- cross-posted to:
- privacy@programming.dev
- RedditMigration@kbin.social
cross-posted from: https://programming.dev/post/251752
It is important to note that although this may be a result of Reddit’s UI not displaying the content users posted to now-private subreddits, it remains a problem. Additionally, I agree with the author’s comments in the video description, as it appears strategically unrealistic for Reddit to ask that users manually delete the content themselves.
This is particularly true when considering that many automated methods to accomplish this task will be hindered by Reddit’s upcoming API pricing changes. Furthermore, Reddit has demonstrated a recurring pattern of rolling back databases using historical backups, thereby disregarding user deletion requests that were submitted prior to the database rollback.
See similar discussion of this video on Hacker News:
- r0bbbo ( @r0bbbo@programming.dev ) English63•1 year ago
I overwrote then deleted all of my comments a few weeks ago—they were all back in their original form last week. I’ve since run the process again and already old comments are starting to reappear
- TemporaryBoyfriend ( @TemporaryBoyfriend@lemmy.ca ) English32•1 year ago
The best part about this is that the more they do this, the more it costs them. Every action, especially disk transactions, cost them money. Just log in every day, run your deletion utility, and cost them a couple bucks more for being pricks about it.
- AggressivelyPassive ( @agressivelyPassive@feddit.de ) English19•1 year ago
That’s peanuts for them.
If you want to hurt them, make the platform unusable. Post real looking, but garbage comments in a semi automated way (random comments every few seconds, while you’re scrolling through. Vote randomly, downvote everything on /new…
- shirro ( @shirro@aussie.zone ) English1•1 year ago
I believe the reddit API might not allow full discovery of comment history. At least my experience with deletion tools was that once I had the data export to check I found only a small portion of the posts from by 12 years of history were deleted despite the reddit UI and deletion tools not showing any comments remaining.
I had to use a tool to go through the GDPR export to find all the posts and the tool has had problems due to some subs being private due to protests. I suspect a lot of people who thought they deleted their entire comment history may not have done so.
- taxet_ ( @taxet_@sopuli.xyz ) English1•1 year ago
I used a small script I made by running it in the Comments and also in Posts section of Profile and it worked fine. So far none of the comments or posts have been restored, but I don’t know if it’s just the fact that I didn’t have that many comments or posts to begin with (like 5-6 posts and around 200-300 comments). Regardless, I’m still keeping my account for a bit so I can monitor for a month or two what happens. Here’s the script I used: https://pastebin.com/1w2nhCn9
Note that my JavaScript skills are not that great, but it should work. Might need to scroll down the page first though since not all the comments/posts are necessarily loaded right away.
- BobQuasit ( @BobQuasit@beehaw.org ) English50•1 year ago
I don’t know about deletions, but I requested my data for takeout more than two weeks ago and I still haven’t received it.
- dannoffs ( @dannoffs@lemmy.sdf.org ) English31•1 year ago
Same. I’m in California so I did a CCPA request, according to what I read they have 45 days to comply, which can be extended to 90 with notice. I definitely plan on filing a complaint if they don’t comply.
- Dusty ( @Dusty@l.dustybeer.com ) English8•1 year ago
Thank you for the link, I did the same on all of my accounts. I’ll be filing a complaint for each one
ifwhen they don’t comply.- dannoffs ( @dannoffs@lemmy.sdf.org ) English4•1 year ago
Yeah, I’m also anticipating that I will have to file a complaint, but at this point they technically have a couple weeks left to comply. These kind of protections are exactly why I don’t want to leave California, it’s pretty shit here but seems worse in the rest of th US.
- The Bard in Green ( @thebardingreen@lemmy.starlightkel.xyz ) English9•1 year ago
Same.
- flux ( @flux@beehaw.org ) English8•1 year ago
I also requested perhaps a bit more than two weeks ago and got it a couple days ago.
Used https://github.com/xavdid/reddit-user-to-sqlite/ to put it into a more structured form. I guess I should give Datasetts a try to easily browse it, the project’s README links to it.
- thepaperpilot ( @thepaperpilot@beehaw.org ) English1•1 year ago
ooh, that looks like a handy thing I’d like to store! I’m a bit worried I’ll have lost some of my saved links because I think I heard they only keep the most recent ~1000 or so.
- HughJanus ( @HughJanus@lemmy.ml ) English8•1 year ago
Same
- jherazob ( @jherazob@beehaw.org ) English7•1 year ago
Requested it, took more than two weeks but arrived. They do have 30 days though, so i guess you have no recourse but to wait. I’m glad i did so with time to spare though.
