It has the potential to completely change the way tech giants are able to provide their services. Each "purpose" that data is collected for must be individually consented, and it's prohibited for purposes to be withheld if others are not consented to. This allows a user to allow the purposes that are a cost on the company, and deny those that are revenue earners.
Will be very interesting to see how these heavily data based companies adapt.
I applaud regulations promoting user privacy, even if this seems heavy handed. But does anyone else wonder about the implications of applying that regulation to those who collect data on EU residents whether they operate in the EU or not?
Has the US State Department stated a position on the matter?
It is a similar concept to export of physical goods into a country/trade block. Either comply with the local regulations on quality or your goods will not be allowed.
The US State Department does not really get to have a stated position other than diplomatic.
Will I as a developer or US business owner need to proactively disallow all users from outside the US (since I am not familiar with their laws) to avoid potential legal troubles, or will other countries block my site/service without me needing to do anything?
It depends on whether or not you are operating under their jurisdiction or not.
If you are, they can drag you to court. End of story.
If you aren't then they will first rely on your cooperation and if that doesn't work, probably issue arrest orders which will make it a bit inconvenient to enter the EU for a while. And they'll probably tell ISPs to block you, yeah.
"It is a similar concept to export of physical goods into a country/trade block. Either comply with the local regulations on quality or your goods will not be allowed."
That analogy is what I take issue with. It's clear that Facebook, selling ads to European buyers, is doing business there. But is every random web site with a few European users? Does putting up a web site suddenly mean you're doing business in every country in the world, subject to the jurisdiction of all of them simultaneously?
"The US State Department does not really get to have a stated position other than diplomatic."
Diplomacy is what it does, and its diplomatic position on trade issues is relevant.
No, they can show you ads that don't use your data. You'd have to allow them to use your data to give you better ads, but you'd just get worse ads in the meantime.
So I need to explicitly accept targeted ads from every company that shows targeted ads? Does this mean every website that shows targeted ads, or can a blanket large provider (e.g. Google) get a single consent and apply it to all websites hosting Google ads?
This seems like it would give a market advantage to Google, because they have products that people want and can likely get a fair number of people to consent if the consent was among useful consents. But smaller advertising companies would have a much harder time getting consent, especially if people don't recognize the name as providing anything useful.
And how does this apply to logs? It's common for web servers by default to record urls visited and IP addresses. Would that be legal without explicit consent?
> And how does this apply to logs? It's common for web servers by default to record urls visited and IP addresses. Would that be legal without explicit consent?
I'm not certain on the details, but in eg Norway that is already much in line with the GDPR ip addresses are considered personal data, and as such regulated. However, there are provisions for storing such information for auditing purposes (both security, technical and financial/invoicing) - but would likely require explicit consent. ("i accept"/"i will not use this service" - more of an informational confirmation - like signs stating a shop is under camera surveillance - and you could choose not to shop the (even if: good luck finding a shop w/o surveillance cameras)).
In general "personal data" is anything that can significantly help identify a single individual (time/place, ip, phone number/date, address, full name, email, etc).
Ed: regarding logging ips for auditing - there's usually a fixed time limit. It's longest afaik for financial purposes (and the data storage directive explicitly states/stated minimum duration - effectively being lobbied into a tool to go after amateur copyright infringement by forcing isps to keep records longer than before). But from a data protection viewpoint, you can't say/get consent for "we log for auditing" and then keep the data indefinitely . More like 6 or 12 months.
Yes. If the data cannot be tracked to one person, it is not regulated. So anonymous tracking cookies are still OK, but attaching it to an IP/name/phone number etc. is not.
I don’t believe that’s true. “Anonymous” tracking cookies are still unique to the individual and such can easily contribute to identifying them, and so are included as personal.
Only if you can/do meaningfully anonymize the data. Eg, knowing the subnet of most/all Norwegian isps, it's trivial to recover ips that are simply hashed (probably even with salt), similarly Norwegian phone numbers are only eight digits, so any kind of deterministic mapping is likely to be too trivial to actually amount to anonymization.
