this post was submitted on 16 Mar 2024
190 points (97.0% liked)

Privacy


TL;DR: I got a response from Reddit that basically says they’re not violating anything.

There was a post here 3 weeks ago that talked about the GDPR violations Reddit is committing.

Reddit is telling its future investors with recent news and more info on their IPO, that they're currently selling and looking to sell their users' data to companies wanting to train their LLMs, including Google.

I’m not sure if anyone else has gotten a response from them yet so I thought I’d share the email.

The Email:

Hello,

Thank you for contacting Reddit.

As stated in Reddit's Privacy policy much of the information on the Services is public and accessible to everyone, even without an account. By using the Services, you are directing us to share this information publicly and freely.

Reddit prohibits use of its service to infringe people’s intellectual property rights or any other proprietary rights, and prohibits unauthorized scraping of Reddit content. Please note, however, that when you submit content (including a post, comment, or chat message) to a public part of the Services, any visitors to and users of our Services will be able to see that content, the username associated with the content, and the date and time you originally submitted the content.

Reddit allows moderators to access Reddit content using moderator bots and tools. Reddit also allows other third parties to access public Reddit content using Reddit's developer services, including Reddit Embeds, our APIs, Developer Platform, and similar technologies. We limit third-party access to this content. Reddit's Developer Terms are our standard terms governing how these services are used by third parties.

Please note that you can use the Services without choosing to share information publicly and freely on them, and you can also remove your content from Reddit at your discretion. For more information, please check out our help center articles for more information here

Thank you, Reddit Legal Support

[–] [email protected] 107 points 9 months ago (2 children)

Of course they'll say that to you on their platform.

If you file a deletion request, or complaint with a regulator, you should get a better response there.

[–] [email protected] 28 points 9 months ago

I worked at tech companies that were doing obviously illegal things, who will actively deny it to anybody outside the company but then when they finally get a fine, will tell employees, "It's the cost of doing business."

[–] [email protected] 17 points 9 months ago (1 children)

Right to be forgotten applies to personal data. Your posts are not personal data.

[–] [email protected] 2 points 9 months ago (1 children)

That's not true. PII has harsher requirements, but personal data is not just PII

[–] [email protected] 1 points 9 months ago* (last edited 9 months ago) (2 children)

Please provide evidence that a public post you make would be considered personal info.

https://law.stackexchange.com/questions/28276/are-internet-forum-posts-considered-personal-data-under-gdpr

The law is poorly written unfortunately and I don't think we'll know for sure until there's a legal challenge.

[–] [email protected] 5 points 9 months ago (1 children)

I'm saying the personal part doesn't matter. There are especially difficult rules in place for PII

But right to erasure applies to all user data, not just PII

[–] [email protected] 1 points 9 months ago

Ah Gotcha, but I don't think you're right.

Right to be forgotten: https://gdpr-info.eu/art-17-gdpr/

This talks explicitly about personal data in all contexts.

The definition of personal data is anything that can be used to identify someone: https://gdpr-info.eu/issues/personal-data/

This isn't all user data, just stuff that makes a user identifiable.

[–] [email protected] 61 points 9 months ago (1 children)

Complain to your respective GDPR enforcement officer. I should, too.

[–] [email protected] 28 points 9 months ago (1 children)

Already done. Still waiting for a response from them.

[–] [email protected] 9 points 9 months ago

Please tell us whether you'll get a response.

[–] [email protected] 44 points 9 months ago (2 children)

Accessible to everyone ... Ha! Try going to Reddit with a VPN.

[–] [email protected] 18 points 9 months ago (1 children)
[–] [email protected] 14 points 9 months ago

If you replace www with old it still works though

[–] [email protected] 6 points 9 months ago (2 children)
[–] [email protected] 11 points 9 months ago (1 children)

Yeah they don't allow access from VPN unless signed in or if you replace www with old in the URL. They want to know who you are!

[–] [email protected] 9 points 9 months ago (1 children)

Reddit is going to the gutters. RIP

[–] [email protected] 2 points 9 months ago

Started a few months ago. But you can bypass it with the old subdomain

[–] [email protected] 40 points 9 months ago (1 children)

By using the Services, you are directing us to share this information publicly and freely.

I'm sure you're aware, but https://gdpr-info.eu/recitals/no-32/ specifically states data collection must be opt-in, emphasis mine:

1 Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her,

[...]

