These websites make their mobile websites good enough so you won't leave, but bad enough so you feel like you should download the app (such as gigantic banners that make mobile browsing miserable).
The A/B testing shows that it's a very effective dark pattern.
One non-obvious step I encountered. After login with LinkedIn, it doesn't look like you logged in but you did. You have to hit the "Explore" button on the top bar and then you'll see your name menu on the upper right, and you can proceed to settings.
Another thing: if you've never directly used Slideshare and instead signed in via your LinkedIn username, you'll need to set a password in order to delete the account (it prompts you to set one in the delete modal).
<shrug> Their site is so full of anti-patterns it's quite possible I accidentally signed up again and deleted again. Either way, it wanted a real password before letting me click delete.
How do we know that clicking the "Login with LinkedIn" button doesn't create the account? OpenID Connect/OAuth logins all work the same - if you haven't already signed up, "logging in as <x>" creates the account for you.
To answer you, the account was associated with my real email but had no password. Saw after deleting the account because it sent a deletion confirmation to my real personal email (that it should never have had in the first place).
To answer the parent post, OAuth doesn't automatically associate accounts. The first time you log in (sign up) to something with LinkedIn/Google/Facebook it gives you a popup warning that you're about to authenticate and share data with a third party service, please confirm.
If you see that popup on login, you don't have an account, don't proceed.
They actively "slurped" (their word) as many documents as they could, ignoring things like copyright, into their archive. They brushed a lot of those concerns aside which left a really sour taste.
HN actually used to have a feature to switch PDF links to Scribd ones (not sure if it was manual or automatic)[1]
I don't know what to think about Scribd. I clearly remember all the shady tactics they used with copyrighted PDFs etc, but on the other hand I'm a pretty happy customer of theirs. Where else could I get thousands of ebooks and audiobooks for 7-8 euros per month?
10 years ago PDF was not properly supported in browsers and there were a lot of complaints on each PDF submission. This was probably seen as a good idea to fix this problem at the time.
It's always the same with VCs. Do what you can (illegal or no), obfuscate and redirect, ignore when possible, and finally fake-apology ("we're sorry you feel bad").
Sure the "rules" say to assume with best intentions. That goes along with "obfuscate and redirect". It's easier to point at rules as a club to make an example. But in reality, in the end VCs are themselves toxic.
Look no further than the crowd of businesses and partners YC surrounds itself with.
Very true. Unfortunately, too many people ignore this, or don't realize this, and instead lionize VCs like they're some class of better humans or something. Quite sickening, really.
It is obvious why these people suck up to VCs. It's where the easy money is.
Banks are super risk averse (in business 3+ years, with client base and revenue, and collateral). Versus some shit VCs who'll encourage to "disrupt" (e.g. dismiss legal or safety regulations to extract quick profit) with a 1 out of 10 chance of a startup hitting the hockey stick growth.
Lie with the dogs, and you get fleas. I'll leave it to the reader to decide who the dogs and fleas are.
Screw ScribD and the horse they rode in on. Between them and Installmonetizer it is hard to pick my least favorite YC company. At least new entrants know that they'll never bottom out in the ethics department since those two got in.
I remember most of my interactions with Scribd circa 209-2010 being annoyance that whatever I was looking for was on Scribd, but these are only the vaguest of memories.
In the recent past I can't remember actually visiting.
What's surprising is that until that moment and a certain other moment which I've linked to enough about the source of funds YC was strictly speaking 'the good guys'. After that they turned into 'just like the rest, possibly worse'.
That said, if you want to do a funded start-up and you're in the United States nothing will come close to beating YC for effectiveness, even today.
> After that they turned into 'just like the rest, possibly worse'.
If that were true, wouldn't there be a lot more Installmonetizers to berate? I feel like the fact that you guys are talking about one startup from 8 years ago has to count for something. YC has funded thousands of startups since then.
I don't know anything about the backstory to that case but YC has turned down many startups for ethical reasons, so I always wondered what else was going on there. Perhaps they changed what they were doing after they got funded? That happens a lot.
YC is not perfect by any means but the absolutist denunciation of the GP seems a bit excessive.