Also rember that one of the goals is to avoid illicit linking - so being able to verify that ip n.n.n.n is the same as slow_hash(salt+other-ip) won't fly as "not storing".
In general, anonymizing data in sparse populations is tricky - where "small" can be quite large. Just imagine building a bitfield of variables like: sex,age +/-50;2 bits. Rough location (easily 6 bits), browser (2 bits), mobile? 1 bit - that's already 12 bits etc. See also NYC taxi dataset, eg (not the article I had in mind, but seems to cover similar points):
The blanket version. Google et al neither sell nor (generally) share your data with advertisers. They make the decision on what to show to you and thus, only they need to get your consent once for that express purpose.
By the way: it's still a topic of heavy debate how much of this can be done through terms and conditions after all.
Disclaimer/source: working for large Google customer, involved in GDPR compliance. Edit: spelling.
But does the website itself where the ads are shown need to get consent?
How about this, what if I own a.com and embed an image from b.com (a completely different organization from me). And then b.com tracks the users' IP addresses, urls, referers, etc. Do I need to get permission for that? I'm not the one doing the tracking. Does b.com need to get permission for that? There's no opportunity for b.com go get permission, the user never is on a website controlled by them, there is never an opportunity to click an accept button for b.com . The user likely has never heard of b.com .
As far as I know, GDPR disallows “bundled” consent. Google will be obligated to provide all the same services even if it cannot use the data for targeted ads.
Yes, but if the consent checkbox is nestled among a lot of other useful checkboxes, the user will likely accept it because they won't notice that it's different at all.
And how granular do these consents have to be? Would there be a page with 100 consent boxes, with a top box saying "accept all" for people too lazy to sort through all of the boxes?
Don't underestimate how bad bad ads can be. I turned off targeted advertising on my Android phone for a while. The result was that around 50% of ad banners I saw were ultra-spammy strobing things--presumably the only ones that will pay for untargeted ads--making apps with built-in ad banners essentially unusable. I wound up changing back. That may have been the intention.
(An Android ad blocker would probably work best, but getting one running on my ancient phone was more hassle than I wanted.)
There are two possible transactions: selling you ads, or selling you to a better class of advertisers.
I see parallels to the 3rd class rail (or coach-class air) problem. If you improve the conditions of the lowest service class, nobody upgrades to higher levels of service. So the lowest class is intentionally bad.
I'd say that highly targeted ads are harmful, as it's more likely to undermine the viewer (eg: political ads tweaked based on current family situation/emergencies derived from data mining). Eg: target people who recently lost loved ones to an attack by one of our times typical "lone gunmen" by ads advertising increased surveillance as a way to mitigate "terrorist" attacks.
Or substituting in first names of friends in paid content ("<person with same name as your friend> give the following reasons to vote x!/buy this").
Not to mention that if advertising works - then it undermines the idea of a free marked where purchases are made by informed independent agents (I think that's a fantasy anyway, but it seems to be a somewhat popular idea).
Is there anything inherently bad about a site using your data to serve you more relevant ads, as long as your data is not passed on to a 3rd party?
Is there anything inherently bad about a stalker passively observing and recording your every move, as long as they don't disturb your daily routine or pass the data along?
Even if you find the stalking behavior (cross-site tracking) of ad companies acceptable, there is a significant risk that your data leaks or is stolen. So, I should be able to decide who I trust with saving intimate data and who I don't.
Show me a site that gathers data about me directly, transparently, and without any creepy cross-site tracking, and I’ll consider your question. Unfortunately that’s not how anyone works.
Except we know that not passing data is a pipe dream. Between hacks and governmental abuses, no company can promise that, no matter how honest they are.
It's been looking really creepy after I purchased a Plush Cuddle Death Star, because now it keeps showing several repeated ads for them right next to each other. I already have one, and now they want me to buy a whole cuddly fleet of them! Oddly enough, I haven't seen any ads for the R2D2 mug I ordered with it.
It appears not - it requires the consent to be freely given, as in, the customer actually wants you to process the data or the data is inherently necessary for the service e.g. a shipping address to ship goods. "'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;"
Article 7.4 "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."
