Amazon AWS withdraws Moq sponsorship amid data collection controversy
2023-08-11 14:04

Amazon AWS has dropped sponsorship support for open source project Moq after the project drew sharp criticism for its quiet addition of data collection features, as first reported by BleepingComputer.

The inclusion of the closed-source SponsorLink package caused Moq to harvest SHA-256 hashes of developer email addresses from local Git configs and upload them to SponsorLink's CDN. In reaction, several developers either discontinued use of Moq [1, 2] in favor of alternatives, or suggested building tools that would detect and block any projects that run SponsorLink.
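
One way to build the detection check those developers suggested, as an added example that is not code from the article, Moq or SponsorLink: it scans a .NET source tree's package manifests, including the lock file that records transitive dependencies, for any package ID containing "SponsorLink". Matching on that name fragment is an assumption, and the sample project, the package ID Example.SponsorLink and the 0.0.0 versions are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

MARKER = "sponsorlink"  # assumption: the package is identifiable by this name fragment

# <PackageReference Include="X"> (*.csproj, *.props) and <package id="X"> (packages.config)
XML_REF = re.compile(r'<(?:PackageReference|package)\b[^>]*?\b(?:Include|id)\s*=\s*"([^"]+)"', re.I)

def ids_in_xml(text):
    return set(XML_REF.findall(text))

def ids_in_lock(text):
    """packages.lock.json lists direct and transitive packages per target framework."""
    found = set()
    for packages in json.loads(text).get("dependencies", {}).values():
        for pkg_id, meta in packages.items():
            found.add(pkg_id)
            found.update(meta.get("dependencies", {}))
    return found

def scan(root):
    """Return sorted (relative file, package ID) pairs whose ID contains MARKER."""
    root, hits = Path(root), []
    for path in root.rglob("*"):
        name = path.name.lower()
        if not path.is_file():
            continue
        if name == "packages.lock.json":
            ids = ids_in_lock(path.read_text(encoding="utf-8-sig"))
        elif name == "packages.config" or path.suffix.lower() in (".csproj", ".props"):
            ids = ids_in_xml(path.read_text(encoding="utf-8-sig"))
        else:
            continue
        hits += [(path.relative_to(root).as_posix(), i) for i in ids if MARKER in i.lower()]
    return sorted(hits)

def demo():
    """Scan a constructed project: Moq is referenced directly, the marker package only transitively."""
    lock = {"version": 1, "dependencies": {"net6.0": {
        "Moq": {"type": "Direct", "resolved": "0.0.0", "dependencies": {"Example.SponsorLink": "0.0.0"}},
        "Example.SponsorLink": {"type": "Transitive", "resolved": "0.0.0"}}}}
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp, "App")
        app.mkdir()
        (app / "App.csproj").write_text('<Project><ItemGroup><PackageReference Include="Moq" Version="0.0.0" /></ItemGroup></Project>')
        (app / "packages.lock.json").write_text(json.dumps(lock))
        return scan(tmp)

if __name__ == "__main__":
    for file, pkg in demo():
        print(f"{file}: references {pkg}")
```

In the sample, the project file produces no hit because it names only Moq; the lock file is what exposes the transitive reference, so a CI gate built on this check needs lock files enabled.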

More than whether Moq or SponsorLink fell foul of the expectations within open source ecosystems, a pressing concern among users was whether the data collection violated privacy legislation, such as GDPR [1, 2]. A German court has previously ruled that SHA-256 hashing by was is sufficient means of data anonymization.

Amazon AWS, like many, has distanced itself from Moq and ceased endorsing the open source project.

A code change submitted to Moq by Rich Bowen, Amazon AWS' open source advocate, requests that references to AWS be removed from the project, as seen by BleepingComputer.

Popular open source project Moq criticized for quietly collecting data.


News URL

https://www.bleepingcomputer.com/news/security/amazon-aws-withdraws-moq-sponsorship-amid-data-collection-controversy/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Amazon 64 9 60 39 13 121