- clearedtoland ( @clearedtoland@lemmy.fmhy.ml ) English44•1 year ago
All the little cracks that an angry and motivated audience can discover. It’s like pissing off a sibling…
- sophs [she/her] ( @s0phia@beehaw.org ) English19•1 year ago
Reddit is on a streak of bad decisions!
Found the full transcription for the video from OP author:
Note to self: use
youtube.com
instead ofyoutu.be
for better cross post detection and lemmy integration- SSUPII ( @SSUPII@sopuli.xyz ) English7•1 year ago
Do you know how well youtube-nocookie federates? Its an official Youtube service if you didn’t know.
https://www.youtube-nocookie.com/embed/1B0GGsDdyHI
Your video, but on nocookie.
That looks neet. Although I suspect this would succumb to the same cross post discoverability issues where URLs pointing to the same video would not match string for string. A better approach might be to facilitate inline embedding of HTML video players into Lemmy using browser extensions, where user scripts could be used to preview youtube links or re-write them to nocookie, allowing the Lemmy web UI to still avoid the use of cross-origin scripts by default.
- matt ( @matt@infosec.pub ) English1•1 year ago
I actually recently learned that the “nocookie” part of the domain refers to it not setting a cookie until you play the video, then you get a cookie[1]. Apparently it’s been like this the entire time? Or at least as far back as 2009 [2]?
[1] https://cloudfour.com/thinks/youtube-no-cookies-adds-cookies/
[2] https://www.cnet.com/news/privacy/youtubes-new-nocookie-feature-continues-to-serve-cookies/
- Storksforlegs ( @storksforlegs@beehaw.org ) English10•1 year ago
Does changing your comments to or replacing them with garbled text work if reddit wont delete?
(i realize this shouldnt be necessary but more as a last resort)
- Lazycog ( @Lazycog@lemmy.one ) English13•1 year ago
Seems like it worked for me. Last I checked my deleted account’s comments are still up and display replaced text.
I overwrote my comments with a message that clearly states why I overwrote my comments and deleted my account.
- Kir ( @Kir@feddit.it ) English4•1 year ago
This is great. If we coul do it somehow automatically, it would greatly damage the platform.
- Tzeentch ( @Tzeentch@beehaw.org ) English13•1 year ago
There is a way, the Power Delete Suite script can overwrite all your comments with any message you give it, and then follow it up with mass deletion if you wish, only catch is that the original doesn’t account for reddits current rate limiting and so misses stuff , but this fork of it seemed to do the trick for me
- Lazycog ( @Lazycog@lemmy.one ) English4•1 year ago
There are programs for that! Even an app AFAIK, but sadly I don’t remember the good ones right now. Maybe someone could pitch in and suggest?
- Em Adespoton ( @adespoton@lemmy.ca ) English2•1 year ago
There’s a Python app called shreddit that apparently works quite well.
python -m pip install -U shreddit
- AggressivelyPassive ( @agressivelyPassive@feddit.de ) English3•1 year ago
That’s probably how they detect it in the first place. A “normale” user won’t delete hundreds of comments in a row.
- The Bard in Green ( @thebardingreen@lemmy.starlightkel.xyz ) English5•1 year ago
I was thinking of editing mine to be links to information about Lemmy.
- GiantBasil ( @GiantBasil@beehaw.org ) English3•1 year ago
I deleted some, but not all of my reddit posts and they’re not back yet and some people had their garbled posts restored. So to m the trick might be doing it in batches at different times, delete some, garble some, maybe change some to lorem ipsum.
- Generator ( @Generator@lemmy.pt ) English9•1 year ago
- knaugh ( @knaugh@frig.social ) English9•1 year ago
as much as I’m sick of reddit, posts and comments are not PII
- philpo ( @philpo@feddit.de ) English44•1 year ago
*Sights. Every time we discuss this. Every fucking time. * Under the GDPR are they are. See §4 part 1.
- knaugh ( @knaugh@frig.social ) English3•1 year ago
Ok? I haven’t discussed this before.
Now you did.
- CCatMan ( @CCatMan@lemmy.one ) English4•1 year ago
What about me? I want to discuss!
- blindsight ( @blindsight@beehaw.org ) English22•1 year ago
Not in general, maybe, but if someone posts their first name in one place, post about their neighborhood in another place, and mention their job in a third place that’s enough to uniquely identify them. Or who’s to say there isn’t a comment with someone’s full name and address?
Unless they manually scan all comments for PII, there might be PII in any comment. Even something innocuous like a picture of a sign can doxx someone, so it’s not obvious, either.
- knaugh ( @knaugh@frig.social ) English4•1 year ago
If that is the case, then lemmy would be illegal by design, right? I can request my home instance delete my content, but it would still exist on any federated instance.