Recital 43 "...Consent is presumed not to be freely given if [...] or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance."
Companies can deny services that cost them money unless you pay; but if you make "consent" as a condition for everyone then it's assumed that it's not freely given consent. You can deny service to everyone, but you can't require consent from everyone. That's not a new thing - that's exactly how the law works already regarding e.g. spam restrictions; you can have opt-in confirmation only if it's optional, if you make it mandatory to "opt-in" (e.g. deny registration unless the opt-in is checked) then it's not consent.
Also, even if you have consent, it can be revoked at any time (e.g. 5 minutes after the user received what they wanted), and you have to unconditionally remove the private information from your systems, even if you gave them a discount because they had "consented" at that moment.
Also, the customer may give you consent to process their data as such (e.g. include in your service) but object to their use in targeted marketing.
Article 21 (Right to object) "... (2) Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. (3) Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes." - so it should be expected that even if you have consensually obtained the data, then you cannot use it freely, you can use it only for particular purposes; and things like EULAs can't override that.
It seems a bit naive to think that a service provider would scrub their systems on individual requests.
It's not practical to perform a delete in some environments. It's certainly not practical to go through backup files and delete references in others. Everybody goes through a data recovery scenario at some point.
What you should expect is best effort. Nobody is going to re-train their neural networks that referenced your data. It's doubtful that any provider would delete what they have gleaned about you simply because you wanted your account removed.
Then there's the practicality of things. If you delete your account here on HN, would you expect all conversations that you participated in to be removed? All references to your comments? Or all comments that you made removed? Do you expect them to push that change out to google? Do you expect your references in access logs removed? There's always a trail.
Facebook isn't uniquely evil. They have the same problems as everyone else, and they have those problems at an incredible scale.
People think about these things as if they are files or entries in a simple SQL database that can simply be removed. They may use databases, but to think that all of your data exists in a singular database or that all of your data only exists in databases is simply not extrapolating what you know about technology to their environment.
If google were to remove a website from their index, how long would it take for all of their environments to no longer have a record of it? And would that actually be desirable? There aren't faceless drones working on these kinds of problems. There are very smart people and most of them have a conscience and care about end users. I don't think you would find that any large group of people at facebook, google, amazon, microsoft, or any of the big companies are completely apathetic to end user concerns. I'm sure plenty are far too busy to address individuals directly, but they certainly are not apathetic.
<sorry... I seem to have rambled off on a tangent>
> Then there's the practicality of things. If you delete your account here on HN, would you expect all conversations that you participated in to be removed? All references to your comments? Or all comments that you made removed?
There's been few debates here about the definition of to 'delete' which I won't get into. However, as a user, it rubs me wrong when companies equate simple username disassociation with deletion. It's not a user's place to wonder about the practicality of deletion at scale. A user has the right to have removed all content they've produced regardless of whether it's linked with other posts.
> A user has the right to have removed all content they've produced regardless of whether it's linked with other posts.
Do they though? Maybe I'm understanding it wrong, but I thought the GDPR only applies to personally identifying information, not all data ever generated by a user. So by disassociating the user name and the post, the post has suddenly ceased to be personally identifying information and no longer needs to be deleted.
Yeah I think that these arguments will just lead to a company getting a fine.
My data is mine not yours. If I withdraw my consent to you having it just delete it. If you can't do this then don't collect my data in the first place.
The single source of truths, all the core Facebook users data (except messages) is stored in MySQL cluster. The issue you describe is that the same data is also cached in Memcached and by other means. But deleting is entirely possible, though it's against their business model, so they make real deleting as hard to find and do as possible, and scare people away with info like "you cannot register again".
Training of neural networks is probably a gray area, and a potential issue for many companies. Example: Think of the recorded audio messages from Siri/GoogleNow/Cortana that gets processes and potentially stored and not deleted thereafter on their (and third parties like Nuance) servers. If one deletes an account, one would assume it also and especially also deletes all private data like messages, voice and video recording.
> make real deleting as hard to find and do as possible, and scare people away with info like "you cannot register again".
