Like many unfortunate 26 year olds, I grew up on the old web, responding to “ASL?” in AIM chat rooms with “9/m/somewhere” and hosting [NO CURSING] StarCraft: Brood War Battle.net games on a boxy beige Windows 98 computer. I love reading about this era of the internet. There exist many interesting pieces about it, but mostly by authors older than me, and none that I feel capture the essence of growing up far too young in a far too lawless environment totally inscrutable at the time to adults. Spending nearly every day from age 9 to age 18 on the pre-social media web had a strange and concerning development on my psyche, and the collective psyche of my generation, that I feel still remains unexplored. One of the early defining spaces in my life online was Neopets.
For the uninitiated, Neopets was, and is, a “virtual pet” website created in 1999 by the now-married Adam Powell and Donna Williams, who were 23 and 22 at the time. Players raise their pets – feeding them, grooming them, battling enemies with them, etc. They get coins by playing rudimentary flash games, and congregate by creating guilds, sending each other “neomail”, and communicating on forums. Much has been written about the bizarre and colorful world of Neopets, which is highly anachronistic in today’s highly-networked and hyper-monetized internet. I recommend Neopets: Inside Look at Early 2000s Internet Girl Culture as an exploration of this subculture. My article is not that – it is about my attempts to submit to them a GDPR data retrieval request, acquiring all the personal data kept about me by the site.
This isn’t my first time privacy legislation has affected my Neopets experience. While most of the rest of the internet flagrantly ignored COPPA in the early 2000s, Neopets, I remember, very explicitly blocked me from making an account when I accurately said I was nine years old. For users under 13, Neopets required you to mail them a letter of consent signed by your parents in order to use the site. Being the well-behaved nine year old that I was, I actually did this.
Before we get started, let’s see what waffles_revenge and his Neopets are up to today. I noticed that even in 2019, this company formerly owned by Viacom still does not have HTTPS set up on their server. Fortunately there’s no real risk sending plain text passwords over HTTP and Neopets’ security practices are otherwise extremely robust, so I’m not too worried.
My account is 17 years old, which has earned me this flattering badge:
Harsh. I think when I was nine I didn’t even expect the internet to last 17 more years. I created my account only two months after 9/11.
My dream team of Neopets is cutie_jelly_lover, kikoman333 and Quakers221. Fortunately, despite having hunger levels of “dying,” their fasting has only accelerated their spiritual practice, and by accessing deep states of meditation, they have learned to subsist only through water and sunlight for upwards of ten years, while their moods remain “cheerful.” My crowning achievement on Neopets is my third place Lenny’s Conundrum trophy, which I solved, to my memory, using an Excel spreadsheet and required my uncle to help me calculate the volume of an ellipsoid. (Something to do with serving soup to Neopians with spoons on certain days of the week?)
Let’s take a quick look at the Neoboards. My most vivid memory is of getting in a fight with a veteran poster who absolutely owned my nine year old self by telling me “I bet you don’t even know leet”, in leetspeak. Obviously, I was no internet n00b, so I defended myself by responding along the lines of “And by the way, I do know leet,” also in leetspeak. Shockingly, the boards remain active today, primarily with posts like “remember Neopets?” I particularly appreciate the good old PHP message board emoticons:
Anyway, that’s not the subject of this post. The subject of this post is the journey I took to liberate my data from the clutches of Neopia thanks to the unsung heroic beuracrats in Brussels.
Over in Europe, the General Data Protection Regulation recently went into effect. GDPR more strictly regulates how personal data about people who reside in the European Union can be used by tech companies. You can read a more detailed summary online, but among other things, GDPR forces companies to disclose any personal data that they have stored about you (such as your name, address, email, and so on), and to delete this data upon request. I found myself curious what information an early 2000s virtual pet site had on me and how they would respond to receiving this kind of request, so I sent the following email:
Oct 22, 15:11 MST
I’d like to request a GDRP data retrieval request for all data associated with my account waffles_revenge. Thank you!
