
What GitHub just decided about your code tells you everything about how modern companies think about consent and why Trevean is built on the opposite premise.
TL;DR
On April 24, 2026, GitHub begins using individual GitHub users’ code to train Microsoft’s AI models by default, while Business and Enterprise customers stay exempt by contract. That “consent-by-tier” pattern mirrors how the spice industry operates: institutional buyers receive certificates of analysis and full traceability, while retail consumers get an opaque jar. Every jar of Trevean Spice (Kyoto Garden, Persian Sunrise, North African Night Market, Caribbean Sunset, and The Silk Road) ships with the farmer’s name, the farm, the harvest date, the lot number, and an NFC tag exposing the entire supply chain. Transparency isn’t a premium feature. It’s the floor.
Key Takeaways
- GitHub’s April 24, 2026, change defaults Free, Pro, and Pro+ users into AI training; Business and Enterprise customers remain exempt by contract.
- Anthropic (August 2025) and JetBrains follow the same two-tier pattern: opt-out defaults for individuals and opt-in or exempt for commercial users.
- The spice industry runs on the same asymmetry: enterprise food-service buyers get supplier audits and traceability; retail consumers get a jar labeled “spices.”
- 28 documented spice fraud incidents were recorded in 2024, including Sudan red dye, wood powder in oregano, and turmeric adulterated with lead chromate.
- FSMA 204, the FDA rule intended to close retail traceability gaps, was delayed from January 20, 2026, to July 20, 2028.
- Every Trevean jar discloses farm, farmer, harvest date, and lot number, and carries an NFC tag linking to the full supply chain at every tier, no upsell. This commitment builds trust by ensuring transparency is accessible and reliable, not a privilege for some.
- Two principles: transparency that depends on price isn’t transparency; it’s a premium feature dressed in ethical language. Consent buried on a settings page isn’t consent; it’s extraction with a legal alibi. Recognizing this empowers consumers to demand real control over their data and products.
Today, April 24, 2026, GitHub begins using interaction data from individual GitHub users (Free, Pro, and Pro+) to train Microsoft’s AI models by default, unless users find the buried opt-out toggle in account settings after the March 25 announcement. This highlights how companies treat user consent as optional, unlike Trevean’s approach to supply chain transparency.
GitHub Business and Enterprise customers? Exempt by contract. Their code remains untouched. The policy designed for these higher-tier clients reflects the respect for explicit consent that individual developers are denied, exposing the industry’s double standards.
Brad Feld wrote the essay I wish I’d written first. I agree with nearly all of it. But I want to take his argument somewhere else, because what GitHub did last month isn’t a tech story. It’s a pattern, and we’re running a spice company built explicitly to refuse it.
Consent as a Product Tier
Notice the shape of the deal. If you can afford an enterprise contract, GitHub treats you as a party with rights. Your data is governed by negotiated terms. You explicitly consent, or you don’t, and the company honors your choice.
If you’re an individual, a hobbyist, a student, a solo founder, a developer paying $10 a month for Pro, you’re an input. The consent mechanism is designed to be missed. The notification email didn’t link to the opt-out directly. The setting is buried. Microsoft knew that if they’d asked, most people would say no.
This isn’t unique to GitHub. Anthropic made the same move in August 2025; consumer users on Free, Pro, and Max had to actively opt out by October 8, or their chats with Claude would become training data retained for 5 years. Commercial customers were exempt. JetBrains does it too. Default-on for individuals; explicit opt-in required for commercial users.
I use Claude every day to run Trevean. I like what Anthropic is building. And I will still say this plainly: the industry has settled on a norm where consent is a product tier. If you pay enough, you get respect. If you don’t, you get a dark pattern with a legal alibi.
That’s not a privacy policy. It’s a caste system with a settings page.
The Spice Industry Has Its Own Version
At first glance, code and cardamom seem unrelated, but both industries rely on the same asymmetry, where enterprise buyers get full transparency and retail consumers are left with opaque jars.
Walk into any grocery store in the country and pick up a jar labeled “paprika.” That jar tells you almost nothing. Not the country. Not the farm. Not the harvest year. Not what’s actually in it. The global spice trade saw 28 documented fraud incidents in 2024 alone, including Sudan red dye in chili powder, wood powder in oregano, turmeric cut with starch, and lead chromate. The word “spices” on an ingredient list can legally mean a dozen things you never agreed to eat.
Meanwhile, the enterprise buyer, the restaurant group, the CPG manufacturer, and the national food-service distributor get certificates of analysis, third-party audit reports, supplier-specific traceability, and contractual guarantees. If adulteration is found, there’s a legal hook.