They do that? And is that legal? How will facebook prevent me from registering again, if they deleted all PII that they had on me? That'd be clear proof that they didn't respect my GDPR request for deletion, and I could sue them easily.
"This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it."
"When you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others)."
This sounds like they properly delete it but only so long as you haven't given another user a copy of it (such as sending a message perhaps).
Also while the US has essentially no privacy protections whatsoever, I don't think a "deleted=true" would fly under EU regulations.
How do we really know that this is actual deletion and not a deleted="true" in their databases?
We don't know that. If you're feeling charitable you could believe they're being honest, but if you not then you just have to wonder. There is no way Facebook could prove they don't have a secret server with your data on it somewhere. Proving that would be impossible.
It’s the regulation. I work on EU GDPR tech stuff currently (this stuff is HOT at the moment and I have a feeling that even many large companies are quite late on the train!) in financial services sector and while some data needs to be kept for x years according to the law anyway, rest really needs to be deleted and at least my current client really doesn’t want to play with the financial risks involved with getting caught in a possible EU GDPR compliance audit.
They could be explicit about exactly what they do with the data - that way there is some PR risk to them if they get caught out "recycle binning" data.
Back in 2004 during the first months of Facebook, I deleted my account. When I signed up again a few days later, everything was still there with profile picture and everything.
The standard flow for "deleting" your account actually says "deactivate your account", and the fine print is explicit in that everything comes straight back when you log in again.
There's also a hidden link in the support pages somewhere that's supposed to actually delete your account (which is what's linked here)
I “deleted” my account years ago using this link (back in 2014), came back last year and found that it was never really deleted. I happened to click “login” when I realized my password manager was still filling in my password (to be expected), and it logged me in just fine, same profile page... it was as if I never clicked delete.
I deleted it again, and it finally “took” this time, but I have no idea what happened before. My best guess is that iOS was still logged into it through its facebook integration and that counted me as having logged in before the grace period expired. Either way it left a really bad taste in my mouth.
(I was a facebook user in 2005 and kinda stopped using it around the time they stopped letting you have your “news feed” just be a simple time-sorted list of your friends’ posts. Neither of my attempts to delete my account were any kind of statement — the site was just boring to me and I never found myself posting much.)
There are 2 different actions: one that deactivates your account and one that actually deletes it. You've probably used the deactivate functionality, because the other one needs more digging in order to find it.
I did not know they really had this as an option. I'm glad to hear it's available.
I'd like to know how thorough they are with deleting you, however. With stories of "ghost" profiles that they build on individuals who don't have accounts (and/or are not logged in), I would be surprised if they actually delete everything they know about you.
Most of the big services whose stuff I've actually read have a clause somewhere in the ToS or privacy policy saying that "deleted" data is not necessarily deleted from all copies in their possession. I suspect the primary purpose of this is to allow them to have append-only or offline backups, since that's incompatible with users being able to reach in and nuke all their stuff.
At the time when I deleted my Facebook account, in Fall 2014, the ToS said that if I delete (not deactivate) my account, then Facebook must delete my data "within a reasonable amount of time".
I have not read the Facebook ToS since then; assuming that line remains the same, if they do not delete your data and you decide to sue, it's about whose lawyers cam make a better case for whether a reasonable amount of time has passed.
Hard to say what data they still retain and for how long. However, the sooner you delete your FB account, the less data FB is likely to have on you in 5 or 10 years, assuming data retention periods, etc.
I found the process easy to complete using the directions in the link. It was quite liberating to have my account deleted, actually. Don't miss it at all, although it left some friends and my mom scratching their heads.
The option is a lie, I did this the fall after the Snowden releases, and then this past summer decided to see if the delete actually happened after the two week period that was part of that process then, everything from my account was still there, nothing was deleted.
fwiw I did this and it worked for me. It can take more than two weeks and if you login the process is interrupted. A good bet is to ask your friends when your messages appear as "facebook user". After that my login didn't work anymore.
It's kinda ironic that all the people here are complaining that facebook might not actually really delete literally every single bit of information that you have, while hacker news doesn't allow you to edit your comments, delete them, or delete your profile. This sort of functionality should exist on every platform that even has accounts.
