Promote "Privacy policy" to users in a better way

[sivaraam]

Currently, submitgit doesn't seem to be promoting it's privacy policy to it's users, well. It requests access to use user's email address to send email addresses using Amazon SES but doesn't specify anything about how it would be used; which is a red alarm to the privacy conscious users.

Further, submitgit could possibly face an increase in usage as a result of it being referenced in the CONTRIBUTING.md file of git/git.

So, it's better if the privacy policy was promoted to users to ensure being in the safe side.

[rtyley]

Currently, submitgit doesn't seem to be promoting it's privacy policy to it's users, well. It requests access to use user's email address to send email addresses using Amazon SES but doesn't specify anything about how it would be used; which is a red alarm to the privacy conscious users.

To make clear what submitgit needs from users, and how it will be used:

• Email registration with Amazon SES allows submitgit to send emails on the user's behalf to the Git mailing list. The Git project currently only accepts emailed patches, and these patches must be very precisely formatted (whitespace, etc), meaning you can't just send these emails from a webmail client. submitgit exists to send those emails on your behalf, generated from GitHub pull requests.
• submitgit will never send a message from a user's email address without that user's direct intervention, ie specifically by them hitting the 'Send' button in the submitgit interface.
• Nothing about this setup allows submitgit to read your email, access to which is still controlled by your email provider.
• It's a general property of email and SMTP that anyone at any time could send email with a From: header containing your email address - they don't need access to your email account to do so. For submitgit the only thing that registering with Amazon SES changes is that Amazon SES adds DKIM headers to the email, specifying that Amazon takes responsibility for sending the message, and Amazon are only willing to do that because you've registered your specific email address with Amazon SES in submitgit's AWS account. Having done all this, your message won't be deleted as spam before it hits the Git mailing list.
• The list of registered emails is stored in Amazon SES and won't be shared, though it would be easy to find most of them by searching through the Git mailing list archives.

[sivaraam]

@rtyley Thanks for the detailed info. Any ways in which users could be made aware of this, which could result in an increase in their confidence level ?