I’m one of the founders of this service. We created Your Digital Rights because we believe that privacy matters, and that exercising your right to privacy should be easy. Over the past year thousands of people have used the service to send GDPR erasure requests. We’ve just launched support for the CCPA. I’d love to get your feedback and am happy to answer any questions.
What about 'startup/tech' companies like Telegram? I can't bulk delete data in group chats, which to me seems in violation of my GDPR rights. I also have no idea where they are permanently based or how to properly contact them? They are an immensely shady outfit...
Can you help with this case or am I and others just stuck with the mistake of using them?
I believe they do store data on their servers. Their desktop app doesn't require syncing to your phone.
Can you explain your thinking about why you believe that? I would have interpreted the guidelines in the opposite way.
Telegram does permit individual manual deletion of group conversation messages for all parties, and bulk deletion of 1-1 conversation messages for everyone, just not the group chats. It's incredibly inconsistent even by their own standards.
>Can you explain your thinking about why you believe that?
Reading through the reasons in the "When does the right to erasure apply?" on the link I posted it is not obvious if any of the listed ones apply.
As for the syncing - if they are fully encrypting everything but you have the keys on those devices and they dont have them, what they have is not considered usable by them data. I am not entirely sure how Telegram operate anymore though - if there is no syncing at all, then yes they likely store it in an accessible by them way.
Ah, ok, I think my right lies somewhere in me withdrawing consent and my belief that they lack a 'legitimate interest' (which is somewhat well defined under GDPR) for retaining it. I might contact the ICO and Telegram and see what they say - might be fun :)
Here is their privacy policy https://telegram.org/privacy, not sure if that helps but it designates a subsidiary company to deal with GDPR requests. The details of that company are: Telegram UK Holdings Ltd (71-75 Shelton Street, Covent Garden, London, England, WC2H 9JQ.
Thanks. I might try that. All reports seem to say they are actually based out of Dubai (previously Berlin?). It's all very murky. I'll see if they respond.
I have a list with about 150 data brokers, I'm wondering what would be the best UI to help people interact with the list. Is bulk sending deletion requests to the whole list viable? Is it multiple selection?
Being employed is a useable workaround. I've never had anything other than a blank credit history and that usually just triggers a "Can I see proof you can pay" type question.
or trace back prior fraud. Criminals are using data deletion requests / demands to cover their fraud so they can continue. I don't think as written, this legislation is going to hold up under the onslaught of criminal abuse.
I don't want to be rude, so please tell me if you do, but do you have a source for that? It sounds quite a lot like a "think of the children" argument and whilst I can see people having made that claim elsewhere, I don't see any actual cases of it being reported.
I believe that's incorrect under GDPR. There is a legitimate interest to keep records for fraud use, and also they must not delete anything that's required for regulatory compliance. GDPR is very clear on that.
Exactly! As a site administrator I've received much abuse from users who have used a "service" such as this. Upon doing my job and legally verifying they own the data, I've frequently been subjected to a torrent of abuse and legal threats - companies such as this foster a belief that you can just enter your details, press go and that's he end of the matter.
You have to send the request from an email and if you send it from an unrecognized one they'll probably ignore it, have grounds to do so or will ask you for more information in a follow-up email.
> those manual processes are expensive and likely to be automated away to some hackable business logic
I suppose this depends on who they're manual and expensive for. Some people will probably automate "respond to all agent-based deletion requests with a request for proof of authorization and direct user verification", because it lets them delete as little as possible.
But actually checking that info if its provided? Yeah, that sounds less likely. And I'll bet a lot of companies will just obey anyone claiming to be the actual user and providing some piece of personal info.
CCPA guidelines say that for deletion requests via an "authorized agent", companies can require the consumer to verify their identity directly with the business, and require the agent to furnish written permission from the consumer. (Unless the authorized agent holds power of attorney. Good luck sorting that case out.)
Practically? Yep.
The burden of work and evidence for refusing requests is pretty high, and most companies probably won't handle it. Companies under GDPR have consistently agreed to delete or even reveal info without reasonable evidence. They generally aren't allowed to gather new info to verify you, either - they specifically can't require official ID if they don't require it as part of their normal business. Probably a decent number will require you to confirm the request via the email they have on file, but if you did the work to plead "no longer have access to that email" they'd probably delete anyway.
The only good news is that password-based accounts are different, and the standard for verification is meant to scale based on the damage of a positive mistake. So you could cause bulk deletions from an email list to hurt a company, or target a person for massive inconvenience, but you probably couldn't get hit someone's most important accounts like file backups or online bill payments.