Does anyone know if GDPR (or similar law in the future) will actually force HN and other sites that don't have this feature, to remove accounts, at least EU ones, upon request?
I understand your sentiment but I don't think deleting comments would make sites like these (community driven) appealing. Missing comments creates a big hole to a comment train, look at reddit. Missing/Deleted comments make the whole comment tree below it quite meaningless.
HN would invite a lot of trolls with this an would make it really difficult to create a submission archive that makes sense.
Now I don't know how it handles account deletion but reddit handles that well, a deleted account will retain its comments without a name if the user hasn't deleted all their comments. That makes sense and works well.
Deleted accounts could retain the comments but anonymise the accounts.
Also I don't think having the ability to delete your profile invites trolls. Usually one deletes their account because they post something wrong but which they genuinely believe is true then get downvoted and / or trolled into oblivion. These people we should probably be working to retain because while they might have been wrong, their contribution did improve the content on the site due to the corrections that followed. However sometimes the negative rep and / or harshness of the replies can make the corrections a bitter pill to swallow. So I think there should be a downvote cap for incorrect posts (or even disallowing downvoting for all but rudeness and spam) and working harder on improving forum etiquette.
I left after being hounded by trolls and sock puppets and, a year later, far from being deleted (as requested twice by email) my account was instead shadow banned.
Of course, likely as not this post itself is invisible. Likely as not the GDPR is as uninteresting as user's needs. Likely as not, Hanlon's razor applies. Although I would not brag about the last possibility.
The GDPR does force anyone who stores user data to delete it upon request.
However, IIRC, there is not much of a requirement of having a dedicated form of it. An email is sufficient notification you want this to happen (and you're of course free to ensure the user's identity).
After that they have to delete all data and take note of the deleted datasets so in case of a backup recovery the data will stay deleted.
If you have left a lot of personal information on Facebook, it is kind of the nature of the beast. They require your real name. They ask lots of personal details upon sign up. The profile grills you about your entire life, from where you were born to where you went to school to where you live and work.
HN does none of that. So, to me, it seems like a really different situation.
> Does anyone know if GDPR (or similar law in the future) will actually force HN and other sites that don't have this feature, to remove accounts, at least EU ones, upon request?
As far as I know, the GDPR is more of a clarification (along with some explicit guidelines for fines), than it is new legislation - so hn and similar sites would already be in breach, if they didn't allow the deletion of all profile data. I'm not certain that having to email someone at hn to do it, would be in breach of current data protection regulation. It may be that not clearly stating: "to get a record of all data hn has stored on you, make correction or delete all data - please email (...)" will be in breach of GDPR.
But afaik hn does no business in the EU - so it's not clear what sanctions would be applicable.
It's different for companies that does business in the EU / EEC.
No. EU laws/regulations dont't apply outside its jurisdiction. GPDR will affect Facebook, Google etc. just because they are operating in EU market[0]:
"This won't apply to every U.S. business — just the ones that are knowingly, and actively, conducting business in the EU. In this vein, EU courts have the discretionary ability to determine if a U.S. company was purposely collecting EU resident data and subverting GDPR compliance."
I respectfully disagree. As you can see at [0], quote, "as [the GDPR] applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location [...] Non-Eu businesses processing the data of EU citizens will also have to appoint a representative in the EU."
edit: This means it applies to EU citizens regardless of where the processor is located and to non-EU citizens if they are currently in the EU
Yes, but I'm sure this will only be valid for big enough companies (read serving millions of EU citizens) as it's subjective what "processing the data of EU citizens" actually means. It's not realistic to expect every minor mom&pop eshop or minor online service worldwide to appoint a representative in the EU. Furthermore, enforcing these rules will highly depend on international relations as it's outside of EU jurisdiction and it can only reach non-EU companies by collaboration and signing treaties with other governments, so this means USA and maybe Canada, but I highly doubt to see companies from China or Russia etc. to be held accountable.
