Reddit makes it impossible to delete PII, refuses to do it itself violating GDPR
Reddit makes it impossible to delete PII, refuses to do it itself violating GDPR
cross-posted from: https://programming.dev/post/251752
It is important to note that although this may be a result of Reddit's UI not displaying the content users posted to now-private subreddits, it remains a problem. Additionally, I agree with the author's comments in the video description, as it appears strategically unrealistic for Reddit to ask that users manually delete the content themselves.
This is particularly true when considering that many automated methods to accomplish this task will be hindered by Reddit's upcoming API pricing changes. Furthermore, Reddit has demonstrated a recurring pattern of rolling back databases using historical backups, thereby disregarding user deletion requests that were submitted prior to the database rollback.
See similar discussion of this video on Hacker News:
I overwrote then deleted all of my comments a few weeks ago—they were all back in their original form last week. I’ve since run the process again and already old comments are starting to reappear
The best part about this is that the more they do this, the more it costs them. Every action, especially disk transactions, cost them money. Just log in every day, run your deletion utility, and cost them a couple bucks more for being pricks about it.
I believe the reddit API might not allow full discovery of comment history. At least my experience with deletion tools was that once I had the data export to check I found only a small portion of the posts from by 12 years of history were deleted despite the reddit UI and deletion tools not showing any comments remaining.
I had to use a tool to go through the GDPR export to find all the posts and the tool has had problems due to some subs being private due to protests. I suspect a lot of people who thought they deleted their entire comment history may not have done so.
All the little cracks that an angry and motivated audience can discover. It’s like pissing off a sibling…
I don't know about deletions, but I requested my data for takeout more than two weeks ago and I still haven't received it.
Same. I'm in California so I did a CCPA request, according to what I read they have 45 days to comply, which can be extended to 90 with notice. I definitely plan on filing a complaint if they don't comply.
Thank you for the link, I did the same on all of my accounts. I'll be filing a complaint for each one
ifwhen they don't comply.
Same
Same.
I also requested perhaps a bit more than two weeks ago and got it a couple days ago.
Used https://github.com/xavdid/reddit-user-to-sqlite/ to put it into a more structured form. I guess I should give Datasetts a try to easily browse it, the project's README links to it.
ooh, that looks like a handy thing I'd like to store! I'm a bit worried I'll have lost some of my saved links because I think I heard they only keep the most recent ~1000 or so.
Requested it, took more than two weeks but arrived. They do have 30 days though, so i guess you have no recourse but to wait. I'm glad i did so with time to spare though.
Reddit is on a streak of bad decisions!
Does changing your comments to or replacing them with garbled text work if reddit wont delete?
(i realize this shouldnt be necessary but more as a last resort)
Seems like it worked for me. Last I checked my deleted account's comments are still up and display replaced text.
I overwrote my comments with a message that clearly states why I overwrote my comments and deleted my account.
I was thinking of editing mine to be links to information about Lemmy.
I deleted some, but not all of my reddit posts and they're not back yet and some people had their garbled posts restored. So to m the trick might be doing it in batches at different times, delete some, garble some, maybe change some to lorem ipsum.
Found the full transcription for the video from OP author:
Note to self: use
youtube.cominstead ofyoutu.be
for better cross post detection and lemmy integrationDo you know how well youtube-nocookie federates? Its an official Youtube service if you didn't know.
https://www.youtube-nocookie.com/embed/1B0GGsDdyHI
Your video, but on nocookie.
That looks neet. Although I suspect this would succumb to the same cross post discoverability issues where URLs pointing to the same video would not match string for string. A better approach might be to facilitate inline embedding of HTML video players into Lemmy using browser extensions, where user scripts could be used to preview youtube links or re-write them to nocookie, allowing the Lemmy web UI to still avoid the use of cross-origin scripts by default.
Keep inviting people to Fediverse as a positive reaction to this.
as much as I'm sick of reddit, posts and comments are not PII
Not in general, maybe, but if someone posts their first name in one place, post about their neighborhood in another place, and mention their job in a third place that's enough to uniquely identify them. Or who's to say there isn't a comment with someone's full name and address?
Unless they manually scan all comments for PII, there might be PII in any comment. Even something innocuous like a picture of a sign can doxx someone, so it's not obvious, either.
It can be, depending on whether PII was involved. Just being publicly published doesn't make it not be PII. It can be or not be. GDPR counts PII widely, since it also includes stuff that can be combined with other information to make for identifying the person.
Frankly this is one of those cases, where we need a court ruling to set precedent on what is counted in and what is counted out.
I find it hard to believe a court would decide that a post someone intentionally made to a public forum could be considered private information after the fact. But I suppose I'm not vary familiar with the wording of GDPR. It feels a bit like someone giving away business cards with a phone number, and being upset that people don't return them when you ask months later. Obviously it is scummy for reddit to not delete content when requested, but that doesn't seem to be the sort of thing the law is targeted towards