
Ask HN: Is Hacker News GDPR Compliant? - thotaway
Just wondering.
======
gelo
You could answer this by answering: Does Hacker News store personally
identifiable information? Well: 1. Hacker News has no interest in personal
information with regards to its news feed, 2. How does having an email address
on your account change things?

Things get ambiguous when account names are a person's real name, same for the
email address. IP Addresses are also ambiguous because of their topical use.

Hacker News may log IP Addresses but there is an argument where these IP
Addresses can be "traced". Trouble is an IP Address is PUBLICLY identifiable
information. It can be viewed easily and there is no real correlative
relationship between IP and person.

An argument can stand to say "Hang on, I'm sending this message to Hacker News
website via my mobile phone, that has an IP Address mapped to my device,
therefore indirectly my IMEI device number is mapped to an IP Address where
that IMEI number is mapped to an IMSI number on a SIM card which could be
linked to subscriber contract details".

Yes true, but that IP Address is from a pool of addresses assigned to that
mobile device via the connection provider. It changes based on DHCP Leasing
rules.

Passwords are not personally identifiable information. HOWEVER, Hacker News
still has a responsibility to protect that information.

------
jacquesm
If it isn't it is pretty close. No JS includes, they use Cloudflare which has
gone out of their way to be GDPR compliant, you have full control over your
profile and the moderators have so far complied with any reasonable request I
have ever made. On top of that there is an easy way to export your data
through several services.

What specifically would trigger you to wonder?

~~~
krapp
You don't have full control over your profile. You can't download a copy of
your entire posting history, you can't edit or delete comments after a
certain window, you can't edit your username, and you can't delete your
account. Full control over your profile would allow you to do all of those
things without needing to contact a moderator or use a third party service.

~~~
jacquesm
> You don't have full control over your profile.

Well, I do.

> You can't download a copy of your entire posting history

Yes you can.

[http://hn.algolia.com/api/v1/search?query=author_:krapp](http://hn.algolia.com/api/v1/search?query=author_:krapp)

> You can't edit or delete comments after a certain window

Yes you can, just not automated. You could mail the moderators with a request.

> You can't edit your username

Why would you, that's your HN identity, not your identity in real life. You
ascribe more power to the GDPR than it has.

> you can't delete your account

Have you tried mailing the moderators to ask them to delete your account?

> Full control over your profile would allow you to do all of those things
> without needing to contact a moderator or use a third party service.

No, the GDPR does not say anything about the company having to automate these
things, only that there should be _some_ way to do them. On HN the moderators
are in charge of those things. So if you really want to delete your account
feel free to contact the moderators. And the GDPR also does not forbid the
company from engaging a third party to export the data (though, funny enough,
that third party would have to have a DPA with the company).

~~~
krapp
>> You can't download a copy of your entire posting history
> Yes you can.

Fair enough - I wasn't aware of that.

>> You can't edit or delete comments after a certain window
> Yes you can, just not automated. You could mail the moderators with a
> request.

So... no, _you_ can't. _they_ can, if _they_ decide to honor your request when
you ask them, or _they_ might not.

>> You can't edit your username
> Why would you, that's your HN identity, not your identity in real life. You
> ascribe more power to the GDPR than it has.

Some people's usernames are their real names, which makes them personally
identifiable information. Other people's usernames appear to be the result of
them banging on the keyboard, or a 'throwaway_X' account that they've been
using for several years, or a contextual reference for a specific thread that
no longer applies to anything. Why should users be forced to keep that
arbitrary string in place if everything else can be edited or deleted?

I can change my public facing email, I can change the profile text, I can even
change the color of the top bar, I can ask to have comments deleted, why can't
I change my username?

> No, the GDPR does not say anything about the company having to automate these
> things, only that there should be some way to do them.

Fair enough. I think they should be automated, though..

~~~
jacquesm
> I think they should be automated, though..

I agree. But that's mostly a convenience, and if the number of requests is low
enough then you could do it by hand.

With reocities.com I did a hybrid approach, I did allow people to make the
deletion requests in an automated way but then I still manually reviewed them.
The reason is that there the link between the accounts and the users did not
make it when we backed up as much of Geocities as we could, so to avoid people
requesting the deletion of other people's data or pranksters that would
request 1000's of accounts to be deleted we needed an extra step for
verification.

------
rdlecler1
It looks like they updated their privacy policy but I didn’t see mention that
they assigned an EU representative so. It entirely.

~~~
jacquesm
I'd be honored to supply that service, for free.

