I don't know if there are other companies doing this, but putting privacy and terms of service updates on GitHub seems like a simple way to be transparent. It makes it easy to see what has been added and removed from previous updates.
All it takes is a single person having it cloned, who can call them out because the hash values would have changed. This isn't really a realistic threat.
IMHO such legal documents should be kept on machines under more direct control. You want to, at a minimum, be able to pull the plug if someone starts messing with the contract between you and your customers. They can do too much PR damage too quickly. I'm even hesitant to endorse hosting them via clouds.
That's really more of an issue if you are serving them directly via GitHub, or linking to GitHub. Presumably they have a local repo, so if someone did something nefarious with the revision history, it would be easy to detect, but having it online with revision history does make it more transparent.
Really, what we have here is the draft documents from which they publish their policies and guidelines, just like a public source repo is a draft repo from which production is deployed (hopefully).
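The tamper check the comments above rely on (one existing clone is enough, because the hash values change), as an added example that is not part of the original thread. It uses git's real SHA-1 object-id format but a simplified commit body (blob id and parent id only, an assumption), and the revision texts are constructed samples.

```python
import hashlib

def git_object_id(kind, body):
    """Object id as git's SHA-1 object format computes it: sha1("<kind> <len>\\0" + body)."""
    return hashlib.sha1(f"{kind} {len(body)}".encode() + b"\0" + body).hexdigest()

def commit_chain(revisions):
    """Commit ids, oldest first, for a linear history of document revisions.
    Simplified (assumption): each commit body names the blob id and the parent id only;
    real commits point at a tree and carry author, date and message."""
    ids, parent = [], None
    for text in revisions:
        body = f"blob {git_object_id('blob', text.encode())}\n"
        if parent:
            body += f"parent {parent}\n"
        parent = git_object_id("commit", body.encode())
        ids.append(parent)
    return ids

def first_divergence(local_ids, remote_ids):
    """Index of the first commit the clone holds that the remote no longer matches;
    None when the remote only appends to the clone's history."""
    for i, local_id in enumerate(local_ids):
        if i >= len(remote_ids) or remote_ids[i] != local_id:
            return i
    return None

# Constructed sample revisions of a terms-of-service file.
PUBLISHED = ["v1: disputes go to arbitration.\n",
             "v2: disputes go to arbitration in California.\n",
             "v3: added a section on data export.\n"]
# History rewritten on the host: v2 silently altered, v3 text left identical.
REWRITTEN = [PUBLISHED[0], "v2: disputes go to court.\n", PUBLISHED[2]]
# Legitimate update: one new revision appended.
EXTENDED = PUBLISHED + ["v4: clarified the refund policy.\n"]

if __name__ == "__main__":
    clone = commit_chain(PUBLISHED)
    print("rewritten history diverges at:", first_divergence(clone, commit_chain(REWRITTEN)))
    print("appended history diverges at:", first_divergence(clone, commit_chain(EXTENDED)))
```

Because every commit id covers its parent's id, the unchanged v3 text still gets a different id once v2 is altered, so comparing only the tip a clone last fetched is enough to notice the rewrite.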
Arguably, if your code is hosted by a third-party, the legal document is the least of your problems. If someone modified your legal documents without your knowledge, you are likely to be able to fight it as having been a victim of fraud yourself, and you wouldn't be expected to abide by fraudulent contracts created by a third party impersonating you, right? (I don't really know for sure, you are the attorney, but I'd be surprised if you were liable for forged contracts)
On the other hand, if your code is modified, it can exfiltrate data that you are never getting back, no matter what the legal system says. Even credit card numbers are not the worst, since in theory you can end up reversing every single fraudulent transaction made, and insurance might cover your liability. But in the case of Medium, it could, say, leak the real world identity of a blogger or citizen journalist in a place where doing so would put their lives at risk. So if you are already trusting a third party with the lives of your users who are trusting you with their lives (whether they should or not), is having the text of your EULA swapped by the lyrics of "I am never gonna give you up" really a worst case scenario?
At this point, given how many people use it as the authoritative source for their software, GitHub is already critical infrastructure, on par with GPS and the electrical grid of many countries. So if GitHub goes rogue or is compromised, the damage can be pretty catastrophic. Brave new world, ain't it?
>> Arguably, if your code is hosted by a third-party, the legal document is the least of your problems.
It depends on who you talk to. The legal dept would say that code can be replaced. The coding people similarly look down on contracts as paper anachronisms. Which matters more depends on the situation. The one that matters in any moment is whichever has been attacked most recently.
I would say that errors in a contract are more expensive to fix than code. A change to code can be patched once detected. But drop a key line from a contract, perhaps the limitation on jurisdiction or arbitration, and you might be stuck with costly litigation even if you make a change ASAP.
But would you be actually responsible for it if someone changes your contract without your knowledge? Even if you are the one serving it?
So, if I went to a car dealership with my own modified contract in hand, and surreptitiously changed it for the one being put forth by the dealer and got him to sign it, would he be bound by that contract? (independent of whether or not I am committing a crime in that scenario)
Re: The code can be replaced. Sure, I am not worried about losing code at rest, for anything non-trivial you should have plenty of copies of a git repository anyways. But if modified code gets deployed, then suddenly you can take actions that might cost human lives or leak sensitive data and that genie can't be put back in the bottle, at any cost.
Just in case anybody is wondering why Medium's terms of service are at the top of HN right now