OC Updated: Reddit is quietly restoring deleted AND overwritten posts and comments

Another update and possibly a solution for some case where posts were not properly deleted. Seems I jumped the gun on this and the restores haven't been intentional - at least not in this particular case.

There is a limitation in the popular Powerdelete that apparently prevents mass editing. Here is a link to a new version with a build-in delay and some other alternatives:
https://www.reddit.com/r/ModCoord/comments/145fico/comment/jnl4xmr/

There are other reported cases where manually deleted post reappeared or other scripts have been used, so this doesn't solve all issues but explains how posts that were both edited and deleted withPowerdelete weren't properly deleted and reappeared after subs went back live.

Update: As some have pointed out: the restores can be rollbacks from the server issues or post haven't been properly deleted due to subs being private during blackouts. Many have experienced the same issue, I can't explain how this happens. I'll just run the script again, try the GDPR request and delete my account.

Also worth noting: according to the ToS Reddit can actually do whatever they want with existing content, apparently we agreed to this when signing up.

!deleted125603,

deleted_by_author

  • Loading...
  • Brkdncr,

    In the US, indicate that you’re in California for the strongest legal option.

    tal,
    tal avatar

    Assuming that this is, in fact, not legal and if they have money that can be gone after, I assume that someone may start a class action suit. In theory, they're worth multiple billions, so...

    An individual probably doesn't care much about whatever harm is done, as the damage is too small. But this is the kind of thing where a lawyer can walk away with a big payday by aggregating cases of many users and then getting a percentage of any payout.

    I am not at all certain that it is not legal, though.

    overzeetop,
    @overzeetop@lemmy.world avatar

    undefined> In theory, they’re worth multiple billions, so…

    wen Lambo?

    CtrlOpenAppleReset, (edited )

    This could be worse than anything else they've done. If they claim they own the data, are they then not responsible for it like newspapers? Is it in their terms and conditions they are free to do whatever with posted information, do they have the rights to edit users comments but in doing so become a content provider and therefore responsible. Kicking mods out doesn't land you in court this seems high risk to be manipulating content. Doesn't matter why it was deleted or edited it was deleted or edited who gets to decide what version to restore. Either you are hands off or you own the data and are responsible for it and upheld to media standards.

    Edit: found a snippit of the terms and conditions in a German GDPR thread, It appears it is their terms and conditions that after you post it they can do with it what they like, even adapt it. Either way that's not a reason to be gone.

    Lowbird,

    There was that kerfuffle ages ago about u/spez editing comments in r/thedonald, iirc. It's not like it would be that much of a stretch for him at least.

    But it looks like from OP's edits it may be unintentional. I'll withhold my rage for now.

    doublejay3000,

    I picked up a permanent ban, after 15 years for saying 'Go outside fatso' to someone who said I couldnt read. Not my proudest moment, but there you go.

    The reason I mention it, is that it adds a different dynamic if they are trying retain (and prevent me from editing) data which they hold about me. They might argue that doesn't extend to post where I've written "cats > dogs" - but anything where I've refered to where I live, whether I have kids, what my political views are, are all clearly personal details which they are not allowed to hold without retaining my consent.

    Clear contraventions on GDPR in EU.

    https://commission.europa.eu/law/law-topic/data-protection/eu-data-protection-rules_en

    pleasemakesense,
    @pleasemakesense@lemmy.world avatar

    ToS like that does often not mean anything, they can write whatever they like but it doesn't mean they can legally enforce it. So if you are an artist posting a painting you made, reddit can't just say 'oop, it's ours now' same with text

    admin,

    This is shitty of them to do but this is what people have been trying to tell us since the dawn of the internet. Nothing on the internet is EVER truly deleted

    reflex,
    reflex avatar

    Nothing on the internet is EVER truly deleted

    Barbara Streisand ♫

    Balssh,
    Balssh avatar

    I think they may underestimate EU's response here.

    jargoggles,

    While this is true, it's sort of like being in a car accident. The other person may be in the wrong, but that doesn't exactly unwreck your car.

    Celivalg,

    oh, but they might have to pay for your car back...

    And that's gonna pull reddit down even more

    Rayspekt,

    DSGVO take the wheel

    booshi, (edited )

    deleted_by_author

  • Loading...
  • Bipta,

    Certainly some of it can be.

    procgen,

    That depends on the content of the post or comment, no?

    Nexclusive,

    Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.

