OC Updated: Reddit is quietly restoring deleted AND overwritten posts and comments

Anahkiasen, 10 months ago

That is such a shitty move. Forcing subreddits to go back up is one thing, but as a european this feels very wrong from a data ownership standpoint and I'm not sure it's ok in the GDPR rules?

glitch, 10 months ago

@Anahkiasen @chri5 almost certainly no bueno under GDPR.

Post content being deemed PII at user digression is already a... questionable stance to take with GDPR but probably grey enough to the point where a DPA won't bother with it while they have bigger fish to fry.

Outright going against user requested data removal tho? Yeah that's a good way to net you GDPR complaints. If the user requests their info removed, you're required to oblige unless you have a reason that amounts to something like "we need this to keep the service operational", which post content almost certainly isn't.

(ie. You're not gonna be able to GDPR your IP address or email off of the banlist.)

albatros, 10 months ago

I'm not sure it's ok in the GDPR rules?

That would probably be related to "right to erasure".

But even this has limits, since sometimes the data can be necessary for a service (for example, you might be unable to get invoice data erased before X years, as a legal requirement)

Since messages on forums can be considered "needed" to understand a thread, it's usually advised to make all messages anonymous if a user requests complete deletion.

I guess here it's a little different, since the messages were removed by users, so it's not a gdpr request. Not sure how it works in that case.

Other issue is if the messages themselves contain personal information... Someone going through my old reddit profile could probably figure out my identity since I mentioned one of my (very uncommon) previous job a few times.

Best way to figure out how it works here would probably be to contact the gdpr authority for your country... And they might have trouble with it too.

masterX244, 10 months ago

But even this has limits, since sometimes the data can be necessary for a service (for example, you might be unable to get invoice data erased before X years, as a legal requirement)

But then it still needs to be marked as a "DO NOT TOUCH". you aren't allowed to use it then for any other purpose.

Celivalg, 10 months ago

Since messages on forums can be considered “needed” to understand a thread, it’s usually advised to make all messages anonymous if a user requests complete deletion.

We have seen [deleted] Comment deleted by user before, so that argument is gonna flop hard

gkd, 10 months ago

What about some of the US likes like the ones in California and Virginia? Curious about that.

Anon2971, 10 months ago (edited 10 months ago)

I think we should actively keep track of Reddit restoring user's content without people's permission. Screenshots, timestamps, everything. Monitor it all.

Maybe if Reddit go ahead with their API change whilst treating their users like such disposable crap, we could reach out to the EU to inform them of Reddit's GDPR breaches. Maybe that'd lead to their new revenue from API charges disappearing into hefty EU fines.

Update: Maybe there's going to be some loophole about actually having to use the data deletion request via Reddit's UI for there to be an actually GDPR breach though thinking about it. Going to ask around some Law friends for advise

juergen_hubert, 10 months ago

That's an excellent idea! EU regulations on the digital rights of users are not to be trifled with, and "the right to be forgotten" is a big one.

megane_kun, 10 months ago

Mightily envious of you guys over there.

booshi, 10 months ago

deleted_by_author

Celivalg, 10 months ago

uhm... political opinion is explicitly considered personal data under GDPR...

And, as another user pointed out here:

Since the definition includes “any information,” one must assume that the term “personal data” should be as broadly interpreted as possible.

So if political opinion is included, I let you consider what else also is.

abff08f4813c, 10 months ago

Yes, it does, and yes, there is, see https://kbin.social/m/reddit@lemmy.ml/t/34167/Reddit-is-restoring-deleted-posts#entry-comment-141186

aceca, 10 months ago (edited 10 months ago)

You're all over this thread saying this, what exactly do you think "right to erasure" means?

From gdpr.info:

Since the definition includes “any information,” one must assume that the term “personal data” should be as broadly interpreted as possible.

Here's a short list of information thought not to be personal which has later been found personal:

• Start end/times at work
• Break times
• Cultural id markers
• Written answers to exam questions
• Mental illness
• Any physical descriptor
• online identifiers (ie your reddit username which may be shared with other sites to identify you)
• and plenty more

The idea that redditors do not have personal information lingering in their comments is absurd, GDPR 100% applies.

atzanteol, 10 months ago

Doesn't seem like these were gdpr requests, just people marking posts as "deleted" which does not delete your post, it marks it as non-viewable.

Make gdpr requests if you want your data deleted.

