Any EU based users of reddit should immediately file a complaint under GDPR with their supervisory authority for the sale of their data to Google to train their LLMs - reddit - kbin.social
kbin.social
external-link
reddit is telling it's future investors with recent news and more info on their IPO, that they're currently selling and looking to sell their user's data to companies wanting to train their LLMs, including Google....
Exocrinous
link
fedilink
41
edit-2
5M

Fun fact: Reddit is claiming it has full rights to distribute and sell any content posted to Reddit. So if you’ve ever posted to r/gonewild, they’re claiming to have a full licence to do whatever they want with pictures of your naked body.

I mean of course they do. Reddit’s job is literally to redistribute those photos and it is well known that they will be used to generate profit.

Maybe there is a little grey around around “selling” but if they have the right to redistribute them I don’t see why they wouldn’t be able to redistribute them directly for money as opposed to just redistributing them with some ads on the page.

Exocrinous
link
fedilink
25M

The reason Reddit shouldn’t be selling other people’s pornos is that the users didn’t knowingly consent to being a sex worker. The distinction between free sex (in which I include open distribution of nudes) and sex work (in which I include paid distribution of nudes) is emotionally important. And it’s especially important when someone is being pimped without their knowledge.

Yes. “Knowingly” is the hard part here. Reddit will of course say that you agreed to their terms of service and that the terms are reasonable because otherwise they couldn’t operate their service. However it is definitely true that many users didn’t realize that they were giving Reddit permission to sell their content (even if it is the logical conclusion).

Exocrinous
link
fedilink
25M

Actually it’s not the logical conclusion. Reddit’s terms of service violate the GDPR and many other laws. A client can’t sign a contract by logging in to a website, that’s not how contract law works. Legally, these terms of service are utter nonsense. The only reason these companies get away with it is nobody’s sued them yet.

I might be naive, but isn’t that the point of posting them on the internet?

BreakDecks
link
fedilink
115M

The point of posting them is either for fun or for profit. Not to grant an open license for a corporation to sell your content for their profit.

Reddit created a website for people to come and share content and ideas with each other, and now claims to have legal ownership over their users’ content and ideas. Nobody participated because they wanted Reddit to sell their data. People generally figured that seeing advertisements was how they paid for the site, not by selling their souls.

That sounds like wishful thinking. If I leave my private photos and sex videos on the local supermarkets local-ads bench, I can all but hope that they will only be used for innocent fun. But who would actually expect that?

Posting things on the internet is a verbatim open license for your stuff to being used and sold. Perhaps your country has some laws. But nobody is keeping some local vietnamese company in check, or that indian outlet. Or any other place in the world.

The internet is public. Any bot can just parse reddit. All those pictures are being used anyway, with or without reddit making some cash with them. It’s just legal issues and drama. The data is out there, and someone is making money with it. Already. Just without making it public. All this outrcry is just additional marketing.

Exocrinous
link
fedilink
155M

No, many people do sex work on the internet and depend on distribution rights to their own bodies to make an income. I’m not usually a fan of copyright, but I make a big exception for people’s bodies. This also isn’t just a matter of money, it’s a matter of personal dignity and social integrity. Nobody should be coerced into giving up creative rights to their own body. It’s sexual harassment at best. If my nudes are used to train an AI in some way with a profit motive, then I’m engaged in what is essentially prostitution without my own consent.

I think this opinion is so based that I will adopt it. Effective immediately.

I am not sure that you realize how public internet works. Only a few countries participate in copyright.

Even fewer have actual laws about it. Most don’t give a shit about it at all. Your Reddit photos are public, you gave up the rights to them already, in any realistic way imaginable. You only have a case in countries with copyright laws. What about the others? How is that realistically protecting your privacy, if only one billion out of eight billion give a shit?

So yeah, it’s a shitshow. Reddit fucked up their image. I’ll never post anything of consequence there and certainly won’t use it to create a business. Same with Facebook. Or any other public forum. I never have. And nobody should, if they are concerned with privacy or copyright.

There is no war for privacy on the internet. Just an endless battle with companies making money. It can’t be won. Public and Privacy don’t mix. And never will. It’s a game the law-makers play. It has nothing to do with rights.