I distinctly recall PG's comments regarding Installmonetizer. I also recall the interaction with Fred Wilson regarding the source of funding. Those two stand out because they are things that should have never happened. Being clever does not equal having a good ethical model and YC has something of a problem in this respect. The social impact of companies like AirBNB and other YC investments - to me - clearly illustrates that there is no guideline about what kind of lines will not be crossed in order to make a couple of billion. That's fine by me, as I wrote, they are just like the rest in that respect. But YC isn't holy, not by a long shot.
I agree with you though that it is not as if they seek out underhanded ways of making money. But they also don't rule them out a-priori and will not call companies to task - as far as I'm aware of - when certain lines are crossed.
Fortunately there is Watsi to balance out the most horrible cases.
As for why those companies stand out to me: I knew the initial batches quite closely, these days there are so many YC backed companies it is impossible to keep track of them and I'm simply no longer trying.
I was about to mention Installmonetizer too. When it happened it prompted me to leave HN (why should I do anything that might benefit YC?) and I forget why I came back & gave HN another chance.
Anyone know how to edit the hosts file on an Android device? I already block HN on my laptops, but I really should fix this once and for all.
Some adblockers (Blokada at least) do a VPN DNS loop thing, and allow you to add host file entries manually, but Blokada gave me some issues recently, and is pushing the paid option a lot.
ScribD, unlike Google and The Internet Archive, charges you money to read and download documents. ScribD doesn’t just distribute other people’s work, it resells their work and keeps all of the profits.
Pressing "Sign in with LinkedIn" is deceitfully vague, and will create a new account if you don't have one already. So I actually created an account and then immediately deleted it afterwards, but their welcome email was delayed for whatever reason.
Just to be sure, I pressed the "Sign in with LinkedIn" button again and it made me an account again. I waited for the welcome email to come in, and then deleted it once more. I hope that's enough.
If you don't have an account, you shall get a popup from LinkedIn warning you that you're about to sign up and share data with a third party service (a standard OAuth form you also see with Google/Facebook/GitHub auth).
If you get the popup, by all means, do NOT confirm or it will create an account. Haven't heard of people getting the popup though, strong hint that all users were magically autocreated.
Isn't this how all of the "Sign in with X" work? It's the same with Facebook and Google also where you go through the same OAuth flow where it asks if you want to give this third party access to your data.
My experience is that when I sign up to a service with a previous account, the previous account tells me what data the new service will have access to, and then the new service has a couple of more steps to fully create a new account.
In this example it was "Log in with LinkedIn" -> immediately to the front page. I've never had that before.
I hate to be that guy but did you actually read the comment? It said "after". So not the moment he signed in, 15 minutes after where to all intents and purposes that should have been impossible.
After all, we can sign people up in 20 milliseconds, I don't see why marking an account as in the process of deletion should be so hard.
GDPR allows up to a month (or more in special circumstances) to delete the account:
> The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject
IANAL - I don't believe acquiring another company and the PII along with it is necessarily a GDPR violation. Article 14 of GDPR[0] lays out the requirements for what a company needs to do when a company acquires personal data, not directly from the data subject. I believe this is what applies when a company acquires another company. At first glance, it appears the email Scribd sent does comply with most of article 14 such as:
- They notified you they were acquiring your personal data.
- They notified you that you are able to opt out.
The email is missing a few things such as the legal basis for processing. The email links to the privacy policy and an FAQ, which might be enough to provide that information. I'm not sure.
Since Scribd is not processing the data for a purpose other than what it was collected for (they mention this in the email), continuing to process it for the original purpose is ok. Presumably SlideShare complied with article 6 of GDPR[1] and either asked for consent or used one of the other bases for processing the data before the acquisition.
> Since Scribd is not processing the data for a purpose other than what it was collected for
I disagree with that. Also, could you point out the bit in the email where it says so?
If I sign up for LinkedIn and provide PII for that, then the purpose for which the PII can be processed is in order to handle my interaction with LinkedIn. If I signed up to LinkedIn before 2012, and LinkedIn bought Slideshare in 2012, then LinkedIn could only claim that my PII is still being processed for its original purpose when used by Slideshare if Slideshare was made an integral part of LinkedIn. If Slideshare is then sold to a third party, then it definitely is not an integral part of LinkedIn, and applying my PII in its operation is not processing it for the purpose it was originally collected for.
LinkedIn does not have the legal right to bundle my PII in its sale of Slideshare to Scribd, and even if Scribd were to receive my PII, it would not legally be able to use it.
