Ask HN: Can we delete our accounts?
177 points by wannabeanon on Nov 27, 2022 | 163 comments
I was checking out a post yesterday that used stylometry to group HN accounts, potentially doxxing the authors:

https://news.ycombinator.com/item?id=33755016

Honestly, it was pretty concerning to be able to locate an old account of mine. Given the potential danger of being doxxed, it would be very nice to be able to delete our accounts and old comments. I think HN is one of the only sites that doesn’t allow you to do that in an automated fashion. Can we request that feature be implemented? I worry that people are building tools to reverse engineer people’s true identities and it seems like an important feature to keep users safe from physical and commercial harm.



See the FAQ [0]:

"Can I delete my account?

We try not to delete entire account histories because that would gut the threads the account had participated in. However, we care about protecting individual users and take care of privacy requests every day, so if we can help, please email hn@ycombinator.com. We don't want anyone to get in trouble from anything they posted to HN. More here [1]."

[0] https://news.ycombinator.com/newsfaq.html

[1] https://news.ycombinator.com/item?id=23623799


Then for the threads to be preserved, the content should remain, but the associated username should just be changed.

I imagine if HN created an account with the username "DELETED" or similar, that a script could just change comment ownership from the account to be deleted to the special "deleted" account - that would be the easiest to implement as well as keep thread continuity.

(Don't delete the comment just delete the connection to the user.)


I don't have a good suggestion here, but I have to point out that that does not fully address OP's stated concern about the use of text analysis techniques to figure out who wrote what, even if the username is different.

(It does probably make those techniques more difficult since it would mix comments together from multiple authors under the "deleted" username, but it doesn't fully remove the danger.)


If all deleted accounts' usernames were replaced with "[deleted]", that would hypothetically do a pretty decent job of defeating text analysis techniques. A single post isn't really enough to characterize someone's writing style, and a sufficiently large pool of deleted accounts would make it quite difficult to reliably pick individuals out of the slush pile and group their comments together.

That said, HN is being archived and mirrored in I-don't-know-how-many-places, and I'm not sure how feasible it is to track all those places down and get them to expunge your userid, too. And this is all assuming nobody comes up with a new de-anonymization technique that deals with it well. That is a rather big assumption considering new ones are being developed all the time.


I imagine the same analysis can be performed on other networks like reddit, twitter, github, linkedin etc to find matches amongst them all, [deleted] is a signal as well. If there’s a strong match across one or more of those and a deleted one here, or vice versa to rule out possible matches, and the others are not anonymized [well enough], then it could probably deanonymize quite a few deleted accounts here.

I’m sure something like this is available to recruiters or other HR/business admin, I remember seeing browser extensions/SaaSes years ago that were trying to tie together social media identities.


For a few years now I've imagined an AI that can ingest all my writing across platforms, figure out it's me via this type of analysis, find any information I leak, and archive that data in perpetuity. Then it could be used to judge me for whatever purpose its owner deems worthy; which given my age will probably mean selling me boner pills in a decade or two.

It feels like we killed god and then re-invented him. And I think that if you don't want his gaze and judgement to fall on you, then your only option is not to participate in online discussion, and probably not even read it because you can probably learn a lot about someone just from passively tracking the things they follow online.


I think it would decrease the Signal to Noise ratio sufficiently.

That would be different if responses hardcoded mentions of the username.


It does if you can't determine the accounts are the same. Right now HN does nothing to address these concerns. It is ridiculous anyone finds this acceptable.


Really good point. You could estimate if a [deleted] comment might be from [account X], but you'd only have that one comment to compare. The rest might be from other accounts.

So yea, you'd probably end up with a pile of comments that are more likely linked to [account X], but many of them wouldn't actually be. It would add a ton of noise into the system.


You would get some hints. There have been situations where someone said "like AnimalMuppet said upthread..." or something like that. But they weren't very common. Maybe 1% of my comments could be definitely identified like that.

Is that enough to define a "style" to determine the rest of my comments? Is it enough to doxx me from the comments where someone else names my nick?


If you took all the sentences out of all of the books in a library, and mixed the sentences together under one fake author name, I think it would be impossible to correctly attribute 99.99+% of the sentences to a correct author.

I think that is sufficient.


But we're not going to delete everybody's account and mix them all together, are we?

If I took a bunch of "minor" writing and mixed it together under one fake name, but some of it was written by a famous author under a pen-name, then yes, in theory it could be possible to identify those.


That's a very theoretical problem though, isn't it? Individual comments don't have the length of books, and usually don't individually contain enough text to be unique. Once the account-relationship is gone, it's essentially like splitting all the books up into paragraphs and trying to attribute individual paragraphs. Unless you're Wittgenstein or someone with a similar interest in exploring how long sentences can be, I doubt there's enough there.

Of course, all of that is hardly useful, since HN is very open and lots of people have copies of all comments.


Okay, 1% of the library. I see threads here every-so-often asking about deletion, and I imagine there are more people who would like the opportunity but already know the answer and don't ask.


Curious what happens when an HN user inevitably wants their dead-name changed but retain their history, and whether that would be a harder path to march than being deleted for privacy reasons.


I don't understand the question.

Edit: Thank you for the clarification (reply), I was not aware of the term "dead-name" referring to that. I still am not exactly sure what you are asking though. If a replier wrote the original username in an old reply that was written before the name change? In that extremely rare case, it might cause some confusion if a third person reads the old thread, in which case perhaps the user initiating the name change could use the search function for any instances of that, and then email the HN admin?


There is a high incidence of transgender people in our community. Often, names are changed, the old name is referred to as a dead-name. Addressing someone by this deprecated title is the height of disrespect.


If you email hn@ycombinator.com, they'll change your username for you. (Near the bottom of https://news.ycombinator.com/newsfaq.html)


All of those comments were written from the perspective of a person who no longer 'exists' tangibly as they've transitioned.


Then perhaps what the transitioning person is looking for, is just creating a new account to go with their new self?


I'm not one of those who are affected, so unfortunately I'm without a sound rebuttal. You do raise a good point. Given that I'm not, someone who is may have more perspective that'd support one assertion vs the other.


It should not be ONE account, or it wouldn't be possible to distinguish individual users in a conversational thread from one another:

DELETED_USER: I agree.

DELETED_USER: No, that's BS.

DELETED_USER: He has his point.

Better would be:

DELETED_USER_1: I agree.

DELETED_USER_2: No, that's BS.

DELETED_USER_3: He has his point.


Then someone might use an archived version from the trivially scrapable API to recover the information. This is a site for hackers after all.


Probably web.archive has indexed one of your posts _before_ your account name changed to DELETED, so your change will be useless.

The internet never forgets.


Possibly, it doesn't hurt to try to reduce the attack surface though.

A lot of the stuff I wrote on old popular, public websites (that still exist) can no longer be found via search engine, and I did not take any action, it just disappeared on its own.


You can take the possibility out of it when you look at Google's big data. It's not a question of "if it exists out there" or "how often it is updated if it exists out there."

https://console.cloud.google.com/marketplace/details/y-combi... is updated daily.


There is no guarantee that copy will always be available or that they won't remove data.

Just because there happens to be a copy already, doesn't mean that the original can't be removed to prevent others from making copies in the future.


It does actually. At least once a month I go on a multiple-hours-long quest to find an old thing, and frequently I can't find it.


Then you send them GDPR right to be forgotten requests next. Alternatively, HN can force them to delist the content.


4chan, that's usually fully anonymous, has on some boards thread IDs. You can see that this is the same person in that thread, but can't link it to another person in another thread.
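A sketch of the per-thread labels suggested in the comments above (the DELETED_USER_1/2/3 idea and the 4chan-style thread IDs), added here as an example; it is not code from HN or from anyone in the thread. The row layout, function names and secret handling are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample rows (comment_id, thread_id, author, text); not real HN data.
SAMPLE = [
    (1, 100, "alice", "I agree."),
    (2, 100, "bob", "No, that's BS."),
    (3, 100, "alice", "Like bob said upthread, he has his point."),
    (4, 100, "bob", "Thanks, alice."),
    (5, 200, "bob", "Different thread; bobby is someone else."),
    (6, 200, "bobby", "Replying to bob, not to myself."),
]


def thread_label(secret: bytes, username: str, thread_id: int) -> str:
    """Label for one account inside one thread.

    The same account always gets the same label within a thread, so the
    conversation stays readable, but labels in different threads cannot be
    matched to each other without the secret.
    """
    msg = f"{thread_id}:{username}".encode("utf-8")
    digest = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return "deleted_" + digest[:10]


def anonymize(rows, deleted, secret):
    """Return new rows with deleted accounts relabelled per thread.

    Also rewrites in-text mentions of a deleted username (the "like X said
    upthread" case), using the label of the thread the mention appears in.
    Matching is case-sensitive and on whole names only (assumption: names
    consist of letters, digits, '_' and '-').
    """
    names = sorted(deleted, key=len, reverse=True)
    if not names:
        return list(rows)
    mention = re.compile(
        r"(?<![\w-])(" + "|".join(re.escape(n) for n in names) + r")(?![\w-])"
    )
    out = []
    for cid, tid, author, text in rows:
        if author in deleted:
            author = thread_label(secret, author, tid)
        text = mention.sub(lambda m: thread_label(secret, m.group(1), tid), text)
        out.append((cid, tid, author, text))
    return out


if __name__ == "__main__":
    # A fresh random secret that is discarded after the rewrite means even
    # the operator cannot recompute which labels belonged to one account.
    one_time_secret = secrets.token_bytes(32)
    for row in anonymize(SAMPLE, {"bob"}, one_time_secret):
        print(row)
```

This only removes the account link on the live site; as the thread points out, copies made before the rewrite still carry the original usernames.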


So long as the account is permanently locked from ever participating again in any way, I think renaming is great. Otherwise it needs to be left as-is.

But the comments need to remain owned by the account that created them, so that we can consider the history of each commenter when reviewing their comments in the future. Merging them all into DELETED inappropriately coalesces those histories.

I feel for those who are just now realizing that they can be located by their stylistic tendencies. It’s Dejanews all over again.


That still doesn’t account for the stylometry.


Yes it does, not everyone gets a unique "deleted" account. Everyone's comment gets attributed to a single special "deleted" account.


The problem still remains: HN’s “API” is incredibly simple and people have full datasets downloaded locally for every comment. In this case, the OP is already out of luck if he’s looking for anonymity against a hostile entity.


That problem seems like an extreme outlier. Such user protection would prevent "crimes of opportunity". The average person is not going to have a constant backup of HN in case one day they might want to spy on someone's past.


The problem doesn’t appear to be that much of an extreme outlier, the thread poster is concerned about a specific tool. That tool has already downloaded the complete data set, he’s already lost.


And there's no guarantee that service will stay around, or that they won't accept requests. I still think it's worthwhile to reduce the attack surface.


And if they do, they're likely to start with Twitter or Facebook - something useful against more of the population. HN users are still very much a minority.


Nothing going forward can help in that case, but we can still weigh impact on other threat models going forward.


"We refuse to help because it's a mild inconvenience to us and we'll justify it by assuming that it won't help without knowing for a fact that it won't."

That's a fascinating stance that you've outlined and that others have parroted. A stance that HN has implied with the reply to OP.


I’m not in charge of anything at HN, so how can my statement say HN won’t do something?


Not completely. For example, if the analyst has a large corpus from someone's main account to build up a profile, it seems plausible to me that they could identify individual comments under the "deleted" user as being written by the same person using a throwaway account, especially if they have a distinctive writing style.


I doubt a single post provides a sufficient amount of information for that.


Or a different deleted_user_<random or hash of post> for every post.

But as the sibling post says... it doesn't solve anything.


So you run the stylometric analysis on each comment to cluster them into inferred user profiles.


I'm okay with someone attempting to do that. I imagine it would be extremely fuzzy and not successful.


It does if the content from ALL deleted users gets merged under the same metauser. Stylometric average of all deleted users' comments is pretty useless.


I disagree.

If a user asks for their comment to be deleted, then the right thing to do is to delete them. Period.


I respectfully disagree that it's always the right thing to do. Outside of issues of safety, I think the balance shifts.

Safety issues are a different matter of course


What makes it the right thing to do?


Just imagine yourself in the position having something to be deleted posted by an earlier you and/or about yourself.

If people ask nicely, can confirm ownership/authorship of the record/data in question, then why would you be in a position to deny such a request?


You imply that the (unconfirmed) harm to the individual is more important to avoid than the harm to the society done by removing potentially insightful comment thread. Why is that?


Not sure - but your question implies that there is harm to the society done, and from your first part of the sentence, isn't that also unconfirmed?


I think it's clear that removing discussions from HN harms everyone, because there are many interesting ideas here.


I saw that but I’m looking for an automated approach that doesn’t involve email, which increases the surface area for doxxing. I feel like this is a pretty humble request, HN is the only site I can think of that doesn’t let users delete their own data. The world is a much different place than it was when HN was founded and it seems like this feature would be important to many people.


"doesn’t let users delete their own data"

I consider my HN comments to be contributions to the HN community. I received some benefit in return for those comments, e.g. responses that improve my thinking.

I may retain copyright over those comments, but by posting them on a public forum I've given that forum licence to publish them.


This is the full license you give for posting to HN:

“By uploading any User Content you hereby grant and will grant Y Combinator and its affiliated companies a nonexclusive, worldwide, royalty free, fully paid up, transferable, sublicensable, perpetual, irrevocable license to copy, display, upload, perform, distribute, store, modify and otherwise use your User Content for any Y Combinator-related purpose in any form, medium or technology now known or later developed.” [1]

[1] https://www.ycombinator.com/legal/


That page links to another page for California residents, which includes:

Exercising Your Rights: California residents can exercise the right to request deletion of Personal Information by contacting us at hn@ycombinator.com.


It almost reads like this forum is designed to be a training set


I just assume that I’m contributing to a variety of machine learning efforts when I post on HN.


Irregardless of your license the site needs to comply with local regulations. In GDPR especially consent might be retracted at any time regardless of whether the consent was given or not at the time.


> an automated approach that doesn’t involve email, which increases the surface area for doxxing.

Under what threat model does it meaningfully increase the surface area? If you're worried about HN admins then I think email is the least of your concerns (I'm pretty sure they can see your IP address), and if you're worried about the general public then your email isn't being leaked to them so it shouldn't matter.


HN is put together with lisp-flavored duct tape. It is not reddit or a Discourse forum with robust admin tools.

I had to email dang to change my username (quick response btw!).


While [0] doesn't come across as GDPR-compatible to me (not a lawyer), the further explanation in [1] sounds a lot more compatible with it.

Basically, HN will work with a requester to update the site to give the desired amount of anonymity whilst preserving history as much as possible with those limitations -- including editing past comments.

Full GDPR compatibility would probably require to support complete removal of user name and comment/submission contents as written - but even that seems on the table in [1]. (DanG could simply summarise each comment worth multiple replies and delete all the ones without replies.)


Whilst the intention may be admirable, it doesn't look like this would be compliant with the GDPR right to be forgotten which applies to any natural person who can be identified.


So not GDPR compliant?


To my understanding they would still be GDPR-compliant if they delete your data upon receiving an email that you would like to exercise this right under GDPR, even if they don't automate that process but IANAL. Perhaps someone can confirm whether this has in fact worked for them in the past.


There is no requirement to automate GDPR requests.

However all organisations must be able to handle GDPR requests via any communication channel. Eg. They need to treat a data deletion request sent via twitter DM as a valid request if they have an official Twitter presence.

It is insufficient to require the customer fill out a special web form.


Isn’t it all organisations _that do business_ in the EU? Since this is a free forum with no paid features, I wonder if it would be excluded?


IANAL but I don't think it matters whether the purpose of collection is specifically to facilitate paid features. From the European Commission:

> The GDPR applies to: [...]
>
> 2. a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.

Assuming account names or the content of comments constitute personal data within GDPR, I think YCombinator falls into this group.

Edit: I forgot HN collects an optional email address too, which is definitely personal data.

Details here: https://www.ycombinator.com/legal/#:~:text=Hacker%20News%20I...


The GDPR applies to the data of people residing in the EU. The location and profitability of the organization collecting the data isn’t a factor. (Though it may introduce questions of enforcement.)


Although many large websites and services allow you to request erasure of your data in an automated way, this is not required by GDPR.

GDPR allows individuals to request erasure verbally or in writing, and the data controller then has one month to respond.


The problem is the data is already archived, indexed, and probably in some machine learning dataset


https://console.cloud.google.com/marketplace/details/y-combi...

> This dataset contains all stories and comments from Hacker News from its launch in 2006 to present. Each story contains a story ID, the author that made the post, when it was written, and the number of points the story received.

> This public dataset is hosted in Google BigQuery and is included in BigQuery's 1TB/mo of free tier processing. This means that each user receives 1TB of free BigQuery processing every month, which can be used to run queries on this public dataset. Watch this short video to learn how to get started quickly using BigQuery to access public datasets.


Just because an attack can already be carried out by one entity, doesn't mean the attack surface shouldn't be reduced for other entities.


Exactly. The first thing that popped into my head was "archive.org".

The only thing that ever helped me was setting my HN comment delay to a non-zero integer. That 1-5 minutes is usually when I want to delete something the most.

I think we are relearning some basics about the internet. HN cannot protect you from yourself. If you press the "reply" button, assume that under that button is a synchronous blocking call wherein your comment + username + timestamp go to a database owned by a 3rd party with questionable intentions.


For any wondering about that 'delay' feature - https://news.ycombinator.com/item?id=231024

It is a field in the settings.


And before long, someone will make a 'deleted comment finder', which highlights only deleted comments.

Could be especially handy for journalists and law enforcers.


The stylometry "attack" doesn't get around plausible deniability. For example, for me, two of the top ten related accounts are actually me - but I don't think you could tell which and even if you could be pretty sure I could always say "no" and I think it would leave either you or an observer uncertain. I don't think my employer or future employer would fire me because an account that's kind of similar, lexically, to mine said bad things about the company - or whatever.

If your threat model is people cancelling you for controversial statements - I don't think there's anything to worry about. If your concern is governments or stalkers coming after you - then deleting your account probably won't solve the issue because they'll be able to access archived versions. These actors don't need to "prove" you said something to anyone but themselves. In this case the solution is just not to post anything sensitive regardless of the name you publish under.


Since nobody has linked it yet, there's a comprehensive document covering this and related topics, here: https://www.ycombinator.com/legal/

YC has multiple in-house lawyers. They're not going to risk their business over this. However, I'm unaware of any law that requires the process be completely automated.


GDPR and similar laws require action within certain timeframes. If the volume of requests increases, it becomes worthwhile to think about automating time-consuming parts of those processes.


HN doesn’t even need to delete the posts themselves, just delete the association of posts with an account.


Do other commenting websites (like Reddit, Disqus, ...) allow the user to delete an account and all the associated comments? I think Reddit only shows [deleted] next to a comment, with the comment still there.

Are they obliged to delete the comments according to laws like GDPR?


One thing to be aware of for Reddit (and perhaps HN) is there are multiple scrapers archiving it in real time, so even if you delete a post from the main site it's still going to be available to anyone who takes the time to look. I would assume that government agencies archive and index all of that low hanging fruit as well.


I would think this is true though admittedly I think 95% of people just want their comments deleted so co-workers/friends can't stumble upon a semi-political hot take from a few years ago. Not because there is anything illegal or even career ruining.


Tools exist to delete comments as well, although I'd prefer if reddit supported it with the deletion request.

https://old.reddit.com/r/Python/comments/6wfqsv/quick_script...


It's possible to go back and delete individual posts, which hn doesn't allow.


Even if GDPR does not apply, California's CCPA mandates a right to delete. I don't see any way around that.


https://leginfo.legislature.ca.gov/faces/codes_displaySectio...

> A business that receives a verifiable consumer request from a consumer to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records

Is a comment personal information?


https://calawyers.org/antitrust-unfair-competition-law/what-...

> The CCPA definition of personal information can be best understood by analyzing separately each of the four closely intertwined building blocks embedded in it: (i) “information”; (ii) “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked”; (iii) “directly or indirectly”; (iv) “with a particular consumer or household”.

A comment would likely not meet those tests.

A user login maybe - though that is already covered in the faqs - https://news.ycombinator.com/newsfaq.html

> Can I change my username?

> Yes. Email hn@ycombinator.com and we'll help.

Which could then dissociate you sufficiently to pass the tests ii through iv.

That might work for me (my user name is relatively unique and consistent) while throwaway123456 may have difficulty passing any of those tests.


> A comment would likely not meet those tests.

The HN legal page (linked at the footer of the site) indicates that Y Combinator considers public submissions to HN (stories and comments) as a category of Personal Information.


Arguably, and in my own view, yes! The stylometry website linked comment texts to persons.

The courts or legislature are the ones to decide this. I believe they could side with my view.


I don’t think HN is subject to GDPR, since HN is based in the US, and GDPR doesn’t have jurisdiction.


At least one US state has a data protection law that gives a similar basis for deletion requests. HN already has to honor these, even though they might or might not be useless for EU citizens.


My understanding of GDPR is that, theoretically, any service which is used by European citizens is subject to GDPR. It's the citizenship of the user, not the location of the hosting or service.


Under the same kind of reasoning, Hong Kong’s security law of a couple of years ago has global reach and European citizens in Europe can be held responsible for violating it if they say the wrong things.


Technically true, but in practice, jurisdictional limitations mean that this is often ignored without consequence by those who do not have a financial presence in the EU.


Y combinator is invested in quite a few EU companies fwiw


The EU can claim whatever they want - ownership of the moon, taxes from Chinese villagers, or that US companies in the US have to follow their little rules. Doesn't mean they have the right, jurisdiction, or authority.


Dang has confirmed via email he doesn't care about GDPR and has no intention to conform to it.


Rule #1 on the internet: if you don’t want something on the internet, don’t post it to the internet because once you do it’s pretty much impossible to remove it.


An optional data retention policy would have the advantage of not exposing HNers to the risk of having their data taken to train a language model that emulates their style (which in the audio medium is called "voice morphing", and in the video medium is called "deepfakes"; it doesn't seem to have a name of its own in the written medium yet).


HN doesn’t care. In the past, I requested this very feature citing both the increasing ease and likelihood of correlating user data since 2006 and the very much increased safety risk of certain speech wrt to various authoritarian world actors.

In an email to hn@ycombinator.com, I wrote:

> ”I understand the user interface doesn't provide for comment removal, but with all due respect it's only a matter of time before that policy contributes to the imprisonment or even death of some of your users.”

> ”It's too late to be entirely safe from historical comments but we have no idea how much the threshold for what is truly dangerous to have said on the internet will change going forward. Even a small decrease in the personal risk going forward is important to me.”

HN’s response was no, because that would “gut the threads the account had participated in”. He then suggested there was upcoming an account renaming feature. Obviously, that feature would do nothing to alleviate the doxxing concerns brought up by the OP.

It was very disappointing.

YC literally put a higher value on maintaining old forum threads than reducing risk former users faced being detained, beaten or killed by religious or political organizations.


> YC literally put a higher value on maintaining old forum threads than reducing risk former users faced being detained, beaten or killed by religious or political organizations.

I agree the website should have this feature but the "if you don't implement this feature you're potentially murdering future people" stuff is not a good argument.


Why not?

To me, the possibility of my users facing serious physical harm would be a very compelling concern. If I worked on something of YC’s scale I’d take those kinds of ethical considerations very, very seriously.


Possibilities are imponderable; anything is possible. Probabilities are something you can weigh, and while I see the point you're making I think the probability of anyone incurring serious legal/political exposure via HN is actually quite low. It's easy to obscure your identity if you're so inclined, and while old comments can't be deleted, YC equally has no way to prevent them being scraped and archived.


It's a real concern in this case though. Read the news these days on what certain governments do to their activists based on their social media postings.


Everything will remain available on the Wayback Machine even if HN nukes your account


You can email them and they will remove the content. Unlike HN.


You can get them to remove a page without too much difficulty.

It may be more difficult to get them to remove a subset of the content on every capture of https://web.archive.org/web/20220000000000*/https://news.yco...

That becomes even more difficult if you want to have them find (and remove) all comments from all captures on all pages for a particular user.

Noting that you don't have authoritative control over HN, archive may be a bit reluctant to have {random person} asking for all of the comments that {random account} made on all the captures to be removed.

If archive was able and willing to do that (remove content from a random account as requested by a random person), I believe that it would be abused much more than it was used.


Perhaps the account the OP was concerned about wouldn’t have turned up in the stylometry demonstration it linked to if HN had deleted it one, five or ten years ago.

Yes, there are permanent risks for past posts but that’s no reason to throw up your hands and give up on any and all attempts to mitigate them going forward.


And deleting your account here would signal to bad actors to look there.


You seem to think that because doing something is not perfect, then it's not worth doing.

Obviously you are wrong.


You know how much it sucks to google something, find a super relevant reddit thread, then because it's old and half the accounts are gone it's just one deleted user replying to another? It would be sad to see HN become the same. Some of the most interesting content are old threads that are re-linked in new comments.


Based on HackerNews' current policies, it is impossible to address your concerns surrounding content posted.

HackerNews leadership have chosen to not allow anyone to delete content after a period.

Regardless, it would be pointless given how easy it is to scrape this website (on purpose).


It's rather too late now, the cat is out of the bag.

I think there are many other archives such as one posted above hosted by Google's BigQuery.

A better strategy would be to divert your writing to something new and different, defeating simple stylometry analysis.


How come they still didn't doxx Satoshi Nakamoto, with all those smart tools?


Interesting. I'm more concerned with the stylometry showing accounts which don't belong to me saying things that I might not agree with and have never said being accidentally mistaken for one of my own accounts.


Dear Ones, the proverbial horse has long bolted,

RSS feeds and easy site scraping have long leaked all your stylometry data, which long ago was leached up.

What is the point of deleting your HN account, if multiple third-party copies already exist?


This makes me glad that I decided a while ago to use only throwaway accounts on HN, to avoid doxxing. One account per thread, and no more. Good luck tracking that, stalkers.


Email suffix.


HN is a project carried out with the motto of zero features. So there is probably no such feature and never will be.


That's absurd. What about the feature of posting a link? Writing a comment? Replying on a thread? Reading the comments? Sorting by new? Voting, flagging... There are lots of features on this site.


You should be able to request your account be deleted if HN is compliant with GDPR https://gdpr-info.eu/art-17-gdpr/


Does HN Follow GDPR?


I hope not. I don't think HN should follow Indian or Cameroonian laws either. Why should it respect EU laws? Are EU laws more important than Republic of Peru laws?


It has nothing to do with more or less important. The EU does not obligate HN to follow European laws when serving users in America or in India. It is only the serving of European users that's under European jurisdiction. HN is free to choose not to follow GDPR, in which case it will not be allowed to serve users in the EU. I guess Peru and India can have similar laws, and if they somehow do conflict -- say, the Indian law says something about what HN should do in Europe -- then it's up to HN to choose which jurisdictions it wants to serve. When a website chooses to serve certain users, it chooses to place those transactions under certain jurisdictions.


If the website serves EU users and collects any personal data then it must follow GDPR. Fwiw, I think following Indian laws isn't an insane thing either seeing as tech is global and India is 4x bigger than the US - although I don't think there's any laws quite like GDPR in India that'd actually matter.


Well, it MUST follow Cameroonian law too then. What if they conflict? "GDPR in India that'd actually matter" Ah. There it is. The EU matters, others don't. Well, I think that is a terrible elitist opinion. I vote HN shouldn't bother enforcing other countries' laws.


> What if they conflict

You don't need a hypothetical question for this:

"""The EU–US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States.[1] One of its purposes was to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens.[2] The EU–US Privacy Shield went into effect on 12 July 2016 following its approval by the European Commission. It was put in place to replace the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015.[3] The ECJ declared the EU–US Privacy Shield invalid on 16 July 2020, in the case known as Schrems II.[4]""" - https://en.wikipedia.org/wiki/EU–US_Privacy_Shield

Also see https://en.wikipedia.org/wiki/Max_Schrems

Also, Microsoft had a specific problem with legal jurisdiction, because first the FBI then a US court ordered it to hand over data from a server in Ireland that EU/Irish law prohibited it from handing over: https://www.irishtimes.com/business/technology/microsoft-ire... and https://en.wikipedia.org/wiki/Microsoft_Corp._v._United_Stat...


They must follow the law of countries they make business in.

The conflicts are a well-known trouble. Between EU and US for example there is an ongoing dispute between US PATRIOT Act and GDPR, where (simplified) US say they got access to all data and GDPR forbids that. Different treaties which tried to allow some "safe harbor" between the regulations have been invalidated by courts, so all operations crossing the Atlantic are in a legally questionable state ...

Now for HN the question is if they target EU customers. There is no need for them to actively block Europeans, but the line is unclear. It'd be clear if they were selling swag with prices listed in € or would show Europe-specific ads. In case of doubt it's the decision by a court.

Decision by a court then is the other dimension. A European court probably has a hard time to reach anybody for a fine or some other consequences. Companies like Facebook avoided that for a long while, but since they got stronger in their European ad business they are formally reachable by European courts in their subsidiary in Ireland. If a judge is really desperate they might try going via a European subsidiary to a company they invested in and put out arrest warrants against the managers in case they ever touch European ground ... but most judges will probably try to avoid that amount of work involved.


European laws for European residents, Cameroonian law for their residents.

California law for those residents, Massachusetts law for them.

So request deletion before you leave CA.


EU laws apply within the EU, as well as "what people do with EU citizen data online", which makes sense? If you have EU users, your handling of their data is bound by EU law, in the same way that if you have US users, your handling of their data is bound by US laws. (And yes, if Cameroon has laws pertaining to data handling, then yeah: you're bound to those laws for your Cameroonian users.)

This isn't a matter of "the laws are making our life hard": by accepting user data you, as a service, are consenting to following all applicable laws. You have opted in, now you have obligations. Don't want to deal with GDPR? Ask users where they're from and go "sorry, can't let you create an account, we don't want to have to deal with GDPR".

Even if you pretended HN was a "for US only" website (which it of course very much isn't) you still have at least five state laws to comply with (California, Virginia, Colorado, Utah, and Connecticut), and that number's only going to go up.

If you handle data, the easiest way to deal with this whole "oh my god so many laws" is to know where your user data lives, not sell it on without express consent, and have data deletion built in from day one with a "delete all my data (including my account, obviously)" button that users can click themselves. And presto, without any further involvement from your side (unless you lie, and don't actually delete data) you suddenly comply with all data privacy laws, and users don't even need to fill in official request forms relating to specific laws that you then have to deal with within X days. You just have an FAQ entry going "Q: How do I delete my data? A: Go to your account page and click the "remove my account" button".


What about a company with no presence in the EU and no way to be fined. Why would they care about GDPR?


The population of Cameroon is 1/10th of the US so it seems less important.

The population of the EU is almost double the US, and the law encompasses all companies globally that store data of people living there. Seems sensible to follow it else you'll be paying GDPR fines out your nose. If India came out with some consumer-friendly law that Indians can ask Dang to delete their comments, and I'd bet a good percentage of HN are Indian, I'd agree it's something that should be included. This is part of the difficulty of a global website :)


>else you'll be paying GDPR fines out your nose

Who is forcing you to pay the fine? The EU can't force you to pay the fine since you aren't in their jurisdiction.


I think they were saying that there are no laws in India that are relevant / similar to GDPR. Not that Indian laws don’t matter


> If the website serves EU users and collects any personal data then it must follow GDPR.

The EU really wants you to believe this, but national sovereignty is a real thing and I’m not aware of any law under which any country will extradite their own nationals to the EU for violating EU law. In general, you are only subject to a country’s laws if you are in their jurisdiction.

If you run a website that serves EU users without following GDPR, and you’re not a business with a presence in the EU, what exactly is the EU going to do to you? Arrest you when you vacation in Europe, maybe, but if you don’t do that, it’s not like they have a China-style firewall.


> then it must follow GDPR

Or else what?


You could be fined by the Republic of Congo or China. But, I would delete those emails and sleep just fine.


You get fined - I'm surprised people on HN aren't aware of these laws?

https://cyberprotection-magazine.com/us-companies-face-hefty...


I know the consequences of violating GDPR.

My question was, how would EU fine a company in the US? They have no jurisdiction there. The same way (referring to sibling comments) Cameroon has no power to fine anyone outside Cameroon.

The companies in your article all have presence in the EU.


"it applies to any entity (any person, business, or organization) that collects or processes personal data from any person in the European Union"

It should


Except HN doesn't collect or process personal data.


Pretty sure email addresses and user generated content (comments) are personal data.


HN is a US website. The EU doesn’t have jurisdiction in the US. I’m pretty sure it’s that simple.



> The GDPR has extra-territorial scope, which means that websites outside the EU that process data of people inside the EU are obligated to comply with the GDPR.

I see that site makes the same assertions about jurisdiction that the comments here are making. However, it provides no explanation for why the EU can actually claim that jurisdiction, which is my whole point. Why are they obligated? How does the EU have such authority?

I say it doesn’t, for the simple reason given upthread, and you have provided no evidence to the contrary.


Same reason Americans can sue companies from other countries in American courts: treaty recognition of legal judgments.


Yeah, but AFAIK there is no such treaty.


One weird GDPR implication our team considered during initial implementation of our solution was US citizens traveling to Europe, and even people visiting embassies of EU countries in the US, would seemingly trigger all applicable constraints of the legislation.

Personally, I still view GDPR more akin to regulatory capture than actual consumer protections; although, I do admit, more than anything, the Internet needs more consumer protection.


It has to follow the CCPA presumably, which is very similar.


If you live in CA.


Why does it have to follow the CCPA?


Headquartered in Mountain View, California


Oh cool, didn't know. How do you know?


Their Wikipedia page, their Twitter account, and that they're famously a Silicon Valley startup accelerator.


Dang has confirmed via email he doesn't care about GDPR and has no intention to conform to it.


There is also a psychological aspect of account deletion: Deleting an account can provide closure and make it clear to yourself and others that you distance yourself from a site - even if your old comments stay up.

By preventing users from closing accounts, HN is deliberately blurring the lines of who is still active on the platform and who isn't.

Lastly, if it really turns out there is a reliable method to associate HN accounts with a real-world identity, HN will get in trouble with the GDPR.

Really guys, leave the comments up if you have to, but give people a way to remove their account from it.


> HN’s response was no, because that would “gut the threads the account had participated in”

I participate at Flyertalk, and a good friend of mine had a major falling-out with them a few years ago.

As a leaving gift, he wrote a script to edit every single comment he'd ever made over the [many] years he'd been contributing, to remove his many many thousands of comments.

As a result, there are thousands of removed comments, and of course, many thousands of threads which are, well, gutted.

In our new GDPR-aware world, isn't that his right?


or at the very least be able to change your user name to something that is obfuscated


I don't think that technique works too well. The bigtable dataset (and I believe firebase as well) both keep the original comment and original username. If you change your username, then someone can trivially check old comments on bigtable and see how HN currently renders those same comments today to learn the new name.

Although increasing the complexity of doxing is a worthwhile goal.


It's always funny people don't seem to get you don't own your data on HN.

The algorithms used are also not transparent.

Whether that's good or bad is a moot point to discuss while people are too stupid to even get the basics.

Let's talk about whether the CIA could scrape archive.org and use stylometry on single comments on a system we don't even get the basics on.



