90

I would like to know how the acquisition impacts our user data, and specifically private user data.

I am aware that a large part of our contributions could be scraped from the outside (or even, queried through public APIs). My concern is not this obviously public information.

I am interested in the fate of already existing non-published data regarding users. This could include such information that users submitted themselves (including, but not necessarily exhausted in e-mail address and full name entered into a private field), or data that was obtained, recorded, and possibly processed during their usage of the platform, and data that is the end-product of aforementioned processing.

I would like to know:

  • whether the conditions of the acquisition oblige SO / SE to hand over this data
  • if there is no such obligation, whether SO / SE nevertheless plans to hand the data over out of whatever motivation
  • if such a data-handover indeed is planned, I would like to know:
    • whether there is a practical possibility for the individual user to stop the handover of data describing them individually
      • could such data handover be tied to the consent of the user?
        • what consequences should the user count with if they do not consent to the handover?
          • would that effectively lead to the destroying of the data describing them?
            • can a user, or any regulation force the deletion of data describing them in lack of a consent?
          • would that mean that they need to stop using the platform?
          • possibly it could be useful to present a storyboard for this scenario, to manage expectations.
    • are there users who could be impacted differently in this regard due to their geographical location — and due to different regulations applying in that location?
    • how does the new owner intend to use this data?
  • will you issue entirely new announcements in the future, whenever anything changes regarding these questions?

I ask you to:

  • take this question seriously
    • not close this question as a duplicate of any related, but generic one that will not go into depths regarding the topic specific to user data
  • address this question to the fullest extent that could help informing (and possibly reassuring?) all those community-members who may share these or alike concerns.

Update: request for an adequate answer

The comments under the surprisingly terse answer delivered by @Rosie demonstrate how it is open to several — quite different in their consequences — interpretations.

I see the possibility that this answer means to involve only the legal aspect of the procedure: it merely informs us that SO is confident to go ahead with handling the data however they see it fit.

This however implies that the answer entirely avoids acknowledging and addressing the user privacy aspect: as in, how Prosus will use data describing us privately, and to whom Prosus may sell this data.

As it happens, I have come across a post from @anildash, in which he stated:

I've seen a lot of companies that are dismissive or uncaring about community, and this isn't one, [...]

I hoped that I did not need to clarify that I expected an answer to my question exactly in the spirit of the above quote.

I, and others in this community are still awaiting that answer.

