
GDPR Violation: Scribd acquires PII on 500M users in a deal with LinkedIn - user5994461
https://thehftguy.com/2020/09/01/gdpr-violation-scribd-acquires-pii-on-500m-users-in-a-deal-with-linkedin/
======
ffpip
If anyone from Scribd is reading this, please fix your mobile website. You
advertise yourself more than the content.

[https://i.ibb.co/2n8HdBx/Screenshot-20200822-030755.jpg](https://i.ibb.co/2n8HdBx/Screenshot-20200822-030755.jpg)

There must be a competition between Imgur, Reddit and Scribd for the worst User
Exp

~~~
tolbish
These websites make their mobile websites good enough so you won't leave, but
bad enough so you feel like you should download the app (such as gigantic
banners that make mobile browsing miserable).

The A/B testing shows that it's a very effective dark pattern.

~~~
ffpip
It makes me go away from their app.

I removed all the banners with uBlock Origin. I had to temporarily get them
back to take the screenshot.

------
babo
The correct order to delete your account is

    Sign in to SlideShare
    Go to Menu “Account Settings”
    Change Password
    Delete Account
    Yes, Delete my Account

~~~
phkahler
I've never used Slideshare, will I have to sign up?

~~~
user5994461
If you have a LinkedIn account, you were signed up to SlideShare automatically
without your knowledge or consent.

You should be able to login right away, no need to sign up (again). "Login"
button in corner then "Login with LinkedIn" button.

~~~
imglorp
One non-obvious step I encountered. After login with LinkedIn, it doesn't look
like you logged in but you did. You have to hit the "Explore" button on the
top bar and then you'll see your name menu on the upper right, and you can
proceed to settings.

~~~
corford
Another thing: if you've never directly used Slideshare and instead signed in
via your LinkedIn username, you'll need to set a password in order to
delete the account (it prompts you to set one in the delete modal).

~~~
poutrathor
I did not need to do that & never used slideshare

~~~
corford
<shrug> Their site is so full of anti-patterns it's quite possible I
accidentally signed up again and deleted again. Either way, it wanted a real
password before letting me click delete.

------
ErrantX
Scribd have consistently been a horrible company.

They actively "slurped" (their word) as many documents as they could, ignoring
things like copyright, into their archive. They brushed a lot of those
concerns aside which left a really sour taste.

HN actually used to have a feature to switch PDF links to Scribd ones (not
sure if it was manual or automatic)[1]

[1] [https://news.ycombinator.com/item?id=1124940](https://news.ycombinator.com/item?id=1124940)

~~~
goodbye_twy
What even? Has there been an apology from dang for this? Is this sort of thing
still happening?

I have a rule not to read forums which do shady stuff to the content. Maybe
it's time to adblock the HN homepage.

~~~
plorkyeran
It happened significantly before dang's involvement in HN.

~~~
goodgriefer
It's always the same with VC's. Do what you can (illegal or no), obfuscate and
redirect, ignore when possible, and finally fake-apology ("we're sorry you
feel bad").

Sure the "rules" say to assume with best intentions. That goes along with
"obfuscate and redirect". It's easier to point at rules as a club to make an
example. But in reality, in the end VCs are themselves toxic.

Look no further than the crowd of businesses and partners YC surrounds itself
with.

~~~
yc_yuck
Very true. Unfortunately, too many people ignore this, or don't realize this,
and instead lionize VCs like they're some class of better humans or something.
Quite sickening, really.

~~~
goodgriefer
It is obvious _why_ these people suck up to VC's. It's where the easy money
is.

Banks are super risk averse (in business 3+ years, with client base and
revenue, and collateral). Versus some shit VCs who'll encourage to "disrupt"
(eg: dismiss legal or safety regulations to extract quick profit) with a 1 out
of 10 chance of a startup hitting the hockey stick growth.

Lie with the dogs, and you get fleas. I'll leave it to the reader to decide
who the dogs and fleas are.

------
jacquesm
Screw ScribD and the horse they rode in on. Between them and Installmonetizer
it is hard to pick my least favorite YC company. At least new entrants know
that they'll never bottom out in the ethics department since those two got in.

~~~
SyneRyder
I was about to mention Installmonetizer too. When it happened it prompted me
to leave HN (why should I do anything that might benefit YC?) and I forget why
I came back & gave HN another chance.

Anyone know how to edit the hosts file on an Android device? I already block
HN on my laptops, but I really should fix this once and for all.

~~~
ffpip
Without root, you have to depend on things like Local VPN (blockada, adaway)
or custom DNS (nextdns.io)

With root, use Adaway

~~~
SyneRyder
Ooh, I didn't think of the custom DNS option, and NextDNS looks like it might
be better than OpenDNS now. Thanks for the tip!

------
dominotw
Scribd needs to be brought to justice for all the copyrighted documents they
stole from the users.

What a shady group of people.

~~~
miki123211
What about Google? Archive.org?

~~~
roryokane
ScribD, unlike Google and The Internet Archive, charges you money to read and
download documents. ScribD doesn’t just distribute other people’s work, it
resells their work and keeps all of the profits.