3 Silence, pre-ticked boxes or inactivity should not therefore constitute consent.

4 Consent should cover all processing activities carried out for the same purpose or purposes.

5 When the processing has multiple purposes, consent should be given for all of them.

6 If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

[–] [email protected] 7 points 9 months ago (3 children)

Do your post comments constitute "personal data" though?

[–] [email protected] 4 points 9 months ago (1 children)

Long tale short, it depends, but likely yes unless reddit stops what it is doing.

Almost every post will contain experiences that could identify someone, so the wisest move would be to assume yes, or naively try to classify each post as 'bread-crumb' or 'not bread-crumb' for their specific processing then store and sell each separately. Non-exhaustive list of personal data criteria:

  • If the comments are tied to, or not stored separately from, your identifiers (email, IP, handle, site ID, location, etc.), then yes.
  • If your comments are not anonymous or include details about you, then yes.
  • If the data will be processed to identify you, then yes.
  • If the data will be used to profile you, then yes.

Unique information about you, such as your subscribed sub-reddits, your browsing habits, the time spent on each link, your writing style, etc may also count as personal data if used to identify or target you.

https://gdpr-info.eu/art-4-gdpr/

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

[...]

(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;

(5) ‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;

[...]

(15) ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;

[–] [email protected] 2 points 9 months ago

natural persons. good idea. corporations are not natural persons over there

[–] [email protected] 1 points 9 months ago

If this ever goes to court I doubt Reddit wants to open this can of worms, as well as every other social media company lol

[–] [email protected] 1 points 9 months ago
[–] [email protected] 22 points 9 months ago (1 children)

If you dislike this, keep in mind Lemmy provides a wide-open API for free scraping from pretty much any server (including yours). And if that wasn't enough, people can also set up their own servers to pull upvote and downvote counts, all without vetting.

[–] [email protected] 8 points 9 months ago* (last edited 9 months ago) (2 children)

Yup. Lemmy beats Reddit in a lot of areas, but privacy isn't one of them. In fact, federated services value transparency instead. Lemmy also kind of goes against the idea of anonymity somewhat, since many instances require email validation (you can use a temporary email though).

If you want privacy, don't use social media.

[–] [email protected] 5 points 9 months ago* (last edited 9 months ago)

People really find it hard to grasp that stuff you willingly post online in a public way can be seen by everyone. There was a thread here earlier about people flabbergasted that the admins of email services can read their unencrypted emails you send through their servers. Top response was said admins going "yes we can read your emails, no we don't, we have better things to be doing with our time."

[–] [email protected] 4 points 9 months ago (1 children)

Lemmy (not for profit social media) protects your privacy less than Reddit (corporate social media)

I'd rather not throw up my hands in defeat though thanks

[–] [email protected] 8 points 9 months ago (1 children)

Lemmy isn't trying to protect your privacy, it instead goes completely the other way and makes everything as transparent as possible. For example:

  • mod actions are public
  • votes are semi-public
  • all post history is public (was public on Reddit until the API change)

Those things are "private" on Reddit, but they're private for a different reason, and that reason isn't to protect your privacy.

Social media by its very nature is not privacy friendly, so anything you post should be assumed to be publicly accessible. Lemmy just makes that explicit.

[–] [email protected] 1 points 9 months ago

Except mod actions are capable of hiding a post and all its comments, basically giving Lemmy users the worst of both worlds. I found that out the hard way while replying to a comment in a removed thread.

Lemmy isn't offering a cohesive, open experience. It's very sloppy.

So while fixing the sloppiness they can also try making it less anti-privacy too.

[–] [email protected] 19 points 9 months ago

I do not see where the violation can be if all this data sharing / selling has been explained by reddit and only info that is shared are your posts and comments, not your mail address or IP address.

Why would you even consider that platform where you publicly post things would not be able to do something with that info. Anyone being able to read this comment is also a violation?

[–] [email protected] 14 points 9 months ago (1 children)

No way they can form a proper response to you on GDPR without citing GDPR. This is either utter incompetence or a lie. Wondering if one could sue them just for this reply message.

[–] [email protected] 1 points 9 months ago

Probably they don't have any offices or employees or banks in the EU and are just planning to ignore fees for their violations

[–] [email protected] 10 points 9 months ago

There's a lot of companies that violate GDPR, but people generally don't complain, so they get away with it.