17
  • 10
    stackoverflow.com/legal/terms-of-service#provisions might be relevant here. No mention of what happens in the case of acquisition here stackoverflow.com/legal/privacy-policy . Also as a Dutch company, the new owner is probably under the GDPR? Commented Jun 3, 2021 at 4:59
  • 6
    @JourneymanGeek The new owner might be, but SO Inc. is still based in New York. If Prosus has no say in the day-to-day operations, it gets complicated. You'd need a proper lawyer to answer that.
    – Mast
    Commented Jun 3, 2021 at 7:57
  • 6
    Hence ^ is a comment, not an answer. I neither work for SE (in which case I'd want a lawyer to talk), nor am I a lawyer (in which case ... it's complicated to say anything) nor do I play one on TV :D Commented Jun 3, 2021 at 7:59
  • 4
    In principle the privacy policy (stackoverflow.com/legal/privacy-policy/public-network) cannot change without you consenting to it. It doesn't matter who is the current owner, they basically have an obligation to honor all agreements between you and the former owner. Now about the question of sharing your data within the whole new owner conglomerate, which might not be covered by the current terms of service, I guess this is the really interesting part of the question. Commented Jun 3, 2021 at 10:59
  • 3
    @JourneymanGeek For purposes of GDPR the location of the company isn’t as relevant as the location of the owners of the PII (other than for enforcement, of course). Commented Jun 3, 2021 at 11:07
  • 16
    From the Terms of Service: General Provisions: Stack Overflow reserves the right to assign our rights and obligations under these Public Network Terms (in whole or in part) without your consent to a corporate affiliate, or in connection with a merger, acquisition, corporate restructure or reorganization, or due to the sale of all or substantially all of our assets.
    – BSMP
    Commented Jun 3, 2021 at 19:00
  • 6
    @JourneymanGeek the company isn't Dutch it's South African. It's only registered in the Netherlands for fiscal reasons.
    – bad_coder
    Commented Jun 4, 2021 at 10:37
  • 1
    +1 from me, I think that this is a very important question that I hope gets a detailed answer. Commented Jun 4, 2021 at 14:38
  • 2
    @Trilarion OTOH, SE has a history of trying to make unilateral changes to pre-existing agreements, so we can't just assume that they'll do the right thing. I certainly hope they will, but previous history doesn't bode very well in that regard. Commented Jun 4, 2021 at 14:40
  • 3
    @EJoshuaS-ReinstateMonica I don't think it's really a matter of trust. You and SO Inc. made a contract when you registered here. They told you what they'll do with your data and you agreed to it. The new owner must honor this contract and cannot go beyond that unless you agree again, which you don't have to. The only real question remaining is what you actually agreed to when signing up here? Commented Jun 4, 2021 at 15:21
  • 4
  • 2
    Is there a section of any of the terms or policies you suspect is unenforceable? FWIW, the section I quoted seems pretty common. There's something similar in either the Privacy Policy or the Terms of Service for Twitter, Flickr, Instagram, Facebook, Reddit, and Tumblr (& Automattic). Google does too, but they explicitly state that they'd "...give affected users notice before personal information is transferred or becomes subject to a different privacy policy.".
    – BSMP
    Commented Jun 4, 2021 at 22:09
  • 2
    @BSMP I'm not an expert on this. I just said: let's not forget about the possibility that something could be reviewed in there. I have the impression that when authorities step in, it's typically in defense of the users. Online businesses, in step one, can demand whatever in the terms of services, but sometimes someone needs to rein them in. So the thing I would suggest probing is indeed any part where they would seem to grant themselves unencumbered permissions regarding user data.
    – Levente
    Commented Jun 6, 2021 at 10:58
  • 3
    It doesn't seem like many people know what's in the TOS. Or at least nobody so far referred to it and interpreted it within the legal framework and deduced what is possible to do with the data and what is not. What does it say about our modern legal system? Is it too complicated? Should we all have to make a mandatory education in law? Commented Jun 14, 2021 at 10:17
  • 2
    Some important information Commented Jun 16, 2021 at 19:33

2 Answers

37
+100

I fully understand the worries that you and others may be feeling about how private user data may be used and shared with other companies after the acquisition of Stack Overflow by Prosus is completed.

To date, we as a company have always treated maintaining the security and safety of user data as a foundational value in how we architect our sites and interact with the Community. However, in a world where data like this can be a very valuable commodity in its own right, it is natural to inquire as to whether these values will be maintained moving forward.

Last week we had a company-wide AMA where we had the opportunity to pose questions to senior executive leaders within the Prosus EdTech organization. I asked the following question:

Are there plans for Prosus to use private user data from SO/SE and/or share this data with other Prosus-owned companies?

To sum up the answer that I received: “Absolutely not”

I am paraphrasing additional salient points of the response (shared with their approval):

  • Data security and privacy is something that Prosus is very careful about for all of its companies.
  • They just do not engage in practices like taking data (or anything else) from one company and sending it to another company. This is very much against the spirit of their operations.
  • If a request is made of us to share data like this, the expectation from Prosus leadership is that we (Stack Overflow / Community Team) would say “nuh-uh” (direct quote). And we would be supported and backed up in doing so.
  • They want to make sure that each of their companies — which encompass many hundreds of millions of users (including school-age users for whom data privacy is even more paramount) — protects their data vigilantly.

I was quite satisfied with this answer and the presentation of their business philosophy as a whole, and at this point have no hesitation at all in saying that I do not feel that the safety of our private user data is compromised or will be compromised by the upcoming acquisition. Thanks for your question!