------
fangorn
I just deleted my account, which I shouldn't have had, and I got an email
saying: "We send these emails to help you get the most out of SlideShare.".

Couldn't agree more, that's the most I got out of SlideShare.

------
sseneca
So, I just deleted my account.

15 minutes after I got confirmation of the deletion, I got a "sseneca, welcome
to SlideShare!" email, lol.

~~~
Swenrekcah
Yes, me too. Does this mean LinkedIn signed me up again? I want to believe
it's a bug but I don't want to click any links in there.

Update: The username is also obviously auto-generated from my name and not
something I would have ever used.

~~~
sseneca
This is what I think is happening.

Pressing "Sign in with LinkedIn" is deceitfully vague, and will create a new
account if you don't have one already. So I actually created an account and
then immediately deleted it afterwards, but their welcome email was delayed
for whatever reason.

Just to be sure, I pressed the "Sign in with LinkedIn" button again and it
made me an account again. I waited for the welcome email to come in, and then
deleted it once more. I hope that's enough.

~~~
user5994461
If you don't have an account, you shall get a popup from LinkedIn warning you
that you're about to sign up and share data with a third party service (a
standard oauth form you also see with Google/Facebook/GitHub auth).

If you get the popup, by all means, do NOT confirm or it will create an
account. Haven't heard of people getting the popup though, strong hint that
all users were magically autocreated.

~~~
sseneca
Yes I didn't get a popup either time so I'm assuming that LinkedIn, in their
infinite benevolence, automatically created an account for me.

------
cheeze
That's YC06 ScribD, no?

------
malisper
IANAL - I don't believe acquiring another company and the PII along with it is
necessarily a GDPR violation. Article 14 of GDPR[0] lays out the requirements
for what a company needs to do when a company acquires personal data, not
directly from the data subject. I believe this is what applies when a company
acquires another company. At first glance, it appears the email Scribd sent
does comply with most of article 14 such as:

    - They notified you they were acquiring your personal data.
    - They notified you that you are able to opt out.

The email _is_ missing a few things such as the legal basis for processing.
The email links to the privacy policy and an FAQ, which _might_ be enough to
provide that information. I'm not sure.

Since Scribd is not processing the data for a purpose other than what it was
collected for (they mention this in the email), continuing to process it for
the original purpose is ok. Presumably SlideShare complied with article 6 of
GDPR[1] and either asked for consent or used one of the other bases for
processing the data before the acquisition.

[0] [https://gdpr-info.eu/art-14-gdpr/](https://gdpr-info.eu/art-14-gdpr/)

[1] [https://gdpr-info.eu/art-6-gdpr/](https://gdpr-info.eu/art-6-gdpr/)

~~~
mnw21cam
> Since Scribd is not processing the data for a purpose other than what it was
> collected for

I disagree with that. Also, could you point out the bit in the email where it
says so.

If I sign up for LinkedIn and provide PII for that, then the purpose for which
the PII can be processed is in order to handle my interaction with LinkedIn.
If I signed up to LinkedIn before 2012, and LinkedIn bought Slideshare in
2012, then LinkedIn could only claim that my PII is still being processed for
its original purpose when used by Slideshare if Slideshare was made an
integral part of LinkedIn. If Slideshare is then sold to a third party, then
it definitely is _not_ an integral part of LinkedIn, and applying my PII in
its operation is not processing it for the purpose it was originally collected
for.

LinkedIn does not have the legal right to bundle my PII in its sale of
Slideshare to Scribd, and even if Scribd were to receive my PII, it would not
legally be able to use it.

------
caymanjim
I can't even sign in to SlideShare. "Login with LinkedIn" just returns to the
home page without logging in. Maybe they panicked that they were losing their
customer database and broke the site on purpose? The only thing anyone buys
companies for anymore is their user DB. The product itself is probably
worthless, so a mass exodus of users isn't something they want to see.

~~~
caymanjim
Followup: although the signup UI is broken, I received email welcoming me and
was able to delete the account afterwards (although the delete option was in
an unintuitive place in the settings). Not sure I even had an account to be
concerned with before that.

------
thewebcount
It wasn't obvious to me how to login to delete my account since I didn't ever
create one. For those who don't use social media, there's a "login with
LinkedIn" button above the email and password on the login form. I am blind to
these buttons because I don't have any type of account that allows this
usually. (I didn't even know LinkedIn offered it.)

Also, the workflow was utterly bizarre for me running on macOS Catalina in
Safari. I clicked on "Login with LinkedIn" and it opened a smaller window with
no address bar and asked for my LinkedIn credentials. I entered them and it
loaded LinkedIn in this small window. Was it supposed to go to SlideShare? I
went back to the SlideShare window and reloaded, but I still wasn't logged in,
despite what others here have reported. I had to go back to the login page, do
the whole thing again, then reload, and finally I was actually logged in. Very
very bad UX.

------
rswail
Well that made it easy to not only close my nonexistent Slideshare account,
but also my linkedin account.

Thanks for the reminder Scribd!

------
nottorp
> If you have a LinkedIn account, you were signed up to SlideShare
> automatically without your knowledge or consent.

