GDPR Article 17 - Your right to erasure (by Stinc)

image.png

Did you know that if you ever signed up for a Steem account via steemit.com then they are likely still holding your email address in their database ?

Depending on the exact timing and method of your registration, they could also be holding your phone number or an associated Reddit account. I would speculate that they probably also record associated IP addresses.

The alleged original purpose of collecting this information was to assist with the account recovery process, and to minimize abuse of the signup system.

However, the Steemit Inc that you once signed up with is no more - it's a corrupted shell, Steemit in name only.
The staff have left, the community has left, but the corporate shell and its new owners inherited that big database of user information.

What can we do about Steemit Inc holding on to our private information ?

If you're in the European union you should be covered by the General Data Protection Regulation , and companies like Steemit Inc are obligated under Article 17 of the GDPR to honour your "Right to Erasure".

Individuals can demand that their data be deleted if it's no longer necessary for the purpose it was collected, or there is no ‘compelling’ reason for its continued processing.

According to the Steemit Privacy Policy under the header "Your Rights" the email address to use is privacy@steemit.com .

image.png

Here's an example of a data removal request :

This template is available in other file formats with more explanation on its original source here.
Modify the end section {{ in curled brackets }} to target the request to your specific data (email, username, phone number etc).

To Whom It May Concern:

I am hereby requesting immediate erasure of personal data concerning me according to Article 17 GDPR.

Please erase all personal data concerning me as defined by Article 4(1) GDPR.

I am of the opinion that the requirements set forth in Article 17(1) GDPR are fulfilled. You cannot claim an expectation based on Article 17(3) GDPR either, particularly as I am not a public figure.

If I have given consent to the processing of my personal data (e.g. according to Article 6(1) or Article 9(2) GDPR), I am hereby withdrawing said consent for the entire process.
In addition, I am objecting to the processing of personal data concerning me (which includes profiling), according to Article 21 GDPR. I request that you restrict the processing of the data concerning me pending the verification whether your legitimate grounds override mine, pursuant to Art. 18(1)(d) GDPR.

If you have made the aforementioned data public, you are obliged pursuant to Article 17(2) GDPR to take all reasonable steps to inform other controllers, including search engine operators, who process the personal data listed above, that I have requested the erasure of all links, copies or replications. This applies not only to exact copies of the data concerned, but also to those from which information contained in the data concerned can be derived.

In case you have disclosed the affected personal data to third parties, you have to communicate my request for erasure of the affected personal data, as well as any references to it, to each recipient as laid down in Article 19 GDPR. Please also inform me about those recipients.

If you object to the requested erasure, you have to justify that to me.

My request explicitly includes any other services and companies for which you are the controller as defined by Article 4(7) GDPR.

As laid down in Article 12(3) GDPR, you have to confirm the erasure to me without undue delay and in any event within one month of receipt of the request.

I am including the following information necessary to identify me:

{{ Enter your identification data here - In the case of Steemit you will need to specify what data you'd like removed such as your email address, or data associated with username xyz, phone number 123 etc }}

If you do not answer my request within the stated period, I am reserving the right to take legal action against you and to lodge a complaint with the responsible supervisory authority.

Thank you in advance.

Yours sincerely,
{{ Your name }} 

Alternatively I just discovered this request generator from datarequests.org that allows you to customise the request with a simple form.

Why do this ?

I can see a few incentives for people to do this.

  1. Self Interest / Legitimate privacy concerns due to the corrupt nature of the Stinc shell. Nobody wants the inevitable spam and targetted phishing attempts when STINC sells/leaks/gets hacked for your private information.

  2. Spite / Revenge : It's very likely that none of the original staff that handled this database setup, maintenance and removal requests are available anymore. The GDPR specifically states they need to respond within 1 month of your request, and could be punished with fines for non compliance.

Think of the chaos that would ensue if everyone did this at the same time.

Unfortunately I'm Australian - so none of it applies to me :(

I'm unable to find an Aussie equivalent to the GDPR that could help me here (@apshamilton?)..

Despite them censoring all of my posts at the API level, publicly calling me a criminal hacker and then stealing 28k of my Steem they still get to hold onto my personal info just in case they can use it to fuck me again one day.

It bugs me. Save yourself if you have the option, and let me know in the comments :)

H2
H3
H4
3 columns
2 columns
1 column
53 Comments