[–] [email protected] 10 points 9 months ago* (last edited 9 months ago) (2 children)

They're not infringing on your copyright, because you agreed to the following:

[...] you grant Reddit the following license to use that Content: When Your Content is created with or submitted to the Services, you grant us a worldwide, royalty-free, perpetual, irrevocable, non-exclusive, transferable, and sublicensable license to use, copy, modify, adapt, prepare derivative works of, distribute, store, perform, and display Your Content and any name, username, voice, or likeness provided in connection with Your Content in all media formats and channels now known or later developed anywhere in the world. This license includes the right for us to make Your Content available for syndication, broadcast, distribution, or publication by other companies, organizations, or individuals who partner with Reddit. You also agree that we may remove metadata associated with Your Content, and you irrevocably waive any claims and assertions of moral rights or attribution with respect to Your Content.

https://www.redditinc.com/policies/user-agreement

[–] [email protected] 52 points 9 months ago (1 children)

That EULA is not valid in the EU.

[–] [email protected] 5 points 9 months ago* (last edited 9 months ago) (1 children)

Is that an EULA? I thought that was for buying software? I mean I'm pretty sure we have other forms of contracts here in the EU?! Like Terms of service.

Is that a known fact about Reddit's terms of service / "EULA", or something you made up?

And some EULAs are valid in the EU. Just not the American ones that you get to read after you bought something.

[–] [email protected] 24 points 9 months ago (1 children)

I expect they are talking about the 'irrevocably' part, as one of the core tenets of GDPR is that consent can be withdrawn.

I couldn't say whether or not that applies here.

[–] [email protected] 8 points 9 months ago* (last edited 9 months ago) (1 children)

Ah, that makes more sense. But the GDPR also doesn't regulate the actual content. It is about personal data. You can revoke consent to processing that. But that doesn't necessarily touch copyright and the content of some text you licensed to someone. I think copyright is separate. I mean it's a bit more complicated, there is some overlap...

[–] [email protected] 4 points 9 months ago* (last edited 9 months ago)

I consider most of the stuff I post here to be personal.

[–] [email protected] 6 points 9 months ago (1 children)

The GDPR has nothing to do with copyright

[–] [email protected] 16 points 9 months ago* (last edited 9 months ago)

I think this is the issue here. OP is mixing content copyright with the GDPR. But the GDPR regulates personal data, not copyright on text. And that's what Reddit is trying to sell, the content of posts, not their users' personal data... So the GDPR doesn't apply to that. Hence Reddit say they aren't violating anything, because the copyright is in the ToS.

I think that's also my issue with the original letter. It wants to sound official and legalese, but it confuses several things. Intellectual property, copyright and privacy/data protection laws. I don't think the author(s) understand the GDPR. It includes a definition of what personal data is. And the letter is mostly talking about something unrelated. Also there are additional requirements. For example identifiability. And they also fail to address any of that... I also don't like some of the things Reddit does, but I think this is just not a well reasoned argument. If I were in customer support or a lawyer, I'd brush it off, too.

[–] [email protected] 9 points 9 months ago

I have gotten the exact same response word for word.

[–] [email protected] 9 points 9 months ago (1 children)

Public posts on the Internet can be scraped by anyone for free. Reddit is more selling easy to consume access to that information via structured high bandwidth APIs. You should do as they said, and tell them to delete all your data so they aren't allowed to host or profit off it anymore.

[–] [email protected] 2 points 9 months ago (1 children)

If there is commercial gain involved, laws become more applicable.

[–] [email protected] 1 points 9 months ago (1 children)

GDPR doesn't care if they make money on the data. But in practice they do go after the bigger offenders, who often make billions of euros (and have been fined over a billion euros)

[–] [email protected] 8 points 9 months ago

How do I wipe my old reddit account?

[–] [email protected] 4 points 9 months ago

"Nuh-uh, am not!" is the ultimate legal defence and you can't convince me otherwise.

[–] [email protected] 3 points 9 months ago

Time to masspost poisoned images

[–] [email protected] 2 points 9 months ago* (last edited 9 months ago)

Typical for dudebro libertarians not to understand what consent is until you file the restraining order.

[–] [email protected] 2 points 9 months ago

maybe one of my "r/CrazyIdeas" will actually be looked at!