    For most people, GDPR probably applies to at least some of their comments on Reddit.

    abff08f4813c,
    abff08f4813c avatar
    booshi,

    These links are just going to the same post we are on? It's not linking to specific comments for me.

    abff08f4813c,
    abff08f4813c avatar

    Looks like comment link redirection isn't quite working. Let me just copy over the comment text for now:

    Well, people have reported Twitter for failing to remove their tweets and places like the ICO are now actively investigating Twitter over this failure, see https://www.wired.co.uk/article/delete-twitter-dms-gdpr

    Someone posted not too long ago that a person who was part of Twitter’s group over the GDPR - pre Musk - said the lawyers came to the conclusion that tweets were protected under the GDPR.

    I believe it's less straightforward than that. Under GDPR, consent can be withdrawn, you can't give an irrevokable consent.

    And from https://mstdn.games/@chris/110553477682106144

    Presumably falls under right to erasure (art 17,19 of GDPR). You've withdrawn your consent, so if it isn't exempt under legal obligation, public health, scientific research etc then that's it, really. I guess there might be brave souls who argue that posts on Reddit sometimes don't qualify as or contain personal data, but that would seem irrelevant unless someone is painstakingly anonymising the dataset on a case by case basis, which they surely aren't.

    Also, it looks like Twitter may be in some trouble, for failing to delete DMs under the GDPR, see https://techcrunch.com/2023/02/08/elon-musk-twitter-dm-deletion/

    Surely, if twitter DMs fall under the GDPR, so do Reddit posts and comments (and note that it's the content of the DMs, and not the personal identifiers, and that the DMs are requested to be deleted from e.g. receipients inboxes as well).

    booshi,

    There is nothing of fact here - as I said in my comments before and I'll say again - it's a case-by-case basis, but as it stands, this is not covered under GDPR. Everything you linked to is pending actual decisions, as this area of GDPR is still being figured out. Yet, for some reason, people are stating it as fact.

    abff08f4813c,
    abff08f4813c avatar

    as this area of GDPR is still being figured out.

    Interesting. So does that mean you think it COULD be covered by the GDPR, perhaps from a court decision at a future date? That at least it's a possibility, even if unknown right now?

    this is not covered under GDPR

    Interesting contradiction. I'd say there only three states: it is covered, it is not covered, and it's unknown.

    Anyways, here’s a fact:

    UK’s Information Commissioner’s Office … told Veale that Twitter’s response “failed to comply with the requirement of the data protection legislation”

    Of course you’d be right if you said it hasn’t been taken to court yet and that particular case lacks a court ruling to back it up. So if that’s your requirement for it to count, then that’s fair. Still, I would generally go with the guidance from the ICO here rather than try my luck in court, absent compelling reasons.

    I think the case by case thing is addressed somewhat from the Mastodon post. Someone reposting a meme wouldn’t contain any personal info to erase under GDPR, but another post that’s an ask me anything with a person’s picture and other verifiable credentials would be. In the latter case I’m not sure you could anonymize the content without making it unuseful and uninteresting.

    And it would take a lot of time and effort to review every post and comment and perform the anonymization. And deanonymization is a legitimate concern too. So I guess Reddit could try to play hardball here but it would probably cost them.

    booshi,

    lol what - just because a government entity says something, doesn't mean it's fact. You're grasping at straws and undermining actual fights for data privacy.

    abff08f4813c,
    abff08f4813c avatar

    and undermining actual fights for data privacy.

    Care to elaborate? Let's assume for the sake of argument that I actually am wrong and mistaken on this point. How does one get from "being mistaken" to "undermining" ? As a major supporter of data privacy, I'd really like to know this.

    lol what - just because a government entity says something, doesn't mean it's fact.

    I think I already addressed this earlier when I wrote,

    So if that’s your requirement for it to count, then that’s fair.

    Even so, the fact that multiple gov't entities charged with enforcing the GDPR seem to have come to the conclusion that failure to delete DMs is a violation of the GDPR is quite telling.

    Perhaps they are wrong, and perhaps we won't know for sure until this makes it to the Court of Justice of the European Union / Supreme Court of the United Kingdom for the definitive ruling. It's true that gov't agencies do get it wrong from time to time.

    Even so, I think that would be a tough and expensive fight that would give most folks pause. Both potentially illegal and against public opinion?

    Perhaps it's possible you misunderstood me. The fact I was pointing out was that the ICO thought Twitter had a potential GDPR violation. But I can agree that it's not confirmed until the relevant courts rule on it - the fact is simply that this is what the ICO has said.

    You're grasping at straws

    Hmm. So I've cited lots of things to explain why it looks like it's a likely GDPR violation. Can you cite for the opposite - why private DMs and Reddit posts (particularly text body contents) would not ever count?

    To sum it up, I find it really interesting how you've not responded to the first question I had in the parent comment:

    as this area of GDPR is still being figured out.
    Interesting. So does that mean you think it COULD be covered by the GDPR, perhaps from a court decision at a future date? That at least it's a possibility, even if unknown right now?