Rairii, 10 months ago

@Anon2971 @chri5 @Anahkiasen i guess it depends if "just" editing/deleting the post/comment counts as "withdrawing consent" under GDPR?

itsonlybrad, 10 months ago

@Rairii what if you edit with a message stating that? Perhaps that could help but IANAL. Might be worthwhile consulting one and then lobbying tool writers to include it as the default.

pptouchi, 10 months ago

Thats messed up! fuck spez!

Brianala, 10 months ago

Earlier this week I deleted all of my comments except for some in a private sub. I just checked and all the posts I deleted are back 🤬

roofuskit, 10 months ago

Same

megane_kun, 10 months ago

That's awful. I wonder if there's a way to automate deleting all of our posts and replies—and repeatedly run it on a schedule via a cron job or something, maybe once an hour or something. And let it run until their API becomes locked down.

Trebach, 10 months ago

And then replace it with a Selenium script afterwards.

megane_kun, 10 months ago

If only I know enough about programming to do it.

Right now, I'm looking at an option that I can run via command line here which I can add to my cron job queue.

Kwik, 10 months ago

@megane_kun I was thinking something very similar. I'm sure there are keywords they're looking for too, like "third party apps" and "fuck /u/spez" which trigger the restore.

megane_kun, 10 months ago

Probably, though from what I've seen in the linked thread, there's no such keywords present.

What I suspect is that Reddit admins saw a rise in deletions, and put two and two together and thought it's part of the protest. They're not wrong, but still a dick move.

mccord, 10 months ago

deleted_by_author

megane_kun, 10 months ago

Thank you!! I was trying to remember Shreddit but all I managed to remember is that it needed to be installed in one's system.

chri5, 10 months ago

That's not a bad idea actually. The Powerdelete script I used is based on Javascript and needs to be started manually in the browser window, I'll just run the script once a day. But maybe someone with more knowledge can come up with a more automated solution. They can't restore user accounts forever.

Soyaro, 10 months ago

erm... just put the triggering function in a for-loop, together with some conditions so it doesn't run all the time...?

megane_kun, 10 months ago

I am also going to use the power delete script too, but I was still looking for a way to archive my stuff before nuking them.

I remember seeing some solutions that require an installation of a program which the user then runs on their machine.

PS: @mccord Has the solution I was trying to remember. It's Shreddit.

db0, 10 months ago

There's certainly no chance this will backfire...

CynAq, 10 months ago

That's beyond fucked up.

But also very predictable.

I think it's safe to say this fiasco isn't going anywhere without a class action lawsuit or something.

TractorEnjoyer, 10 months ago

There is EU and GDRP which reddit have to comply with.

Reddit CEO is a moron thinking they can avoid getting slapped with a fine.

admin, 10 months ago

This is shitty of them to do but this is what people have been trying to tell us since the dawn of the internet. Nothing on the internet is EVER truly deleted

reflex, 10 months ago

Nothing on the internet is EVER truly deleted

Barbara Streisand ♫

Balssh, 10 months ago

I think they may underestimate EU's response here.

jargoggles, 10 months ago

While this is true, it's sort of like being in a car accident. The other person may be in the wrong, but that doesn't exactly unwreck your car.

Celivalg, 10 months ago

oh, but they might have to pay for your car back...

And that's gonna pull reddit down even more

Rayspekt, 10 months ago

DSGVO take the wheel

booshi, 10 months ago (edited 10 months ago)

deleted_by_author

Bipta, 10 months ago

Certainly some of it can be.

procgen, 10 months ago

That depends on the content of the post or comment, no?

Nexclusive, 10 months ago

Personal data is any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to ID someone from it.

For most people, GDPR probably applies to at least some of their comments on Reddit.

abff08f4813c, 10 months ago

Yes it is, as pointed out here https://kbin.social/m/RedditMigration/t/34112/Updated-Reddit-is-quietly-restoring-deleted-AND-overwritten-posts-and#entry-comment-140833 and here https://kbin.social/m/RedditMigration/t/34112/Updated-Reddit-is-quietly-restoring-deleted-AND-overwritten-posts-and#entry-comment-141285

booshi, 10 months ago

These links are just going to the same post we are on? It's not linking to specific comments for me.

abff08f4813c, 10 months ago

Looks like comment link redirection isn't quite working. Let me just copy over the comment text for now:

Well, people have reported Twitter for failing to remove their tweets and places like the ICO are now actively investigating Twitter over this failure, see https://www.wired.co.uk/article/delete-twitter-dms-gdpr

Someone posted not too long ago that a person who was part of Twitter’s group over the GDPR - pre Musk - said the lawyers came to the conclusion that tweets were protected under the GDPR.

