Ask HN: “Remove me and all my info entirely from your database and records”?

3 points by ezl ↗ HN
Sometimes site users email and ask for "all their information to be removed from the site". This comes in various forms, from "please deactivate my account" (easy) to "Remove all of my information COMPLETELY from your systems" (maybe not so easy).

What are recommended approaches for dealing with this?

I'm assuming that "soft deletion" isn't actually "removing information completely", but trying to engage consumers in that conversation isn't productive.

Also note that if destroying data is on the table, that deleting one person's records may necessarily destroy another person's (for example, in-site communication between 2 users).

Considerations:

1. Feasibility: What does this mean? I think some users may mean "scrub traces of my access from your logs, delete database records (and possibly from backups)".

2. Legal/Ethical concerns: What, if any, legal concerns are there with this? What, if any, are the ethical considerations surrounding this type of request?

3. Obligation: What obligation or responsibility does a site have to abide by these sorts of requests, if they are feasible?

4. Recommended practices: Independent of how feasible it is, what the legal or ethical responsibility is, whether such an obligation reasonably exists -- what are some of the ways that people deal with (or recommend dealing with) these types of requests?

6 comments

[ 2.9 ms ] story [ 20.2 ms ] thread
Where in the world are you?
the law will ultimately be the deciding factor however adding in some relevant T&Cs would be a good first step.

Ultimately in most countries you will be required to delete personally identifying information upon request, I would expect this to include name, address, dob etc. It would not include meta data which is not really identifiable if the previously mentioned data has been deleted. Messages in a forum is perhaps something you need to consider but I would push this onto the user, i.e allow them to edit/delete old posts.

I love when companies have a delete account button, I'm not sure about conjoined data but if I delete my account I expect to be expunged or anonymized in a reasonable time and gradually forgotten as backups grow old. I have deleted my account on lots of websites and would probably delete 200 more today if they had that facility just for the sheer unlikeliness that I will need them again.

Think about how many 100s of websites you must have registered on by now... all those idle accounts just waiting to be sold, hacked, leaked. At least one of those sites probably has "/accounts.txt" just sitting there, their first foray into database driven sites.

If I start another company that requires user registration it will definitely have a delete account button.

The first thing that comes to mind is if you have legal or business requirements to retain financial information, you may not be able to COMPLETELY remove all traces of a user.
That's a good point. One really obvious case of this is that if the user owes you money or you owe them money, you can't delete their account until the transactions are settled. And you'd need to keep the records for some period of time to be able to prove that you paid them, in case they claim otherwise.

Or maybe you've paid the user and need to report the transaction to tax authorities (e.g., a form 1099). Or you may need to have proof of income or expenses in case you're audited by the tax authorities.

This is often impractical to the point of being impossible. Rather than doing this, perhaps designing a system where all PII is hashed through some sha method, and a a custom ID/salt for the user. If they ask you to delete you say sure, and remove that one relationship.

This will screw up searching and indexing data though.