I can't even sign in to SlideShare. "Login with LinkedIn" just returns to the home page without logging in. Maybe they panicked that they were losing their customer database and broke the site on purpose? The only thing anyone buys companies for anymore is their user DB. The product itself is probably worthless, so a mass exodus of users isn't something they want to see.
Followup: although the signup UI is broken, I received email welcoming me and was able to delete the account afterwards (although the delete option was in an unintuitive place in the settings). Not sure I even had an account to be concerned with before that.
It wasn't obvious to me how to login to delete my account since I didn't ever create one. For those who don't use social media, there's a "login with LinkedIn" button above the email and password on the login form. I am blind to these buttons because I don't have any type of account that allows this usually. (I didn't even know LinkedIn offered it.)
Also, the workflow was utterly bizarre for me running on macOS Catalina in Safari. I clicked on "Login with LinkedIn" and it opened a smaller window with no address bar and asked for my LinkedIn credentials. I entered them and it loaded LinkedIn in this small window. Was it supposed to go to SlideShare? I went back to the SlideShare window and reloaded, but I still wasn't logged in, despite what others here have reported. I had to go back to the login page, do the whole thing again, then reload, and finally I was actually logged in. Very very bad UX.
TL;DR Follow the instructions at the end of the article to opt-out of all your personal information being transferred, before the company changes ownership in the coming weeks.
It was adopted 4 years ago, enforceable for the past 2 years. Still every single site that even cares about showing a nagbox offers only opt-outs. Those numbers listed are a joke compared to the 4% worldwide revenue stick. What's the point of the big words if we are not prepared to back them up?
1. Most sites are blatantly non-compliant, see opt-outs (presets). For example if someone from covered regions does a search on Google right now it presents them with 2 buttons, 'I agree' and 'See more', the former is pre-checked to enable tracking everything, the latter leads into a labyrinth of settings. Not even an opt-out everything is presented (itself non-compliant, but still). It is presented every time, unless they sign up for a Google Account and/or download their browser extension.
This is definitely not how private by default should work.
2. The EU created a stick big enough in theory to go after anyone, yet they refuse to do so for years. Indeed, we are probably interpreting those numbers differently. They are a slap on the wrist at best and anchoring the discussion at the wrong point. For example in the above case the potential fines for Google could be up to ~$6B yet the listings do not add up to $60M, that's two orders of magnitude.
As it stands, GDPR achieved very little so far to protect the average user. Tracking is as bad and invasive as it has been for years.
Another comment mentioned dark patterns and opt-outs. Once they have your data though they also refuse to respond to deletion requests and whatnot.
Even major companies without any reasonable price interest in PII like Atlassian are guilty here. Their position is that if you've created an account and they unilaterally give access control to the account to a third party then since you aren't able to log in there's no way to verify your identity to prove that it's you requesting the PII removal. Proof of identity like a passport doesn't suffice, and proof of account ownership like login credentials also does not suffice.
At the very minimum users should be presented with clear and understandable opt-ins. What we got is an obfuscated mess of legalese and dark patterns of opt-outs.
Until the highest-level engineers who agreed to implement this are personally held liable for some damages, we are unlikely to see change.
GDPR is a good amount of fluff. You can run laps around the competition and stall serious consequences for years. Meanwhile, a well-meaning start-up can shell out millions of dollars if an ornery national regulator decides they’re their pet project. Fine if one has a multi-million dollar L&L budget, though.
> Until the highest-level engineers who agreed to implement this are personally held liable for some damages, we are unlikely to see change.
No need, you just need to add fines that hurt and enforce them. GDPR usually doesn't ("we only want them to feel it a little bit, but it should not hurt"). Increase it so that a clear, intentional violation can actually bankrupt the company and you'll not see them at the large scale. A small player might still do it, but very few 100mm+ companies will risk it all and open themselves individually to lawsuits from shareholders.
Google gets a 50mm fine here or there. Their revenue is 45bn. That's totally worth it.
What a silly title. Obviously if a company acquires another company they will acquire the email contacts and accounts as well. And LinkedIn has the right to connect accounts they own across their web properties.
The rest of the article is bottom tier conspiracy theory that this is a stealthy way for LinkedIn to secretly sell all their PII. This is dumb for a variety of reasons:
1) Linkedin makes all their money selling people ads and recruiting messages, they lose this if they sell direct access to their users.