Oct 28, 14:05 MST
Sorry I meant GDPR. Hope to hear from you soon.
Now I hadn’t heard from them for almost two weeks. Possibly because I’m being annoying and petty and wasting everyone’s time, possibly because this 20 year old internet company doesn’t have a GDPR process in place. Regardless, as of this writing, GDPR has a 30 day deadline, so the clock was ticking on my Neopian friends. I decided to send a gentle reminder:
Nov 3, 07:54 MST
Could you get back to me about this as soon as possible? Thanks again,
And finally I hear back:
Nov 7, 14:21 MST
Thanks for writing in.
We would need to verify you as the creator of that account first. Please provide the email (original used to create account and current (if different)) birthday on account previously used passwords and pins
I’m not sure what email I used to open my email account, as this was four or five emails ago. Of course these days, like any normal person, I pay $20 a year for a domain named after me and 9 Euros a month for a Protonmail Gold subscription. I know I had a Yahoo Mail account, but Yahoo deleted everyone’s accounts relatively quickly and with little warning, because tech companies are ethical actors and will always put the integrity of their users’ data before short-term profits. So I guessed:
Nov 7, 16:44 MST
Rico, thank you.
Current email is [REDACTED] (I can email from there if you need). Birthday is [REDACTED]. I believe the original email was [REDACTED]@charter.net but I haven’t used that email in over a decade, I could probably find it if you need it. I could also log into the account and click some verification link or something.
To which he replied:
Nov 7, 17:10 MST
Thanks for writing back. Unfortunately the GDPR is a law for European user only. Sorry about that.
Now this of course would not stand. I refused to let the unfortunate situation of living in a country with an absolutely toothless internet regulatory framework (except, of course, when it comes to endangering sex workers) prevent me from enjoying the benefits of GDPR.
Forunately, I learned the following (I am not a lawyer, I just have Google and a lot of hubris, so take this with a grain of salt):
- GDPR protections apply to anyone physically located in an EU country, not necessarily an EU citizen.
- Some GDPR protections apply retroactively.
- For a month in 2009, I was in a European Union country.
Based on this astoundingly brilliant legal interpretation, I replied:
Nov 7, 17:56 MST
I resided in Europe for at least part of the time that I have had a Neopets account. My understanding of GDPR is that it would apply in these circumstances.
Rico (a little skeptical, but still blown away by my impressive legal scholarship) replied:
Nov 7, 18:40 MST
Thanks for writing back. The information we have doesn’t show any links to Europe. That being said, we’ll be happy to share with you what we have as a courtesy.
Name: Me (no actual name was given)
IP address: [Redacted]
Address: blank (we do not have this information)
And there you have it. Neopets stored my email, IP address, name, birthday, and address. Fortunately nine year old Alex was clever enough to fool the surveillance capitalists by putting “Me” in the name field. Drunk with power, I tried to get some more information out of the deal:
Nov 8, 08:24 MST Rico, thank you so much! Could I get an archive of my other data – such as DMs and forum posts?
All the best,
Nov 21, 15:00 MST
Thanks for writing back. We don’t store board posts past a few days so we don’t have any data under your account at this time. For neomail, you have access to that already via your account. You don’t have any at this time though. Thank you!
I considered trying to see if I could persuasively argue that any analytics data about my Neopoints, items, and so on were “personally identifiable data” but I decided not to waste any more of Rico’s time.
I hope you all enjoyed this exploration and feel personally empowered to annoy support teams at early 2000s tech companies and discover what secrets they are hiding about you. I joke, but legislation like GDPR is sorely needed in the United States, and the damage of unaccountable, centralized control of people’s personal data is concerning, especially as technology becomes an increasingly large presence in our lives, our homes, and even our bodies. Any company dealing with users’ personal data ought to treat that data with utmost respect and care, even if not legally obligated to through GDPR. Rico, if you’re reading this, thank you for going through this journey with me.
Anyway, add me as a neofriend.