Why is ‘delete account’ not offered automatically to all users at all times?

Hello,

I would like to address this issue again, because in a forum I use there are also problems with deletion requests from users.

I would like to understand more about this.

  1. Why is it not possible in Discourse to delete your own profile with a few clicks?
    Is there any background to this that I don’t understand or has not been disclosed yet? I would assume that the technical implementation is not the problem.
    Are there any reasons from a user experience perspective that support this?

Or is it already planned that there will be an easy way for all users to delete their own account on their own?

  2. Can there be problems in relation to the GDPR if no transparent communication and possibility is offered regarding the deletion of one’s own account?

Thank you for answers and clarification!

2 Likes

A bit of info:

And a related theme component:

1 Like

I am already familiar with the two links. Unfortunately, they do not explain why this function does not yet exist or whether there are plans to implement such a function. I am acting here purely from a UX point of view and would also like to leave the legal glasses off.

User Story: As a Discourse user, I would like to delete my account quickly and easily and receive immediate positive feedback.

The question remains: What are the arguments against adding a button that does just that?

1 Like

This is the part that got my attention. My understanding is that deleting a user deletes all their messages and leads to incomplete topics with “holes” in the remaining information on the forum. And it wouldn’t delete parts of the user’s messages quoted by other users, so the information quality would be decreased even more (and still could be linked to the user even after deletion if the user’s name or any other public information they shared was quoted by others).

Again, that’s what I understand but I could be wrong, and also I completely understand your concerns. :slight_smile:

3 Likes

Disruptive is a bit harsh in my view in this context. No one insists that all posts must be deleted in the process. Only the username would have to be removed and instead “Deleted user” should be displayed.

Users can report posts here, like, bookmark, share and so on although this is not required by law. So there is also functionality here that makes it easier for a user to use the software, even though this is not required by law. So why not delete your own account via button or at least anonymize it and block the login?

4 Likes

That is what the “anonymize user” functionality does and why it was created :slight_smile:

As for why anonymize user isn’t self service, there are several reasons and I don’t remember all of them right now. What I can think of:

  1. GDPR, obviously, demands that deletion is accomplished within 30 days of you giving proper notice. 30 days is plenty of time for a human response and does not demand user-accessible automation (… that’s why they wrote the law like that …).
  2. Mistakes. This would be a button that stops you from ever logging into the account again. It’s notable that Facebook, Twitter, etc account deactivation is reversible (though Facebook makes reactivation too smooth). In general, the “destroy my data button” is something the software engineering industry has started to realize is a Bad Idea.
  3. The human touch is actually nice sometimes, which ties into…
  4. Wanting to leave a community so badly you don’t want your name associated with it at all is something that the admins should know about and feel when it happens. Can they fix the cause for the next person?
  5. The conversation is a chance to offer alternative remedies, such as timed suspension (for people worried that they’re addicted to the forum) or performing a detailed scrub of sensitive information in posts.
  6. Account hijacking attacks are a thing that can happen. If we suppose a widespread account hijacking incident that doesn’t nab any moderator accounts, Anonymize Account is easily the most destructive available action after this proposal. This is one of the major reasons that individual post deletion is rate limited.
  7. SSO - the user’s data might be replicated to other systems that Discourse doesn’t know about that the moderators also need to trigger cleaning in.

None of these are “hard never” reasons, but I hope this gives you a good sense of the balance of concerns.

7 Likes

Adding my 2 cents to this feature request. The decision as to whether users should be allowed to delete their own accounts (irrespective of how long they’ve been around etc) should ultimately lie with the site administrator. The responsible thing to do would be to allow the administrator to allow or disallow account deletion (or anonymization) to comply with regulations and company policies. It shouldn’t be forced upon them by discourse (or made to do hoops to achieve this basic feature).

Cross linking, 2 options that are sorely required in discourse to comply with regulations and company policy:

I see critical issues with all those shiny arguments.

  • Holes in the Threads are annoying, that’s understandable but the “right to be forgotten” (GDPR) is above all in the law sense (privacy > comfort / functionality)
  • Self-service is unavoidable and there is no legitimate interest not having it

The regulation does not talk about self-service directly but the intent of the law, which counts, implies that a self-service is unavoidable.

Technically, all websites having registration and account (management) without that self-service are rejecting the user’s legal authority over their own private data (or PII), including posts where the person is identifiable, and therefore are probably violating the GDPR, which is to be interpreted to the widest possible extent.

I do believe that German law is also violated, as our interpretation of the GDPR is much deeper and “wider” than the original GDPR. On German platforms, people always have the right to delete all their data all the time. The only exceptions are legal and security purposes. Both legitimate causes can’t be justified here.

I do agree that the owner/super admin should decide whether this functionality is active or not, but it should be enabled by default for all discourses that have German or EU users.

Having a button that asks the admin to anonymize is a nice tool and might be sufficient under U.S. law.

In any case, just anonymizing the account is not enough. It probably keeps the email, IP addresses etc., which is probably illegal in most cases.