- variaatio ( @variaatio@sopuli.xyz ) English18•1 year ago
It can be, depending on whether PII was involved. Just being publicly published doesn’t make it not be PII. It can be or not be. GDPR counts PII widely, since it also includes stuff that can be combined with other information to make for identifying the person.
Frankly this is one of those cases, where we need a court ruling to set precedent on what is counted in and what is counted out.
- knaugh ( @knaugh@frig.social ) English1•1 year ago
I find it hard to believe a court would decide that a post someone intentionally made to a public forum could be considered private information after the fact. But I suppose I’m not vary familiar with the wording of GDPR. It feels a bit like someone giving away business cards with a phone number, and being upset that people don’t return them when you ask months later. Obviously it is scummy for reddit to not delete content when requested, but that doesn’t seem to be the sort of thing the law is targeted towards
- variaatio ( @variaatio@sopuli.xyz ) English5•1 year ago
intentionally made to a public forum could be considered private information after the fact
Well that’s the thing. The criterion is Personally identifying information. Not private information.
Remember GDPR includes right to be forgotten. Person is allowed to change their mind. At one point they might have wanted and agreed for that information being readily publicly available. Then they have right to change their mind “Nope, don’t want the information out still”.
As I said. Just because it has been publicly published, doesn’t remove the protection categorization GDPR offers.
It is just then PII you at the moment want to be publicly available. Ofcourse deleting anything completely of the net later is not possible, but the point is when informed of deletion order, that organization is not supposed to be part of the “this persons information is published, when they don’t want it” problem anymore. Company can’t control all of Internet, but they can control their own conduct and within that limit they must comply to privacy order. Even if it doesn’t perfectly swipe the information from all of internet.
It is utterly different mentality and regime from “private/secret” or “public/its gone now” system. In this other system privacy is on going process and scale. It can move two ways instead of just unidirectionally. Person has right to ask and demand for what has been public to be made more private. As they also can choose to make private more public.
EU and its citizens have right to choose what principles they base their privacy laws on and they chose this different kind of regime. Other regions and countries are free to choose otherwise in their own jurisdiction (though EU does this super claim of “EU data subject involved, we claim jurisdiction”)
- knaugh ( @knaugh@frig.social ) English2•1 year ago
Thank you for the more thorough explanation, I’m from the US and not used to these kind of sweeping consumer protection laws lol. Does that mean Lemmy is also in violation? Does deleting a post on my home instance notify federated instances to delete it as well?
- variaatio ( @variaatio@sopuli.xyz ) English1•1 year ago
It could affect lemmy administrators. As I understand lemmy federation does include federated removal propagation. Atleast the original instance can send federated notification to delete post or comment. Whether other instances comply is different matter. Since there is no central authority, it would be instance administrator per instance administrator obligation. Thought GDPR does propagate with data transfers. So theoretically for example EU instances might have to limit themselves to federation with instances committing to honoring GDPR notices. At which point “delete this” is not mere protocol requests, it is legal demand. Instance administrator might be held responsible for federation with GDPR non-complying instance.
Just being nice, free and open source doesn’t free us from legal obligations. However someone would probably have to actively bring GDPR complain for anything to start happen. Free open source project is low on enforcement pole compared to big Internet businesses.
However some GDPR compliance things might have to be implemented. For example formal declarations of adherence to GDPR, messaging of “this deletion notice comes as result of GDPR request, delete or be in violation”.
However I would also note the PII protections are not unlimited. It does have exceptions for legal obligations, legitimate business obligations (you can’t demand business deletes all of their information, if they say need your contact information for still pending billing and so on). There is also public interests exception, aka person can’t gag order just based on “I don’t like this” should it be matter of journalistic/public interest matter. Some others exceptions also, that I don’t remember right now.
- anon_cloud ( @anon_cloud@lemmy.dbzer0.com ) English7•1 year ago
Keep inviting people to Fediverse as a positive reaction to this.
- shirro ( @shirro@aussie.zone ) English3•1 year ago
I finally got my personal data export from reddit and am checking the comments to see what is deleted. I did a lot of passes with powerdelete as subs came out of private until nothing showed up. There are no comments showing in my profile.
Going through the links in the export and powerdelete seems to have cleared out recent comments but if I look at links to ones from ten years ago they are mostly still there so I suspect it couldn’t find them.
Currently running a rust version of shreddit in a container using the gdpr export to edit and delete the comments. Seems to be working though it gets exceptions on some comments behind private subs and I have to delete the entry from the csv and re-run but it will probably be patched soon.