I believe it's less straightforward than that. Under GDPR, consent can be withdrawn, you can't give an irrevokable consent.

And from https://mstdn.games/@chris/110553477682106144

Presumably falls under right to erasure (art 17,19 of GDPR). You've withdrawn your consent, so if it isn't exempt under legal obligation, public health, scientific research etc then that's it, really. I guess there might be brave souls who argue that posts on Reddit sometimes don't qualify as or contain personal data, but that would seem irrelevant unless someone is painstakingly anonymising the dataset on a case by case basis, which they surely aren't.

Also, it looks like Twitter may be in some trouble, for failing to delete DMs under the GDPR, see https://techcrunch.com/2023/02/08/elon-musk-twitter-dm-deletion/

Surely, if twitter DMs fall under the GDPR, so do Reddit posts and comments (and note that it's the content of the DMs, and not the personal identifiers, and that the DMs are requested to be deleted from e.g. receipients inboxes as well).

booshi, 10 months ago

There is nothing of fact here - as I said in my comments before and I'll say again - it's a case-by-case basis, but as it stands, this is not covered under GDPR. Everything you linked to is pending actual decisions, as this area of GDPR is still being figured out. Yet, for some reason, people are stating it as fact.

abff08f4813c, 10 months ago

as this area of GDPR is still being figured out.

Interesting. So does that mean you think it COULD be covered by the GDPR, perhaps from a court decision at a future date? That at least it's a possibility, even if unknown right now?

this is not covered under GDPR

Interesting contradiction. I'd say there only three states: it is covered, it is not covered, and it's unknown.

Anyways, here’s a fact:

UK’s Information Commissioner’s Office … told Veale that Twitter’s response “failed to comply with the requirement of the data protection legislation”

Of course you’d be right if you said it hasn’t been taken to court yet and that particular case lacks a court ruling to back it up. So if that’s your requirement for it to count, then that’s fair. Still, I would generally go with the guidance from the ICO here rather than try my luck in court, absent compelling reasons.

I think the case by case thing is addressed somewhat from the Mastodon post. Someone reposting a meme wouldn’t contain any personal info to erase under GDPR, but another post that’s an ask me anything with a person’s picture and other verifiable credentials would be. In the latter case I’m not sure you could anonymize the content without making it unuseful and uninteresting.

And it would take a lot of time and effort to review every post and comment and perform the anonymization. And deanonymization is a legitimate concern too. So I guess Reddit could try to play hardball here but it would probably cost them.

booshi, 10 months ago

lol what - just because a government entity says something, doesn't mean it's fact. You're grasping at straws and undermining actual fights for data privacy.

abff08f4813c, 10 months ago

and undermining actual fights for data privacy.

Care to elaborate? Let's assume for the sake of argument that I actually am wrong and mistaken on this point. How does one get from "being mistaken" to "undermining" ? As a major supporter of data privacy, I'd really like to know this.

lol what - just because a government entity says something, doesn't mean it's fact.

I think I already addressed this earlier when I wrote,

So if that’s your requirement for it to count, then that’s fair.

Even so, the fact that multiple gov't entities charged with enforcing the GDPR seem to have come to the conclusion that failure to delete DMs is a violation of the GDPR is quite telling.

Perhaps they are wrong, and perhaps we won't know for sure until this makes it to the Court of Justice of the European Union / Supreme Court of the United Kingdom for the definitive ruling. It's true that gov't agencies do get it wrong from time to time.

Even so, I think that would be a tough and expensive fight that would give most folks pause. Both potentially illegal and against public opinion?

Perhaps it's possible you misunderstood me. The fact I was pointing out was that the ICO thought Twitter had a potential GDPR violation. But I can agree that it's not confirmed until the relevant courts rule on it - the fact is simply that this is what the ICO has said.

You're grasping at straws

Hmm. So I've cited lots of things to explain why it looks like it's a likely GDPR violation. Can you cite for the opposite - why private DMs and Reddit posts (particularly text body contents) would not ever count?

To sum it up, I find it really interesting how you've not responded to the first question I had in the parent comment:

as this area of GDPR is still being figured out.
Interesting. So does that mean you think it COULD be covered by the GDPR, perhaps from a court decision at a future date? That at least it's a possibility, even if unknown right now?

