Tell HN: YC companies scrape GitHub activity, send spam emails to users
YC companies are allegedly scraping GitHub commit data to cold-email developers, sparking a fresh wave of controversy. This practice, often seen as unethical spam, is generating significant pushback from the developer community on Hacker News. The discussion highlights long-standing tensions between aggressive growth-hacking tactics, developer privacy, and the perceived ethical standards of Y Combinator.
The Lowdown
A Hacker News user reported receiving unsolicited marketing emails from Y Combinator-affiliated companies that clearly scraped their GitHub activity. The emails, which claim to have 'found your GitHub' and noted contributions to relevant repositories, suggest a systematic approach to identifying and targeting developers without their consent.
- The primary complaint involves "Run ANywhere" (W26) and "Voice.AI," with the author suspecting they use commit metadata for targeted outreach. This raises concerns about GDPR compliance for recipients in Europe.
- The author has lodged complaints with the companies themselves, GitHub, and YC Ethics, awaiting their responses.
- Other users quickly chimed in, sharing similar experiences with YC companies like "Aden," "Backdrop," and "Cactus Compute," often noting the use of burner domains to protect their main brand's email reputation.
- A GitHub staff member confirmed that such behavior violates their terms of service, stating they take action against offending accounts, though many users expressed skepticism about the effectiveness of such enforcement.
This incident has reignited a perennial debate on Hacker News about startup ethics, developer privacy, and the efficacy of "growth hacking" techniques that border on spam.
The Gossip
YC's Questionable Quests
Many commenters suggest that this spamming reflects a deeper, long-standing issue with Y Combinator's ethos, pointing to their infamous application question about 'hacking some system to your advantage.' This question, they argue, selects for founders willing to operate in legal and ethical gray areas, as seen with early Airbnb or Reddit tactics. Critics assert that YC prioritizes growth and financial gain over ethical conduct, leading to a 'cutthroat business' culture where 'ethics' is a headscratchingly dense idea for an industry tied to certain VC personalities.
GitHub's Guardrails & Grievances
A GitHub staff member clarified that scraping public repository data for spam is against their terms of service and they do take action, including banning accounts. They recommend users utilize GitHub's 'noreply' email feature for commits to protect their privacy. However, many users expressed frustration with GitHub's enforcement, reporting that their spam complaints often go unaddressed or are dismissed as 'off-platform' activity, allowing spammers to continue. There's debate on whether GitHub could implement more robust technical solutions without fundamentally altering Git's distributed nature or annoying legitimate users.
Spam Saga & Solutions
Developers are tired of unsolicited emails derived from their GitHub activity, seeing it as ineffective and damaging to brand reputation. Many shared receiving similar, poorly targeted AI-related spam from various companies, including YC-affiliated ones. Practical advice from the community includes using email aliases (e.g., `myemail+gh@mail.com`) to track origins, reporting spam to email service providers, and simply moving such emails to Gmail's 'Promotions' tab. There's a strong consensus that being spammed actively discourages engagement with the sender's product or company.
The Ethics of Openness
The discussion delves into the ethical and legal implications of scraping publicly available GitHub data. Some argue that if an email address is public (e.g., in commit history), users implicitly consent to being contacted, and GitHub offers privacy features like `noreply` addresses. Others contend that this 'public by default' doesn't equate to consent for marketing spam, especially under GDPR. The debate also touched on the legality of such activities, with some pointing out the challenges of pursuing legal action (e.g., class-action lawsuits or GDPR complaints) due to low damages and cross-border complexities, contrasted with the potential for companies to face penalties under laws like FCRA if operating in certain ways.