I kind of have a sketch in my mind of something that feels like it might work in a distributed system (a sketch which may be completely inadequate of course). Now that Calypso is showing millions of people what is possible as Calypso starts to blur the distinction between desktop and web, and now that Calypso shows people how JavaScript can bring an immediacy to both "surfing" and "making" the web, and also now that Calypso itself might make it easier to post WordPress comments, I expect we will see a lot of innovation in this area.

My original post on this issue was here:

While conceptually I applaud Calypso as a huge advance for WordPress, as far as underlying technological choices, one big reason I chose Mithril over React for a big project was Facebook’s overly-broad patent termination policy for React. Hopefully Automattic has reviewed that policy in detail and fully assessed the legal risks to Automattic and the WordPress community versus technical benefits of using React in Calypso versus other workable technical alternatives like Mithril? If picking React was not a fully-informed choice accepting a substantial theoretical long-term legal risk in exchange for short-term practical benefits or various community momentum effects, I’d suggest starting to convert Calypso from React to Mithril (or a similar system) *today*. Switching the codebase to TypeScript 1.6+ first might facilitate that refactoring.

-- Ironic consequence

I tried to post a longer version of this and it did not go through, probably because of too many supporting links. You can see that version there:

Feel free to delete the long version I posted here previously which may well be awaiting moderation and is essentially identical to that issue.

Ironically, immediately after posting that issue to GitHub about patent risks of Facebook and React cutting off free speech about patents on the internet, GitHub decide I was not human and has now hidden my profile. :-( This also hides all the free software I’ve developed and published on GitHub. :-( That may well in practice ruin my career etc. unless GitHub decides to reinstate my profile. :-( I asked nicely just now, so I can be hopeful. :-) I guess it’s really true that no good deed goes unpunished — but I guess you still have to do them anyway. :-) And what kind of good career could it be if I foolishly let it become dependent on one centralized service like GitHub? :-)

Anyway, that issue will not be available for viewing by others unless GitHub decides to reinstate my profile.

My reply to myself as an update was here:

Thankfully, Andrew at GitHub has decided to reinstate my profile. Whew. :-) So that link mentioned above is now working for others who are interested in Facebook-scale licensing issue and React vs. Mithril. It was obviously disconcerting to see years of work disappear in terms of telling people to go to some place to get code or talk about it. That experience is something to reflect further on for everyone — how easy it is for a big centralized service you’ve become dependent on to suddenly cut you off or disappear (whether it folds for business reasons or for legal reasons like patents, or whether it cuts you off because of something you said that a spam-detecting robot did not like). Decentralization is one reason I like WordPress so much over, say, Facebook or Google+. Even when hosting at WordPress.com, you can move the site to other hosting and it will look pretty much the same (well, with some needed plugins perhaps). WordPress.com will even help you do that (for a fee). You can’t do that with Facebook, Google+, or even GitHub.

For example, months ago I asked GitHub why I could not get copies of issues or posts that I had made emailed to me as notifications as I created them. They did not have much of an answer for me. Their position seems to be that the current system only “notifies” you about changes you did not make (because any change you made you already know about, so their is no point in “notifying” you about it). Which conveniently contributes to vendor lock in as well, since it is not easily possible to have a full record of a GitHub project maintained as changes are made — unlike, say, WordPress where you can be asked to be emailed about all changes to a site. (Although it is true you can manually download web pages from GitHub with issues.) I did choose to use GitHub issues for one project, but I can wonder if that will ultimately turn out to be a mistake, as like above, when the whole thing just disappears and I don’t have a complete record of all issues? As Mr. Rogers sings: “What do you do with the mad that you feel?” That is true even when you feel mad with yourself about some dumb decision you made out of convenience without enough forethought… :-)

To link this back to the Calypso project, imagine something like GitHub but running as decentralized social semantic desktop software under Calypso where you could easily move the entire project from one hosting provide to another, issues and all. :-) And maybe with just a little Domain Name System (DNS) magic similar to moving web hosting providers. To me, that is the ultimate potential of something like Calypso when considered broadly — to make all sorts of sophisticated collaborative software easier to write and maintain.