Pale Moon’s developers’ strange conception of privacy

I don’t often talk about Pale Moon (or is it Palemoon?), but I still have it installed, even on my last PC which I set up only a year ago. I don’t use it much, but I find it convenient to have it as a default browser, so that shitty surprise link-openers all end up in a dedicated space that never has direct Internet access without my firewall asking me for permission first. The silly things we have to do to compensate for Windows’s faults… 🙄

Today was no different, and some random crapware fired up Palemoon to open a surprise link. But for some reason I hung around a bit, and ended up on the Palemoon forums. And a topic caught my eye: “Remain active to keep your account”. Besides my interest in privacy, a reason why it caught my eye is that they use phpBB, and I’ve run phpBB for a long time in the past and as far as I remember, account deletion with this has always been a tricky matter (like with most bulletin board software). Although maybe it’s different now with GDPR, I don’t know, my use was a while before this law.

The first post explains, to put it simply, that they now purge inactive accounts after roughly 2 to 3 years (in January every year, accounts inactive for over 2 years are goners). They describe the “purge” as removing all account data except the nickname and the posts, and explain that this comes from their privacy policy.
Gladly, someone eventually called them out on this:

I actually don’t […] understand what this has to do with privacy. If an account […] is removed and the only two things remaining are said nickname and the post(s) attached to it, this doesn’t fulfill the user’s “Right to be forgotten” but only removes his opportunity to have control over his posted content, e.g. deleting or adapting his posts later on.
Thus […] it actually decreases the adherence to the principle of “My data belongs to me” because you lock out the owner […]

The lead developer’s (I think) response is… wild:

There is no “right to be forgotten” as in a right to erase your entire footprint from history. There is only the “right to have your personally-identifiable information removed”. A nickname is not personally-identifiable information.

First, GDPR doesn’t talk about “personally-identifiable information” but simply about “personal data”, plain and simple. Let’s not make up big obscure expressions to try and get people confused. Personal data. Two words, 12 letters, no dash.

Second, Article 4 of the GDPR (Chapter 1) defines personal data very clearly (but broadly): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

With that in mind, a nickname taken purely alone isn’t personal data. But first, it is never alone: at the very least, it is accompanied by “a person with this nickname had an account there”. Second, it is an online identifier which might be linked to an identifiable natural person, for instance if the nickname looks like “FirstnameLastname”, or is something the user used elsewhere too, or if the user included contents that made them identifiable (even indirectly) in their forum posts, or if the forum software keeps IPs and timestamps after the purge (something not indicated; a long time ago phpBB did keep IPs forever, but I don’t know if this is still the case).
In all these cases where the nickname can be linked to a natural person, then all the other data that are kept along with it (and there is always at least a tiny bit of those) are personal data.

The response continues:

Even users with active accounts can’t delete their own posts after a short grace period, so in that respect there is 0 difference, and nothing is “taken away” from users who have their personally-identifiable information removed from the database in a purge.

So this is even worse, and it looks like someone never heard that two wrongs don’t make a right.

And it goes on to my favorite:

On top, as with any website you use with a posted privacy policy, it is your responsibility to be aware of the practices of the websites you make use of, including any data purges that may be part of account management. Ignorance of our privacy policy is no excuse.

That’s very American: “My Terms of Use are Law”. But in some countries, notably where the GDPR comes from, you can’t strip people of their rights via crappy Terms of Service. “Ignorance of our laws is no excuse”, I could say.

Another user then raised other interesting points (but less privacy-oriented), and the developer also insisted a bit more on “we do that primarily to protect you / your data / your privacy”, so go have a read if you wish and haven’t already.

That said, that last quote did contain a valid remark: I should read that privacy policy, shouldn’t I? But… where the hell is it? I looked a bit everywhere in the forums, even went to the registration form, because of all places, that’s the one where you are usually welcomed with the whole legal jibber-jabber, and… Nope, not here not there. Not even a mention in the board rules. So much for “you should know our privacy policy” if you keep it hidden, huh?
I did not give up though, and I cheated. It didn’t get me directly there, but I found this post, with a promising link to, but… it’s dead. Ugh. But from here I found a privacy link in the footer, and that was it, yay.

Now I won’t comment on it in full because 1) that wasn’t quite the point of this post, which just started as a rant about how stupid it is to delete user accounts while retaining their username and posted contents and proudly claim you do that for the sake of protecting their privacy, 2) that privacy policy seems to cover Pale Moon operations as a whole and more particularly the browser and 3) I’m not a lawyer anyway. But 2 things caught my attention.

First, the data pruning part, since this is what started all this. The funny thing about it is that the privacy policy never says precisely what data is purged vs what is kept. You have to go to the forum post I’ve been rambling about here in order to find the details. So much (again) for “you’re supposed to know our privacy policy by heart”: even if you do, you don’t really know what’s going on with the purges…

Second, a juicy part because it’s plain and simple in violation of GDPR. The rest of my rant points out questionable ethics, but nothing absolutely broken, as I assume it may ultimately be treated via human intervention for the most problematic cases. And precisely this part is about human intervention:

You may instruct us to provide you with any personal information we hold about you. Providing said information will be subject to (in that order):
1. The payment of a non-refundable fee (fixed at €10).

I will just copy here Paragraph 5 of Article 12 of GDPR (Chapter 3, Section 1):

Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
(b) refuse to act on the request.
The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.

In case you didn’t know (and didn’t guess either), those Articles 13 to 22 are basically those about the right to access/modify/delete your data. Basically, if you don’t do it too often (and in particular if you do it only once) and you didn’t flood the forums with your personal data, it should MUST be free.

A positive note

Yup, I put the only header in this wall of text here just to catch your attention down there.

All that being said, the privacy policy is otherwise globally sensible and no worse than many, many others, and in particular better than those that massively screw you despite following GDPR to the letter – hurray for the “legitimate interest” loophole. The browser is globally good (otherwise I wouldn’t have it installed…) and, even more importantly, is part of the very exclusive club of “Browsers that are not yet-another-ChromeCrap but are not Lynx either”.
If you had never heard of it, you should give it a try. If it was for you a distant memory, maybe have a quick look at it again. If you’re under 20, maybe run it to see what browsers used to look like when you were in elementary school or kindergarten (or below). If you’re a web developer, try running your projects in it to see how far you’ve strayed from the good old simple web (Pale Moon’s rendering isn’t that outdated, but still you can tell it doesn’t like fancy-fatty front-end frameworks much).

My (much longer than planned) rant was mostly about the attitude rather than big privacy issues. This paternalistic “we do [insert crap here] to protect you because we know what’s good for you [and you don’t]” mindset is bad and terribly annoying, and should remind us all that the road to Hell is paved with good intentions.

Update on 2023-12-29

Something quite hilarious happened to me a few minutes ago. Well it’s not hilarious in itself, but it is when you consider I wrote this lengthy post not even 48h before.
While we have these guys here who find it normal to delete (or, more accurately, deadlock) forum accounts after 2 years, I just visited a forum for the first time in 2 years, 5 months and 5 hours (give or take a few minutes), which was on a different computer, and I… was still logged in!!
And to think that if this had been the Pale Moon forums, my account would be not just logged out, but gone*. Choices, eh. (also congrats Flag Counter, you get the “don’t bother me with forms” platinum medal, please do keep it up)

* okay, this was for the dramatic effect, as technically it might be gone or not be gone, because the purge occurs “around the beginning of the year”

Update part 2: I realized, while writing the small note right above, that they use CloudFlare and they block Tor. But they “care about privacy”. That’s hilarious too.

Posted in privacy, Totally pointless.
