Before migrating to Lemmy, I decided to request a copy of the data Reddit has on me.
To my surprise, the export includes a file ip_logs.csv
with a list of all IP addresses that I used to connect to Reddit for the last 3-4 months!!
That seems quite unnecessary.
Got news for you. 4 months is on the short side. Any place that processes credit card or other transactional data will most likely keep it around 13 months if not longer. And yes you guys can quote “well actually it’s not required”, no, no it’s not, but I’ve worked with enough companies to know they hoover and keep IP, user agent string ,etc for quite a while.
The credit card companies don’t ban me from buying chicken tendies because I hurt their feelings.
If they did, why would you keep using them?
Because I enjoy being punished.
deleted by creator
Under GDPR they have 30 days to comply or you can report them. More details here.
deleted by creator
I’d like to know, as well. Been 10-ish days since I requested it, still nothing
edit: finally got mine, could’ve been better, could’ve been worse
Mine took almost the whole 30. They will pm you on reddit once it’s ready
About a week
Where did you find instructions for requesting all your data?
Not OP but took mine 29 days.
They also use various browser fingerprinting techniques, and who knows how long they keep that for.
I imagine they use it to keep track of alts and ban evasion, not surprising to me and you should probably assume that any site you visit will store your IP forever.
They also track your hardware, if possible. I had to replace a few laptops over the year.
Does my browser supply details about my hardware? Is there anything on Android that can prevent sending hardware information?
When using a browser they can get your user agent (https://www.whatsmyua.info) They can also get some information about your device, like pixel resolution, screen size (https://www.whatismyscreenresolution.org), gpu (https://hardwaretester.com/gpu) etc…
All of those data combined make a fingerprint for your browser, that can be more or less unique.
I recommend having a look here for more information about how fingerprinting works and how to protect from it, and to see how “unique” your browser is (https://coveryourtracks.eff.org).
When using an app, it’s a whole lot more complicated to escape from it, but one step I can recommend, is to delete your phone advertisement id (https://www.eff.org/deeplinks/2022/05/how-disable-ad-id-tracking-ios-and-android-and-why-you-should-do-it-now).
That been said, from my own reddit gdpr export, it doesn’t look like reddit is doing any fingerprinting of that sort. I haven’t looked so close at it yet, however.
For the love of god use Tor with tails, or at least just Tor on its own. Even that’s probably overkill, but with telemetry monsters like Reddit it doesn’t hurt to go above and beyond.
Generally the tracking Reddit does is this:
-
Cookies
-
Cross site tracking (just like Facebook does)
-
Canvas Data and User agent (including browser window size)
-
IP address (generally the last thing they target to prevent cross-bans on public WiFi and universities)
Replacing a laptop isn’t necessary to get around it, this is a lie spread by moderators (and also admins in some cases) trying to mystify the ban evasion detection system in an effort to curb ban evasion. Using a private browser that limits information is usually sufficient, using Tor is very effective, and using Tor with tails is insanely effective if maybe a tiny bit overkill.
-
Well then.
crontab -e
0 0 1 * * /home/rtxn/scripts/reddit_gdpr_request_mail.sh
:wq
Thank you! Finally managed to quit vim!
Excuse me for asking but… So? Why should I care about this?
Because collecting data that is not strictly necessary is almost always a bad move. IP addresses might be relatively harmless, but might link you to other activities.
You personally might be okay with reddit knowing your IP addresses, but some people might get into trouble.
Take the insane anti-abortion laws in some US states. If an IP address from those states accesses pro-choice subreddits, that might be enough for law enforcement to start harassing someone.
Not 100% applicable here, but some websites use stored ip addresses as a safety measure, since a stored ip address’ location can be compared against that of the current login attempt. This way, a guy trying to steal your account from the other side of the world would be flagged and you’d be alerted via email and such.
You’re asolutely right, IP addresses are kind of a grey area since the are needed for lot of troubleshooting and debugging.
Nevertheless, you can always strive to reduce the stored data.
For your application, you wouldn’t even need to store the historic IP adresses, just a rough geo-location and maybe a mobile/landline/whatever-flag and comparing the current login attempt to that. Even saves you some performance by not repeating the geo-lookups everytime.
Implement your failed-login counter separately by account and source IP and you’ve got decent security without linking an account to an IP.
What your IP address was at any given time cam be used by the people they sell this data to. They will look at a certain date at what your IP was and then pair that up with any other IP address they have from other sites. With that they can pair up this information to build a profile on you.
They could for example take Facebooks IP data which is easily linked directly to you, and match that with your Reddit profile. Now they know which Facebook user has which Reddit account and they can track your engagement across the two. Then add in the trackers in reddits advertising and they know what ads you have seen. Then add in Amazon’s data and they know what you have bought after seeing which ads on Reddit
It’s all part of the web of information that companies will collate and cross reference to build up detailed information on you to sell to 3rd parties
aw crap I deleted my account before they responded with all my data after requesting it
Oh no! Not me Eye Pees! I needs them!