This is reality versus Living inside your head. Prostitution? Coerced? Sexual Harassment? Dude, you are mangling those words into perversions of themselves.

An ai is using hundreds of thousands of nudes for training. Your body is used for normalizing the process, not as a template for porn. How special do you and your celestial body feel? You probably have 10000+ natural look-a-likes. Meh.

I honestly figure they do have the rights. I will be bum fucked if I ever read those terms and conditions.

What will they do with my lewd pics anyhow?

Under GDPR they have to prove that you read the terms and conditions, not just accepted them.

GDPR is a god send for the EU and UK.

Maybe a dumb question here from across the pond. Does GDPR even apply to the UK after Brexit?

Dr Pen
link
fedilink
65M

@BurningRiver @soggy_kitty Not directly, but the UK Data Protection Act adopts nearly every aspect of GDPR to allow for data portability. Eg this is especially important for fintech data but there’s good support for open science and open data in the UK too. https://www.gov.uk/data-protection

Thank you very much for that. I work in an industry (in the US), but we have increasingly detailed training on GDPR, HIPAA (US healthcare information regulations), CCPA (California’s version of GDPR) and on and on. I didn’t know the UK had their own version.

The lack of uniformity in the US is making it increasingly difficult to comply with everything over here, with states constantly passing their own laws on digital privacy, but those penalties for non compliance vary so greatly it’s almost impossible to follow.

Exocrinous
link
fedilink
35M

Feed them to Google’s AI for data. Your boobs will be source material for the next generation of AI porn.

PSA: GDPR still applies in law in the UK too; it has not been repealed

Ahri Boy
link
fedilink
105M

*UK GDPR. Because all EU legislations prior to Brexit have been made into domestic equivalents when the UK left the bloc.

yet.

Is there a way to export my data from reddit and archive it on Lemmy instead? I dont want my valuable contributions of difficult-to-find information to be lost forever by just deleting it

You can export your reddit data. There’s no simple, existing way to replicate it on Lemmy though.

The export is machine readable, so scripting a loop that creates posts from it would be viable and reasonably doable.

Honestly you can just leave it be. If you stop generating new content the value of Reddit will drop.

Isn’t it a violation once they do something?

Maybe its illegal to make impossible promises to investors, but the GDPR supervisor authority wouldn’t be the place to make that complaint…

Ephera
link
fedilink
85M

Yeah, a formal complaint isn’t quite intended for this purpose. Just writing to your data protection authority/officer to let them know that this is important to look after, will do the same here. They can then hand out a warning to Reddit.

AlteredStateBlob
creator
link
fedilink
165M

It is not clear if reddit has already engaged in this with Google, or if it is something that’s only starting. However, as outlined in my post, they might have to consult with a DPA before engaging in this anyway, which I doubt they have done. So, no, DPAs are absolutely the right place to make that complaint.

Even if they hadn’t started yet, might as well get their eyes on it, and force them to do it right from the get go (which they cannot do, as it currently stands).

You really believe a large Corp like reddit decided on something as big as this without consulting with their lawyers? Fuck spez, but there’s no way not a single lawyer working with reddit remembered the massive legislation that has by far had the largest impact on the internet in years.

AlteredStateBlob
creator
link
fedilink
35M

Especially US companies usually just do things and are willing to engage in lenghty legal battles after the fact.they are very, very litigous.

Another issue to consider is that the GPDR is held vague on purpose since it applies to your neighborhood yoga studio as well as Google or reddit. Entirely different use cases. So there is a lot of room for interpretation.

Looking at the conduct just within Europe, yes, I think it is possible GDPR considerations were either ignored or downplayed to the point of irrelevance. There was a recent study by noyb.eu which showed that DPOs are still often pressured to make recommendations that do not align with GDPR principles.

Either way, the DPAs will have to decide if the complaint has merit. Given new technologies are specifically mentioned im the GDPR, I am at least very curious to see how it turns out.

Ephera
link
fedilink
6
edit-2
5M

Corporate lawyers tend to be …optimistic. And then management will put a risk calculation on top of that. As a result, most larger companies violate the GDPR. See the popular use of Google Analytics or Microsoft 365, for example, which are illegal in the EU, if you ask a DPA¹. Giving them a reality check is never a bad idea.

