Allow removing account info without content deletion

spec
rfc
privacy

(Jeff Atwood) #1

It may happen that users decide they don’t want an account on your Discourse, even after posting there for months or years.

Problem: if you delete the user, all their content (posts, topics) disappears, leaving holes in conversations and removing other people’s replies to their topics.

So what if we offered an anonymize account or remove account button that:

  • sets all their profile information back to default new user state
  • turns off all notifications
  • picks a large random number and changes the username to anon12345678
  • sets the email address to anon12345678@example.com

… while leaving their posts and content otherwise untouched.

This way the user can leave your Discourse, and have no association with their old Discourse account, without removing all their content and damaging the existing conversations.

The only downside is that this would still be counted as a user, but a user with no activity from the date of last post onward, which is probably correct.


How can a user self-delete?
(Gerhard Schlager) #2
  • Should the username really be changed?
  • What about all the mentions and quotes? Aren’t they the reason why changing the username is currently only possible for a short time?
  • What if someone else registers with the same username? All the mentions would point to that new user. I belief a username shouldn’t be available anymore, if it was used for a certain amount of time and there were at least n posts from that user.

(Mittineague) #3

We’ve had several accounts that we’ve closed after they have made posts.

What we’ve been doing is Suspending them with the reason
"Closed per member’s request"
and leaving the posts in place.

I agree about the mentions and quotes.

When we migrated from vB, threads that had posts made by closed account members were attributed to "System"
Yet, by reading the subsequent posts, it is often a simple matter to determine who “System” was.


(Benjamin Kampmann) #4

This is exactly how we currently handle that in our big deploy to allow users to “leave” the forum. The problem for Europe is that there is “a right to be forgotten” and technically all the content you posted is yours, so you have the right to decide it may or may not be deleted. The way we handle it at the moment is that we mark all posts of that users as deleted, too if they require that – and we are legally obliged to really remove them from our database within 3-6 months. Unfortunately that will break conversations and make things slightly weird. We have not found a way to handle this nicely – maybe keep them as empty posts?

In our context people do actually use real-name related information in the Username ( JohnGrishmay1234 ) and that would make the information linked back to them. Meaning that if I was searching for the username, I’d still find their information and that might simply exactly what the users wants to have prevented. That’s why we are renaming the account so something generic.


Love that this might become a default features of DC!


(Jeff Atwood) #5

There is an analog here for what we used to do with accounts on Stack Exchange and Creative Commons, too – you pull the username and keep the content as it belongs to the community, and removing it might take something of value from the commons.

Note that Creative Commons is also the default for Discourse installs unless site operators specify differently in their ToS:

3) User Content License

User contributions are licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. Without limiting any of those representations or warranties, CDCK has the right (though not the obligation) to, in CDCK’s sole discretion (i) refuse or remove any content that, in CDCK’s reasonable opinion, violates any CDCK policy or is in any way harmful or objectionable, or (ii) terminate or deny access to and use of the Website to any individual or entity for any reason, in CDCK’s sole discretion. CDCK will have no obligation to provide a refund of any amounts previously paid.


Deleting a users posts (with large post count+history)
(Kane York) #6

Note that a Creative Commons license is a “worldwide, royalty-free, non-exclusive, perpetual” license, and the author can’t use the CC license to ask you (or anyone else) to stop redistributing their writing, unless you change the license for the forum.

They can still use the law, as the law overrides contracts. They just can’t use the content license.


I just realized something: You’ll need to rewrite all the posts to remove the username from them in @mentions or [quote=] blocks.


(Gerhard Schlager) #7

How do you handle quotes and mentions? They are still there after deleting the posts, aren’t they?
IMHO the right to be forgotten sounds only nice on paper, but in a digital world it’s nearly impossible to implement.

I’m not against renaming usernames, but it should be done right (mentions, quotes, …) and it should be a feature that (if the admins allow it) should also be available to the users. But I always thought it would be much easier if the old username just redirects to the new one if someone clicks on a renamed username. Obviously that won’t work in this case.