    I get the impression that you're a hard no here, that you assume once this area of the GDPR is figured out, then it most definitely won't be covered. But, care to elaborate why you think this is the likely outcome?

    abff08f4813c,
    abff08f4813c avatar
    aceca, (edited )

    If a user is commenting they have an online identifier and are thus covered. If a user has ever referenced their relationship status, location or any physical descriptor they are covered. The GDPR -- it applies.

    booshi,

    That's not what an "online identifier" is under GDPR. Those are RFID tags, cookies, device fingerprints, IP addresses, etc: https://gdpr-info.eu/recitals/no-30/

    aceca,

    Usernames are online identifiers:

    https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-data/what-are-identifiers-and-related-factors/

    A non-exhaustive list is included in Recital 30

    An individual’s social media ‘handle’ or username, which may seem anonymous or nonsensical, is still sufficient to identify them as it uniquely identifies that individual. The username is personal data if it distinguishes one individual from another regardless of whether it is possible to link the ‘online’ identity with a ‘real world’ named individual.

    Risk,

    It's not personal or identifiable we can just sell it to advertiser's to precisely target your exact person with things we think you might buy.

    flypenguin,

    please don't state things if you don't know what you're talking about. it absolutely applies. it's a personalized account, with a personalized email address – this is the core of GDPR. it might not apply cause reddit is not within the legislation of the EU. maybe.

    Jon-H558,

    If they have eu users they have to apply it. That is why many places have ip lock outs that just prevent us from.seeing it.

    However if they truly anonymise the content of a post they can keep it

    pleasemakesense,
    @pleasemakesense@lemmy.world avatar

    Doesn't matter, they'll be fined and if they refuse to pay they'll not be allowed to operate in the EU

    booshi,

    Can't be fined for GDPR if you aren't violating GDPR taps temple

    booshi,

    I do - I work with this daily. It would be a massive uphill battle to even prove in a court that your whole post history is considered "identifying". It's a case-by-base basis. On top of that, your data could still be easily stored and simply no longer associated with your email (but still can be kept if the previous cannot be proven about identification). Then this would have to be tested, on a that same case-by-case basis, for every single user that made a request.

    To quote yourself, "please don't state things if you don't know what you're talking about."

    flypenguin,

    ah ... simply no. also now you're going into technicalities and specific scenarios – which might make sense in court, yet doesn't disprove the principle per se. but maybe let's agree to disagree, i don't think this goes somewhere.

    Sleepy_ducky,
    Sleepy_ducky avatar

    Have a read through. It definitely relates to GDPR (and even the Right to be Forgotten). Those are our accounts, linked to our emails. It is content we generate (even Reddit admits the content is owned by the creator). So if I want to delete everything and leave no trace I should be able to.

    https://www.cyberghostvpn.com/en_US/privacyhub/how-to-delete-reddit-account/

    booshi,

    Those are our accounts, linked to our emails, which they are free to de-associate, and freely use for whatever commercial purposes they want.

    BorgDrone,

    That's debatable. Sure. my account doesn't actually contain my name and address, but it contains almost 14 years of posts and comments. Through the years I've probably let slip enough small pieces of information about myself that a motivated person would be able to identify me. This would still make it identifiable information.

    Legisign,
    Legisign avatar

    Sure. my account doesn't actually contain my name and address, but it contains almost 14 years of posts and comments.

    Agreed. If a person’s speaking voice falls under the GDPR (as I have found out being a phonetician and hence doing research on it), surely opinions and comments taken not individually but as a cumulated mass must do so too.

    booshi,

    Debatable? Yes, as that still hasn't been figured out at a higher level, and this is still handled on a case-by-case basis. Otherwise, they are free to keep your data, and simply no longer keep the association with your email.

    aceca,

    The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics

    By definition commenting reddit users are covered, even if they haven't posted anything otherwise identifying -- but most have either way.

    booshi,

    That's not what an "online identifier" is under GDPR. Those are RFID tags, cookies, device fingerprints, IP addresses, etc: https://gdpr-info.eu/recitals/no-30/

    nickajeglin,

    *Looks up GDPR... "EU law"

    Womp womp :(

    booshi,

    There is also CCPA in California - but none of these offer a total blanket/shield of protection like people are positing here. It's still a completely grey area that has, so far, not sided with users of sites.

    Mineroboter,

    deleted_by_author

  • Loading...
  • Jon-H558,

    Yes but if they take the user name off can they keep the comment text up. For most comments they probably could unless you were putting your name or your job title and company or similar in the body of the text.

    booshi,

    Do you understand how trivial it is to anonymize the data so it can still be used and monetized?

    aceca,

    How exactly do you trivially remove all references to the physical, physiological, genetic, mental, economic, cultural or social identity of the person posting?

