
Instapaper is temporarily shutting off access for European users due to GDPR - anotherevan
https://www.theverge.com/2018/5/23/17387146/instapaper-gdpr-europe-access-shut-down-privacy-changes
======
bthdonohue
Hey all – Brian from Instapaper here. We worked really hard to try to avoid a
service interruption in the EU, but unfortunately we were unable to. We
continue to work hard to ensure that the service interruption is as brief as
possible.

Let me know if you have any questions...

~~~
princekolt
You know that you're still liable for European customers' data, even if you're
offline, right? Going offline won't change anything. You can't effectively
grab the database and run away.

~~~
dmix
It still seems like the safest option given the massive risk this legislation
is exposing companies. Especially low margin per user businesses like
Instapaper. From The Verge:

> because it’s not entirely clear right now what information residents will
> request, what format that information needs to be in, how to locate it and
> package it, and whether new infrastructure needs to be created to manage
> this request pipeline.

So in the meantime they can at least stop the flow of new data from the EU
into their system until they are 'compliant' and have systems in place to deal
with the existing large amount of EU users/data they already have.

It makes sense to me to be cautious here, plus it has the dual benefit of
drawing attention to the real costs/risks the bill has on smaller firms
without teams of lawyers and internal human resources (developers, CSRs) to
deal with the new obligations imposed on them.

~~~
Hamuko
> It still seems like the safest option given the massive risk this legislation
> is exposing companies.

The safest option was actually to comply with the GDPR during the two years it
has been in force now. I refuse to believe that the changes required were
impossible to perform in two years.

I'd love to know when exactly did Instapaper start looking into the GDPR.

~~~
dmix
The founder has said that he underestimated the amount of work it was going to
take. Anyone who has ever worked on software knows how this stuff happens. You
don't truly know how long something is going to take until you dig into the
hairy details of implementation.

Plus there are still tons of unknown variables at play with GDPR... even among
companies who did spend sufficient time beforehand, as I quoted from the
article above. So additionally, the non-obvious requirements further make the
underestimation make sense.

~~~
greedo
Marco Arment is the founder of Instapaper. He sold it after building it into
one of the first successful iOS applications/services.

------
Fradow
Obviously, IANAL, but my company talked to a few over the past week.

This move is, in my opinion, a bad read on the odds and European culture.

First, culture. The goal (at least in France, but that's probably the same in
other countries) is to get you in compliance, NOT to fine you. What this means
is that before you get lawsuits and fines, someone will talk to you and work
with you to see how you can get compliant.

Second, the odds. Unless you are a big company that thrives on GDPR violations
(doesn't seem to me Instapaper is one, but I could be mistaken as I never used
the service), you aren't likely to be targeted before a while, at least until
a big case is done and over (let's take the odds Facebook is first).

Third, the delay. While the GDPR takes effect tomorrow, you have a grace
period of a year for part of it (for example, getting consent for newsletter).
I would really be surprised if enforcement starts tomorrow.

Well, at least that's my read on the situation. And that's how I intend to do
it: pro-actively work into getting in compliance without rushing it too much,
and handle things properly as they come.

~~~
nemothekid
> _Well, at least that's my read on the situation. And that's how I intend to
> do it: pro-actively work into getting in compliance without rushing it too
> much, and handle things properly as they come._

A lot of the responses to the GDPR shutdowns have been like this - "you don't
need to shut down, because you won't be fined yet."

But I have to ask, isn't shutting down a better alternative to knowingly
breaking the law? Whether the fine is $2 or $20M, shouldn't following the law
be most important?

~~~
hobbe80
Problem is - a shutdown doesn't really make any difference. Dropping the data
would make a difference, but just shutting down access could potentially (very
unlikely though) mean additional infractions - the customers' requests for
data access, corrections, removals etc. still need to be handled, and this
could be seen as an attempt to skirt those rights.

~~~
donarb
I would say that a shutdown essentially freezes the data and prevents it from
being used internally, hacked, misused, disseminated, etc. For all intents and
purposes, at the moment it doesn't exist. Once they believe they are back in
compliance with the law, it will be "unfrozen" and users will be able to
retrieve their data or opt-out completely by cancelling their accounts.

And who's to say that Instapaper did not contact the authorities and discuss a
plan such as this to mitigate the problem temporarily?

~~~
chopin
> And who's to say that Instapaper did not contact the authorities and discuss
> a plan such as this to mitigate the problem temporarily?

If that's the case, why can't they simply tell this?

I side with the GP: Preventing access doesn't absolve you from complying with
the law.

~~~
taysic
Does GDPR make it illegal to shut a site down for a period of time? While they
are shut down, what could be noticeable that they are not complying with?

~~~
kungtotte
GDPR doesn't care about your site, it cares about user data.

The big thing with shutting the site down is it might make it impossible for
users to request information about their data and/or request to have it
deleted. That would violate the GDPR and could land the site in trouble.

------
mstolpm
Asked a lawyer: If Instapaper doesn't delete the data from its EU users
tomorrow, all the rules of the GDPR might still fall on their head. Most
likely, they are then storing EU user data without given consent and have to
follow all the requests about data storage, use, deletion and so on. Denying
service without data deletion is not an option.

~~~
dejv
Also: how are they going to decide who is an EU user? GDPR applies to all EU
citizens living abroad.

~~~
BlackFly
GDPR applies to data processors in the EU or for data subjects in the EU.
Citizenship is irrelevant.

~~~
dejv
It might not be. But those fall into a weird space and we will see how things
are going to be played out in practice. I still think they have to conform to
GDPR, especially having prior data on EU users and involvement of parent
company.

~~~
jkaplowitz
There are many unclear things in the GDPR, but the relevance of citizenship is
not among them: Nothing in the text of the GDPR or any official guidance
mentions citizenship or nationality.

The only sources which do mention those are informal and imprecise third-party
summaries. But yes, this mistake has been spread widely.

The more precise compliance guides from, say, European law firms don't mention
citizenship or nationality either.

------
chewz
My impression is that Instapaper team is terribly understaffed and probably
lost control over its code base. They had changed hands twice over the years
(Betaworks (Digg) 2013 and Pinterest 2016) with practically zero changes in
code or the app. Zero progress, zero updates. That says something.

And the instapaper.com when downloading is sharing data with third parties
like there is no tomorrow. Simply it is downloading a lot of crap from
original sites (images etc.) which could be used for tracking - no way they
could be compliant with GDPR and let user decide which third parties to share
data with.

~~~
bthdonohue
Hey – Brian from Instapaper here. I've been at Instapaper since the betaworks
acquisition in 2013, so I have a lot of context here.

We've made tons of progress since I joined, redesigning the apps, websites,
launching highlights, rebooting our business model, text-to-speech, speed
reading, re-writing our parser, re-building our full-text search engine. The
list goes on.

We currently don't have an image proxy for Instapaper, so yes when you visit
the site we load the original images. We have discussed adding an image proxy
but felt it would be a lot of overhead in server costs and maintenance for
minimal value.

Additionally, I'm not sure it's fair to represent that fetching images from
the original sources that a user saved is tantamount to sharing data with
third parties, which has a different set of implications.

~~~
chewz
Of course, that was just my impression and not really an accusation based on
facts. I apologize if I got it wrong.

I actually liked it that way, that Instapaper stays the same and reliable
while others feel the urge to 'innovate', giving their loyal users only trouble.
Scripts that I have written years ago for uploading articles still work and
Instapaper is still my Read-It-Later of choice.

As for images - I had to accept that Instapaper works that way - but always
had been a little annoyed that it is possible to turn off images but that's not
a persistent option.

------
pfg
> But because the fines are so steep — violating GDPR will cost a company 4
> percent of its global turnover or $20 million, whichever is larger — no one
> really wants to be caught non-compliant.

Can everyone just stop repeating this, pretty please? That is the _maximum_
penalty. You'd have to try really, really hard to get that kind of penalty.
For minor transgressions, you're likely to get away with a reprimand.

~~~
freeone3000
Why would a government impose anything other than the maximum?

~~~
marvin
Because the regulation is meant to enforce lawful behavior, not make the
government richer. If they break out the maximum penalty for a minor
violation, it will _obviously_ stifle business and cause economic harm to the
EU.

But they do need a credible threat to really punish wilful disregard of the
law, for companies that profit from breaking the rules. We see how well it
works when the fine costs less than the profits from breaking the rules. The
EU is making sure that this will not be the case for the GDPR.

~~~
ars
Is what you say actually written into the law, or is it left up to the
discretion of the enforcer?

Because I'm sure EU companies will be given lots of leeway, but non EU
companies will not, and no one wants to be the example.

~~~
stordoff
Fines must be "effective, proportionate and dissuasive", and there are various
factors that the authorities must take into consideration. If you feel they
_haven't_ taken the relevant factors into account, you can take it to the
courts (especially if there is a history of fining non-EU companies more, as
that would suggest they are taking irrelevant factors into consideration).

[https://gdpr-info.eu/art-83-gdpr/](https://gdpr-info.eu/art-83-gdpr/)

~~~
ars
Um, those three words "effective, proportionate and dissuasive" together mean
"as high as possible".

So yah, people are right to block the EU first, and figure out the details
later.

~~~
orf
> Um, those three words "effective, proportionate and dissuasive" together
> mean "as high as possible".

No they absolutely do not.

~~~
ars
Really? "effective" = large amount, so company won't do it again,
"proportionate" = relative to revenue, "dissuasive" = make them an example so
no one else will dare.

I bet you are going to tell me proportionate somehow makes it all better, but
for companies that make money this way, the amount of money they make this way
in proportion to their income is basically all of it.

So you can bet regulators will go for the full amount.

No company in their right mind is going to rely on the mercy of an EU court
toward a non-EU company.

~~~
stordoff
> "effective" = large amount, so company won't do it again

Generally true, but it should be read with proportionate as meaning as large
as necessary to be effective -- if a warning is sufficient to ensure
compliance, then the effective clause suggests a fine is NOT warranted.

> "proportionate" = relative to revenue

_Absolutely_ not - proportionate to the _infringement_. There is no other
reading that makes sense here.

> "dissuasive" = make them an example so no one else will dare.

Dissuasive also encompasses encouraging companies to cooperate with regulators
and make a best effort to comply. If they are going to get the maximum fine
for a minor breach, even if they made a full effort to comply and merely
overlooked something, they are _not_ dissuaded from ignoring the GDPR in its
entirety.

> So you can bet regulators will go for the full amount.

Certainly not. Going for the full amount, regardless of the circumstances and
ignoring the factors they MUST consider, is going to result in the fines being
overturned by the courts, which undermines their position, doesn't fulfill the
purpose of the fine (if the company successfully challenges it), and doesn't
fulfill the aims of the GDPR. Ignoring the law to go for the maximum fine
would be a terrible decision for a regulator to make, and you can look at the
history of enforcement of the DPD to see that regulators _don't_ generally go
for the maximum fine.

------
relics443
I'm still struggling with the fact that the EU can compel me to add what will
be a funnel shattering dialog to my onboarding.

I've shelved a bunch of side projects that I was excited to work on because I
have no interest in dealing with any of this ambiguous law. Implementing it
would most likely cause a large percentage of users to uninstall my app,
because who wants to be greeted with a scary sounding dialog as their first
experience in an app. I know many folks here are privacy oriented, but unless
this tiny slice of the population is willing to fund my app, I have 0 interest
in pandering to them vs the majority of users that would get scared away by
it.

I know that there's an almost 0% chance of any repercussion for not being
compliant in a tiny app that'll probably never get anywhere, but I'm just so
sickened by this whole thing that I don't want to deal with any of it.

~~~
ewretgg
If you were going to make apps that didn't safeguard the users' data, and this
law deterred you from doing so, then the law is working as intended.

~~~
drusepth
I think it's pretty easy to argue that such an intent could be described as
"stifling innovation", if it's preventing people from trying new things
because of the overhead associated with an impact analysis and continued
maintenance of e.g. responding to data requests indefinitely.

~~~
hekfu
I agree, we should also get rid of copyright and property laws in the name of
not "stifling innovation". It is absolutely ridiculous that I can't just walk
into people's homes and install my 'adtreckr' eye tracking cameras on their
TVs, even though that has the potential to revolutionise the amount of
engagement and make sure that they only receive the most engaging, most
relevant ads for their tastes. /s

Less satirically, you are free to innovate by coming up with new tech, then
selling to people who care enough to deal with regulations. The 'stifling
innovation' copout is so utterly overused by people who want to ignore
negative externalities like pollution or the surveillance state we are
building up. I am starting to think of it as a type of rent seeking: "I am
currently in the privileged situation of having the technology and network
effect necessary to exploit this unguarded treasure of X without dealing with
the fallout. Please don't pass any regulation requiring me to actually pay my
dues"

~~~
drusepth
I think there's a very specific motivator behind people who build tech with
the intent to sell, and that motivator doesn't cover every reason behind other
people who build tech. If I want to start a project and think, "cool, if this
works out, I'll sell it 6 months from now so it can actually do cool stuff",
I'm just not going to work on that project at all.

Honestly though, I would _love_ to live in a world where you could walk into
my home and install your 'adtreckr' eye tracking cameras on my TV. What you're
describing is "trust", and I think the amount of it that each person has (for
people in general, but also for companies) is a big influence in how they view
GDPR (and other regulations that some might argue are unnecessary). Obviously,
we're very far away from that world, so this isn't consent for you to come
waltzing into my home in the near future. :)

In my eyes, the satirical representation of what's happening here (from a
consumer's point of view) is me placing an order for your awesome new eye
tracking cameras, looking forward to the delivery and installation, and then
seeing delays and delays as you repeatedly come back with, "well, are you sure
you want this? are you sure I can enter your home? are you sure I can touch
your TV? are you sure I can modify your TV?" I signed up, I paid for it, I
told you I want it, just do whatever you need to do to give me it.

From a business POV, I already treat user data with utmost regard, and my
users know that. Similarly, I trust that the companies I willingly give my
data to do the same. There are probably some bad actors in the mix, but I
doubt they're going to bother with compliance anyway. Having to go out of my
way to prove that data trust is there to a third party completely uninvolved
with the contract I have with my users, and to spend hours and hours
implementing new workflows and pipelines for out of scope functionality that
needs to be maintained indefinitely -- this is not good for a business. It's
bad for small businesses because it sucks up time, money, and other resources,
and it's bad for big businesses because it opens up such a huge area for
litigating non-issues. It might have some value to users, as I said elsewhere,
but it's a heavy-handed regulation that is too overreaching in its
implementation, in my personal opinion.

~~~
hekfu
> Honestly though, I would _love_ to live in a world where you could walk into
> my home and install your 'adtreckr' eye tracking cameras on my TV. What
> you're describing is "trust", and I think the amount of it that each person
> has (for people in general, but also for companies) is a big influence in
> how they view GDPR (and other regulations that some might argue are
> unnecessary). Obviously, we're very far away from that world, so this isn't
> consent for you to come waltzing into my home in the near future. :)

Anarchy is always ruined by all those people! (I'm a big fan of trust, and not
a big fan of Hayek, but Hayek had an insight when he talked about the micro and
the macro cosmos. People are too diverse for us to rely on "trust" to solve
things; we need agreed-on official rules.)

> In my eyes, the satirical representation of what's happening here (from a
> consumer's point of view) is me placing an order for your awesome new eye
> tracking cameras, looking forward to the delivery and installation, and then
> seeing delays and delays as you repeatedly come back with, "well, are you
> sure you want this? are you sure I can enter your home? are you sure I can
> touch your TV? are you sure I can modify your TV?" I signed up, I paid for
> it, I told you I want it, just do whatever you need to do to give me it.

No. If you opt into buying my camera, since it is explicitly necessary to do
all of that stuff, the consent is given as part of the buying contract. I just
need to clearly state and explain that. If you had to gain access to Facebook or
Instapaper via a huge opt in order form (let's say a pop-up detailing exactly
what happens to your data), then it is equivalent...and that is exactly what
GDPR requires

> From a business POV, I already treat user data with utmost regard, and my
> users know that. Similarly, I trust that the companies I willingly give my
> data to do the same. There are probably some bad actors in the mix, but I
> doubt they're going to bother with compliance anyway. Having to go out of my
> way to prove that data trust is there to a third party completely uninvolved
> with the contract I have with my users, and to spend hours and hours
> implementing new workflows and pipelines for out of scope functionality that
> needs to be maintained indefinitely -- this is not good for a business. It's
> bad for small businesses because it sucks up time, money, and other
> resources, and it's bad for big businesses because it opens up such a huge
> area for litigating non-issues. It might have some value to users, as I said
> elsewhere, but it's a heavy-handed regulation that is too overreaching in
> its implementation, in my personal opinion.

If you already do everything that is commonsense data protection, which is the
bulk of what is required by GDPR, then all you have to do is document that. If
you cannot guarantee that the data is not shared, then the third party isn't
uninvolved in the contract you do with your users.

Honestly, think of my data as something I own, like my house or my car, and
GDPR becomes easy. Think of it as something you "create" by tracking me on
your site, and your point of view becomes easier. I like my world better

~~~
wilsonnb
I have a hard time seeing any justification for your view. Why would you own
data about yourself? Do you own your name? Do you own the fact that you went
to taco bell for dinner last night? Can you sue someone else for knowing you
went to taco bell last night? Should it be a crime for someone who knows your
name to tell someone else your name? What if they do it for money?

"Owning" data about yourself is a very strange concept to me.

------
Grue3
Jesus christ, these cookie warnings are getting out of control. I'm not in EU,
stop blocking half of my screen with them!

~~~
nicky0
Those of us in the EU hate them too.

~~~
drusepth
I wonder why someone hasn't created a browser extension to just automatically
accept them, yet.

~~~
a3_nm
Because AFAIK there's no standard way to identify them because each website
comes up with its own design...

This is all rather silly, given that the choice to allow/refuse cookies, and
the prompt, could have been better implemented at the level of the Web
browser...

~~~
guitarbill
Like Do Not Track (DNT)? Oh, wait, that exists, and almost all companies
ignore it.

~~~
a3_nm
The cookie warnings are about refusing cookies, which is something that is
completely up to the Web browser.

Specifically, Web browsers could warn when a website sets a cookie and ask for
user consent before storing it (and if the user does not consent then the
website becomes unavailable).

------
rollulus
How does shutting down fix GDPR issues? Does all user data magically disappear
by shutting down?

~~~
latk
It doesn't. But if you notice you might be doing something illegal, it's a
great first step towards compliance to stop doing _more_ of it.

Here, Instapaper is likely not misusing user data, but has to catch up on
compliance documentation and small details (e.g. signing data processing
agreements with services they use, raising the age limit from 13 to 16, …)

~~~
linker3000
Um, no - The GDPR treats the simple act of storing personal data as
'processing', so turning off the service while still keeping the data resolves
nothing. It doesn't even matter if you take the data offline, or temporarily
obfuscate it.

~~~
taysic
But what would you be violating exactly? How could those violations be
detected? It seems if the EU is so generous in not wanting to fine you and
walking you through the process, then shutting down would look like a
reasonable thing to do if you are still attempting to comply.

~~~
Hamuko
> How could those violations be detected?

You can tip off the regulators if you believe that there is a violation and
they will then investigate it.

Instapaper is giving a pretty good reason to be suspicious.

~~~
taysic
What would be in violation exactly? Not clear on this. How would regulators
investigate? Do they require full access to your database/backend?

------
telson
They had years to prepare for that. I don't feel comfortable with them not
being ready. Time to move to Pocket.

------
cconstantin
I'm sad to see that as I am an avid Instapaper user living in EU. The whole
GDPR issue caused a lot of changes and friction, but hopefully that's a good
thing in the long term.

------
msh
One day's notice, pretty shitty treatment of customers.

------
protomyth
A general question for the GDPR experts: If user A does a request of their
data and user B added a page to their Instapaper account that had user A listed,
does that page have to be included in the response to user A?

------
snissn
Cloudflare needs a feature that lets you ban all EU IPs

~~~
jarito
They do. You can do that with their WAF (and maybe without it).

[https://www.cloudflare.com/waf/](https://www.cloudflare.com/waf/)

------
j16sdiz
Not-So-Related question: How can I shut off access for European user to my
service?

Blocking IPs? Ask if they are European? What if they lie? What if they become
a European citizen later but fail to notify me?

------
ahoka
Maybe The Verge should sweep around its own door:
[https://imgur.com/a/0r28SZb](https://imgur.com/a/0r28SZb)

~~~
merlish
Yes - but never mind the requests, what's up with that "GDPR bar"? Where's the
'No, I do not want you to do this' button?

~~~
merlish
Ah, never mind! It's a simple 56-step opt out process:

[https://www.voxmedia.com/pages/cookie-policy#your-cookie-cho...](https://www.voxmedia.com/pages/cookie-policy#your-cookie-choices-and-how-to-opt-out)

------
mike
If anyone is looking to export a list of their saved pages the links for this
are on the Settings page:
[https://www.instapaper.com/user](https://www.instapaper.com/user)

A list of all saved pages in all folders can be downloaded in CSV or HTML.

------
dejv
What are good alternatives to Instapaper? There is Pocket, any other
recommendations?

Maybe it is also time for somebody to create a new app, as tiny side apps owned
by corporations seem to be sunsetted sooner or later.

~~~
tobltobs
Creating new apps has just become more effort, while monetization options have
become more difficult.

~~~
danieldk
So? Profit maximization of the developer is not the only thing that matters,
users deserve to be protected as well.

Applications have become terrible in this respect. I use Little Snitch and see
many _paid_ applications report to Google Analytics. I don’t want the
developer to know how often and how I use the application, let alone Google.

Technical users know how to use an application firewall, uBlock or uMatrix.
But the average user was robbed of their privacy without them even knowing,
let alone having any choice. The GDPR finally corrects this.

~~~
freeone3000
Google Analytics isn't usually used as a revenue stream, but instead for
analytics and telemetry.

~~~
danieldk
One motivation for doing analytics/telemetry is being able to set optimal
price points, etc.

For example, if 80% of your user population uses your app daily, it is more
attractive to switch to a subscription model than if most people use it very
irregularly.

~~~
tobltobs
Oh my god, that sounds like capitalism.

------
ksec
Theoretical question: if I am a startup now and have a global audience, does
that mean I need to enforce GDPR from the get go? Or is there a time limit
before I have to comply?

------
apazgo
For people living outside of EU, this should scare you, Instapaper are unable
to take care of your personal data...

------
favadi
I could not find Instapaper addon for firefox anymore, is it somewhat related
to this news?

------
mstolpm
This is a terrible move. They had effectively years to prepare for the GDPR
and they already have some sort of rudimentary export and delete options.

This step removes all the trust in Instapaper that I had in the past: They
either are mismanaged or are not willing to tell the users what data they are
collecting and how they use and monetize this data. And it should worry all
users, not only users from the EU.

~~~
wutbrodo
> They either are mismanaged or are not willing to tell the users what data
> they are collecting and how they use and monetize this data. And it should
> worry all users, not only users from the EU.

I don't know a ton about GDPR, but the article makes it look like it has less
to do with Instapaper (aside from risk tolerance) and more to do with the
ambiguity of the law. Some relevant quotes:

> it’s more than likely to be the GDPR’s data subject access request, which
> allows any EU resident to request any and all data collected and stored
> about them. As The Verge reported yesterday, that’s causing companies
> trouble because it’s not entirely clear right now what information residents
> will request, what format that information needs to be in, how to locate it
> and package it, and whether new infrastructure needs to be created to manage
> this request pipeline. Personal info is a somewhat nebulous concept, and the
> fact that experts are describing the GDPR as “staggeringly complex” is not
> making it easy to cover all the bases.

> It’s clear that few companies, if any, will be 100 percent compliant when
> the law goes into effect. But because the fines are so steep — violating
> GDPR will cost a company 4 percent of its global turnover or $20 million,
> whichever is larger — no one really wants to be caught non-compliant. So
> that’s why companies are rushing and, in the case of Instapaper, literally
> shutting down.

~~~
raverbashing
> it’s not entirely clear right now what information residents will request,

If they ask for something specific in an informal way, that can be provided

But from the GDPR's data portability point of view, it's everything that's
linked to the account. Export your Facebook data for a good example of this.

HN example: it would be the information in your profile, the links/text you
submitted (but not the content of the link itself), the comments (the comment
IDs) you upvoted, stories flagged/upvoted (for the length of time this is
kept, for example, if after a while user ids that upvoted a comment are erased
and only the score is kept, that's fine) and maybe some other background
information (for example: password hashes/access logs/etc)

> what format that information needs to be in,

Machine readable format. HTML/XML/JSON is fine.

> how to locate it and package it, and whether new infrastructure needs to be
> created to manage this request pipeline.

Well that's not the problem of the law, is it?

You know your data scheme. You know whether you can run this in your existing
infrastructure or not.

    
    
        for TABLE in YOUR_TABLES
            SELECT * FROM TABLE WHERE UserID = $user_id;
        end for
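
The per-table loop sketched in the comment above, written out as an added example (not code from the thread or from Instapaper): it finds every table that carries a user-ID column, selects only that user's rows with a bound parameter, and packages the result as JSON. The schema, the column name `user_id` and all sample rows are constructed for illustration.

```python
import json
import sqlite3

USER_COLUMN = "user_id"  # assumed name of the column linking a row to an account


def build_sample_db():
    """Constructed sample schema and rows; not any real service's data model."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE profiles   (user_id INTEGER, email TEXT, created TEXT);
        CREATE TABLE bookmarks  (id INTEGER PRIMARY KEY, user_id INTEGER,
                                 url TEXT, saved_at TEXT);
        CREATE TABLE highlights (id INTEGER PRIMARY KEY, user_id INTEGER,
                                 bookmark_id INTEGER, text TEXT);
        CREATE TABLE site_stats (day TEXT, page_views INTEGER);  -- no user column
        INSERT INTO profiles VALUES
            (1, 'alice@example.org', '2015-03-01'),
            (2, 'bob@example.org',   '2016-07-09');
        INSERT INTO bookmarks VALUES
            (1, 1, 'https://example.org/a', '2018-05-01'),
            (2, 1, 'https://example.org/b', '2018-05-02'),
            (3, 2, 'https://example.org/c', '2018-05-03');
        INSERT INTO highlights VALUES
            (1, 1, 1, 'constructed highlight'),
            (2, 2, 3, 'another constructed highlight');
        INSERT INTO site_stats VALUES ('2018-05-23', 1000);
    """)
    return db


def quote_ident(name):
    """Quote an SQL identifier so an odd table name cannot break the statement."""
    return '"' + name.replace('"', '""') + '"'


def tables_with_user_column(db):
    """Return the tables whose schema contains USER_COLUMN.

    Names are read from the database catalogue, never from the request, so
    the requester has no influence on which identifiers reach the SQL text.
    """
    names = [row[0] for row in db.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    found = []
    for name in names:
        columns = [col[1] for col in
                   db.execute(f"PRAGMA table_info({quote_ident(name)})")]
        if USER_COLUMN in columns:
            found.append(name)
    return sorted(found)


def export_user_data(db, user_id):
    """Collect every row linked to user_id, grouped by table."""
    export = {"user_id": user_id, "tables": {}}
    for table in tables_with_user_column(db):
        cur = db.execute(
            f"SELECT * FROM {quote_ident(table)} "
            f"WHERE {quote_ident(USER_COLUMN)} = ?",
            (user_id,),  # bound parameter: the requested ID is data, not SQL
        )
        columns = [d[0] for d in cur.description]
        export["tables"][table] = [dict(zip(columns, row)) for row in cur]
    return export


def to_json(export):
    """Serialize the export in a machine-readable, stable form."""
    return json.dumps(export, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(to_json(export_user_data(build_sample_db(), 1)))
```

Tables without the user column (here `site_stats`) are skipped, and an unknown user ID yields empty lists rather than an error.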

~~~
kodablah
From the HN example, does this include other comments that referenced my
username? What about comments that might have linked to my GitHub profile?
What if there are server logs that include my IP and a time which can
correlate to when I posted a comment or something? What about this information
on Algolia, must I contact them separately? Also, I wasn't aware...I can ask
for my password hash? Can I request all of this information be deleted?
(genuine questions btw assuming I were in the EU, not trolling)

~~~
raverbashing
Starting from the end

> Can I request all of this information be deleted?

Yes, the ones that are on HN. I'm not sure how it works for 3rd parties that
obtain your data

> does this include other comments that referenced my username?

I don't think so, this is unlikely, especially as you didn't create it and HN
doesn't link this (as opposed to reddit)

> What about comments that might have linked to my GitHub profile?

I'd say that being required is even less likely as HN has no way of knowing
what's your GH profile

GDPR is what they _know_ about you. If they're actively trying to link pasted
GH profiles and usernames then this would apply, otherwise no.

> What if there are server logs that include my IP and a time which can
> correlate to when I posted a comment or something?

That thing with IPs being PII I'd say this would apply, but then again, this
doesn't bring any new information.

So if they keep track of users' access times then yes, but if this information
is rotated, sent to /dev/null then no.

You're not obligated to connect all the dots, or track user login times. That
being said, IP (especially + times) are PII so better anonymize it and discard
once not needed.
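
One way to do the anonymize-and-discard step from the comment above, as an added example that is not from the thread: client addresses in an access log are truncated (IPv4 to /24, IPv6 to /48) and entries older than a retention window are dropped. The log format, the prefix lengths and the 30-day window are assumptions chosen for illustration, and the sample lines are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)   # assumed retention window
V4_PREFIX, V6_PREFIX = 24, 48    # assumed truncation lengths

# Constructed sample lines: "<ISO-8601 timestamp> <client IP> <request>"
SAMPLE_LOG = [
    "2018-05-20T10:15:00+00:00 203.0.113.77 GET /u/42",
    "2018-03-01T08:00:00+00:00 198.51.100.9 GET /login",
    "2018-05-23T23:59:10+00:00 2001:db8:abcd:12:1:2:3:4 POST /save",
    "2018-05-22T12:00:00+00:00 not-an-ip GET /",
]


def anonymize_ip(text):
    """Zero the host bits of an address; return None if it does not parse."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def scrub_log(lines, now):
    """Return the lines still inside RETENTION, with client IPs truncated."""
    kept = []
    for line in lines:
        try:
            stamp, ip, rest = line.split(" ", 2)
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # unparseable line: drop it rather than keep raw data
        if now - when > RETENTION:
            continue  # past retention: discard
        # An unparseable address field is replaced, never passed through as-is.
        kept.append(f"{stamp} {anonymize_ip(ip) or '-'} {rest}")
    return kept


if __name__ == "__main__":
    reference = datetime(2018, 5, 24, tzinfo=timezone.utc)
    for entry in scrub_log(SAMPLE_LOG, reference):
        print(entry)
```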

------
pmarin
_that’s causing companies trouble because it’s not entirely clear right now
what information residents will request, what format that information needs to
be in, how to locate it and package it, and whether new infrastructure needs
to be created to manage this request pipeline. Personal info is a somewhat
nebulous concept, and the fact that experts are describing the GDPR as
“staggeringly complex” is not making it easy to cover all the bases. (Granted,
companies have had two years to prepare for this.)_

That is bollocks. The most stupid excuse I have ever read.

