Privacy practices with GitHub apps


#1

I’m one of the owners of a very large organization, many of whom focus on privacy issues. GitHub members can express several privacy preferences as relates to identity on GitHub:

  • They can choose to not have their email address displayed publicly.
  • They can choose to be a private member of an organization.

When a GitHub App (or OAuth app) requests access to org membership and email addresses, how are these privacy preferences handled?

Assuming that GitHub does not filter or proxy for those members, are the preferences passed on in the data to the external app?

If the preference is passed on to the external app, is there any text which states the app author is bound to honor such preferences?

Thanks!
-Hal

P.S. I originally thought this question was linked to org permissions, but they are not.


How do "org level permissions" act on a GitHub App configured for specific repositories?
#2

> When a GitHub App (or OAuth app) requests access to org membership and email addresses, how are these privacy preferences handled?

Organization-related endpoints don’t include members’ email addresses in the payloads. In order to access email addresses via the API, apps need to use an OAuth token with the user:email scope (more details here). The organization membership endpoints do include other information about the members, both members who have chosen public and private organization membership. You can see more details about the information included here: https://developer.github.com/v3/orgs/.

> Assuming that GitHub does not filter or proxy for those members, are the preferences passed on in the data to the external app?

The external app is aware of the private (concealed) vs. public membership options that members chose, in that we provide a list of public members as well as a separate list of all members.

> If the preference is passed on to the external app, is there any text which states the app author is bound to honor such preferences?

There is no text explicitly about this topic that I’m aware of, but the API Terms section of our Terms of Service may be of interest.
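The answer above says an app sees both the full member list and the public member list, so it can work out who chose concealed membership by comparing the two. The following is an added example (not code from the post or from GitHub) that an org owner could run to audit exactly that exposure: it follows GitHub's `Link`-header pagination over the real `GET /orgs/{org}/members` and `GET /orgs/{org}/public_members` endpoints and reports the concealed logins. The org name `example-org`, the `fetch` callback and the offline fixture are constructed for the example.

```python
import re

API = "https://api.github.com"


def parse_next_link(link_header):
    """Return the rel="next" URL from a GitHub Link header, or None on the last page."""
    match = re.search(r'<([^>]+)>;\s*rel="next"', link_header or "")
    return match.group(1) if match else None


def fetch_all(fetch, url):
    """Collect every page of a list endpoint. fetch(url) -> (json_list, link_header)."""
    items = []
    while url:
        page, link = fetch(url)
        items.extend(page)
        url = parse_next_link(link)
    return items


def concealed_members(fetch, org):
    """Logins present in the all-members list but absent from the public-members list.

    This is what any third party with member-read access can infer about the
    'private membership' preference, without GitHub passing the preference explicitly."""
    everyone = {m["login"] for m in fetch_all(fetch, f"{API}/orgs/{org}/members?per_page=100")}
    public = {m["login"] for m in fetch_all(fetch, f"{API}/orgs/{org}/public_members?per_page=100")}
    return sorted(everyone - public)


# Constructed offline fixture standing in for the live API (hypothetical org "example-org").
# Member objects mirror the real payload shape: login and ids, but no email field.
_MEMBERS = f"{API}/orgs/example-org/members?per_page=100"
_PUBLIC = f"{API}/orgs/example-org/public_members?per_page=100"
FIXTURE = {
    _MEMBERS: ([{"login": "alice", "id": 1}, {"login": "bob", "id": 2}],
               f'<{_MEMBERS}&page=2>; rel="next", <{_MEMBERS}&page=2>; rel="last"'),
    f"{_MEMBERS}&page=2": ([{"login": "carol", "id": 3}], ""),
    _PUBLIC: ([{"login": "alice", "id": 1}], ""),
}


def fake_fetch(url):
    """Offline stand-in; a real fetch would send 'Authorization: Bearer <token>' and read the Link header."""
    return FIXTURE[url]


if __name__ == "__main__":
    for login in concealed_members(fake_fetch, "example-org"):
        print(f"concealed membership inferable by apps: {login}")
```

Swapping `fake_fetch` for a real HTTPS client with an org-scoped token turns this into a live audit of which members' concealed preference is inferable by installed apps.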