Occasionally I go through my password manager to do a cleanup of accounts I no longer use. For the simple reason that if any one of those services get hacked, I don't want to lose credit card- or personal information, and have that end up in the hands of somebody who shouldn't have it.
In trying to delete a few accounts, some services outright refused to delete my info, without giving any reason. Therefore, I've decided in to create a naughty list of tech companies who don't respect your right to your own information.
There are already 261 sites in the list, but let me know if there are any other services you think I should add.
I like this idea a lot. With GDPR on the horizon, this is a great resource to put together.
I’m a little confused about the implementation right now. I don’t understand Rank and Score specifically. The columns need some explanation to make it clearer if a higher number is good or bad, what the number is representing, and how it’s calculated.
I don't know what you mean. Mastodon deletes all the data from the server, and sends out delete payloads to other servers that may have stored copies. If you refer to the fact that some of those copies may remain, then you need to mark all services as not allowing account deletion because Google may have caches of indexed profile and post pages.
The navigation is a bit confusing. I didn't know the landing page was the "Naughty List". And I was expecting each "category" to filter the existing list, not show a new list of websites/companies.
Also, the ranking list isn't that helpful when 20-some companies are tied for 3rd.
Do you work with any UX designers? Get some feedback from them. It's not about making it pretty as much as it's about presenting the content in a clear way.
One company I would like to nominate as naughty is Newegg. I hadn't ordered from them in years, and asked to delete or disable my account. They can keep their old invoices in the system if they want for legal reasons but I didn't want to log on anymore -- other sellers have processed that request for me.
They repeatedly said "No, we will not disable your account."
And they keep the last address you ordered from in an uneditable field visible on the website, so you can't scramble it with fake address data. I haven't seen any other retailer do that.
I have always appreciated them for that, too. Not respecting the desire to close your account is a separate issue. Fighting patent trolls doesn't make up for their refusal to let you protect your information.
Kayako. No direct account deletion, they need to poke engineer to do it after many requests. They require your personal information and CC to use free plan. No direct downgrade button to free plan if on trial.
I can only find documentation on how to deactivate a Slack account, not delete it. Kayako allows you to delete an account, but after multiple requests.
They have had employees tracking their Ex's whereabouts. They have publicly boasted of being able to identify "rides of shame" after your One-night stand. They collected location information beyond what was necessary to pick you up.
Plus, you know, being union-busting, misogynistic, democracy-undermining, corner-cutting and pedestrian-killing frat boys. But the reasons above seemed to be better tailored to the intent of your list.
There really isn't a single, objective yes/no question that would capture all the nuances here. that's why "the other naughty list", i. e. the criminal justice system and regulatory agencies like the FTC employ judges, lawyers, and long processes to arrive at their nice/naughty lists.
What Uber comes down to is, I believe, essentially the same as the famous Zuckerberg chat message: 'They "Trust me". Dump fucks!'. Saying that isn't illegal by itself. But it shows a complete disregard for the publics' interests.
Every single one of Uber's actions could actually be excused. When, for example, Google admitted to capturing unencrypted Wifi traffic picked up by their Street View cars, I was willing to give them the benefit of the doubt, because that explanation seemed more consistent with their past (and future) behaviour than the alternative.
But the sum of Uber's actions leads me to believe they have misunderstood the causality their own motto proclaims, and are now intentionally breaking things in the hope that it will make them move faster.
One more thing: the Uber help page states that they "permanently delete your account", but also includes this sentence: "Please note that Uber may retain certain information after account deletion as required or permitted by law."
Which makes me think that they're deactivating your account and basically keeping as much data as they can legally get away with.
Since I doubt any of the other companies on your list are openly ignoring the law and keeping more than permitted, the logical conclusion would be that Uber is just as bad your top contenders.
That covers the "required" part of their statement. But they also have the weasel phrase "as permitted", which is far more open ended. In much of the US, for example, the law does not expressly state what steps a provider has to do to "delete" your account. So implicitly, they're permitted to keep what data they like.
