A few days ago I received an email from support@github.com [1]:

I’ll save you the trouble: malware doesn’t have any public activity. It doesn’t have much activity at all, to be honest: I log in and poke around a bit once in a while, but really it’s an account name that I picked up not long ago with the intent of working on some new open source stuff that wasn’t tied to my usual jperras handle.

The reason behind the second account isn’t anything nefarious or special: I simply liked the idea of being able to publish code in various states of readiness without stressing about how it might look on my “professional” online persona.[2]

Well, that particular cat is out of the bag now.

But why? Why was I now being asked to change the name of the account?

Is it because there wasn’t enough activity on the account and they thought it was being squatted?[3] The phrasing of the request seems to rule this out:

“for technical reasons we need to remove the username ‘malware’ from being available.”

but it’s possible.

Is it because the word malware has negative connotations in the world of software? Am I a victim of a programmer version of a clbuttic filter?[4]

If this is some form of security-related censorship, where is the line drawn? If I worked in infosec and had a repository or a user named malware-research or malware-examples, would that also trigger a support email that required them to change the relevant entity names to mal-zz-ware-examples?

What about anyone with the word hacker in their username?[5]

I sent a hasty reply, of which I have transcribed the salient portion:

It seems the reason I have to rename my user account is on a need-to-know basis, and that I, as the owner of that account, do not need to know.

As someone who has been a user of GitHub since 2009 and a paying user not long after that, I figured that I might get someone to give me an explanation, but I’ve only been met with canned replies or silence.

I know it’s not a big deal: I’m not losing an account name that I’ve invested a lot of time into, and in the grand scheme of things GitHub is able to curate their own user and repository name blacklists as they see fit.

I just want to know why.

1. I'll leave the name of the support team member out of this, since they are most likely following company policy and are not directly responsible.
2. I'm at a point where I have a bit of anxiety over working on open source software (which is odd because it used to be such a huge part of my life), and thought that a secondary, completely separate GitHub account might help alleviate some of it.
3. My intention was never to hold on to the account for the sake of holding it. I just hadn't gotten around to publishing a new project; perhaps some lingering anxiety over OSS work was at work, here.
4. Let's be clear: I have never worked on anything that could be considered malware, nor did I have the intention of publishing actual malware to GitHub.
5. It's perhaps disingenuous to create hypothetical situations that all paint GitHub as an egregious offender here, but you get the idea.