Ask HN: Is Hacker News GDPR Compliant?
Just wondering. You could answer this by answering: Does Hacker News store personally identifiable information? Well: 1. Hacker News has no interest in personal information with regards to its news feed, 2. How does having an email address on your account change things? Things get ambiguous when account names are a persons real name, same for the email address. IP Addresses are also ambigous because of their topical use. Hacker News may log IP Addresses but there is an argument where these IP Addresses can be "traced". Trouble is an IP Address is PUBLICALLY identifiable information. It can be viewed easily and there are no real correlative relationship between IP and person. An argument can stand to say "Hang on, I'm sending this message to Hacker News website via my mobile phone, that has an IP Address mapped to my device, therefore indirectly my IMEI device number is mapped to an IP Address where that IMEI number is mapped to an IMSI number on a SIM card which could be linked to subscriber contract details". Yes true, but that IP Address is from a pool of addresses assigned to that mobile device via the connection provider. It changes based on DHCP Leasing rules. Passwords are not personally identifiable information. HOWEVER, Hacker News still has a responsibility to protect that information. If it isn't it is pretty close. No JS includes, they use Cloudflare which has gone out of their way to be GDPR compliant, you have full control over your profile and the moderators have so far complied with any reasonable request I have ever made. On top of that there is an easy way to export your data through several services. What specifically would trigger you to wonder? You don't have full control over your profile. You can't download a copy of your entire posting history, You can't can't edit or delete comments after a certain window, You can't edit your username, and you can't delete your account. Full control over your profile would allow you to do all of those things without needing to contact a moderator or use a third party service. > You don't have full control over your profile. Well, I do. > You can't download a copy of your entire posting history Yes you can. http://hn.algolia.com/api/v1/search?query=author_:krapp > You can't can't edit or delete comments after a certain window Yes you can, just not automated. You could mail the moderators with a request. > You can't edit your username Why would you, that's your HN identity, not your identity in real life. You ascribe more power to the GDPR than it has. > you can't delete your account Have you tried mailing the moderators to ask them to delete your account? > Full control over your profile would allow you to do all of those things without needing to contact a moderator or use a third party service. No, the GDPR does not say anything about the company having to automate these things, only that there should be some way to do them. On HN the moderators are in charge of those things. So if you really want to delete your account feel free to contact the moderators. And the GDPR also does not forbid for the company to engage a third party to export the data (though, funny enough, that third party would have to have a DPA with the company). >> You can't download a copy of your entire posting history
>Yes you can. Fair enough - I wasn't aware of that. >> You can't can't edit or delete comments after a certain window
>Yes you can, just not automated. You could mail the moderators with a request. So... no, you can't. they can, if they decide to honor your request when you ask them, or they might not. >> You can't edit your username
>Why would you, that's your HN identity, not your identity in real life. You ascribe more power to the GDPR than it has. Some people's usernames are their real names, which makes them personally identifiable information. Other people's usernames appear to be the result of them banging on the keyboard, or a 'throwaway_X' account that they've been using for several years, or a contextual reference for a specific thread that no longer applies to anything. Why should users be forced to keep that arbitrary string in place if everything else can be edited or deleted? I can change my public facing email, I can change the profile text, I can even change the color of the top bar, I can ask to have comments deleted, why can't I change my username? >No, the GDPR does not say anything about the company having to automate these things, only that there should be some way to do them. Fair enough. I think they should be automated, though.. > I think they should be automated, though.. I agree. But that's mostly a convenience, and if the number of requests is low enough then you could do it by hand. With reocities.com I did a hybrid approach, I did allow people to make the deletion requests in an automated way but then I still manually reviewed them. The reason is that there the link between the accounts and the users did not make it when we backed-up as much of Geocities as we could, so to avoid people requesting the deletion of other people's data or pranksters that would request 1000's of accounts to be deleted we needed an extra step for verification. I get that it's a reply to the 'full control of your profile'. Just double checking, in regards to OP's question, is this a requirement of GDPR? It looks like they updated their privacy policy but I didn’t see mention that they assigned an EU representative so. It entirely. I'd be honored to supply that service, for free.