2) 500m emails sale value isn't worth jack shit to a company the size of LI/Microsoft (see point 1).
Step 1: Mega Corp buys small company A most of its users don’t give a shit about.
Step 2: Mega Corp shares all its user account info with small company A.
Step 3: Mega Corp sells small company A to ethically questionable company B (yes, I find the entire business model of Scribd very questionable), along with user info of all its users. Now the vast majority of those users who never gave a shit about A nor B are on B’s spam list.
Yes, the casual sales of user info may not mean jack shit to Mega Corp, but it does mean something to B, and users who are completely unrelated to A nor B have a right to be incensed.
(Btw, I haven’t received this as a LinkedIn user, so can’t attest to the accuracy of TFA. Maybe they don’t even have the courtesy to notify non-EU users?)
There's some excellent points in your comment that are not served by the breathless conspiratorial tone of the parent article.
It's also possible that LI didn't share extra info at all with Scribd. The author takes a huge leap and assumes that all 500m LI emails have been transferred to Scribd because he got an email he doesn't recall ever signing up for.
* Never deleted an email from archive
* Don't recall ever registering on either ScribD or Slideshare
* Got the same email as the author, which is the first from either Slideshare or ScribD
* Could log in using my LinkedIn account and saw all my personal information from LinkedIn there
I didn't even receive a LI email, checked my spam as well, yet I can login to slideshare and see my account with full name and profile scraped from my LI account. Great!
By the way, my email is marked private on my linkedin account, but now it's on slideshare. So selling information you marked as private!
I can't quite parse your sentence (typo?) but I think you mean to ask whether it's possible that LinkedIn shared the PII when the user used their LinkedIn account to login to Scribd?
Doing so would in any case (I assume) violate the GDPR if LinkedIn doesn't have your informed consent for that. Perhaps they're trying to weasel this under the "technically necessary" exception, but that strikes me as unlikely to hold water - at best they'd need to share some minimal token (e.g. if you sign in via Google or some other auth provider, you get told what data Google will share in advance, and it's possible to share fairly little).
The problem is that you might have "force opt-in" into a TOS agreement which states you allow the data transfer. So depending on the sign up with LinkedIn dialog it might have been legal...
Consent must specifically be freely given; it's not a valid basis if it's "forced opt in" in a TOS. I'm not sure if there's any jurisprudence here (on exactly what freely given means). Even if consent with a TOS were to be considered freely given (I don't think so, but IANAL), it would still need to be clear, and most TOS fail to clear that hurdle. At best it would be a push, and in principle if the legal basis is invalid, punishments can be just as severe as if you hadn't bothered trying at all (although clearly the enforcement at the moment still appears to give violators a lot of chances to repair any issues; so in practice a seemingly reasonable if invalid attempt might at least buy some temporary reprieve if ever enforcement comes knocking).
The title and the article seem to me to be factually correct and raise legitimate concerns about the sharing of personal data with third parties in a way that is potentially illegal for a large subset of the users concerned. Whether this is financially significant to the parties involved is beside the point.
> And LinkedIn has the right to connect accounts they own across their web properties.
Your claim is not generally true: EU citizens are protected from data processing (of their personal data) without seeking prior consent by GDPR. And that is a-priori "opt in", not a-posteriori "opt out".
The contract based exemption applies only to contracts the private person is a party in. If company X signs some contract with company Y, that has no bearing on any consent exemptions.
source: https://gdpr.eu/gdpr-consent-requirements/ on other legal bases for processing: Processing is necessary to satisfy a contract to which the data subject is a party.
The legitimate interest one is pretty fuzzy, what would the legitimate interest be here? "I want their data" isn't enough, I'm pretty sure.
I downvoted because your statement is misleading. A contract has to be lawful to be valid.
A contract could transfer users, assuming regulations are followed and users were acquired legitimately (both of which are debatable here). However a contract that requires to transfer users without notice nor consent is de facto null because it is not lawful.
These are extremely serious considerations for the case at hand. Companies knew what they were doing, the acquisition and PII transfer is not merely accidental, that should be covered in the contract. Depending on the wording and the intent of the companies (and any public backlash that might ensue and bring things to light), either side might lawyer up and reconsider the contract, or a third party like a regulator might jump in (could fine the parties or void the acquisition).
> Obviously if a company acquires another company they will acquire the email contacts and accounts as well. And LinkedIn has the right to connect accounts they own across their web properties.