Well, only time will tell, I just relayed what I've heard from people much more knowledgeable in this area than me. How I understand this is that if you serve many enough EU citizens, please be kind, open a branch in EU or at least send a representative, because you are de-facto doing business here. Mainly this is to avoid situations where, for example Facebook, closes its EU offices and pretend to have no EU presence (and no need to abide EU regulations) despite hundreds of millions EU citizens use their services.
Sure, it technically applies - but I doubt it will have any effect. Compare it to hacking across border where there is no extradition. At least until some form of GDPR is rolled into international trade treaties.
I very much doubt GDPR penalties will be levied at individuals - even when a business entity is wholly controlled by an individual. Blocking of criminal services does seem probable in extreme cases - but so far most of Europe has been pretty lenient wrt outright censorship as far as I know. Filtering certain child pornografi content being an exception.
On a side note, the cp filter is scary - as the infrastructure implies the existence of censorship infrastructure ready for abuse in the event of a power shift.
Not really. It enforces a quality and rigor when entering comments. I have been to forums where people were altering their posts long after the discussion continues. That makes the threads loose meaning.
> Does anyone know if GDPR (or similar law in the future) will actually force HN and other sites that don't have this feature, to remove accounts, at least EU ones, upon request?
GDPR only covers personal information. So it only covers the IP and username in case of hackernews (unless someone adds their name into some sort of signature)
Why is it ironic, you are user "a254613e" that's literally all anybody on NF knows about you. That's pretty anonymous no? HN has no real name policy or even requirement of a verified email to participate.
That's great if you sign up with the intention of posting anonymously, but if you post here for years using your name or your chosen alias (eg I'm onion2k on everything; it's trivial to find out who I am), and then decide you don't want to be associated with your HN history it's not so helpful. Also forensic tools are clever enough to take someone's comment history and use the little information in there to work out who you are. We leak information all over the place. A user name isn't the only way to find someone.
It's fair for people to change their mind and ask for functionality to delete data that's associated with them. I don't think the internet would be nearly as useful as it is now if everyone had to be anonymous from the start in case they want to stop other people seeing the content they created later.
However, that said, it's also reasonable to suggest people shouldn't be able to say appalling things and just delete their account later with impunity. There's a strong argument that someone's internet history should be available as a record.
That's pretty naive. When you have an account for a while, a lot can be deduced from the comments you make - both from what you say, how you say it, and when.
There's nothing at all naive about self-censoring certain personal information and modulating your behavior. Guess what, the physical world is the same way.
GDPR will cover anyone in the EU. Doesn't cover citizens outside of the EU, and does cover visitors to the EU while they are there.
EDIT: But it's also likely that they will enable the protections for everyone in the world, because the risk of accidental non compliance is huge. Similar to how the cookie notification is just displayed everywhere now.
Actually, my experience in Europe is that some organizations only remove data that is visible by others on the same continent or even just a single country in the EU, while allowing that content to remain visible outside the EU.
somewhat related - if anyone else is still using the browser version of Facebook on their mobile phones (m.facebook.com) instead of downloading the app, it doesn't let you view messages and gives you an unskippable prompt to download Messenger, but this restriction is not there if you use the mobile basic interface (which also uses less data! mbasic.facebook.com)
Last I checked, this doesn't permanently delete your account. You can still return with the same email and have all your old contacts (and post history, etc?).
If I remember correctly, this option does delete your account[0], but not right away. If you change your mind and log in within the grace period, it stops it from being deleted.
[0] At least to all appearances. Of course, Facebook could secretly be keeping it, as is discussed elsewhere in this thread.
Not defending facebook, but almost every social site these days, and even SaaS applications, make it impossible to DELETE your account out of their systems.
Unless laws are passed in the US to force their hand, this sort of behaviour will continue.
Anything and everything you post on the internet, is FOREVER.
Because chances are some dev somewhere has simply flipped an IsDeleted bit to true / 1 in the site's database :)
I went through all the steps to "permanently" delete my account in 2010, did not log in for 4 years, then tried to see what would happen, and my account and all its data was fully restored.
>Some of the things you do on Facebook aren’t stored in your account. For example, a friend may still have messages from you even after you delete your account. That information remains after you delete your account.