The home cook gets a jar.
The FDA’s Food Traceability Final Rule, FSMA 204, was supposed to narrow that gap. Originally effective January 20, 2026. It’s now been delayed thirty months, to July 2028. The industry’s default is opacity. Transparency is the upgrade you pay for.
If GitHub’s opt-out toggle is the software version of this problem, the grocery-aisle spice jar is the physical version. Same logic. Same victims. For the same reason, the companies doing it keep doing it: asking first is expensive, and nobody makes them.
What We Will Actually Ship
Trevean exists because we think the floor should be higher than that, not as a marketing claim, but as an operational decision every member of our team is accountable to.
Every jar of Kyoto Garden, Persian Sunrise, North African Night Market, Caribbean Sunset, and The Silk Road ships with four things that most of the industry treats as premium, confidential, or enterprise-only:
The farmer. Not a logo of a smiling stock-photo grower, but the actual farm and the actual farmer. Nadia in the High Atlas, who grows the cumin in the North African Night Market. Javier in Veracruz, who grows the allspice in Caribbean Sunset. We work with over 25 direct-trade partners, and we name them on the jar because that’s how accountability works. If one of our blends tastes off or gets contaminated, you should know who to look at, starting with us.
The harvest date and lot. Not a “best by” sticker. The actual month and year it came out of the ground, and the lot number that lets anyone (regulator, retailer, customer, or us) trace it back to a single batch on a single farm. This is the information enterprise buyers demand and the rest of the market never sees.
The NFC tag. Tap your phone on any Trevean jar to see the supply chain. Not a marketing video. The data. Farm, harvest, processing facility, testing results, transit. The same information that an institutional buyer would negotiate into a supplier contract is handed to the person who’s actually going to cook with it.
The chain of custody. We record origin-to-kitchen traceability on a blockchain ledger, not because blockchain is a magic word, but because it’s auditable by people who aren’t us. That’s the point. Transparency that a company can revise at will isn’t transparency. It’s a brand voice.
None of this is gated by tier. There is no Trevean Enterprise that gets the real information, and a Trevean Consumer that gets a gesture. The person who buys a single jar gets the same disclosure as the restaurant that buys a case.
The Principle
Two things I want to say plainly, because I think they generalize well past spice.
Transparency that depends on what you pay is not transparency. It’s a premium feature dressed in ethical language. If the version of your product that respects people’s rights costs more, you have admitted that the default version doesn’t.
Consent buried in a settings page is not consent. It’s an extraction with a legal alibi. If your business model requires most users to never find the opt-out, you have designed a coercion mechanism and called it a choice.
Brad Feld used the word enshittification and I think he’s right. The industry-wide drift toward “take by default, opt out if you’re paying attention, carve out the enterprise customers who can hire lawyers” is a pattern that deserves to be named every time it shows up in code, in cumin, in anything else.
What We Promise
Trevean can’t fix the software industry, and I won’t pretend otherwise. We use Claude, we ship on AWS, we write code in editors that phone home. We are a participant in the same systems I just criticized, and I don’t want to be cute about that.
What I can promise is the part we do control.
On every jar we ship, you will know the farm it came from, the person who grew it, the date it was harvested, and every hand it passed through on the way to your kitchen. Not because we priced up the transparency tier. Because that’s the floor.
If someday we build features that rely on customer data (and we probably will; we’re a technology company), the consent for that will be opt-in, in plain language, with something meaningful offered in return. Not a buried toggle. Not a policy update email that forgets to include the link.
Microsoft is a three-trillion-dollar company. They can afford to ask.
So can we. So can everyone.
Dan Blizinski is the founder of Trevean Spice. Trevean ships direct-trade spice blends with NFC-enabled packaging and full origin traceability on every jar.
Frequently Asked Questions
What exactly is changing with GitHub Copilot on April 24, 2026?
Starting April 24, 2026, GitHub will, by default, use interaction data from Free, Pro, and Pro+ subscribers (code snippets, file names, navigation patterns, comments, and documentation) to train and improve Microsoft’s AI models. Users must actively opt out in account settings under Privacy to prevent it.
Why are GitHub Business and Enterprise customers exempt?
Business and Enterprise agreements include contractual commitments prohibiting the use of customer interaction data for AI training. GitHub has honored those commitments. Individual users on Free, Pro, and Pro+ tiers do not have those contracts, so they receive weaker default protections.
Is this the same pattern Anthropic and JetBrains use?
Yes. Anthropic moved to opt-out defaults for Claude Free, Pro, and Max consumer plans in August 2025, with commercial tiers (Claude for Work, API, Government, Education) exempt. JetBrains AI Assistant enables detailed data collection by default for non-commercial users while requiring explicit informed consent from commercial users. The industry is settling on consent as a product tier.