¹) https://www.imy.se/en/news/four-companies-must-stop-using-google-analytics/
https://news.itsfoss.com/microsoft-office-365-illegal-germany/

promitheas
link
fedilink
215M

Ive been engaged in discussion with my country’s data protection officer since the summer, and the reply I got was that I should delete comments myself. There are 2 comments that appear on my profile only if viewed while I am signed out, and when I raised the concerns with her I basically got the reply that “there is no personal information contained within and once you delete your account there is no username attached to them so you cant be linked with them”. Is she right, and how do I handle this situation?

As I understand it:

As long as the link between data and user is severed, they are compliant with GDPR. Anonymising data (proper non-reversable anonymisation, rather than pseudo-anonymisation) is as good as deleting. As long as it’s not personally identifiable, it’s OK.

I suspect anyone else expecting the EU to purge reddit of their comments will be equally disappointed.

As long as the link between data and user is severed, they are compliant with GDPR. […] As long as it’s not personally identifiable, it’s OK.

Wrong.

In the US, data protection refers to “personally identifiable” data, so severing the link is enough. Under the GDPR, all “personal” data is protected, doesn’t matter if it has a link or not to identify the person.

The test under the GDPR, will be whether a comment has any personal data in it. If it’s a generic “LMAO”, then leaving it anonymous might be enough; if it is a “look at me [photo attached]” or an “AITA [personal story]”, then the person can ask for it to be removed, not just anonymized.

@LWD@lemm.ee
link
fedilink
15M

removed by mod

@jarfil@beehaw.org
link
fedilink
2
edit-2
5M

places an undue burden onto the user to determine and explain why data might be personal

The other way around: all data originating from a person, is by default “personal data”, and the burden of explaining which one is not, lies with whoever is keeping it.

you can’t look at any messages in any rooms you’ve been kicked out of

If they’re keeping them, then you can request a GDPR export of ALL your data. Doesn’t matter whether some interface or application allows you access to the data or not, or even if you’ve been banned from the whole platform; as long as they keep the data, they have an obligation to honor your rights of:

  • Access
  • Correction/Modification
  • Removal

Even during obligatory data retention periods, when they can’t remove the data and only make it inaccessible, you still have the right to get a copy of your own personal data.

@LWD@lemm.ee
link
fedilink
15M

removed by mod

I’ve had to deal with this on the data collection end, and it’s a PITA to build in the mechanisms to fully follow the law. If you’re an EU resident, and especially if the server is in the EU or has to follow EU agreements, then they’d risk some quite high penalties if they didn’t follow it.

what about the whole knowing who is who based on word pattern/habit, and connected content and/or opinion?

None of that really seems to count for GDPR. And good luck picking any one person out of a sea of a million orphaned comments.

@LWD@lemm.ee
link
fedilink
35M

removed by mod

wrong because “deleting” your data doesn’t make it disappear

Which country?

promitheas
link
fedilink
25M

Cyprus

AlteredStateBlob
creator
link
fedilink
85M

The DPAs have discretion on how they interpret the laws and what guidance they give. This is something you could only really pursue through litigation beyond what reply you’re getting from your DPA. Personally, I am not trusting reddit to actually, truly delete anything. But there would need to be proof for that, beyond my suspicions.

If deleted was truly deleted, I’d say they’re right on an individual case.

The issue I’m outlining is however of a different nature, so I am somewhat hopeful at least some DPA will take this issue on.

Could we sabotage the LLM training so the data became worthless?

Like adding to our comments stuff like “2+2=5” “Abraham Lincoln discovered America” and whatever silly statement you can think of

@jarfil@beehaw.org
link
fedilink
3
edit-2
5M

IIRC, one of the LLMs (was it OpenAI?) that crawled Reddit, had to manually remove subs like r/counting because they were messing with the training.

“Wipe out all of Europe”

Someone less lazy than me should use a script to feed existing comments into an LLM, which then reproduces a convincing sentence structure but incorrect gibberish content, and then edit all a user’s comments - gradually, not all at once - to the poisoned content. Like 4chan did with the original captcha, but on a wider scale.