A really surreal thing, though, is that opt-out-of-sale requests don't even require verification, and they prohibit businesses from asking you to opt back in for a long time. They can only be refused with a "reasonable and documented" belief that the request is fraudulent. What's more, a deletion request that can't be verified is supposed to be treated as a valid opt-out request!
So for targeting a consumer, maybe. But I absolutely expect we'll see someone target a company by taking a multi-million-record email breach and sending deletion/opt-out requests for all of them.
Services like this are disgraceful. You encourage users to GDPR from services via your system, a third party, which then sends the request on. GDPR and data protection require that companies protect user data and so these requests cannot just be processed without verifying the user is who they say they are. Companies cannot communicate with you as you are a third party and so you're just creating an unnecessary step in the chain and fostering the belief in users that using your service is all they have to do. The number of people who have given me abuse as a site administrator because upon receiving an email from you or your competitors, I've had to verify identity, is beyond a joke now!
It's sad that you didn't even bother to try the service, or read the instructions, before posting this comment. All the service does in generate an email which opens up in your local email client. You then send the email on your own. If the company needs any further information they can (and legally have to) reply to your email. We are not a side to this exchange.
If you have an account of some kind with them (cloud services, for example) then I'd imagine they're retaining PII on you (name, billing address, etc).
This form is filled with dark patterns, including ones that are outright illegal, I believe. You cannot exclude your phone number under GDPR unless your country code is UK (+44).
52 comments
[ 2.9 ms ] story [ 47.9 ms ] threadCan you help with this case or am I and others just stuck with the mistake of using them?
As far as I can tell, their use case, in general, isn't covered by the rights to erasure[1]
1. https://ico.org.uk/for-organisations/guide-to-data-protectio...
Can you explain your thinking about why you believe that? I would have interpreted the guidelines in the opposite way.
Telegram does permit individual manual deletion of group conversation messages for all parties, and bulk deletion of 1-1 conversation messages for everyone, just not the group chats. It's incredibly inconsistent even by their own standards.
Reading through the reasons in the "When does the right to erasure apply?" on the link I posted it is not obvious if any of the listed ones apply.
As for the syncing - if they are fully encrypting everything but you have the keys on those devices and they dont have them, what they have is not considered usable by them data. I am not entirely sure how Telegram operate anymore though - if there is no syncing at all, then yes they likely store it in an accessible by them way.
(And those manual processes are expensive and likely to be automated away to some hackable business logic at some point.)
I suppose this depends on who they're manual and expensive for. Some people will probably automate "respond to all agent-based deletion requests with a request for proof of authorization and direct user verification", because it lets them delete as little as possible.
But actually checking that info if its provided? Yeah, that sounds less likely. And I'll bet a lot of companies will just obey anyone claiming to be the actual user and providing some piece of personal info.
CCPA guidelines say that for deletion requests via an "authorized agent", companies can require the consumer to verify their identity directly with the business, and require the agent to furnish written permission from the consumer. (Unless the authorized agent holds power of attorney. Good luck sorting that case out.)
Practically? Yep.
The burden of work and evidence for refusing requests is pretty high, and most companies probably won't handle it. Companies under GDPR have consistently agreed to delete or even reveal info without reasonable evidence. They generally aren't allowed to gather new info to verify you, either - they specifically can't require official ID if they don't require it as part of their normal business. Probably a decent number will require you to confirm the request via the email they have on file, but if you did the work to plead "no longer have access to that email" they'd probably delete anyway.
The only good news is that password-based accounts are different, and the standard for verification is meant to scale based on the damage of a positive mistake. So you could cause bulk deletions from an email list to hurt a company, or target a person for massive inconvenience, but you probably couldn't get hit someone's most important accounts like file backups or online bill payments.
A really surreal thing, though, is that opt-out-of-sale requests don't even require verification, and they prohibit businesses from asking you to opt back in for a long time. They can only be refused with a "reasonable and documented" belief that the request is fraudulent. What's more, a deletion request that can't be verified is supposed to be treated as a valid opt-out request!
So for targeting a consumer, maybe. But I absolutely expect we'll see someone target a company by taking a multi-million-record email breach and sending deletion/opt-out requests for all of them.
I wish it came with a little blurb on /data-brokers as to what a Company does or how they typically use data.
I know I probably 'want' e.g. Experian to have my data but I'd remove any company that is purely ads based for example.
Since the devs are around this thread: it would be nice to have an option to send requests in bulk.
Of all the companies that might be collecting my info via some dark sorcery...theyre not on my worry list
This form is filled with dark patterns, including ones that are outright illegal, I believe. You cannot exclude your phone number under GDPR unless your country code is UK (+44).