(Gerhard Schlager) #8

Ha, you beat me to it. :wink:
Yeah, it’s a lot of work to completely remove a user.
And you have to consider archive.org and all the other archiving systems too. You can’t delete just one user and his posts from there. It’s all or nothing…


(Jens Maier) #9

Luckily, the “Right to be Forgotten” is not (yet) actual law but a recommended aspect of more general privacy laws. More specifically, the forum operator has to remove any personally identifiable information on request, but posts only have to be removed

  • if they contain privacy relevant information,
  • if they violate laws, or
  • if the poster has the copyright on the posted content.

The last case can be easily avoided, so scrubbing personal data from user profiles should be sufficient to satisfy current privacy laws.

Regarding the spec, it’s probably okay to retain the user record in the database, but I don’t like the idea of having a bunch of Anon######### users around, so:

  • Add a global “deleted user” user, similar to the system user.
  • Deleted users’ posts are flagged in the db, are implicitly owned by the “deleted user” user, pretend to have no likes, and cannot be liked.
  • Deleted users’ profiles are inaccessible for users and moderators, and they are excluded from all user lists (featured users, badges, @mention autocompletion), except a “closed accounts” list available only to admins.

(cpradio) #10

I definitely do not mind the existence of a feature, but we’ve only had to do that once so far and we typically wouldn’t fulfill those requests, if asked (the person who did get the request fulfilled just happened to complain loud enough to HQ to get it done).

One of our admins simply went in and renamed his username and we suspended the account indefinitely.

As @Mittineague eluded to, we usually will suspend an account indefinitely rather than delete it. Primarily because we have various wordings in our FAQ and Terms that state the internet is forever so be mindful of what you post.


(Mark Wilkin) #11

That list matches what we did on the last large commercial forum I ran on the rare occasions we had requests to remove a users account. So thumbs up functionality wise.

One question would this button be an admin only thing, or available up front to the user? I’m just wondering how to mitigate occasions where a user might ragequit but regret it later, so adding the delay of having to contact the admin might be useful?


(Erlend Sogge Heggen) #12

Why do you dislike it so much? Does it come down to appearance?

I want to be able to differentiate between these users. It’s also handy to keep it as a unique ID should you want to scrub a specific user and their posts, or a former opt-out wanting to have their account restored.


(TechnoBear) #13

If the member has entered a real name, as well as a username, that would also need to be changed. Even where real names are not displayed in the forum, they are still used in search results.


(Jens Maier) #14

I believe that it should not be possible (for non-admins) to easily find the full set of posts a deleted user has posted. And if one were to bother to disable /users/anon12345/activity/posts, might as well show all anons’ posts as the same anon.
Removing the number-users is a positive side effect.

Perhaps I didn’t describe this right: when I mentioned that posts written by deleted users should be implicitly owned by the new system user. No data would be destroyed, but non-admin users are no longer told the author’s username but only that the author has been deleted.

Identifying a deleted account doesn’t need a unique username. You can hash and store the email address, for instance, and in the admin UI you can just use the database ID.


(Jeff Atwood) #15

Users with 1 post or less with accounts created recently can self-delete any time from their user page (they have a delete button) – there’s nothing to lose in that case.


#16

This would be a great feature and I fully support it. I used to have a ‘delete account’ option for my SMF install and at least four people used it. Some of them simply weren’t interested anymore and others were not happy when I and other members caught them in their self-serving chicanery and decided to flounce/rage quit.

This is a compromise: they want to ‘leave’ and not be associated with the community and I don’t want their posts deleted for the database’s integrity.

I agree with @markwilkin in that admin approval is required to complete the info scrubbing process. I also had one instance where a user wanted to rage quit and my SMF install needed my OK to complete the account deletion. I PMed the user and found out there was a misunderstanding. If SMF auto-approved it, that user would have been gone and I would not have been able to intervene and see if it was a problem that was never there or can be solved.

However, as @codinghorror mentioned, an account with one or two posts should easily be deleted by the user since it has no substantial history with the community

I’ve learned my lesson with the ‘right to be forgotten’ concept and lack of a solid TOS with the lisence clearly stated. Someone wanted to infocide everything and I compromised that I would delete their photos. But it still left out major context for some discussions where the photos were integral to understand the conversations.


(Jeff Atwood) #17

Feature is complete and works well, thanks @neil

This topic is now closed. New replies are no longer allowed.