Is GitHub Safe for Privacy Projects? The Microsoft Problem
Most privacy projects live on GitHub. That contradiction matters. GitHub has belonged to Microsoft since 2018. Microsoft is a US company subject to FISA 702, National Security Letters, and the CLOUD Act. When you push code, GitHub logs your IP address, commit times, browser fingerprint, and account metadata. Microsoft gets hundreds of government data requests each year and cannot disclose many of them.
What GitHub Logs
GitHub's privacy statement says it collects IP addresses for all requests, browser and OS details, pages visited, time spent, referring URLs, and information you hand over directly, including a real name if you give one. For logged-in users, that data ties back to the account. For people browsing a public repo, GitHub still logs the request IP.
Contributor metadata is the weak point for privacy projects. Git commits include an email address by default. If you use a real one, every commit in the repo history carries your identity. Even with a pseudonym address, GitHub still links your account to your IP history, and that data can be subpoenaed.
The Legal Exposure
Microsoft, which runs GitHub, can be compelled under several US legal frameworks:
- FISA 702: allows the NSA to compel US companies to produce data on foreign nationals communicating with US persons. No individual warrant is required.
- National Security Letters (NSLs): FBI-issued administrative subpoenas with gag orders attached. Microsoft cannot disclose that it received one or handed over data.
- CLOUD Act (2018): allows US law enforcement to demand data stored overseas by US companies. It extended the reach of US surveillance law.
Microsoft's 2025 transparency report lists more than 800 government data requests in the US alone. Some involve GitHub. If an NSL covers them, you will never hear about it.
GitHub vs Codeberg
| Factor | GitHub (Microsoft) | Codeberg |
|---|---|---|
| Owner | Microsoft Corp. (US) | Codeberg e.V. (German nonprofit) |
| Jurisdiction | United States | Germany / EU |
| FISA 702 exposure | Yes | No (outside US jurisdiction) |
| NSL gag orders | Yes | No |
| GDPR obligation | Yes (but US-overridable) | Yes (primary jurisdiction) |
| Transparency report | Published annually | Published annually |
| Software | Proprietary | Forgejo (open source Gitea fork) |
| CI/CD | GitHub Actions (proprietary) | Woodpecker CI (open source) |
| Funding | Microsoft revenue | Donations + memberships |
| Pricing | Free / Pro tiers | Free (donation-supported) |
Migrating to Codeberg
Codeberg (codeberg.org) is a German nonprofit running Forgejo, an open-source fork of Gitea. It has no Microsoft, Google, or US corporate owner. German law requires a court order for user data, and GDPR is the main legal framework.
Migration is simple:
- Create an account at codeberg.org (no real name required, no phone number)
- Create a new repository on Codeberg with the same name
- Add Codeberg as a second remote: `git remote add codeberg https://codeberg.org/USERNAME/REPO.git`
- Push: `git push codeberg main --tags`
- Optionally archive the GitHub repo (keeps existing links alive) or delete it
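The remote-add and push steps above, put together as a script. This is an added example, not code from the article or from Codeberg, and it goes slightly beyond the list: it pushes every branch and every tag rather than only main, and then checks that the remote holds the same refs as the local clone. In demo_mirror() a local bare repository stands in for the codeberg.org URL so the whole thing runs offline; the remote name "codeberg" and the constructed sample repo are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or from Codeberg): mirror every branch
# and tag of a local repository to a "codeberg" remote, then verify that the
# remote holds exactly the same refs. demo_mirror() uses a local bare
# repository as a stand-in for https://codeberg.org/USERNAME/REPO.git so the
# whole thing runs offline; in practice pass the real HTTPS or SSH URL.
set -eu

# Add the "codeberg" remote to the repo at $1, or repoint it if it exists.
add_codeberg_remote() {
  repo=$1
  url=$2
  if git -C "$repo" remote get-url codeberg >/dev/null 2>&1; then
    git -C "$repo" remote set-url codeberg "$url"
  else
    git -C "$repo" remote add codeberg "$url"
  fi
}

# Push all branches and all tags. "git push codeberg main --tags" moves
# main only; feature branches would stay behind on GitHub.
push_all_to_codeberg() {
  git -C "$1" push --quiet codeberg --all
  git -C "$1" push --quiet codeberg --tags
}

# Print "mirror-ok" when every local branch and tag exists at the remote
# with the same hash, otherwise "mirror-diverged". Peeled tag entries
# ("^{}") from ls-remote are dropped so both lists have the same shape.
verify_mirror() {
  repo=$1
  local_refs=$(git -C "$repo" show-ref --heads --tags | awk '{print $1, $2}' | sort)
  remote_refs=$(git -C "$repo" ls-remote --heads --tags codeberg \
    | grep -v '\^{}' | awk '{print $1, $2}' | sort)
  if [ "$local_refs" = "$remote_refs" ]; then
    echo mirror-ok
  else
    echo mirror-diverged
  fi
}

# Offline walk-through with a constructed repo: two branches, one tag.
demo_mirror() {
  work=$(mktemp -d)
  src=$work/src
  fake_codeberg=$work/codeberg.git   # stand-in for the Codeberg URL
  git init -q "$src"
  git -C "$src" symbolic-ref HEAD refs/heads/main
  echo "privacy tool" > "$src/README.md"
  git -C "$src" add README.md
  git -C "$src" -c user.name=dev -c user.email=dev@users.noreply.github.com \
    commit -q -m "initial import"
  git -C "$src" tag v0.1.0
  git -C "$src" checkout -q -b feature
  echo "wip" >> "$src/README.md"
  git -C "$src" -c user.name=dev -c user.email=dev@users.noreply.github.com \
    commit -q -am "feature work"
  git init -q --bare "$fake_codeberg"
  add_codeberg_remote "$src" "$fake_codeberg"
  push_all_to_codeberg "$src"
  result=$(verify_mirror "$src")
  rm -rf "$work"
  echo "$result"
}

if [ "${1:-}" = "--demo" ]; then
  demo_mirror
fi
```

Run it with `--demo` to see the offline round trip; for a real migration call `add_codeberg_remote . https://codeberg.org/USERNAME/REPO.git`, then `push_all_to_codeberg .` and `verify_mirror .` from inside the clone. The verify step is worth keeping even after a one-off migration: if the two sides ever diverge, the archived GitHub copy is no longer a faithful mirror of what users are asked to trust.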
For CI/CD, Codeberg supports Woodpecker CI, an open-source pipeline runner that can build, test, and deploy on push. Configuration lives in a `.woodpecker.yml` file with syntax similar to GitHub Actions.
Reducing Exposure on GitHub (If You Stay)
If you cannot leave right away:
- Set your git commit email to a privacy-respecting alias: `git config --global user.email noreply@example.com`. GitHub offers a private noreply address in Settings → Email.
- Access GitHub over Tor or a trusted VPN. Your IP is logged on every request.
- Do not use your real name as your GitHub username or display name on a project you want pseudonymous.
- Use SSH keys rather than HTTPS. SSH does not send your email in requests.
- Keep sensitive development history local and only push cleaned commits.
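The email-alias and cleaned-commits points above can be enforced with a pre-push check. This is an added shell example, not from the article: it scans the commits that are not yet on the upstream ref for author or committer addresses that would tie the history to a real person, and sets a repo-local pseudonymous identity. The accepted address patterns (GitHub's ID+USERNAME@users.noreply.github.com form and any noreply@ alias), the function names, and the constructed sample log in demo_audit() are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): a pre-push identity audit for a repo
# that stays on GitHub. It scans commits about to be pushed for addresses
# that would tie history to a real person. The noreply patterns below are an
# assumed policy: GitHub's ID+USERNAME@users.noreply.github.com form plus a
# generic noreply@ alias like the article's noreply@example.com.
set -eu

# Return 0 when the address is one we are happy to publish.
is_private_email() {
  case "$1" in
    *@users.noreply.github.com|noreply@*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read lines of "hash<TAB>author-email<TAB>committer-email" on stdin and
# print each commit whose author or committer address is identifying.
# The committer is checked too: rebases and cherry-picks rewrite it from
# whatever user.email is active at that moment.
flag_identifying_commits() {
  tab=$(printf '\t')
  while IFS="$tab" read -r hash author committer; do
    if ! is_private_email "$author" || ! is_private_email "$committer"; then
      echo "$hash $author $committer"
    fi
  done
}

# Audit the commits in repo $1 that are not yet on upstream ref $2
# (e.g. origin/main), using git's %ae / %ce format placeholders.
audit_unpushed() {
  git -C "$1" log --format='%H%x09%ae%x09%ce' "$2..HEAD" | flag_identifying_commits
}

# Set a repo-local commit identity. The article's command uses --global;
# per-repo config keeps a pseudonym confined to this one project.
set_private_identity() {
  git -C "$1" config user.email "$2"
  git -C "$1" config user.name "$3"
}

# Constructed sample log: one clean commit, one leaking a corporate address
# via the author field, one leaking it via the committer field.
demo_audit() {
  printf '%s\t%s\t%s\n' \
    aaaa111 12345+dev@users.noreply.github.com 12345+dev@users.noreply.github.com \
    bbbb222 jane.doe@corp.example 12345+dev@users.noreply.github.com \
    cccc333 12345+dev@users.noreply.github.com jane.doe@corp.example \
    | flag_identifying_commits
}

if [ "${1:-}" = "--demo" ]; then
  demo_audit
fi
```

In a real repo, `audit_unpushed . origin/main` lists every unpushed commit that would leak an address; an empty result means the push is clean. Leaked commits can be rewritten locally before they ever reach the remote, which is the only point at which the "push cleaned commits" advice is still cheap to follow.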
The Broader Infrastructure Question
GitHub is only one layer. If you deploy a privacy app, look at the full stack: code host, server, DNS, and how each bill gets paid. A Codeberg repo on a FlokiNET VPS paid in XMR, with a domain through Njalla, carries a different risk profile than GitHub, AWS, and Stripe.
Follow the Money
Microsoft's $21.7B in US government cloud contracts create a clear incentive to comply with data requests. Codeberg's budget is about €200K a year. It has no government revenue to protect.