I get the impression that you're a hard no here, that you assume once this area of the GDPR is figured out, then it most definitely won't be covered. But, care to elaborate why you think this is the likely outcome?

abff08f4813c, 10 months ago

Yes it is, as pointed out here https://kbin.social/m/RedditMigration/t/34112/Updated-Reddit-is-quietly-restoring-deleted-AND-overwritten-posts-and#entry-comment-140833 and here https://kbin.social/m/RedditMigration/t/34112/Updated-Reddit-is-quietly-restoring-deleted-AND-overwritten-posts-and#entry-comment-141285

And also see https://kbin.social/m/reddit@lemmy.ml/t/34167/Reddit-is-restoring-deleted-posts#entry-comment-141186

aceca, 10 months ago (edited 10 months ago)

If a user is commenting they have an online identifier and are thus covered. If a user has ever referenced their relationship status, location or any physical descriptor they are covered. The GDPR -- it applies.

booshi, 10 months ago

That's not what an "online identifier" is under GDPR. Those are RFID tags, cookies, device fingerprints, IP addresses, etc: https://gdpr-info.eu/recitals/no-30/

aceca, 10 months ago

Usernames are online identifiers:

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-data/what-are-identifiers-and-related-factors/

A non-exhaustive list is included in Recital 30

An individual’s social media ‘handle’ or username, which may seem anonymous or nonsensical, is still sufficient to identify them as it uniquely identifies that individual. The username is personal data if it distinguishes one individual from another regardless of whether it is possible to link the ‘online’ identity with a ‘real world’ named individual.

Risk, 10 months ago

It's not personal or identifiable we can just sell it to advertiser's to precisely target your exact person with things we think you might buy.

flypenguin, 10 months ago

please don't state things if you don't know what you're talking about. it absolutely applies. it's a personalized account, with a personalized email address – this is the core of GDPR. it might not apply cause reddit is not within the legislation of the EU. maybe.

Jon-H558, 10 months ago

If they have eu users they have to apply it. That is why many places have ip lock outs that just prevent us from.seeing it.

However if they truly anonymise the content of a post they can keep it

pleasemakesense, 10 months ago

Doesn't matter, they'll be fined and if they refuse to pay they'll not be allowed to operate in the EU

booshi, 10 months ago

Can't be fined for GDPR if you aren't violating GDPR taps temple

booshi, 10 months ago

I do - I work with this daily. It would be a massive uphill battle to even prove in a court that your whole post history is considered "identifying". It's a case-by-base basis. On top of that, your data could still be easily stored and simply no longer associated with your email (but still can be kept if the previous cannot be proven about identification). Then this would have to be tested, on a that same case-by-case basis, for every single user that made a request.

To quote yourself, "please don't state things if you don't know what you're talking about."

flypenguin, 10 months ago

ah ... simply no. also now you're going into technicalities and specific scenarios – which might make sense in court, yet doesn't disprove the principle per se. but maybe let's agree to disagree, i don't think this goes somewhere.

Sleepy_ducky, 10 months ago

Have a read through. It definitely relates to GDPR (and even the Right to be Forgotten). Those are our accounts, linked to our emails. It is content we generate (even Reddit admits the content is owned by the creator). So if I want to delete everything and leave no trace I should be able to.

https://www.cyberghostvpn.com/en_US/privacyhub/how-to-delete-reddit-account/

booshi, 10 months ago

Those are our accounts, linked to our emails, which they are free to de-associate, and freely use for whatever commercial purposes they want.

BorgDrone, 10 months ago

That's debatable. Sure. my account doesn't actually contain my name and address, but it contains almost 14 years of posts and comments. Through the years I've probably let slip enough small pieces of information about myself that a motivated person would be able to identify me. This would still make it identifiable information.

Legisign, 10 months ago

Sure. my account doesn't actually contain my name and address, but it contains almost 14 years of posts and comments.

Agreed. If a person’s speaking voice falls under the GDPR (as I have found out being a phonetician and hence doing research on it), surely opinions and comments taken not individually but as a cumulated mass must do so too.

booshi, 10 months ago

Debatable? Yes, as that still hasn't been figured out at a higher level, and this is still handled on a case-by-case basis. Otherwise, they are free to keep your data, and simply no longer keep the association with your email.

aceca, 10 months ago

The data subjects are identifiable if they can be directly or indirectly identified, especially by reference to an identifier such as a name, an identification number, location data, an online identifier or one of several special characteristics

By definition commenting reddit users are covered, even if they haven't posted anything otherwise identifying -- but most have either way.

booshi, 10 months ago

That's not what an "online identifier" is under GDPR. Those are RFID tags, cookies, device fingerprints, IP addresses, etc: https://gdpr-info.eu/recitals/no-30/

nickajeglin, 10 months ago

*Looks up GDPR... "EU law"

Womp womp :(

booshi, 10 months ago

There is also CCPA in California - but none of these offer a total blanket/shield of protection like people are positing here. It's still a completely grey area that has, so far, not sided with users of sites.

