Not sure how I feel about this one. I think it's a nice gesture to respect someone's wishes to delete their contributions regardless of the technical fact of external archives etc.
While I mostly agree with what he said, I think there are some things they could do to give users more control without "gutting" threads.
1. Allow accounts to be deleted, with all of their comments and submissions reverting to a [deleted] author.
2. If conversations require author continuity, anonymize the author per-thread to something like the Google docs anonymous usernames
3. Include a deletion request with clear guidelines for reasons why something can be deleted.
Of course they won't do these things because 1) it's only two people and these features will require development and maintenance 2) an opaque and uncertain process ensures that they'll only receive requests in the most necessary cases 3) people might think more about what they write if they can't easily take it back
What they could really do is add a warning to the account creation, submission and comment forms telling users that their submissions are not retractable past the grace period.
It’s often the easiest way to comply with GDPR just to allow any of your users to rage quit and delete all their stuff. That way you don’t run afoul of the EC if you accidentally mis-identify an EU citizen as not being from the EU.
EC doesn’t care about conversation continuity.
There are many questions going back on HN itself and the answer had always been no, but from what I understand they have renamed a few accounts. But it isn't something that they will apparently do for everybody.
Personally I don’t think I will ever want to delete my HN account because I’m just some random dude, but I think it should be possible to at least delete your profile and leave your comments/submissions orphaned. Reddit does it.
I do hope people eventually come to the conclusion that everyone says regrettable things on occasion so they can stop digging through endless archives of comments and posts looking for dirt. I feel this is a huge component of why people want deletion.
I don't think that's going to happen until society agrees that such digging is universally immoral. Until then, people are going to listen when the results are publicized.
HN also has a pretty benign sign up process (i.e. relative to most sites, you don’t really give out any information, you don’t even _have_ to confirm an email).
I think people feel differently towards HN because HN treats people differently. (Just my 2 cents)
The term "double standard" means two standards are applied to two different things (or group of things) when the differences between the two things are irrelevant to the standard. "You're not allowed to play baseball because you are a girl, but your brother can because he is a boy" is a double standard because gender has no relevance to playing baseball.
Whether a site should programmatically allow the deletion of accounts/comments is surely related to how they handle the collection and pursuit of PII. HN quite obviously is not the same as Facebook in that regard, and unlike the baseball example, that behavior is relevant to the standard being applied.
That said, I could get behind a mechanism where a user can, one-time, change their username, with the effect of disabling their account forever. This would allow people who use their real name as their username to change it to something pseudonymous, without allowing some of the less social behavior a more open name changing system would allow.
 - I'm not the 'real' Clark Griswold. Sorry. :)
My view is that HN should have a clearly stated, and effective, account and content deletion process, and that it's a shame and embarrassment it doesn't.
Imho there's still a massive difference between "potentially personally identifiable" and running a whole business on identifying people and selling that information as Facebook or Google does.
Reddit is a weird middle-ground: Afaik they don't make a business out of selling ad targeting profiles as Facebook or Google do. But due to Reddit's nature with subreddits for even the weirdest of interests, they do have massive potential for it.
In the big picture, subreddits are not that different to Facebook groups surfacing preferences on all kinds of topics, thus analyzing a Reddit user's post history and subreddit preferences (u/leansbot) can also give quite a good profile about somebody.
HN couldn't even compete with that if it tried, HN is pretty much just one big main forum where certain topics simply don't get discussed, as such users don't even have the opportunity to surface personal preferences about them, compromising their own privacy.
It applies to:
1. Processing that takes place in the context of processors and controllers that are in the Union, regardless of whether or not the processing itself takes place in the Union.
2. Processing the data of subjects who are in the Union by controllers or processors who are not in the Union if the processing is related to offering goods or services to such subjects in the Union or the processing is related to monitoring the behavior of such subjects that takes place in the Union.
One of the recitals elaborates on offering goods or services to subjects in the Union, and that includes this:
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union. Whereas the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.
I'd guess that HN would argue that they are not in the Union, so don't fall under #1, and not monitoring behavior, so don't fall under the second prong of #2, and that they did not envisage offering goods and services to people in the Union, getting them out of the first prong of #2.
There's a whole world outside of Europe, which does not follow European law.
I guess that means all sites, except HN.
Excuse me, but what information are you referring to?
created: October 6, 2014
This information? That was all I, as a fellow user, could see. Rest of the information is not public.
GDPR is about personal data and extra data (metadata) that is used for non-essential business needs like marketing, so the user can ask to remove that extra data. But if the data is required for the entity to do business and by law, you can't expect it to be deleted. Like you can't demand that some e-commerce site delete all your order information and associated delivery addresses, phones, contacts; you can, however, ask them to remove the account, so you lose access to orders and they in theory can't associate it with you anymore, or at least use it to build a profile of what your buying habits are.
So you can't demand (under GDPR) from HN to remove your data, maybe remove account but handle is not personal data so it is a stretch.
FWIW, this is something HN has to fix, if you ask me.
People often say things that have useful information in them?
The first Usenet posts of Linus regarding Linux, or of Mike Godwin's coinage of Godwin's Law come to mind.
The question of how to determine cultural relevance is a hard one. Ordinarily, say, social utterances or discussions wouldn't qualify. If a participant or subject of that discussion ends up in a socially-significant role (high office, head of a major company, etc.), that might change.
Contexts vary, and can change over time.
At the same time, records are lost with time, there is a forgetting curve, and a few high-water marks stand out, though even those crumble in time.
Looking at HN's top-ever stories is an interesting exercise (either Lists or Algolia's search w/o any terms should give this).
Somehow this problem didn't really exist in forums in the 2000s.
There's always a danger of falsely claiming a double standard when in fact you're just trying to judge one community by the standards of another.
Reddit has a lot of that stuff and their geeky subreddits have the same amount of complaints of FB as HN. There likely is some overlap of users as well. And most likely overlap of the sort of users. There’s no standard being applied at reddit.
Like everything else, most people won't do what they should unless they absolutely have to.
And bosses. And landlords. And insurance companies. And credit reporting agencies. And police departments. And schools. And...
That's the even scarier part. There was a NASCAR driver a couple of years ago who lost his sponsorship because of something his father said before the driver was even born.
In case anyone was curious, this appears to be referring to Conor Daly, as described in the following article:
The way capitalism is supposed to work is that consumers (the capitalist synonym for “people”) avoid companies they don't like for whatever reason. The problem is this assumes consumers are reasonable.
The sponsor has little to gain by doing the ethically correct but publicly outrageous thing and standing by the innocent person, because there are more people in the angry mob than there are who would reward the sponsor for their sound ethics.
“Consumer” isn't a synonym for people in capitalism, it's an economic role that all people assume in capitalism, but not in all interactions. (“Laborer” and “capitalist” are similar, though slightly less universal, roles; because they are less universal, the degree to which one tends to assume them also define economic classes in capitalism.)
- Cardinal Richelieu (supposedly)
I do three things that make it pretty easy: I avoid nearly all social media in the first place; when I do interact online (such as here), I always use a pseudonym; and if any company or governmental body asks for my social media credentials, I tell them I don't have any (which happens to be 99% true).
a) I'm wrong and this is literal
b) The crowd is wrong
Well, you can go back to Usenet, and say that "respectable" people weren't pseudonymous there by and large, but that, one, wasn't universal, and, two, wasn't the practice of the 1990s Web fora which postdated Usenet's high period but predated Facebook. There weren't too many real names on high-period Slashdot, for example.
"Monitoring" is also a qualifier for whether the rules apply, so it could be HN will simply say this disqualifies them, and require someone to take them to court (which YC can afford). But HN does install cookies on your computer, so I think you could still win such a case.
Only to the extent the EU can hurt you.
Do you think every company is subject to US law?
Although I'm sure this community is small and the great team here is responsive enough.
AFAIU dang and sctb alone manage all email requests from all HN accounts, which is a fairly sizeable community.
Step 2: find out data is not actually meant to be deleted
Step 3: shrug, because now you are the CEO
Was any specific reason provided? I don't understand why just marking the user as [deleted] would be something that HN mods would have an issue with. Or is deletion meaning to delete all comments/posts made by the user too?
2016-07-26: check up "Not yet, sorry. There are some technical difficulties because YC uses HN IDs in its internal systems, which are separate, so we need to be extra careful not to make a breaking change. But we'll get there."
2017-02-20: me (falsely) claiming it's a matter of national security "That does sound urgent, so I'm sorry to have to reply this way, but we don't actually have the ability to do this. At some point we will have the ability to rename accounts to something anonymous, but unfortunately we don't have that yet either."
2018-02-22: another check up "Not yet, sorry, but it is coming. Do you want to be on an email list to get notified when it's ready?"
2018-09-06: no email. another check up after a small stalker scenario, and also a business associate mentioning they saw my HN profile while doing a Windows search for my contact info (thanks Cortana /s) "Yes—we can do account renaming now. Haven't announced it yet, but that's coming." rejoice
2019-04-18: check up on deleting "Hacker News doesn’t delete entire posting histories, and we don’t plan to because that would gut the threads others participated in. The intention is to address privacy concerns with account renaming or redacting personal information."
This means it's not impossible as the claim states. Impossible means you can't even email anybody to delete your account.
In regards to deleting accounts that is a good question above my responsibilities as a fellow user to answer. I would love to hear from mods about it. It certainly would suck if we see old convos lose context / content over the years.
HN moderation is very secretive and manual, and that introduces a lot of opportunity for bias.
Edit: it's interesting that you cannot delete a comment with a reply, but you can edit it into nothing. I never noticed that. Seems like a useless distinction. So you can also force a comment to exist by just replying quickly so they cannot delete it. Neat trick.
Edit: apparently you can delete a comment if the child comment is deleted.
How do they deal with your delete account request? Do they just remove your account resulting in 'NULL' appearing against all your previous comments and posts? Do they remove all your previous posts and comments as well? This could result in broken comment threads - a workaround would be to replace your comments and posts with '[Deleted]' which could then make child comments lose their context.
If the whole thing was automated, what stops people abusing the system by creating, posting abuse, and then deleting the account? So many questions, and no easy/simple answers.
Deleting an active account on a busy site is rarely just a case of removing the user record from the users table.
StackOverflow does the same.
Go get all your comments, and submit them to the copyright office. Remember, you have innate copyright even if it's not registered. But registering ALL your comments on HN can be done for $50.
Then file a DMCA against your content. If they don't remove, then you can sue up to $135k/violation.
You can also register as much content as one shot. So if you have the time, cover all your content, everywhere. And if some org gives you the run-around, DMCA'em.
Also technically, you can DMCA them without a copyright filing. But having that legal backing has real teeth.
> By uploading any User Content you hereby grant and will grant Y Combinator and its affiliated companies a nonexclusive, worldwide, royalty free, fully paid up, transferable, sublicensable, perpetual, irrevocable license to copy, display, upload, perform, distribute, store, modify and otherwise use your User Content for any Y Combinator-related purpose in any form, medium or technology now known or later developed.
When you send someone a DMCA takedown you need to include "A statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law" and "a statement that the information in the notification is accurate, and under penalty of perjury".  So you probably don't want to send someone a DMCA request after giving them a license to use your comments!
The actively maintained community fork can be found at https://justdeleteme.xyz.
Logout (or anything else that triggers changes of any kind) shouldn't be a GET request.
But yes in general making actions happen in response to a GET request is generally a bad idea, since these are often cached and considered "safe" to retry.
For a large IDP like Google, Facebook, Microsoft, etc, you start to want* logout via cross-site requests, but it needs to be protected against DoS attacks like the link provided. So you need some other proof that the requesting site has a session - a session ID, an ID token, a unique identifier for one of the users in session (this is the least bulletproof one).
* well, standards wise at least. Google doesn't document a logout url anymore.
Currently, you can also get a similar protection by requiring headers such as "Content-Type: application/json", since other sites will not be able to make that request.
Referer does work in some cases, but it is fairly common for users to disable the Referer, so relying on it for site functionality is not ideal.
Thinking about it, you could probably use CORS and some methods like X-Frame-Options to protect your nonce. But then you could just use that on the whole deletion page and avoid the nonce, I guess?
EDIT: Nonces are better, ignore this reply.
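The checks discussed in the comments above (no state change on GET, a JSON content type that plain cross-site forms cannot send, and a per-session nonce), as an added example that is not part of the original thread. The function names, the `logout`/`delete` action labels and the key handling are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed secret for this sketch; a real service loads it from protected config.
SERVER_KEY = secrets.token_bytes(32)

# Methods that caches, crawlers and prefetchers may replay freely.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session_id: str, action: str) -> str:
    """Nonce to embed in the logout/delete form, bound to one session and one action."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def check_state_change(method, headers, session_id, action, form_token=None):
    """Return (allowed, reason) for a request that would log out or delete an account."""
    if method.upper() in SAFE_METHODS:
        # A link, an <img> tag or a prefetch could trigger it, so never act on it.
        return False, "safe method must not change state"
    if not session_id:
        return False, "no session"

    lowered = {k.lower(): v for k, v in headers.items()}
    content_type = lowered.get("content-type", "").split(";")[0].strip().lower()
    if content_type == "application/json":
        # An HTML form on another site cannot send this type, and script on another
        # origin needs a CORS preflight. Assumes this endpoint grants no cross-origin access.
        return True, "json content type"

    # Form posts must carry the nonce; compare in constant time.
    expected = issue_token(session_id, action)
    if form_token and hmac.compare_digest(expected.encode(), form_token.encode()):
        return True, "valid token"
    return False, "missing or invalid token"
```

Referer is deliberately not consulted, for the reason given in the thread: clients that strip it would be locked out.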
>If this is to ‘unsay’ stuff that you wrote in the past then that’s a good reminder to think twice before you hit that submit button lest you cause someone needless work.
It sounds like a big "screw you" to me. It would have been way nicer to say something like "sorry we don't have time/resources to add this feature".
get an affiliate link for something like gambling or anything spammy
post it as many places possible as fast as possible
in fact, merely posting any link over and over will nuke your account, guaranteed.
within minutes or hour max Facebook or Twitter will lockout and ghost your account for good, erasing all traces of it from existence. That way your account is gone and maybe you will make some extra $ in the process too.
Worth a listen; the focus is mainly on Cleveland.com's right to be forgotten experiment, where they are redacting or deleting old content when requested on a case-by-case basis. Regardless of how you feel about right to be forgotten, the episode makes a number of points both for and against that are worth hearing.
I'm personally undecided on the issue, but I did come away from that podcast with one very strong opinion: I hope we as a society make a decision, either way, and codify it into law (much as the EU has done). Without those laws, we're forming kangaroo courts where small groups of biased individuals get to decide _who_ has the right to be forgotten. Yikes.
I would also add the addendum, specifically for the HN audience who more often than most understand the concept that the "internet forgets nothing." Don't let the perfect be the enemy of the good. If we do believe the right to be forgotten is an overall good thing, let's do it, even if the system won't wipe out _all_ instances of a piece of information. There's a tangible difference between something being the first Google result versus being on the second page.
At first, it failed and threw an error message about enabling cookies which made no sense. Then I got a pathetic error message stating "Sorry, you can only disable your account once a week. Try again in a few days." Pretty pathetic.
I know it's not the same, but might be good enough for some purposes.
Perhaps if the service still doesn't close your account upon request, they may still do it due to terms-of-use violations or service abuse. (evil smirk)
I've been on the Internet for almost 30 years, they accumulate.
Edit: Just tried hitting forgot password on the first 10 sites. Surprising how many directly tell you that account doesn't exist.
And then another one for "you are now subscribed to our newsletter" lol
Interestingly, with few exceptions, the worse user experience correlates with the hardest it is to delete a profile.
> GoDaddy Accounts are apparently retained “to comply with [their] legal obligations” though you are able to clear out most of your information by editing your profile.
That's always a good idea.
It's a time saver
When someone clicks on one of the links, make sure it opens in a new window.
Could be cool
But I have a big problem with deletion of content, outside of a window of time similar to that of editing posts.
My opinion is, if you write it, you publish it, then you don't have the right to leave such a big hole in a discussion. I'm sick of being on various social media and seeing "deleted" "deleted" "deleted".
I'm fine with removing your name from the posts, but other than that, if you say it, you shouldn't be able to run from it.
GDPR isn't some shining beacon of light, it's just a framework of policies set forth by people of power. GDPR has the potential to be just as damaging as the improper uses of PII (for example, look at what happened to the comments on a crapton of MS blogs when they transitioned to a different backend - all the comments were wiped because it was too much work to both preserve those comments and ensure GDPR compliance).
I don't see no issue with forums and similar sites not allowing contributions to be deleted.
P.S. Also, for the longest time, most forums didn't even allow account deletions. Kinda curious when the expectations changed there, since I distinctly recall the likes of vBulletin and XenForo not letting members remove accounts or content.
So, if such a right existed, people would have to get killed, or at least being hit strong enough in the head so that they forget the holder of the right.
There are few ideas more totalitarian than a right to control someone else's memory.
Now this is disappointing for a backup company. Hope yevp sees this and weighs in. Is it even impossible for an EU citizen filing a GDPR request?
Also some companies always had the option for years.
One good test might be to create Facebook and instagram accounts, then upload images, save direct links to those images. Delete the accounts and see.... If the links work after clearing cache / a few days / weeks / months... Then yeah they just keep your data but detach it from friends and your email / password.
update account set date_deleted = now() where account_id = 123
Why is a background check company the right sponsor for a deletion directory?
The list had been curated by ... some process not fully explained to me. A small number of spot checks convinced me that I didn't want to run any further validations myself, and I've rarely shredded any files harder.
The total set of images numbered in the millions, with each source image resulting in numerous thumbnail and preview sizes, as well as differing versions of the service app resulting in different naming patterns, paths, and locations. All of which were fronted by a CDN that had its own deletion mechanisms which I had to learn and adapt. The project involved conferences with the CDN's engineers.
I rapidly got the sense that large-scale bulk deletes weren't a frequently-encountered use case, as the default was to use a web form. That would have taken centuries to complete.
Some simple shell and awk could generate all the potential patterns, and batch the deletions (about 200 per request, with a return code indicating whether or not the request was accepted or the queue was full).
Documentation and initial tests suggested that it might take weeks, possibly months, to complete the deletions from the CDN. Residency on the CDN in any event was ~9 - 18 months, though no clear guarantees of deletion.
In practice, I kicked off the job on a Friday afternoon, and it completed over the weekend. The same initial request-generating code could be used to spot-check (random sampling), and eventually exhaustively search the space to confirm that all deleted content was now 404.
This was well before GDPR, and though the network userbase numbered in the tens of millions, the engineering staff was small (technology is an interesting multiplier lever, useful when deploying, problematic when dealing with issues at scale).
Upshot: deletion can be complicated. It's generally possible, however.
(A full scrub would have involved backups. I believe that the technical solution to that problem was not having any in the first place. Largely confirmed when the service fell over completely a few years later. Another warning regards online SAAS.)
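The bulk-delete workflow described in the post above (enumerate every derivative path, purge in batches of about 200 with a retry when the queue is full, then confirm everything returns 404), as an added example that is not the poster's code. The naming patterns, sizes, the `submit`/`status_of` callables and `FakeCDN` are all hypothetical stand-ins; the post used shell and awk, and Python is used here instead.

```python
import itertools
import random
import time

BATCH_SIZE = 200  # the post's figure: about 200 deletions per request

# Hypothetical naming patterns, standing in for different app versions.
PATTERNS = ["/img/{id}_{size}.jpg", "/v2/{size}/{id}.jpg", "/thumbs/{id}/{size}.png"]
SIZES = ["orig", "thumb", "preview", "640", "1280"]


def candidate_paths(image_ids):
    """Every path a source image could have produced under any known pattern."""
    for image_id in image_ids:
        for pattern, size in itertools.product(PATTERNS, SIZES):
            yield pattern.format(id=image_id, size=size)


def batches(paths, size=BATCH_SIZE):
    """Split an iterable into lists of at most `size` items."""
    it = iter(paths)
    while chunk := list(itertools.islice(it, size)):
        yield chunk


def purge_all(paths, submit, max_attempts=5, pause=time.sleep):
    """Submit each batch; back off and retry when submit() reports a full queue.

    Returns the batches that were never accepted, so they can be re-run later.
    """
    failed = []
    for batch in batches(paths):
        for attempt in range(max_attempts):
            if submit(batch):
                break
            pause(min(2 ** attempt, 60))
        else:
            failed.append(batch)
    return failed


def still_served(paths, status_of, sample=None, seed=0):
    """Paths that do not return 404: a spot check if `sample` is set, else exhaustive."""
    paths = list(paths)
    if sample is not None and sample < len(paths):
        paths = random.Random(seed).sample(paths, sample)
    return [p for p in paths if status_of(p) != 404]


class FakeCDN:
    """Constructed in-memory stand-in that answers every third request 'queue full'."""

    def __init__(self, stored):
        self.stored = set(stored)
        self.calls = 0

    def submit(self, batch):
        self.calls += 1
        if self.calls % 3 == 0:
            return False
        self.stored.difference_update(batch)
        return True

    def status_of(self, path):
        return 200 if path in self.stored else 404
```

The verification pass only covers paths the generator knows about; an object stored under a pattern missing from `PATTERNS` survives the purge and is never checked.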