Alex - NeuroQueer Dapper Skeleton
Follow

Tumblr tried to sneak in data collection under the radar. After a few taps, you can get a list of who they're sharing data with.

The list takes 19 screenshots to see all the names on my phone.

NINETEEN.

List of names of the "partners" Tumblr shares your data with

1/5

List of names of the "partners" Tumblr shares your data with

2/5

List of names of the "partners" Tumblr shares your data with

3/5

List of names of the "partners" Tumblr shares your data with

4/5

List of names of the "partners" Tumblr shares your data with

5/5

Also worth mentioning a very nice (no) dark pattern. The last name in the list is always behind the gradient block, which means you can never untick it.

That's Oath, the new owners.

Go read they shitty website in which they try to justify their invasion of your privacy, and also minimize the rights you have to control that data: oath.com/en-gb/my-data/

The deletion right is barely mentioned, at the very end, and they don't even give you a link to do so.

You gotta figure that one out yourself, I guess?

Let's also analyze for a bit the UI of their mandatory privacy disclaimer. Keep in mind the spirit of the GDPR is all about the need to have "informed consent" to collect data about a user.

First of all, you get a massive wall of text. Please excuse the french, but notice how faded (light grey one white) the button to modify the settings is.

That's the first dark pattern of this flow. Clearly the goal is to put everyone to sleep and hope everyone will blindly click on the bright blue button to simply accept everything.

If you do click the button to have more options, the next screen still tries to make you click the "OK" button, and the actual settings are a link on the side, barely more visible than a regular link.

And if you do click that link, you are taken to a third page that still tries to make you accept the new conditions without actually giving you control.

You need to click the "display" links to have some control.

And finally, you can control who gets what.

Note the list of partner consists of 322 (not a typo: three hundreds and thirty two) entries. You have to uncheck them one by one.

If I wanted to copy/paste the name of each partner that receive data from Tumblr, I would need nine standard-sized toots of 500 characters.

@skiant
Glad not to be on tumblr. Guess i still have to leave fb tho

@skiant this is so depressing. It’s a massive regression. I’m so done with all these sites, I’m about to delete my tumblr. Thanks for pointing this out

To finish up, here's how to uncheck everything in one go, using a desktop browser (Firefox/Chrome).

While on the page with the 322 checkboxes, open up your web console (Chrome: developers.google.com/web/tool, Firefox: developer.mozilla.org/en-US/do)
and copy-paste this : 

document.querySelectorAll('input[type=checkbox]').forEach((input) => input.checked = false)

Then press enter.
All checks should be checked out.

@skiant Thanks! It was very boring to uncheck them ONE BY ONE with Tab-Space-Tab-Space… My wrist hurt!

@skiant my first act of summer break will be to delete my tumblr accounts.

@skiant Ftr, i would expect checking "off" on all the first checkboxes (checking what is delivered how) would make the rest of the checkboxe's uses moot.

Also, expecting them to have a nice big lawsuit :)

@skiant A mistake of mine was, after unchecking all the boxes, going to the Tumblr privacy settings and unchecking the “Cookie consent” checkbox.

It's a fake option: If you just click on the box to unselect it, you are brought back to the Oath privacy disclaimer, but this time ALL the checkboxes are checked back again!

@miramarco @skiant That happened to me without my changing anything. The Tumblr app reopened itself unprompted, at the start of the Oath process, and sure enough, everything was rechecked.

@skiant All hail the #Firefox inspector and JS console, I could write a short script that clicked each of them. 🙏

@skiant oh you did that too, nice!

Too bad the regular users won't know how to do it and by now a lot of them has probably just clicked "accept" out of frustration. :blobsad:

But maybe that addon thing wouldn't be late??

@skiant that is not GDPR compliant. It has to be opt in, not opt out.

@skiant this is why i gave up on the engagement(?) site

@skiant Trying to find this screen from Tumblr, I had to go through an Oath login screen, which said "Please wait while we collect your data"

how about no

@skiant Actually, how the hell do you even get to these screens?

@varx
Only in the EU because of GDPR. I assume non EU citizen have the same tracking but no control over it.

@skiant Except... they don't know if I'm an EU citizen or not. :-/

@skiant I've basically stopped using any "Oath" websites now, and I rely on that giant pop-up as a cue to tell me that's what the site relies on.

Also clicking on this link in Chrome on Android messed with my back button, because tapping it brought me back to the previous section heading instead of letting me dismiss the page and return to Tusky, so I had to keep tapping it until it returned to the top of the page 🤦‍♂️

@skiant gross... how did you get to those screens by the way? i'd like to go un-tick all the ones i can

@gingerrroot There's a splash with these in the EU. Friends in the US don't seem to see them, not access them with a direct link.

@skiant yeah i don't see any way to access it from mobile or browser here in the US. interesting.

@skiant @gingerrroot why even give us the options if they don't have to? selling our data is the business model, and the US doesn't grant fancy things like rights

@skiant @gingerrroot Wonder what happens if you use a VPN based in Europe, change the settings, and then shut the VPN off.

@skiant You technically can, but only on a desktop computer.

And considering how much Internet use skews towards phones these days... 🙃

@skiant After multiple tries I narrowly managed to uncheck it on a Galaxy Note 8--that is, a 'phone set up for stylus use (there must be a clickable sliver at the top of the checkbox). Which doesn't make it remotely defensible of course.

@skiant where do you get that list? (I assume to turn them all off)

Oh. It's because I'm in the US so GDPR doesn't apply, doesn't it?

@dconley Probably yeah. It was in a splash screen when trying to open up the app.

I just realized they do the same on desktop too.

@Salixj Those pages don't seem to be available outside of the EU.

They splash when you try to connect otherwise.

@skiant can you share the link? I got lost on oauth's website

@skiant can I access those settings from the web or do I have to install the app to be worthy?

@skiant the answer is YES. I can now select the "partners" on the web browser.

Also, the dark pattern doesn't exist in this one. Looks more like bad programming than intentional design, frankly.

@skiant do you mind if I post this thread to tumblr?

Sign in to participate in the conversation
Mastocafé

This is an open mastodon instance for social justice activists, LGBTQIA+ people, and people who are aware of such subjects and care about them.

See the Goals, rules, and technical details for more information