And though not directly related, data breaches do undermine a user’s ability to delete their data. So maybe some kind of formula to quantify data loss.
Just some ideas. Your work thus far is really eye opening and you have my thanks. I had no idea I was trapped in LinkedIn.
This page doesn't make sense: you say Tech Companies That Won't Delete Your Information at the top, and then immediately list, e.g. "Outlook Mail: Delete Account? Yes".
This makes them sound like they do delete your account information. If there is something specific that they don't delete, it might be best to highlight that.
Also I am unsure what "Track" means.
And how can you Delete Account be unknown? Did you try? If not, how can you claim they are naughty?
The point of me posting the list here, is to get feedback so that I can make corrections.
Hover of the Tracking text to see the explanation.
There are over 250 services in the list. Those who have the status Unknown didn't mention it clearly on their website. Feel free to make specific suggestions, and I'll make corrections.
While technically true, if the EU has no jurisdiction over you or your business, it's difficult for them to force compliance.
Another example of this is sales tax in the US. Several states have laws that tell the seller to collect and remit sales tax on any sales to residents within the state. But for sellers that have no physical presence in that state, the state has no ability to force them to actually do so (or to force them to open up their books and prove one way or the other).
Does the GDPR actually express a right to account deletion? My understanding is that it expresses only a right to erasure in a limited set of circumstances. Given that comments are public, I think it may be possible to deny the right to erasure on the archival exception.
However, upvotes are currently private, and cannot be removed after some length of time. I wonder if this would mean they should be made removable (or at least the record of them in a user's account).
GoDaddy will let you close your account, but you have to call customer service to do so. (After many years of having multiple domains with them, recently I decided to migrate all the domains I had with them over to other providers.)
One thing that is troubling is that if you have an expired domain with domain lock turned on, they will not delete your account until a year has passed from the non-renewal of the domain. The domain-lock feature cannot be turned off if that domain has been inactive for less than a year unless the domain is renewed. They told me they could not turn it off either so that the account could be closed, but I'm a bit skeptical on that, since it makes no sense that they cannot change the account settings with an authenticated customer making the request. Don't they control their own code? It strikes me as an excuse for them to leave the account open in case you change your mind.
In their favor, I was able to delete payment information immediately. Also, they have very friendly customer service representatives (though friendliness doesn't make up for powerlessness.)
Btw, this is an interesting and good service you are setting up. Thanks for your work!
Or comments (after a certain age, which they say would disrupt threads), although it’s entirely possible to delete the author of a comment whilst leaving it intact (an option they do not offer)
A while ago I deleted my account, then recreated my account after a year, and requested a full backup history, this backup had my old contacts from the original Linkedin android app gathered from my old phone without my permission.
The site is literally based on a spreadsheet at the moment, which has some limitations. I'm working on re-designing my system, which will allow to more easily include sources.
There is too much special sauce on the page for me to see the actual list (perhaps one of your critical resources is already on my blacklist or too third partyish).
Something's up with the site, at least for me. The table content doesn't load - I see the different options (email, etc.) but no entries. Firefox console tells me:
I have problems with FF too (+uBlock Origin +DuckDuckGo Privacy). Loading the data from Google seems to fail:
code 403
message Requests from referer https://sheets.googleapis.com/v4/spreadsheets/1A3xz8NFWjebuMbGWvy2yUBKcnAmuZSs5JmKq9-JDss8/values/Email?key=AIzaSyCxiboNdLE5nSch2pdwI3blsfvfyss3Y0M are blocked.
status PERMISSION_DENIED
As you can see from the code in my post, the script runs, but the server responds with a 403 error. That looks more like the JS is doing the wrong request in FF. The problem seems to be the referrer. For comparison:
Btw. I tried deactivating any Addons which might interfere with the requests but it didn't change anything. So probably all users with a modern Firefox will have an empty table.
I'll be working on re-designing everything from scratch, and not rely on my current jquery solution. It's a matter of how much time I have available, but it's a priority on my list :)
The table pulls data from a Google Sheet. When the spreadsheet is updated, the table is populated with data. You have to run the site's jquery, otherwise it's not going to work.