That’s half-way correct. GDPR allows that time BUT only under extreme circumstances e.g. when you’re Facebook. Under all other circumstances the deletion process must be completed ASAP. The GDPR is not forgiving in that sense and it must be interpreted to the fullest extent. The safety, morale and legal rights of the user are the main thought of this regulation.

It was never the idea of the Software Industry in the first place, and yet as a developer and hacker I love those buttons. People will always opt for it, and it is a human and legal right providing it. But we can debate about the action behind the button click.

The best defense against account hijacking attacks is educating the users! Not limiting actions that should be limited anyways (per rate-limiting) for the sake of the general app security of the site.

So we are not allowed to leave when we want to? Although admins should have common sense and a feeling for that, I have a personal right to leave when I want to leave, with or without telling anyone. In the same way, you can’t just lock me in your room because you want to know why I am leaving.

For info on that:

3 Likes

Alright! And what about the PII in the posts?

I’d like to highlight the following aspect of Art. 7 GDPR (Art. 7 GDPR – Conditions for consent - General Data Protection Regulation (GDPR)):

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

If the registration is easy, the deletion (consent withdrawal) must be easy as well.

If the user steps back from a statement it is not part of this exception anymore. So legally this would be a very weird gray area that is extremely contradictory to the fundamental principles of the GDPR.

The idea of the ECHR, and thus GDPR freedom of expression and information inclusion is simply that you could strike every e.g. media or private blog owner if they put up PII regarding a valid case that suits the public interest. I do not see that this would apply to forums.

Please consider Art. 85 regarding it. Article 85 GDPR - GDPRhub

So per case basis would be applied here, like when a user posts a statistical overview, such things could be kept but not the rest e.g. when a user posts a picture of themself.

I’ve also read in one post that was linked here:

You can restore a backup made before the destructive action [the account deletion]

So because the “deletion” (anonymizing) is reversible this is technically not legal.

The GDPR must be interpreted in the most extreme ways.

It has nothing to do with content deletion per se.

And that is not even remotely true. It is illegal to save backups until the world comes to its end. But it is legal to have backups for a reasonable time. But sure, if a backup is restored then deletions must be done again.

1 Like

nothing to do with content deletion per se

Kinda depends! One could certainly argue that a user has all rights of the work they have posted. Therefore everything “belongs” to the user, and is thus indirectly connected to the identity, and therefore all the posts / information connected to it. I agree that this would be extreme.

The key point about deleting the account is that all connected PII or at least all links to the PII are safely deleted. The content can be kept it is totally open information and not leading to the user('s identity).

But sure, if a backup is restored then deletions must be done again.

I agree! Like you say, you would have to do the deletions again, but the fact that you can restore the deleted users information is the key issue, although you have a right to do backups for maintaining the service and security. I do not believe anyone would sue for that or any prosecutor letting the legal proceedings continue. However, we have to bring law and technical aspects together if it comes to privacy.

Kinda not. Those are two totally different things.

GDPR limits why, how, when and how long a service can identify users.

Copyright and ownership of publishing are a totally different story and have nothing to do with data protection and GDPR.

Any post in this topic is not such creative content that could be protected by copyright somewhere in the world. But Meta has content that is protected, as blogs etc.

And then we step in the world of agreements and terms, and how content is licensed.

2 Likes

flag your post and ask for deletion

But that’s contradicting the principles of the GDPR :eyes: The idea is that I can easily remove my posts, account etc. Everything that is connected to my PII or identity.

When the first post of a topic is deleted, the whole topic is deleted

That’s a special case where you could keep the post itself but replace the content with “user deleted this post”. Then the thread’s structure would remain.

Would you like it if someone would just delete this topic including the whole discussion?

I’m split regarding this. On one hand the user has a right to do so. The privacy and liberty is above my interest to discuss, and sometimes even above the public interest. On the other hand I love to discuss, and if everything just vanishes I would be annoyed as well.

These laws, as you point out, are open to interpretation.

Laws are always open for interpretation but we have to go by the interpretation of the courts, academics, and what the regulation says about itself. The ideology behind GDPR is pretty clear and leaves less space for interpretations.

Sorry, I think you misunderstood me. I pointed out that a combination of the mentioned laws leads to the same effect, and thus establishes a responsibility under GDPR. Of course copyright (or similar) and PII, and the GDPR, are fully different things. Yet they still can be combined to establish a cause.

Any post in this topic is not such creative content that could be protected by copyright somewhere in the world.

I think you might be confusing copyright and ownership. Especially under German jurisdiction you have a special ownership right for everything you create, which you can enforce globally.

we step in the world of agreements and terms, and how content is licensed.

Even there you can’t just strip a user of their ownership, and the biggest issue is still the PII connected to a post, depending on the content and nature of course.

The word order of your statement is wrong :wink: and it makes a huge difference.

Everything that is your PII, or is connected to your identity.

2 Likes