Mineroboter, 10 months ago

deleted_by_author

Jon-H558, 10 months ago

Yes but if they take the user name off can they keep the comment text up. For most comments they probably could unless you were putting your name or your job title and company or similar in the body of the text.

booshi, 10 months ago

Do you understand how trivial it is to anonymize the data so it can still be used and monetized?

aceca, 10 months ago

How exactly do you trivially remove all references to the physical, physiological, genetic, mental, economic, cultural or social identity of the person posting?

This is the bar you'd have to clear to ensure someone's comment history were anonymized per GDPR, miss a single one of these factors and your anonymous data is now reversible and thus infringing.

asjmcguire, 10 months ago

Currently I only have 2 comments still visible which for some reason the Power Delete tool couldn't remove. I will check back in a week though if someone can remind me, and see if any of mine have magically reappeared.

HeartyBeast, 10 months ago

!RemindMe .... oh, no.

Lasairiona, 10 months ago

I feel ya... Put in a feature request?

firebat, 10 months ago

They are going full send on pissing everyone off at this point

LChitman, 10 months ago

Would this actually be a GDPR breach? I was thinking about the right to erasure/to be forgotten earlier in relation to a post I saw about how your posts aren't deleted on other federated instances, if you delete them on your home server. But I figured it wasn't applicable because it's not personal data and I'm thinking the same about this Reddit issue. Can anyone set me straight?

abff08f4813c, 10 months ago

Well, people have reported Twitter for failing to remove their tweets and places like the ICO are now actively investigating Twitter over this failure, see https://www.wired.co.uk/article/delete-twitter-dms-gdpr

Someone posted not too long ago that a person who was part of Twitter’s group over the GDPR - pre Musk - said the lawyers came to the conclusion that tweets were protected under the GDPR.

LChitman, 10 months ago

Thanks, that's a good point and sets a precedent. I had a reply in another thread with the definition of personal data from GDPR and it would seem to include social media posts:

'personal data' means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

https://kbin.social/m/reddit@lemmy.ml/t/34167/Reddit-is-restoring-deleted-posts#entry-comment-141186

PabloDiscobar, 10 months ago (edited 10 months ago)

I deleted all my content but I did it over the span of a few days, to let the different caches around reddit to update with the new void, and my content is still deleted (so far).

I said it before and I say it again: if you have the patience to do so then make sure you overwrite your content with chatgpt generated content, as the future AI that will feed on your post HATE feeding on already AI generated stuff. It makes the AI diverge.

edit: Filling your previous content with random generated content also make it harder to restore because it is harder to spot, compared with the comments which are simply "deleted". Also, if all of it is really true, congratulation to reddit for demonstrating to everyone and specially the USA how useful the GDPR is for the citizen.

HeartyBeast, 10 months ago

Perhaps delete and replace the comment with text that explicitly claims copyright on the deleted message and denies Reddit a license to use the deleted content? It would be good to get a legal eagle willing to look at the Reddit user agreement and content licensing and see if there is a legally literate way of denying them use deleted content once it has been submitted.

Trebach, 10 months ago

If you're in the EU, submit a request to have it purged. If they refuse, that's a violation of the GDPR.

flybynightpotato, 10 months ago

Under the law, they also HAVE to respond to all requests within a month, regardless of whether they intend to comply. So it seems like it would be possible to completely overwhelm them with GDPR erasure requests and let them panic.

Varyag, 10 months ago

Motherfucker! I just checked my profile, and they DID restore the posts I edited+deleted with PowerDeleteSuite. Thankfully it's just the posts from the past week or so, I had deleted my entire 8 year history before that, and that stayed deleted. I'm assuming they monitored other API access calls past the days where the blackout started to restore those.

Brianala, 10 months ago

Same here. I’m a 12 year account on Reddit and I had been in the habit of deleting my history regularly due to an ex that likes to stalk my posts. Everything recent that I deleted this week is back but the stuff I deleted prior to that is still gone.

I just went back and edited it all again to state it’s been removed in protest in favor of moving to the fediverse.

Balssh, 10 months ago

They really want to fuck around GDPR? Are they really Musk level morons?

sternail, 10 months ago

I used Redact to schedule a daily deletion of my comments and posts. Hope it works. Also, I will report it.