Blog: March 2024

Most of these posts were originally posted somewhere else and link to the originals. While this blog is not set up for comments, the original locations generally are, and I welcome comments there. Sorry for the inconvenience.

Glassdoor updates

Some updates on Glassdoor's privacy violations:

Use https://help.glassdoor.com/s/privacyrequest?language=en_US to request deletion of your data. Deactivating your account doesn't delete data. This might not either (no way to verify), but it's the strongest request you can make.

Media coverage: Ars Technica: Users ditch Glassdoor, stunned by site adding real names without consent, Wired: Glassdoor wants to know your real name. The Ars story is more detailed.

It seems that Glassdoor updated its terms of use on February 17, 2024. I did not receive email notification (my last TOS update from them was December 2022). Some salient bits from the current version:

We may update your Profile with information we obtain from third parties. We may also use personal data you provide to us via your resume(s) or our other services. You can read more about how we collect and process your data in our Privacy Policy.

I never provided a resume. I never typed my name into their site, nor did I use a social-media or Google identity. I created the account with an email address (~10 years ago). That part about "obtain from third parties" means they can try to match you up with LinkedIn, use your email headers if you should ever send them email, try to reconcile your account with Indeed if you're there (the same company owns both Glassdoor and Indeed), and whatever else they come up with.

Also, sometimes the information they add is incorrect. From Ars Technica:

As Monica's blog spread widely online, another Glassdoor user, Josh Simmons, commented to confirm that Glassdoor had "already auto-populated details" on his account, too. But instead of correcting Simmons' information, Glassdoor seemed to be adding mistakes to his profile.

Simmons, who requested to use his real name and share his employer information, is a managing director of Matrix.org Foundation. He discovered that Glassdoor had not only messed up his employer's name but also claimed that he was based in London, while he is actually located in California.

"It was bizarre, because I had never provided that information, and it was a somewhat incoherent mix of details," Simmons told Ars.

Back to the terms of use:

We may attempt to verify your employment history or status through various methods, including third party integrations or services. We may also utilize signals we receive from your current or former employer. Glassdoor is not responsible to you or any third party if we are unable to or inaccurately verify your employment history or status.

I don't know what "we may utilize signals we receive from your employer" means, but it sure sounds like "we might ask your employer if you work there", because your employer knowing you've posted Glassdoor reviews to prompt that question would be a "you" problem, not a "Glassdoor" problem.

(This information is repeated in the privacy policy.)

In order to provide you with access to features across our services, we may create and link different services’ accounts for you.

This is the part about them automatically creating a Fishbowl (social media) account on your behalf, without you explicitly doing anything and apparently without direct notification.

A portion of your Profile on our community and conversation services (e.g., Fishbowl and community and conversation features across our services) is always public. Therefore, your profile picture, company name, title, and other general information (but not including your semi-/anonymous Content submissions) will be visible to the public and available via search.. Content submitted with semi-/anonymous identifiers such as your company name or job title is not associated with the publicly-visible portion of your Profile.

So they added my name to my Glassdoor profile without consent, then propagated that to Fishbowl, and the Fishbowl profile was public?!

Glassdoor responded to Ars:

"We vigorously defend our users’ right to anonymous free speech and will appear in court to oppose and defeat requests for user information," Glassdoor's spokesperson said. "In fact, courts have almost always ruled in favor of Glassdoor and its users when we’ve fought to protect their anonymity. With the addition of Fishbowl’s community features to Glassdoor, our commitment to user privacy remains ironclad, and we will continue to defend our users from employers who seek to unmask their identity."

They "vigorously defend" privacy, yet they collect and store information that violates privacy. Also, note that what they're saying is that they'll defend outside requests for data ("almost" always successfully), but they say nothing about their own proactive use of that data -- like selling it to employers.

That data-deletion link once again: https://help.glassdoor.com/s/privacyrequest?language=en_US.

Time to delete your Glassdoor account

Recently I contacted Glassdoor for an account-related issue. This led to them sending me email that I had to respond to. Big mistake.

The TL;DR is: Glassdoor now requires your real name and will add it to older accounts without your consent if they learn it, and your only option is to delete your account. They do not care that this puts people at risk with their employers. They do not care that this seems to run counter to their own data-privacy policies. Read more…

Pobox in the 21st century

I've been using pobox.com since (checks...) 1996, when I needed to change email addresses and wanted to avert the hassle of getting updates pushed out the next time I had to do that. Pobox does two things: it gives me an email address that I can redirect wherever I want, and it gives me URL forwarding: a Pobox account comes with the ability to redirect http://www.pobox.com/~your-name to wherever you want.

I got email from Pobox today announcing that URL redirection will be discontinued in a couple months:

[...] Pobox alias URLs once served the same purpose as Pobox email aliases: you could get one URL and have it follow you as your web page moved. Over time, though, personal domains have taken over this use case, and Pobox’s URL redirection service is almost entirely unused. Upcoming changes to our web interface make this feature much harder to continue offering, and we have decided to retire it.

Your account’s URL is one of the few that has seen traffic in the last six months. Maybe that’s a fluke, and you’ve stopped using this URL, and it redirects to some long-abandoned page you owned in the 1990s. On the other hand, you might still be using this URL. If that’s the case, you should begin updating links to your Pobox URL and instead link directly to the target resource, or some other redirection service. [...]

As it happens, I am using that URL, and updating links kind of depends on knowing where the links are. (I mean, updating my own links is easy, but that's not why one uses redirection.) I use the domain I acquired in 2017 for all new stuff, and I've been migrating old stuff intermittently. But I didn't finish and cut over, because there are links to my old SCA stuff (in particular) all over the place out there, and I couldn't figure out how to cleanly make all the URLs work -- Pobox gives me one top-level redirect, but if I can't exactly preserve the structure under that, I'm into the realm of individual redirects and that's a big hassle.

Well ok, then -- Pobox is forcing my hand (and I don't really blame them if usage is that low), so I'll just rip that band-aid off and not worry about making the soon-to-be-dead URLs work on the new site. I also hit the Wayback Machine and archive.today with some pages I know are linked, and I asked Pobox if they could give me referrer logs so I can see if there's anyone I ought to notify. Beyond that, I'll just have to assume that search engines will eventually index the new locations and anyone who really cares will search.

Tonight I migrated my SCA pages, which are mainly the page (and many pictures) for the Pennsic house, since Greg Lindahl is already hosting most of my music (and Joy & Jealousy). I also had a bunch of stuff related to the Board crisis of 1994; rather than port all the individual pages, I archived it online and then dropped a ZIP file on my site. It was 30 years ago; I suspect very few people are interested, and those who are won't mind downloading the bundle.

My Pobox account next renews in 2029. I have email through my domain but, again, a lot of people use my Pobox address and updates are hard. But perhaps in the next five years I should attempt to put that change in place, because who knows if email forwarding will go the way of URL redirection by then?