    This is the bar you'd have to clear to ensure someone's comment history were anonymized per GDPR, miss a single one of these factors and your anonymous data is now reversible and thus infringing.

    Girlparts,
    Girlparts avatar

    I believe this is illegal for European (under GDPR).

    shanghaibebop,

    Only if the user files a delete request though.

    Phoeniqz,
    @Phoeniqz@lemmy.dbzer0.com avatar

    Using a platform run like an authoritarian regime feels nice, until it doesn't.

    doublejay3000,

    You can begin your complaint in the UK with the Information Commissioner's Office :

    https://ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/

    TWeaK,

    You should bear in mind, PowerDeleteSuite doesn't get everything. It can only see what's in your reddit profile under New, Top, Hot & Controversial - there will be numerous posts that are too old with only 1 or a few karma that aren't displayed in these lists. In particular, if you go through your top posts of all time, you might find some replies to these posts that you made that the script did not see.

    The GDPR archive gives a full list of all the comments. What we need is a FOSS script that can use these csv files to get everything. Apparently Shreddit can take the csv files, however you have to pay $15 to use this feature.

    rarkgrames,
    @rarkgrames@lemmy.world avatar

    I mass edited my posts to all say fuck /u/spez with redact and most appear to be back. I shall edit them again and if they come back I shall do it again and again. I can play this game as long as it takes.

    forgotmylastusername,

    All posts/comments from shadow banned accounts show as [removed]. Just putting that out there.

    SterlingVapor,

    Here's the thing - everything rots. Code and data included.

    Not participating is more than enough - better that the data is preserved anyways. Restoring it is ice chips to a starving man, it'll help, but not for long

    balance_sheet,

    So it wasn't just me! I was sure I purged everything but for some reason they came back and I had no idea. Fuck you reddit, you're not getting any of anything from me.

    generalpotato,

    Just deleted mine via PDS for an account of over 9yrs. Let’s see if these guys revert it. Might take the GDPR route if they don’t let up.

    MentallyExhausted,

    Shit, just confirmed they restored my comments. I overwrote them and deleted them and deleted the account and they’re still fucking there. Unbelievably scummy, this should make the news.

    abff08f4813c,
    abff08f4813c avatar

    Also worth noting: according to the ToS Reddit can actually do whatever they want with existing content, apparently we agreed to this when signing up.

    Been thinking about that. I don't think that overrules laws like the GDPR though - law triumphs over ToS. And under GDPR, consent can be withdrawn, you can't give an irrevokable consent.

    PixxlMan,

    Totally. When quitting, make sure to file a GDPR takedown request on your account. If reddit doesn't comply, they could be fined quite handsomely.

    booshi,

    So they will delete your email address, and still freely use your content for whatever uses. Oh no!

    Azzu,

    That's not how it works. All content has to be deleted for GDPR compliance.

    Screak42,

    yes and no. unfortunately it’s in many cases not overly difficult for a company to justify the still need this data after sich request. but it’s something at least

    https://gdpr.eu/right-to-be-forgotten/#:~:text=In%20Article%2017%2C%20the%20GDPR,originally%20collected%20or%20processed%20it.

    TWeaK,

    GDPR gives you the right to correct information if it's wrong. Given that the information is typically an opinion of the user, that should give the user the right to remove the information.

    SphereofWreckening,

    IANAL but wouldn't this be on par with creating a contract or NDA with illegal elements? Wherein the contract/NDA are no longer considered valid/become void as a result. Obviously this wouldn't apply to the US and several other countries, and Reddit also has lawyers. Realistically I'm also just some dingus so someone smarter may know

    abff08f4813c,
    abff08f4813c avatar

    It's probably the case that the rest of the ToS applies except for that one specific element, which is severable. This what I've usually read in contracts (IANAL either but I used to work in a business that required a lot of proofing of contracts).

    Iceblade02,

    Wow! Just realized reddit has done this to my comments as well.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • RedditMigration
  • magazineikmin
  • Youngstown
  • mdbf
  • khanakhh
  • slotface
  • tacticalgear
  • thenastyranch
  • kavyap
  • Durango
  • DreamBathrooms
  • rhentai
  • everett
  • rosin
  • InstantRegret
  • bokunoheroacademia
  • ethstaker
  • cisconetworking
  • GTA5RPClips
  • modclub
  • normalnudes
  • relationshipadvice
  • osvaldo12
  • cubers
  • tester
  • Leos
  • HellsKitchen
  • lostlight
  • sketchdaily
  • All magazines