Fake delete is real #758

Open
zecamigo opened this issue Mar 8, 2021 · 12 comments

@zecamigo

zecamigo commented Mar 8, 2021

I'd like to call out that platforms do routinely keep deleted accounts for normal account cancellation requests. This means that you click somewhere "delete account" but this will usually just mean you lost access to your data and it doesn't display publicly.

I know this as an insider.

If your local laws are protective, you might have to direct your communication or write to the data protection officer or the right department. It can also work to mention GDPR or similar law and probably it will reach the right people.

See https://www.mydatadoneright.eu/ for how to contact GDPR officers for protected locals only.

Otherwise you may be misguiding people into losing access to their accounts with no privacy gain.

@zecamigo
Author

zecamigo commented Mar 8, 2021

I routinely see "Cancelled" accounts with access to full private personal data.

@tupaschoal
Member

Thanks for the heads up. We're aware that some websites might not be doing exactly what they're claiming, but sadly it's a bit out of our reach. Do you have a suggestion?

@zecamigo
Author

zecamigo commented Mar 8, 2021

@tupaschoal

My suggestions are

  • direct people covered by decent data protection laws (GDPR, CCPA, etc.) to the right channels (e.g. DPO), instead of using the "delete" feature, which might not work to effectively delete your data even on major, law-complying platforms.
  • add a disclaimer that it may not work (or only in appearance), and a link to a relevant digital rights organization for other users (for campaigning for better rights)

@zecamigo
Author

zecamigo commented Mar 8, 2021

@tupaschoal "some websites might not be doing exactly what they're claiming"

Under GDPR, for example, the request must be clearly and correctly formulated. One thing is requesting "close my account", or clicking 'cancel my account', or "deactivate", which allows them to keep your data. Another thing is "delete my data", or "under GDPR I request to delete my account and all associated information" which must be respected. Two separate procedures.

Another thing: some platforms will be transparent enough to tell you they will keep the information required by law, or to prevent fraud. This is common practice and they should not be classified lower for this. For example, gig economy platforms where people will meet in person, or dating sites, have a legal and legitimate interest in keeping some data for some time to keep users safe.

@zecamigo
Author

zecamigo commented Mar 8, 2021

E.g. for WhatsApp: https://www.datarequests.org/company/whatsapp/

@tupaschoal
Member

direct people covered by decent data protection laws (GDPR, CCPA, etc.) to the right channels (e.g. DPO), instead of using the "delete" feature, which might not work to effectively delete your data even on major, law-complying platforms.

I think that it might be hard to cover every ground.

add a disclaimer that it may not work (or only in appearance), and a link to a relevant digital rights organization for other users (for campaigning for better rights)

I think that fits right into our footer, wanna give it a try to PR a suggestion in there?

@GuardianLiarus
Contributor

GuardianLiarus commented Aug 21, 2021

I can confirm I once tried to delete my account on a site called Keypost, and they confirmed to me that my account was deleted, but trying to log in to it after a day worked completely fine and all my info was still there.

@kymckay
Contributor

kymckay commented Sep 11, 2021

Along these lines, it might be a nice idea to at least codify in the contributing documents or readme whether the project aims to list methods of deleting just the account or to delete as much associated PII as possible (I figure the latter is always preferable) as there are cases where two different paths of action result in one or the other and contributors may want some clarity when adding entries.

@tupaschoal
Member

That's a good point, I think we strive for as much as we can get in terms of information. If a given person has only gone as far as getting how to delete the account, that's fine, but if they also have all the steps on how to delete all the personal information, even better.

@SteffenGivard
Contributor

SteffenGivard commented Dec 23, 2021

TL;DR My account wasn't deleted, as I was led to believe, but rather disabled. After chatting with support, I (think) it was deleted.

TL;DR 2 I suggest we make a general guide on how to account for these scenarios.

The tale of how I spotted a "fake delete"

I recently tried to have my account at Reservio deleted.
After doing as instructed by their support, I had seemingly succeeded in deleting the account. Some hours later, though, I started getting e-mails from their system, which means I must not be deleted.
When trying to log in, the login page just refreshed upon submitting my details, which seemed off to me. Figured I'd try the password reset, and just as I had expected, I was sent instructions on how to reset the password of my account — which should no longer exist. After resetting the password, I still couldn't log in, though, so my suspicion was correct: my account was merely deactivated.
I contacted their support, and they quickly deleted my account. Or so I think, at least.

Whether this was simply a mistake or by intent, I don't know, but below are my suggestions based on what I usually do.

Suggestions

Here's what I usually do, and would recommend others do.

Disclaimer: This will in no way make you certain that your data is completely gone, but will make it harder to process for the services you're trying to quit.

Obfuscate your data

You cannot know for certain that your data is actually permanently deleted — although it must be according to the law in most countries. As such, it's a good practice to manually edit any information you have submitted to the service before requesting the account's deletion.

  1. Log in to your account.
  2. Carefully search the service for personal data, and try to alter each instance. (Skip editing your email till last).
    • If you're unable to delete something, change it to something gibberish.
      • If dealing with images that cannot be deleted, replace them with random images.
  3. Finally edit your email address to a disposable one. Keep in mind you'll often need to confirm your new email, so don't enter a dictionary one. (You can create one with ease at m.kuku.lu, which is free and doesn't require anything from you to use).

Common informative data

Below is a list of data I usually look for, which I personally don't wanna leave floating around for no reason.

  • Your name
  • Username
  • Avatar
  • Payment info
  • Invoices
  • Chats
  • Posts (on forums)
  • Uploads (especially on social media and cloud storage)
  • Address
  • Email
  • Phone
  • 3rd party integrations

Check if the account was only disabled

There's an easy check to quickly check if your account has been deleted or simply made inaccessible for you.

  1. Go to the login page.
  2. Find the feature to reset your password.
  3. Enter the email, username, or whatever is requested of the account you've had deleted.
  4. Submit the form.
    • If you're given an error, your account has most likely been deleted.
    • If you're not given an error, go check the email associated with your seemingly deleted account. If you've received an email from them, your account has most likely not been deleted. Contact their support and ask them to permanently delete your account. Repeat the process.

Why you should care

We should maybe add something about why we think that you should care about not leaving personal data behind. I bet most people care if they're actively trying to delete the accounts, though.
However, this can become quite political, and we might not be interested in that.

@tupaschoal
Member

Thanks for the comment, I think one such section would be useful, and it would probably be very close to what you've written. It should probably reside in the About section, or somewhere close to that; my only concern is if people ever get there.

@c0nfigurati0n
Contributor

c0nfigurati0n commented Jun 29, 2022

Quick and easy blog post, mentioned at the top of the site, with a link to services like "simplelogin.io", "anonaddy.com", "fakenamegenerator.com" would be a great solution for this problem indeed. The only issue then would be keeping it up to date. Maybe instead mentioning a website like "thenewoil.org" would also work great. I know the guy running it, and I trust him. Depends all on what you guys wanna do really.