13
  • 10
    Thank you for relaying the question for us!
    – Luuklag
    Commented Jun 17, 2021 at 13:46
  • 2
    So does this mean that the answers to the questions in the OP are "no, no, n/a, yes"? I feel like the question "are there plans" and an answer about the spirit of the operations does not really answer the question as asked, which (taking this answer into account) would be "if Prosus ever changes their mind, can they (legally) use my data or not?".
    – Marijn
    Commented Jun 17, 2021 at 14:37
  • 1
    To clarify: it is not my intent to come across as a spoilsport or hard-to-please. It's just that I feel that having asked this question, to a degree it now is my duty to remain sharp regarding your answers. With that said, the following comments deliver my immediate observations:
    – Levente
    Commented Jun 17, 2021 at 14:39
  • 2
    1.) "the worries that you and others may be feeling about how private user data may be used and shared with other companies after the acquisition" — no, not only after the acquisition: my concern includes the transitional period as well; as in, the past weeks, right now, and the upcoming duration of time until the acquisition gets finalized.
    – Levente
    Commented Jun 17, 2021 at 14:39
  • 2
    2.) "taking data from one company and sending it to another company." — that, from a technical aspect, seems to not rule out that they could still operate targeting as a service, where they don't hand over the data, but assist advertisers and other entities to target specific persons. (on the long term, such an ongoing service could probably be more profitable than a single sale anyways) 3.) "the expectation from Prosus [...] is that [ SO ] would say 'nuh-uh'" — right, because capitalizing on the data would remain the monopoly of Prosus itself, and not up to subsidiaries.
    – Levente
    Commented Jun 17, 2021 at 14:39
  • 4
    4.) "[...] at this point have no hesitation at all in saying that I do not feel [...]" — well, this post seems to hinge the entire message through your personal perception. Now no-one could hold it against you if you misunderstood something, missed to cross-check on something, or others abandon their words that they issued to you personally. Up to now, this post has no more weight than policies written as "A should do this, B should not do that".
    – Levente
    Commented Jun 17, 2021 at 14:40
  • 1
    5.) I appreciate your personal investment in this issue and your spirited delivery of this information. Now, I think, the next step could be for SO to place a statement that indeed feels like an official statement from an organization that intends to and is capable to remain responsible for the message in that statement. If you now feel that it's very hard to ever achieve that — due to SO being a property, at the whim of someone else — you could as well write that: "we cannot make any promises, as we have no power over it".
    – Levente
    Commented Jun 17, 2021 at 14:40
  • 19
    @Levente My answer was approved by both SO and Prosus leadership - it should be treated as the official answer on the subject (see the Policy Lock). I cannot comment on whether legally any of the data can be shared with Prosus or other Prosus-owned companies based on the current TOS. I can just honestly report on the intentions of SO and of Prosus on the subject. Commented Jun 17, 2021 at 14:44
  • 5
    6.) I have never mentioned "Data security" in my question. A lot of your points however give the impression that they are more concerned with a hacker attack than data being offered or exploited through commercial transactions. Your concluding sentence: "I do not feel that the safety of our private user data is compromised or will be compromised by the upcoming acquisition." — this sentence is using data-security terminology. This is not a reassurance about privacy. By the wording of it, this is a reassurance against losing our data to a hacker attack. I asked A, you answered B.
    – Levente
    Commented Jun 17, 2021 at 20:14
  • 4
    "My answer was approved by both SO and Prosus leadership" — as it is a very convenient statement to publish. "One of our community advocates offers his personal account where he was told something to the effect of 'Absolutely not' 7.) by someone (!) and it convinced him." That's the statement. Who is bound by this? 8.) Compare this to, say Teresa Dietrich herself stating here: a) "no we won't do this" b) "we will do that, but we offer this as a mitigation" c) "we don't yet have a decision on that another thing; an update will follow ASAP". I believe that's the adequate format for this issue.
    – Levente
    Commented Jun 17, 2021 at 20:15
  • 3
    @Levente, the policy lock signifies that this answer is the official answer from the company regardless of which employee got the menial task of posting it or where in the food-chain they are. Commented Jun 18, 2021 at 12:42
  • 5
    @BartvanIngenSchenau I respectfully submit that my work on this answer was not menial. Commented Jun 21, 2021 at 11:43
  • 1
    @Levente What I wrote was intended to be primarily about both data privacy being maintained, in addition to security (both are mentioned in my answer). Of course we will continue to invest and highly emphasize data security, as we always have done. Commented Jun 21, 2021 at 11:47
35

Prosus also owns OLX, a company that happens to have my home address and phone number.

So this raises the question if previously anonymous SE usage now allows for sharing data with OLX-Prosus whose terms-of-service require users to give PII.

2