I’m all for the ability to delete Facebook accounts, but I think that once you’ve willfully shared a message with someone, deleting your account shouldn’t delete your messages. Chats feel like “shared” ownership of the messages in them.
But by that logic literally any post on Facebook should be preserved. Commenting on a status is a “willfully shared message” right? What makes Messenger different? Just the limited audience?
It's pretty obvious: A message between two people exists as two separate units in two separate locations. Deleting the account deletes only one copy, namely the copy that exists on your end. The digital analogue is a text message -- deleting the text message locally, say by physically destroying your phone, doesn't actually erase the message on the other side.
It's probably not literally true that Facebook stores two copies of each message (or three or more copies for group chats), but it makes sense for Facebook to act like it does because that's how email and text messages work.
See my above comment. I don’t see how Facebook can reconcile deleting your comments on things like statuses and preserving messages in the Messenger app. Maybe that just means they aren’t actually deleting your comments.
Ever since deleting facebook I've felt so much ___. It's only once I quit the site I was able to take a long hard look at my perception of ____ and realized that everyone else does ____ while I should do _____. I realized that I'm actually ____, not ____. I started handling my _____ relationships in a healthier, more ____ manner.
90 days to delete my data? Is a real person going to every server and manually changing the bits that store it? :) ... I wonder if this is an artificially inflated time period, just like the 'Unsubscribe' feature from unsolicited emails that tell you it might take "7 to 10 days" to unsubscribe your email address, when it should take less than a second.
Some years back working with another social service, a major issue was cached data through third-party providers (think Akamai, Limelight, Cloudflare, etc.). These are systems 1) outside the primary service's immediate control and 2) with their own data-retention policies and 3) data management tools.
Someone I knew was tasked with removing large quantities of image data that had proved inopportune. There was limited support for doing this, though a method was developed. My understanding is that the caching service provider hadn't had to deal with such matters at that scale previously, though this information is incomplete. I strongly suspect that this is more frequently encountered now.
I'm not excusing Facebook (and generally avoid doing so), but one of the interesting things about scale is, well, its sheer scale, and what seem like simple operations become complex.
Maybe they have different tiers of backup systems, and manually trying to go in there and deleting one person's data on demand can be "expensive", so they do it in batches. You're only guaranteed to be fully wiped off after a certain amount of time.
I think what's also interesting is that some sites/apps have purposely made their UI/UX flow for account deletion very frustrating for the user. They do this to lower the probability of user completing account deletion
You do it from settings, from the main settings page. I just did it myself, it's quite terrifying how much data they have on me. I also discovered that all my contacts from my phone have been synced to Facebook, despite my trying to avoid that.
EDIT: I'm not complaining, I'm literally asking what there is that people find interesting about this link, since I feel like I must have missed it. Though feel free to keep downvoting through the floor.
In addition to what everyone else says, it is currently a national holiday in the US and there are relatively few submissions being posted now, so new submissions can rise much easier.
Sad that Apple does not allow you to delete your account. Even Facebook does?
PS; if you think I am wrong post a direct link how to delete within Apple's domain. Trust me it does not exist.
Actually there’s some security reasons why. An iCloud id have muliple purposes in the Apple ecosystem. You can use it like an e-mail address or caller/messaging contact id. Now imagine if they will free up your username and later someone else will register it. Or worst, you used that e-mail address to register in some other services.
Why if you request your account deleted can you not create a new account at a later time?
This might sound a little over the top and conspiracy theorist, but this is all part of Facebook's and rain man Zuckerberg's psychological warfare. Facebook hires people who work in the gambling industry to make their product more addictive. Zuckerberg is playing us all. Facebook is a major (if not number one) contributing factor to the polarization, narcissism, depression, constant outrage (both sides), and dividing of the US and frankly world.
https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
It has the potential to completely change the way tech giants are able to provide their services. Each "purpose" that data is collected for must be individually consented, and it's prohibited for purposes to be withheld if others are not consented to. This allows a user to allow the purposes that are a cost on the company, and deny those that are revenue earners.
Will be very interesting to see how these heavily data based companies adapt.