Tracking you for "free"
Google Search, Google DNS, Google Photos(geo location, faces, maybe object recognition), Google Recaptcha, Google Analytics.
Arbor Network Atlas anti ddos service on the tier one ISP level. Seeing flow samples of most traffic anti DDOS through network flow logs of many major tier one internet networks.
Cloudflare CDN major focal point of internet traffic.
Most companies will not "delete" your account. They will deactivate your account. It is hard to delete things in SQL databases that use FKs, and in many cases it is illegal or inadvisable to delete all customer data (e.g. if you need to keep invoices for accounting reasons, or if you are eligible for chargebacks). Small startups are often busy trying to keep everything working and go after their key metrics and don't have time to build a system robust enough to handle deletions.
I had a user request account deletion last month. It's the first time we've had that.
I simply overwrote all their details with nonsense, and marked the account as deleted. The account exists, but is about as useful as the fake accounts spammers sometimes make.
I wonder about the ranking for the 'Communication' category. Somehow there are protocols, clients and services mixed up. To give an example of each:
- Service: Jabber.org
- Protocol: OMEMO
- Software: Gajim
Next, the score seems to be a similar mix up, not so much focused on security but more as a general recommendation as a trade off between number of features and overall security. To me that feels like a bad advise. That way, a very respectable and stable app like Conversations is listed below the protocol it uses (OMEMO) and even below Tox which is officially listed as experimental, just because conversations doesn't support audio or video telephony.
Other privacy related aspects, like the need to register a phone number to use the service, automatic contact list uploads or custom servers, are completely ignored.
I'm working on creating a new system that will improve the accuracy. Some people have pointed out something similar on reddit, which I do agree with. Phone number requirement is added under SMS.
129 comments
[ 4.1 ms ] story [ 223 ms ] threadIn trying to delete a few accounts, some services outright refused to delete my info, without giving any reason. Therefore, I've decided in to create a naughty list of tech companies who don't respect your right to your own information.
There are already 261 sites in the list, but let me know if there are any other services you think I should add.
I’m a little confused about the implementation right now. I don’t understand Rank and Score specifically. The columns need some explanation to make it clearer if a higher number is good or bad, what the number is representing, and how it’s calculated.
Also, the ranking list isn't that helpful when 20-some companies are tied for 3rd.
Do you work with any UX designers? Get some feedback from them. It's not about making it pretty as much as it's about presenting the content in a clear way.
btw, have you seen the 2FA List? https://twofactorauth.org/
They repeatedly said "No, we will not disable your account."
And they keep the last address you ordered from in an uneditable field visible on the website, so you can't scramble it with fake address data. I haven't seen any other retailer do that.
This is a naughty list is it not? Suggest to please sort by naughtiest first.
"Tech Companies That Won't Delete Your Information Services with the highest scores have the worst policies"
I read this as 20 is worse than 1.
Maybe something along these lines, explicitly explaining 1 is the worse.
"Tech Companies That Won't Delete Your Information Services. Those with the highest rank have the worst policies. A rank of 1 is the worst offender"
I think this is somewhat a problem of English missing a term that unambiguously means "1 is highest".
What do you suggest I change the weight to?
They have had employees tracking their Ex's whereabouts. They have publicly boasted of being able to identify "rides of shame" after your One-night stand. They collected location information beyond what was necessary to pick you up.
Plus, you know, being union-busting, misogynistic, democracy-undermining, corner-cutting and pedestrian-killing frat boys. But the reasons above seemed to be better tailored to the intent of your list.
What Uber comes down to is, I believe, essentially the same as the famous Zuckerberg chat message: 'They "Trust me". Dump fucks!'. Saying that isn't illegal by itself. But it shows a complete disregard for the publics' interests.
Every single one of Uber's actions could actually be excused. When, for example, Google admitted to capturing unencrypted Wifi traffic picked up by their Street View cars, I was willing to give them the benefit of the doubt, because that explanation seemed more consistent with their past (and future) behaviour than the alternative.
