Uncovering the Disqus data machine: @disqus shared the personal data of tens of millions of users without them or the websites knowing about it. thread - 1/13
During reporting for @NRKbeta I found that several well-known sites appear to send user data through @disqus. Some of them are: @wirecutter, @9to5mac, @ZDNet, @pcgamer. Political sites were also affected: @thehill, @BreitbartNews, @realDailyWire, and @gatewaypundit 2/13
The company says that 2 billion unique users hit their platform each month, but the number could likely be far lower. Disqus would not disclose the % that have their data shared. 3/13
This is all a result of something called "Disqus data sharing", which I am told, is on by default. The sharing has been activated since at least September 2017, but it could also be longer. 4/13
Due to the #GDPR, Disqus only shares data from users in Europe that have explicitly consented. This is not the case in the US - a test showed that 20 domains likely received personal data. When data sharing is turned on in Europe - far fewer parties also receive data. 5/13
So even though a website has enabled data sharing, EU citizens need to opt in. This is based on the country origin of the IP-address. #GDPR consent form looks like this: 6/13
Finding the setting for websites is not that easy: Rory McCafferty of @thehill had a typical response: "We appreciate you bringing this to our attention. We were also unaware of this setting within Disqus as it is somewhat buried, and we have turned it off". 7/13
Of the top sites I found a conservative estimate of affected users are in the tens of millions, but over the years it would likely have been many more. According to @builtwith 16.000 of the 1 million most visited sites use Disqus. Not sure of the % that enables data sharing 8/13
A positive spin on the story: I reached out to 23 sites - of the 11 that responded - all told me they had removed the data sharing. 9/13
Disqus, through the owner @ZetaGlobal, also admitted that they had processed and shared personal data in violation of the #GDPR. They did not know that Norway, Iceland, and Liechtenstein adopted the privacy law in 2018. 10/13
For the record: That made the Norwegian DPA (@Datatilsynet) quite upset. They said: "you can't murder someone and then say you did not know it was unlawful". @ZetaGlobal fired back: "Comparing data sharing to murder is abhorrent and despicable." 11/13
The company is now deleting data collected without a "lawful basis of processing" in the three countries and has told us that they will from now on be treated as other GDPR countries. 12/13
For the record: "All publishers are provided with Disqus terms of service and always have the option to opt-out at any time. We will further inform publishers that due to the oversight we are clearing all EEA data and users will re-register for consent." 13/13
Article in Norwegian: nrkbeta.no/2019/12/18/dis…
Article in English (Google translate): translate.google.com/translate?sl=n…
UPDATE: 4 of 6 Norwegian sites that shared data through @disqus have removed the service. They say they don't trust the company, even though users are supposed to be in "privacy mode" by default.
Finally - shout out to @thezedwards who helped solve several parts of the puzzle. @evajarbekk, @sisomm helped with some of the legal confusion (who is it compliant?!), @conzentio for starting the reporting, and @CybotCorp for the list of Norwegian Disqus sites.
Keep Current with Martin Gundersen