This. If you have a linkedin account but never signed up to SlideShare go
delete your SlideShare account NOW.

~~~
harry8
why? To what end?

------
tchalla
The way to delete Slideshare account is Account Settings -> Change Password.
You see a small "Delete Account" button below.

------
user5994461
TL;DR Follow the instructions at the end of the article to opt-out of all your
personal information being transferred, before the company changes ownership
in the coming weeks.

~~~
voiper1
I had to click "Change Password" to find the delete option.

------
stjohnswarts
Thanks. This is the quality content I keep coming back for :D

------
arianvanp
This sounds like class-action material to me. Honestly disgusted by this YC-
backed company.

People are commenting they didn't get a notice. My current running theory is
that they only notified people in the EU due to GDPR.

~~~
vertis
I got a notice on Aug 15 (that I missed). My very old SlideShare account was
listed as being in Australia.

------
JumpCrisscross
Does this clearly violate California law?

------
a_imho
Basically every site is violating GDPR. Who cares? The EU does not.

~~~
asddubs
elaborate?

~~~
hansvm
Another comment mentioned dark patterns and opt-outs. Once they have your data
though they also refuse to respond to deletion requests and whatnot.

Even major companies without any reasonable price interest in PII like
Atlassian are guilty here. Their position is that if you've created an account
and they unilaterally give access control to the account to a third party then
since you aren't able to log in there's no way to verify your identity to
prove that it's you requesting the PII removal. Proof of identity like a
passport doesn't suffice, and proof of account ownership like login
credentials also does not suffice.

------
JumpCrisscross
Until the highest-level engineers who agreed to implement this are personally
held liable for some damages, we are unlikely to see change.

GDPR is a good amount of fluff. You can run laps around the competition and
stall serious consequences for years. Meanwhile, a well-meaning start-up can
shell out millions of dollars if an ornery national regulator decides they’re
their pet project. Fine if one has a multi-million dollar L&L budget, though.

~~~
luckylion
> Until the highest-level engineers who agreed to implement this are
> personally held liable for some damages, we are unlikely to see change.

No need, you just need to add fines that hurt _and_ enforce them. GDPR usually
doesn't ("we only want them to feel it a little bit, but it should not hurt").
Increase it so that a clear, intentional violation can actually bankrupt the
company and you'll not see them at the large scale. A small player might still
do it, but very few 100mm+ companies will risk it all and open themselves
individually to lawsuits from shareholders.

Google gets a 50mm fine here or there. Their revenue is 45bn. That's totally
worth it.

------
cm2012
What a silly title. Obviously if a company acquires another company they will
acquire the email contacts and accounts as well. And LinkedIn has the right to
connect accounts they own across their web properties.

The rest of the article is bottom tier conspiracy theory that this is a
stealthy way for LinkedIn to secretly sell all their PII. This is dumb for a
variety of reasons:

1) Linkedin makes all their money selling people ads and recruiting messages,
they lose this if they sell direct access to their users.

2) 500m emails sale value isn't worth jack shit to a company the size of
LI/Microsoft (see point 1).

~~~
guitarbill
The GDPR "obviously" doesn't allow this, and as the blog says, this is a
developer in London.

~~~
tssva
It is not obvious the GDPR doesn't allow this. Transfer of data during sale of
a business is allowed under the GDPR. Notification of a change in controller
is required but there is no opt-in requirement. If the deal is structured so
that it is a transfer of shares there is no need to even notify because the
controller is considered to be the same.

~~~
BlackFly
No, it seems pretty obvious.

Each use case of processing of personal information must satisfy the GDPR
necessary requirement or have a priori informed consent.

During merger of Scribd into LinkedIn, they can argue that it is necessary to
treat the databases as a single controller as a cost cutting measure. However,
if they are going to treat Scribd as a separate severable entity, then it
cannot be argued that it is necessary to process personal information into the
Scribd databases which going forward will only process data in a manner not
consented to.

If Scribd is not able to distinguish at that point original users that have
meaningfully consented to being processed by Scribd from LinkedIn users who
have not meaningfully consented to being processed, then they have no
meaningful consent at all and therefore no real lawful user data because not
knowing if a user has meaningfully consented or not is equivalent to not
having meaningful consent for that user.

The most similar scenario is when GDPR took effect and many companies
essentially had no meaningful consent for their userbase. During the grace
period between GDPR taking effect and GDPR fines being enforceable, companies
contacted their userbase to acquire consent and the diligent companies
destroyed the user records of the users that did not contact them back since
meaningful consent cannot be opt out. Of course, many companies were not
diligent and held onto user records nevertheless and are waiting to see if
they will have to pay the piper or not.

This is easily distinct from change of a controller when the new controller
will continue the business: consent to have data processed in a particular way
was acquired. In this case the separated entity will process data in a manner
which was not consented to. Unless Scribd is somehow going to try to convince
recruiters to use their service to find users who are going to manicure CV
like profiles, which is more or less what LinkedIn users consent to.

~~~
tssva
But at least at this point Scribd has announced that they intend to run
Slideshare as a separate entity and the database will not be integrated with
the Scribd database.

~~~
nottorp
But every Linkedin user was signed up to SlideShare automatically.