I think reddit is already sufficently full of misinformation that you dont need to add to it

Gamma
link
fedilink
205M

Google’s LLMs are going to get real good at gaslighting and hating minorities in the next few years

Google is already a pro at gaslighting even without LLMs trained on Reddit’s garbage.

“Web integrity is for your privacy and security” my cute ass.

Yep. Ask them if Palestine committed a genocide and they’ll parrot back the Isrsel-funded disinformation spread all over reddit “no. Israel has a right to defend itself”

If people actually turn to LLMs for information, we’re heading to a dark place.

Israel committing war crimes

Israel has a right to self-defense

Did you know that both of these statements can be true at the same time?

Thats like saying “all lives matter” to the BLM folks.

Of course Israel has the right to defend itself, but the point is that 99% of their activity is offensive and they are the oppressor. that argument is double-speak.

Israel is committing a genocide and you think that’s a reasonable response?

@crispy_kilt@feddit.de
cake
link
fedilink
2
edit-2
5M

Your reply made little sense to me, I only just now understood where it comes from.

You probably think I am arguing in bad faith, just like the racists saying “all lives matter” as a dog whistle. I assure you, this is not the case. The crimes of Israel are terrible war crimes and those responsible need to be tried in an international court of human rights. The same goes for those responsible for the concert massacre.

I am saddened that people feel compelled to pick a side in this stupid an unnecessary war and then ignore, or at the very least excuse, the crimes of the side they picked.

The assholes of both the Israeli and the Hamas leaderships are complete and utter cunts. Normal people suffer because of their power politics. I hope you can see that.

Icalasari
link
fedilink
35M

The far right multimedia group Gab released an LLM for people to get answers which “the government and liberal elite keep secret”, so already happening

Hilariously easy to jailbreak though, so I imagine it’s also piss easy to poison

Clay_pidgin
link
fedilink
45M

Are there any comment shredding utilities that still work after the API apocalypse? I’m an American, so I can only look at you GDPR-havers in jealousy.

Use a VPN to exit from an Irish proxy and make the report in Ireland.

Done. Screw Reddit.

Even threatening with a GDPR request was taken seriously by them half a year æg when I deleted my account.

Eggyhead
link
fedilink
345M

Reddit definitely doesn’t seem like the kind of business that might utterly disregard such requests while insisting outwardly that they are complying.

AlteredStateBlob
creator
link
fedilink
175M

The requests don’t go to reddit, but the supervisory authorities. They can try and ignore those requests, but since they have offices in the EU, those can and will be slapped around - if any DPA takes action, that is.

Where do one make gdpr requests to reddit?

If you reside in the EU, here “dpo@reddit.com

SteefLem
link
fedilink
265M

Done. Simple process and can do it “anonymously”

Where?

SteefLem
link
fedilink
16
edit-2
5M

For the dutch its: https://www.autoriteitpersoonsgegevens.nl/een-tip-of-klacht-indienen-bij-de-ap

But to be honest I think its already on their radar since its also in the news here (some) but every bit helps (i think)

Like the topic says in the last paragraph “ Find your supervisory authority (just use google, for added irony) by searching for “Data Protection supervisory authority [the state you live in]”. but with state you should fill in your country.

…Any chance you could share what you wrote, for the truly lazy among us? Asking for a friend.

SteefLem
link
fedilink
2
edit-2
5M

Sorry didnt copy what i wrote. Some along the line of well what they are selling and to whom and pasted the url from this article in the box. Nothing to lengthy, so its not a bother to read, just the facts, as far as i know them that is. Keep it short and simple. You can also attach documents if you have any.

Any based users in general, really

I see no difference between most big tech companies and Reddit in terms of selling user data. Reddit is just being more forthcoming with it instead of allowing users to figure it out eventually.

They undeleted a bunch of content that they had no right to undelete, and are using EU citizens’ data without consent. They’re in violation of GDPR, and the EU is going to take a very dim view of that indeed.

A Reddit account a lot of years ago, no relevant occassional posts, made with other PC from other city, no personal data. I don’t think I’m going to bother connecting again to search and delete the few posts from then, the remedy would be worse than the problem.

Create a post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 57 users / day
  • 383 users / week
  • 1.5K users / month
  • 5.7K users / 6 months
  • 1 subscriber
  • 2.56K Posts
  • 61.9K Comments
  • Modlog