How do I opt out of GitHub Copilot AI training?
In GitHub, go to Settings → Copilot → Privacy, and disable the option that allows interaction data to be used for model training. If you previously opted out of data collection for product improvements, GitHub says that preference has been retained, but it is worth confirming directly in the settings.
What does GitHub’s decision have to do with spices?
The spice industry has used a two-tier transparency model for decades. Enterprise buyers, restaurant groups, CPG manufacturers, and distributors negotiate certificates of analysis, supplier audits, and traceability into their contracts. Retail consumers get a jar that often omits the country of origin, farm, harvest date, and exact composition. The same asymmetry that GitHub just codified for code, the spice trade has long codified for food.
What is FSMA 204, and why does its delay matter?
FSMA 204 is Section 204 of the FDA’s Food Safety Modernization Act, the Food Traceability Final Rule. It requires enhanced recordkeeping for foods on the FDA’s Food Traceability List to enable rapid identification and removal of contaminated food. Originally effective January 20, 2026, it was delayed 30 months to July 20, 2028. The delay means the regulatory floor for retail traceability remains well below enterprise norms for another two years.
What does Trevean actually disclose on every jar?
Every jar of Trevean Spice (Kyoto Garden, Persian Sunrise, North African Night Market, Caribbean Sunset, and The Silk Road) discloses the farm and farmer, the harvest date and lot number, and includes an NFC tag you can tap to see the full supply chain: processing facility, testing results, and chain of custody. This is the same information enterprise buyers typically negotiate into supplier contracts, surfaced for the home cook by default.
Does Trevean use customer data to train AI?
We are developing Trevean’s AI recommendation engine that runs on aggregated, consented taste-preference data. Any future feature requiring personal usage data will be opt-in, in plain language, with something meaningful offered in return, never a buried toggle.
Who is Dan Blizinski?
Dan Blizinski is the founder and CEO of Trevean Spice, a pre-seed spice-tech company combining direct-trade sourcing with NFC-enabled smart packaging and blockchain-based supply-chain traceability.
Glossary
Interaction data in GitHub’s policy includes the inputs, outputs, code snippets, file names, navigation patterns, comments, and documentation generated while using Copilot.
Opt-in vs. opt-out consent. Opt-in requires an affirmative action before data is used; opt-out uses the data by default unless the user actively disables it. Opt-in produces far lower participation rates, which is why companies with commercially valuable data typically choose opt-out defaults.
FSMA 204: Section 204 of the Food Safety Modernization Act, also called the Food Traceability Final Rule. Enhanced recordkeeping for foods on the FDA’s Food Traceability List. Compliance date extended from January 2026 to July 2028.
Adulteration: Substitution or dilution of a food product with unauthorized substances. In spices, common adulterants include synthetic dyes (Sudan red, auramine-O), botanical fillers (wood powder, rice flour), and heavy-metal colorants (lead chromate).
Direct trade is a sourcing model in which the buyer has a named relationship with the farm or grower cooperative, typically including fair-price contracts and multi-year agreements, as opposed to commodity-broker sourcing, where the origin is obscured.
NFC packaging: Near-field communication tags embedded in packaging that let a customer tap a smartphone on the jar to access authenticated product data: origin, harvest, testing, chain of custody.
Chain of custody: The documented record of every party that handled a product from origin to end user, used to verify authenticity and enable rapid recall response.
Consent-by-tier: The pattern of offering stronger privacy or transparency protections only to customers on higher-priced commercial tiers, while leaving individual consumers on weaker default terms.
Sources
- Updates to GitHub Copilot interaction data usage policy, GitHub Blog, March 25, 2026
- FAQ: Privacy Statement update on Copilot data use for model training (Free/Pro/Pro+), GitHub Community
- GitHub: We’re going to train on your data after all, The Register
- GitHub jumps on the bandwagon and will use your data to train AI, Help Net Security
- Managing GitHub Copilot policies as an individual subscriber, GitHub Docs
- Updates to Consumer Terms and Privacy Policy, Anthropic, August 2025
- JetBrains Product Data Collection and Usage Notice, JetBrains Legal
- FSMA Final Rule on Requirements for Additional Traceability Records for Certain Foods, U.S. FDA
- FDA Delays FSMA 204 Traceability Rule Compliance Date by 30 Months, Food Safety Magazine
- Herb and Spice Fraud | 2024 in Review, FACTS
- Opt-Out Is Not Consent, Brad Feld, March 26, 2026

