Want to just add my voice to others who’ve already said this isn’t true.
I work at a company where the task to ensure that every last shred of a person’s data is deleted when they leave the service took a whole team more than a year to develop. It includes all backups and databases, and is complete shortly after 45 days have elapsed (which is in our T&C to ensure that users have enough time to migrate their data, or even reverse their decision).
I also worked for companies where this isn't true. Some projects to set up Data Science / AI Pipelines for a few large companies.
Not only did they delete everything upon request, effective after a given number of days; they also made sure we correctly updated a person's consent in the middle of a marketing campaign if they _withdrew_ it. They could occasionally get an additional text or email if they sent their withdrawal after they were drafted in the current batch, but that's about it. It was disclosed to the customer as well.
I worked for a company that made games that were used by young children and so covered by COPPA. They definitely took a lot of care to delete everything.
The practice developed around the GDPR looks something like this: You keep a separate record of deleted accounts. If you ever need to use or restore from backups, you need to filter the import or other use against that list. You can only do data-integrity checks against the backups and not use it for any purpose, of course. You must notify your local data protection authority if there are any exceptions. Like, if you restored a backup but you can't guarantee that deleted accounts remain deleted.
In other words, you don't need to wipe backups but you can't use them without processes in place to ensure you comply with your customers' rights granted under the GDPR.
In this case, you would still leak the data you had on the user. In France, according to the CNIL's recommendation, you can keep users' data in backups but you have to notify them in clear words that their data is kept X years.
As a side note, the CNIL also clarified things the author has issues with, for instance "without undue delay" is set to 30 days. In the UK, I've read that backups for specific users must be deleted when technically possible. I'm not sure how that works in practice.
Backups are not even processed under the UK GDPR when people want data wiped!
Put another way, do you see any backup service/software advertising the ability to wipe data from backups to conform with GDPR DSAR requests? It's virtually impossible with existing tech services and legislators, law enforcement and the like are covering this up!
You can create a special deleted user account, and that claims ownership of FK relations that would break things. But then a lot of relational datastores aimed at Big Data (tm, rights reserved, patent pending) don't do super well at updates.
When a user requests deletion from my wishlist service, I fully delete everything, not only to be GDPR-compliant, but because it's the right thing to do. This includes:
- Their account changes and passwords
- Their own wishlists, including all items added
- Any claims they've made on other wishlists
- Any item suggestions they've added to other wishlists
- The checked status of any item suggestions they've checked on other wishlists
- Removing them as partners on collaborative wishlists created by others
- The user
I'm not sure why someone would _want_ to keep user data around, as that seems more of a liability than an asset.
Ok, we all understand the idea of a tombstone (a "deleted" field in the record that is set on deletion). However, the article actually describes something much worse -- user deletes their account and subsequently the account is still active. Not "marked deleted but some data is still on the disk" but rather "completely active, works, can still log in". This is surprising to me. I would not expect to see that really ever. But the article claims that this occurred in some significant number of their tests. Not sure how to interpret that.
That's illegal under the GDPR and many other privacy laws and is subject to heavy fines if caught. I work in privacy at a large tech company, and we take this stuff extremely seriously.
The heavy fines everyone is fear-mongering about are a running joke now.
It took 4 years and a non-profit making lots of noise for a brazen, obvious and malicious GDPR breach to be investigated despite it being plastered on every single website out there (I’m talking about non-compliant consent popups).
To date, the accumulated fine amount over the 4 years and all fined companies is around a billion. Now look up the profit that just one top adtech vendor makes in a year.
The spirit of the GDPR is great but its enforcement is severely lacking.
Yep. And you can extend that to all security compliance, not just GDPR. The biggest driver for compliance is being able to give solid answers on VSA questionnaires, not actually being secure. Certainly not fear of getting fined or failing an audit. The number of companies who get caught is so small, and the amount they get dinged for is so minuscule that it's not even a concern for them once they figure out how it works.
When the enforcing agency works against it, it's harder to effect change. Do many companies change their ways due to GDPR though? Not having too many fines may also be a testament to compliance kicking in before fines are necessary.
I think the system improved the web as a whole for the EU with new options for consumers despite.
At big tech companies I’ve seen and heard about, the answer is crypto shredding.
Encrypt all PII at rest with a per user data key.
GDPR deletion requests can then delete the data key.
This isn’t perfect, but it’s a step in the right direction IMO. Unfortunately I don’t see it being feasible for a typical company anytime soon.
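The per-user data key scheme described in this comment, as an added Go example that is not from the original thread (the names KeyStore, Encrypt, Decrypt and Shred are assumptions, and an in-memory map stands in for the KMS or HSM a real deployment would use). It also keeps the point made about foreign keys: shredding destroys the PII but leaves the surrogate user id and its relationships in place.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyShredded is returned once a user's data key has been destroyed.
var ErrKeyShredded = errors.New("data key for this user has been shredded")

// KeyStore keeps one data-encryption key (DEK) per user. A KMS/HSM would
// back this in production; an in-memory map stands in for it here.
type KeyStore struct {
	keys     map[string][]byte
	shredded map[string]bool // remembered so a deleted user never gets a new key
}

func NewKeyStore() *KeyStore {
	return &KeyStore{keys: map[string][]byte{}, shredded: map[string]bool{}}
}

// keyFor returns the user's DEK, minting a fresh 256-bit key on first use
// when create is set. It refuses shredded users, so no new PII can be
// written under a "deleted" identity.
func (ks *KeyStore) keyFor(userID string, create bool) ([]byte, error) {
	if ks.shredded[userID] {
		return nil, ErrKeyShredded
	}
	if k, ok := ks.keys[userID]; ok {
		return k, nil
	}
	if !create {
		return nil, fmt.Errorf("no data key for user %q", userID)
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[userID] = k
	return k, nil
}

// Shred fulfils an erasure request: with the DEK gone, every ciphertext for
// the user, in the live database or in any old backup, is unrecoverable.
func (ks *KeyStore) Shred(userID string) {
	delete(ks.keys, userID)
	ks.shredded[userID] = true
}

// PIIRecord is what storage and backups hold: the surrogate user id (still a
// foreign key other tables point at) plus AES-GCM ciphertext of the PII.
type PIIRecord struct {
	UserID     string
	Nonce      []byte
	Ciphertext []byte
}

// aeadFor resolves the user's DEK and wraps it in AES-256-GCM.
func (ks *KeyStore) aeadFor(userID string, create bool) (cipher.AEAD, error) {
	key, err := ks.keyFor(userID, create)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals PII under the user's DEK, binding the user id as associated
// data so the record cannot be re-attached to another user.
func Encrypt(ks *KeyStore, userID string, pii []byte) (PIIRecord, error) {
	aead, err := ks.aeadFor(userID, true)
	if err != nil {
		return PIIRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return PIIRecord{}, err
	}
	ct := aead.Seal(nil, nonce, pii, []byte(userID))
	return PIIRecord{UserID: userID, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens a record; after Shred it fails with ErrKeyShredded even
// though the ciphertext is still sitting in storage.
func Decrypt(ks *KeyStore, rec PIIRecord) ([]byte, error) {
	aead, err := ks.aeadFor(rec.UserID, false)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.UserID))
}

func main() {
	ks := NewKeyStore()
	// Constructed sample PII for the walkthrough.
	rec, _ := Encrypt(ks, "user-42", []byte(`{"email":"a@example.invalid"}`))
	pt, _ := Decrypt(ks, rec)
	fmt.Printf("before erasure: %s\n", pt)
	ks.Shred("user-42") // the erasure request
	_, err := Decrypt(ks, rec)
	fmt.Printf("after erasure: %v; row for %s still exists\n", err, rec.UserID)
}
```

The same Shred call covers backups too, provided the backups only ever contained ciphertext and the key store itself is not part of what gets backed up.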
Still keeps foreign keys and the key management can be a nightmare. Basically, you're talking per customer encryption keys... Even then, you still might get something if you have enough other data to cross-ref/compare against/you're just looking for something to confirm/parallel construct from.
Just linking to the root of the documentation itself doesn't help much. The relevant info appears to be Article 17, but even it makes no explicit mention of backups. There is this line, though; "[T]he controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data." This is not clarified in Article 23, Restrictions, so the logical meaning would be that even backups - assuming they are not read-only which would make this, at least in the minds of people who understand the technical limitation, unreasonable - must be purged of user data on an account deletion request. However, "reasonable to people who understand the technology" is not synonymous with "reasonable to people who make/enforce the law."
My previous employer had a "delete on restore" id list, if we ever needed to restore from a backup. My manager said that this should be sufficient for offline backups. They had a lawyer who had said it's OK but I of course don't have the full picture.
It is however a risk, too. The drives are encrypted, without power and not even networked but they can still be stolen together with the encryption key from the same building. But then probably you have bigger problems.
This also forces the systems that test the backups to also be offline, which is a huge hassle.
> Just linking to the root of the documentation itself doesn't help much.
I’m sorry, I didn’t have time to find a good specific reference, so I just linked to the whole document.
I suppose that a technical solution is to encrypt all backups of user data with one key per user. Then you only have to erase that user’s key if necessary.
So you're suggesting it's okay to ignore the law if the enforcement isn't complete? It's designed to protect people from corporate overreach.
Also, given that the EU has been taking increasing action against companies for non-compliance, I wouldn't bet on it remaining unchecked forever. In the intermediate term, I'd bet on there being third-party compliance checks and certificates, with companies that don't use such getting more attention.
It's not that enforcement is not complete, it's that enforcement is near non-existent. In that case, it makes sense not to spend disproportionate amounts of resources mitigating a very slim risk, especially if your competition is overtaking you because they don't have the burden of compliance.
Confluence even explicitly does this - you can do a “gdpr delete” which disables the user and replaces all info with random strings. It’s kind of hilarious.
I remember a service that I used 10 years ago that would do something like that. You would request to delete your account but it wouldn't work well as you stayed logged in; if you looked at your account panel most of your info was changed to random strings, including your email.
As long as all PII is purged in this process (tricky to guarantee with software like Confluence that is entirely dedicated to hosting user-generated data), that could be compliant.
Let’s imagine you’re a modern bank and associate card transactions with the merchant.
Even if you sanitize/delete the account holder record, you can’t delete the transactions themselves (as it would screw up your accounting) nor the merchant association.
Now let’s say you have a very particular customer that always goes to a very specific restaurant at pretty much the same time every day consistently.
That pattern alone is enough to single out that particular person (and deanonymize them by correlating with other records such as cell phone location data, etc).
A bank would entirely be entitled to keep the info around. All information that must be retained by law (such as receipts, financial transactions etc.) is exempt from the GDPR and you cannot ask for deletion. You can ask that the holder of that information does not use it for purposes other than the ones covered by law, but that’s the full extent of it.
The same principle about foreign key relationships could be applied to messaging apps, restaurant booking services or anything else where a user's relationships with other entities/users would allow them to be identified.
The posting I responded to was about a case where the transactions themselves cannot be deleted since they must be retained for accounting reasons, so the same reasoning applies here: If they need to retain the messages/bookings/... for legal/accounting reasons, then they're exempt. If they don't need to retain them, they can just delete them.
The banking example was a bit muddled because it mixed the necessity of deletion with the method of deletion.
Wherever possible a business should delete relational data upon request. However, relational data is special because it cannot be effectively deleted by overriding user data with random values as Confluence seems to do.
Even if banks were allowed to delete customer data, they would face the same problem as social or booking services in that their relational data must be truly 'removed' rather than just overridden.
Banks are also regulated by financial crime regulations, which take precedence over GDPR. There is an obligation to preserve data for a period of time (years) for this purpose.
The former - my understanding is that anything that can be used to identify a user is considered personal data, so even things that would be benign/meaningless in isolation would count if they produce a unique enough signal when aggregated.
The risk is very minimal or non-existent in the current situation though. Maybe once Google or Facebook is properly fined (with those 4% fines everyone was fear-mongering about) then you'll have to reevaluate, but given how it's gone so far I can't see that happening ever.
Backups usually have limited retention according to various data protection agencies. In my current location the recommended time is a few weeks for backups, a few days for logs etc. Those agencies are fully aware that nobody goes around purging data from backups (which may also be hard with airgapped backups etc.) and you might need to wait before being "forgotten".
You only need to state to what extent and period the information is stored in backups, and have a process in place to purge it again in case of a restore.
This is a bit too absolute but I too have worked for SAAS companies who told people things were deleted when they were soft deleted or not deleted at all.
At the company I work for we actually hard-delete all user/tenant data, when requested. The column you mention is used for soft-deletion, which is a transient state. Even when not explicitly requested by the customer, we still hard-delete soft-deleted data that has been stale for at least X months (6?).
So yeah, some companies really delete customer data, by request or by policy.
Admittedly we're a two-person startup so not exactly the same as a big corporate, but at Supernotes[1] we actually delete you from the database when you delete your account.
> 2 services moved my account to a different email address instead of deleting it. I was only able to detect this because they changed the mailbox part (the bit in front of the @ sign) but left the domain unchanged. I capture all incoming emails to my domain, so I saw email-change confirmation emails and other emails arriving at the new unexpected addresses.
That's sketchy, especially if you don't own the domain but you're on a multi tenant domain like Gmail
AFAIK, with the default domains owned by the email providers, Gmail and Yahoo don’t recycle unused/deleted gmail/yahoo addresses ever (whereas other paid providers like Fastmail, Posteo, etc., do recycle within a few months or in a year or so). One needs to be wary of address recycling policies while using somebody else’s domain.
I’m unable to edit my comment above, but I understood the problem of changing the email address (even to something like name-deleted, since it could be claimed or already registered by someone else). In this context, my comment above is pointless. :(
Thanks also to @paranoidrobot for the additional explanation.
I've also had no luck getting Google to delete an unused Developer Account. They suggest I stop using my Google account and create a new one; abandoning all services in the process.
Before requesting an account "deletion" for an account you have anywhere, always go through every single field and enter fictitious data. This includes adding fictitious photos and the like. The service may keep the previous iterations of the data, sure, but that's less likely than them keeping the latest version of the data, which is almost a certainty.
And precisely for that reason many companies nowadays don't allow to edit/modify certain fields unless you request support and provide a proof of your identity.
Depending on the service, it's not always possible, or even desirable, to fully delete an account. For example, if something has an important social part to it, do you also delete the comments that user has left on other people's content? Or their messages in chats? If you do, then discussions end up broken. If you don't, this isn't really a "full deletion". Most social services I've seen do the latter. Some replace the name with "deleted user".
I’d have to look at what Apple requires, but I think deleting comments is good (maybe replacing them with a slug). That’s considered heresy, though, by today’s “data is money” crowd.
I have seen apps that delete an entire thread, when a root comment is deleted; including responses by other people. I think SMF did that.
In the case of our app, we leave communication between users to other apps (like Mail and Messages), so we sidestep that problem.
Actually, the reason we deliberately push communication out to other apps, is so we’re not on the hook for it. There’s no reason for us to have the users communicating with each other, via our app. Long story, but privacy is a real big deal, with our user base. I’m super tinfoil about security.
> Does Apple have any way to verify it’s actually a full delete, and do they do so?
The guidelines do state that it should be a full delete. In my experience, Apple has never checked or asked to verify if a user account was fully deleted on apps I've worked on, which involve PHI. It's been a part of HIPAA compliance for our apps since the beginning (and we do actually fat delete, FWIW). It's a relatively new requirement from Apple's end, though. The deadline was actually extended from January 31st 2022 to now June 30th 2022. Enforcement or stringency on Apple's part could change around then, but I don't see Apple having the resources or willpower to do much of an increase here.
It’s both. I suspect most of their focus is on data retention; regardless of where it happens.
Most times, that’s usually a server, of some kind, but it could also be something like an iCloud data account, I guess; which would be a challenge, as the data could be in many places.
> If a user of the app deletes, it completely nukes their entire account, down to the last byte.
Edit: This comment is in response to the suggestion that all Apple apps delete all local data, which, after rereading the parent, they were only suggesting for their app.
Are you sure about that?
I'm not an iOS developer but as a user I noticed a few years ago that deleting Google apps, even all Google apps, off my phone and from iCloud still resulted in a freshly installed Google app suggesting I log in using the account I was last using.
My best guess after doing some searching is re-identification was done using a "Keychain Access Group"[1] which does not automatically get deleted on app uninstall. Though it is stated [2][3] that this is an implementation detail and not a guaranteed behavior. If I recall correctly the only way to reset the Keychain Access Group if the app doesn't do it is to wipe the phone.
It is also possible to persist data if an app is part of an "Application Group": if one of the apps in that group is still installed on your device, then data shared via that approach will not be automatically deleted unless all apps in that group are uninstalled (from what I have read).
Apple does have the "DeviceCheck"[4] framework which significantly limits the amount of bits which can persist across app reinstalls which prevents / severely limits an app's ability to reidentify users but still enable some useful use cases. However until "Keychain Access Group" persistence is removed there is not a lot motivating a developer to use this framework.
I don’t have control over MITM attacks, but Apple enforces TLS (and insists on it being robust).
I wrote every line of code in the server that manages users’ PID (which is held under conditions that would drive most HNers into fits). I use a modified variant of my BAOBAB server[0]. It’s pretty tightly bolted down. The security of the system is enforced on the server[1].
I also wrote every line of the native Swift frontend app. I use the keychain for some stuff, and persistent prefs[2] for other stuff. The keychain can live between installs, so I have to explicitly delete that, as well as the persistent prefs. Since it only holds login info for a deleted account, it’s not an enormous risk (unless the user is one of those folks that reuses passwords).
Ah I misinterpreted that you were talking just about your app, my apologies.
I didn't mean to call you out on that. I'll update my comment to reflect that.
This is super duper common. Most companies that I've run across don't actually have a mechanism for properly deleting accounts.
My anecdote: Collage.com - I tried it, was unsatisfied with the results so I requested that they delete my account under CCPA (being a Californian). They said they completed. My account was renamed from email@domain.com to email@domain.com-deleted12344843223432 . My session wasn't even terminated, so not only could I see this, I could still see my not-deleted photos AND all the sharing links still worked.
I fought with them at length and their support insisted it was deleted and that this was just something on my computer. Logout/clear cookies/cache/reboot and it'll be all good. I know that's BS.
Even when they "escalated" the issue to a manager who said "Your account has been deleted and will not be reopened." - I could still take screenshots of my account homepage. At which point they stopped responding to me.
Complaints don't do anything. We need people filing lawsuits. Politicians don't care, they are in bed with businesses and information collection companies.
Is it name and shame time? Cause I know Walgreens doesn't even have the option to allow you to request deleting your online account. Not an online option nor even calling them on the phone.
The company I know handles account "deletions" by pseudonymizing data, which is utter BS, any half-competent engineer can recover who the original person was. The engineering lead in charge realized he can get promoted by calling pseudonymization "anonymization" thereby fooling most, and not losing the data for the company. Those who knew he was making a mess were not included in the data deletion project, likely because it was inconvenient to hear the truth.
So that's how a huge company deals with "data deletion". I hope the DPA will come down on them hard but of course this clown will then just go and do this circus at another company, now promoted to high heavens.
I hate that privacy and security are full of snake oil peddlers, and it pays off extremely handsomely to be a snake oil peddler. It's not in anyone's interest for you to get caught (who wants to advertise their security is bad/they don't abide by GDPR?), so even if it becomes painfully obvious you've been selling snake oil, you'll only be asked to hand in your resignation, allowing you to do the same (but at an even higher level) at another company.
One reason deletion may not be technically absolute is that tombstone records may be needed to gradually cull the data from things like backups and 3P systems. Usually though these should just be surrogate keys with no human significance. Then ultimately they get purged too.
The danger with surrogate keys and pseudonymization/tokenization is that the mere patterns in the data such as foreign key relationships may be enough to uniquely identify someone.
If the tombstones are barren enough there may not any/enough relations or metadata for that. And ideally even the tombstones get removed once related records and 3P copies have been wiped.
The post paints a discouraging picture overall, but it does have some interesting double standards if you consider these three separate quotes:
> It would seem there is no end to how far businesses can take white-labeling and outsourcing.
> I’m sure engineering time to manually delete data must be more expensive in the long run than creating processes and tools for customers and customer support representatives to handle deletion requests.
> 11 of these were smaller niche online stores.
If I'm a "niche online store", am I somehow excused from these rules? I would think there would be a market for white-labeled online stores for niche online stores, but that's somehow Bad™? But having an in-house engineering team develop the platform and respond to development needs as they arise (to handle the first account deletion request) is also Bad™?
Had a similar terrible experience with crypto.com. After the MFA and stolen digital assets debacle earlier this year, decided to [hard/soft] delete my account with them. The company has a very complicated process for account deletions which involves having the account owner send a picture of themselves holding a sign. The picture must meet several criteria in order to be accepted.
I had a service provider delete the hosted graph databases I used for my startup demo that even had some past consulting client data in them, while still continuing to charge me for several months for the service. Since I didn't believe anyone actually deleted data, I asked for a download of it, and they insisted it was actually deleted. It was absolutely shady. Tainted my view of that technology as well.
Valuable lesson was that for the next project I will likely have to figure out how to effectively shard and round robin containers across diverse cloud providers, as I don't foresee ever affording to be able to be treated that poorly again.
I guess it can get complicated, but in most of the software I've written, I gracefully handle missing user relationships so that it's possible to delete the user. I wouldn't be surprised if a lot of these circumstances are just because the software can't handle a missing user relationship, nothing nefarious. Stupidity before malice and all that.
My favorite in the bad old days was ETrade. They wanted money to delete your account - $80! Fortunately they had an 'ETrade checks' feature, so I wrote myself a check on my account for the entire total, directed their email to the trash and threw their snail-mail away for 2 years before it dried up.
> The last successful request was processed 71 days after the first email. The GDPR doesn’t define “without undue delay”, but I’m fairly certain that it requires companies to not stall for over 10 weeks.
Having worked at a couple of cloud companies... the GDPR deletion timeline within our systems was 90 days. I assume that legal had vetted that timeline.
I wonder how this is supposed to work with workplace apps such as Slack, especially with regards to GDPR.
Say I am leaving my job, and want my personal information to be purged from this 3rd party service (Slack). They say [1] "Primary Owners of a workspace or org must contact Slack to request deletion of a deactivated member's profile information.". What if I contact the "Primary Owner" before leaving my job and they ignore my request, or better yet I have already left my job and I don't know how to contact them or who they are? Why can't I request my personal information to be deleted from a completely 3rd party American company's database myself?
If you are using a company account, the company owns the data. The data produced during company time is the company's property. The company has to request deletion. Slack is right about it.
- Is my full name, birth date, telephone number, job and other details Slack collects company property?
- Can they also sell this to other 3rd parties along with my social security number which was also collected by the company during company time?
- Is Slack also free to sell this data to other parties afterwards?
- Does GDPR protect your personal information if you gave it away during your free / unemployed time using your personally owned devices and only to services you have admin access to?
Try telling a friend a sufficiently spicy secret and then tell me there's a delete. It's just as much a falsehood as imagining you can un-break a window.
It’s software, not magic. We focus on the happy path … there is rarely malign intent here, it’s just a matter of focus… I’d say if GDPR did any good it was in forcing many to be like fine, we’ll devote resources to deleting data we’d otherwise probably only bother to if our DB size became too big to deal with… it’s the build big and sell to someone else to deal with problem … we just don’t focus on the negative, less fun problems
Part of this is leftover tech culture from Facebook's early focus on Growth, Growth, and more Growth. Allowing for easy deletion of accounts was fundamentally at odds with user growth.
It's refreshing to see that tech is now heading in a more socially responsible direction, but the industry still has a long way to go.
> It's refreshing to see that tech is now heading in a more socially responsible direction
What? Absolutely the opposite is true. Tech is now doing evil shit that was unthinkable ten years ago. Like Facebook using the phone number you put in as part of your 2FA for marketing purposes [1]. The only thing that's happening right now is tech companies are paying more lip service to giving a fuck about users, not actually giving a fuck about them.
Datacenter carbon neutrality and de-biasing ML models are two that I can recall off the top of my head.
These are, of course, unrelated to account deletion, but it shows that big tech is at the very minimum aware that social responsibility is becoming a more important part of business.
You must be mistaken. There is an entire department focused just on that at my local university, at least over 100 people. Plenty of candidates to replace those 2.
Actually deleting accounts means you're losing very valuable information about [past] customers, their behavior, geo, etc. Also some people may suddenly decide to delete their account and request its reactivation after a while.
It also means you cannot use this data for forensics which is not such a rare occurrence.
It should be possible to complain to your local data protection authority.
Whether they'll do anything tangible about it is another matter (in the UK the answer is absolutely not), and same for whether they are able to do anything tangible about it (good luck if the offender is shielded behind the crooked Irish DPA).
I'm pretty sure you can file a complaint with any company that operates in Germany (or other GDPR-supporting countries). AFAIK it does not matter where they're registered, only that they provide services in your country.
It is a function of incentives and punishments. The nature of the company you are in and the risk the org is willing to bear plays out. I work for one that puts in a lot of effort to get rid of all the user data if they request a deletion based on the laws of the country they are from, which we can expand to any user as needed. Whenever we have found gaps in our existing data storage, we go back and really try to clean it up. However there is a lot of legacy that surfaces from time to time.
The reality is doing this is messy and is going to remain so for some time. One cannot suddenly start after years of no incentives in the online economy to do this and get to cover all areas without huge cost. This requires giving up competitive advantage today. Mid to small organisations that were beyond startup state but not yet having 1000's of engineers, which have to balance growth and operational aspects are left in the most difficult situation. As the laws started taking hold, their incentive structure is still not fully aligned with this as the digital economy does not yet reward them for this enough nor does enforcement create a large enough risk yet. Same thing plays out with some of the larger orgs, just that they have more lawyers to help them stall this as humans are always biased to keep the status quo if it is beneficial to them.
Personally I think we've had a start but it's going to take some time to get to where we need to be. I really applaud the idea of the privacy laws and the intent behind them. It's just that one has to recognise we won't be getting to a state of good behaviour within a few years after a couple of decades of not having those requirements baked in from the get go. Old habits have to be replaced as well. The enforcement is hard and that will be something that has to be bubbled upwards from the ground up by users themselves to create a digital economy where consumers/users reward those that respect their privacy. It is just not yet that way today, so why would the organisations change? The risk is low as enforcement is hard and the user demand is not enough.
Most successful would be attempts by large organisations such as Apple and laws like GDPR which force developers and companies to change their thinking. By asking for change and continuing to iterate on that you can start seeing a slow move towards development practices that will have privacy by default. You need the whole chain of actors to move towards this: The product managers, the engineering leads and architects, the decision makers, the risk assessors. Once enforcement is more steady alongside more demand from users the balance will come. All of this moves slowly whether we like it or not.
(edit - grammar and made some long sentences shorted)
*accounts are never deleted, period*
At most there's a column in the table which specifies whether the account is alive or not. That's it.