Let's assume this is true, and see where it can take us. Let's imagine every online company in the US takes turns buying another such company, consolidating the user accounts, then splitting off/re-selling the other company. Eventually anybody that had an account with any company would have an account with every company, and this would be perfectly legal despite no users ever having been asked if their personal information could be shared?
I think this is the rub: "And LinkedIn has the right to connect accounts they own across their web properties" I cannot speak to US law, but that is not true of the GDPR - collection of personally identifiable information requires consent, and that consent must be given for a specific purpose. Use of that information outside of the initial purpose that was consented to requires the user to re-consent to the additional uses. So no, a company is not allowed to just transfer my PII to a different business unit that provides a different service without my consent (and optionally then sell off that business unit like they did in the linked post).
Even GDPR does not require fresh consent for every new product and service. You have to update the privacy policy, inform users you're doing so, and let them opt out if they want (no objection rule). Which is exactly what LI is doing here.
Keep in mind LI is NOT using this as a scheme like you describe to sell 500m emails.
I don't believe there is such a no objection rule - or perhaps I'm looking at it from a different angle - can you be more specific?
Products and services aren't the issue; it's how you use+process users' data. Many products and services don't materially affect that, so won't require additional consent (e.g. if you're a company that sends news-updates by email to users that opted in, I don't believe sending them other updates is a PII issue - course, it might be spam, and IANAL). Also, products and services you're explicitly contracted for are exempt anyhow (e.g. if the user is paying you to remind them to take their meds on time, you don't need additional GDPR consent to store and process their sensitive personal data to the extent necessary to fulfill that contract - though other laws almost certainly apply to medical data).
This isn't "a service" though, it's a different company (which LinkedIn owns). That's a third party with regards to GDPR, because, as it now happens, you can sell that company.
If it was a LinkedIn-asset, that could look different (e.g. you can access YouTube with your Google Account created for GMail). But that would create another problem: if it was an asset (and not a company), you'd need opt-in from every user to transfer their user data over to the buyer, because the buyer would be a third party.
It's either a company or an asset, it can't be both at the same time.
It is not obvious the GDPR doesn't allow this. Transfer of data during sale of a business is allowed under the GDPR. Notification of a change in controller is required but there is no opt-in requirement. If the deal is structured so that it is a transfer of shares there is no need to even notify because the controller is considered to be the same.
You'd need to get opt-in for sharing the data from LinkedIn with SlideShare though, because the contract between LinkedIn and the user does not extend to SlideShare as a different entity.
In my understanding: either they violated GDPR by sharing data with SlideShare, or they violate it by selling SlideShare to Scribd.
Each use case of processing of personal information must satisfy the GDPR necessary requirement or have a priori informed consent.
During merger of Scribd into LinkedIn, they can argue that it is necessary to treat the databases as a single controller as a cost cutting measure. However, if they are going to treat Scribd as a separate severable entity, then it cannot be argued that it is necessary to process personal information into the Scribd databases which going forward will only process data in a manner not consented to.
If Scribd is not able to distinguish at that point original users that have meaningfully consented to being processed by Scribd from LinkedIn users who have not meaningfully consented to being processed, then they have no meaningful consent at all and therefore no real lawful user data because not knowing if a user has meaningfully consented or not is equivalent to not having meaningful consent for that user.
The most similar scenario is when GDPR took effect and many companies essentially had no meaningful consent for their userbase. During the grace period between GDPR taking effect and GDPR fines being enforceable, companies contacted their userbase to acquire consent and the diligent companies destroyed the user records of the users that did not contact them back since meaningful consent cannot be opt out. Of course, many companies were not diligent and held onto user records nevertheless and are waiting to see if they will have to pay the piper or not.
This is easily distinct from change of a controller when the new controller will continue the business: consent to have data processed in a particular way was acquired. In this case the separated entity will process data in a manner which was not consented to. Unless Scribd is somehow going to try to convince recruiters to use their service to find users who are going to manicure CV like profiles, which is more or less what LinkedIn users consent to.
But at least at this point Scribd has announced that they intend to run Slideshare as a separate entity and the database will not be integrated with the Scribd database.
https://i.ibb.co/2n8HdBx/Screenshot-20200822-030755.jpg
There must be a competition between Imgur, Reddit and Scribd for the worst User Exp