But the sum of Uber's actions leads me to believe they have misunderstood the causality their own motto proclaims, and are now intentionally breaking things in the hope that it will make them move faster.
Which makes me think that they're deactivating your account and basically keeping as much data as they can legally get away with.
Since I doubt any of the other companies on your list are openly ignoring the law and keeping more than permitted, the logical conclusion would be that Uber is just as bad your top contenders.
The only challenge is how to rank them based on ranking factors.
And though not directly related, data breaches do undermine a user’s ability to delete their data. So maybe some kind of formula to quantify data loss.
Just some ideas. Your work thus far is really eye opening and you have my thanks. I had no idea I was trapped in LinkedIn.
This makes them sound like they do delete your account information. If there is something specific that they don't delete, it might be best to highlight that.
Also I am unsure what "Track" means.
And how can you Delete Account be unknown? Did you try? If not, how can you claim they are naughty?
Hover of the Tracking text to see the explanation.
There are over 250 services in the list. Those who have the status Unknown didn't mention it clearly on their website. Feel free to make specific suggestions, and I'll make corrections.
Another example of this is sales tax in the US. Several states have laws that tell the seller to collect and remit sales tax on any sales to residents within the state. But for sellers that have no physical presence in that state, the state has no ability to force them to actually do so (or to force them to open up their books and prove one way or the other).
GDPR would be a nice "tool" to validate the actual deletion of personal data.
I sent in a request asking what steps were necessary to have one's account deleted. I was told this was not possible. This is unreasonable.
And yes, I created this account specifically to post this comment.
However, upvotes are currently private, and cannot be removed after some length of time. I wonder if this would mean they should be made removable (or at least the record of them in a user's account).
One thing that is troubling is that if you have an expired domain with domain lock turned on, they will not delete your account until a year has passed from the non-renewal of the domain. The domain-lock feature cannot be turned off if that domain has been inactive for less than a year unless the domain is renewed. They told me they could not turn it off either so that the account could be closed, but I'm a bit skeptical on that, since it makes no sense that they cannot change the account settings with an authenticated customer making the request. Don't they control their own code? It strikes me as an excuse for them to leave the account open in case you change your mind.
In their favor, I was able to delete payment information immediately. Also, they have very friendly customer service representatives (though friendliness doesn't make up for powerlessness.)
Btw, this is an interesting and good service you are setting up. Thanks for your work!
Thanks, and I've added GoDaddy :)
A while ago I deleted my account, then recreated my account after a year, and requested a full backup history, this backup had my old contacts from the original Linkedin android app gathered from my old phone without my permission.
For example, you said that Facebook deletes data partially. What does it mean?
There is too much special sauce on the page for me to see the actual list (perhaps one of your critical resources is already on my blacklist or too third partyish).
Thought you may be able to make use of http://backgroundchecks.org/justdeleteme/ to help with your checking. (no affiliation)
Plus it is great when a study like that is reproduced and vetted for drift.
Thanks again for you work.
----
Loading failed for the <script> with source “https://secured.fyi/analytics/piwik.js”: naughtylist.html:1
The resource at “https://cdn-images.mailchimp.com/embedcode/horizontal-slim-1... was blocked because tracking protection is enabled: naughtylist.html
Source map error: request failed with status 404 Resource URL: https://secured.fyi/assets/style.css Source Map URL: bulma.css.map
----
What's wrong with a good ol'fashioned HTML table?
Referrer in FF:
Referrer in Chromium: Btw. I tried deactivating any Addons which might interfere with the requests but it didn't change anything. So probably all users with a modern Firefox will have an empty table.Arbor Network Atlas anti ddos service on the tier one ISP level. Seeing flow samples of most traffic anti DDOS through network flow logs of many major tier one internet networks.
Cloudflare CDN major focal point of internet traffic.
Besides, from a technical perspective archiving PDF invoices and using SQL cascade delete doesn't sound overwhelming in complexity.
I simply overwrote all their details with nonsense, and marked the account as deleted. The account exists, but is about as useful as the fake accounts spammers sometimes make.
- Service: Jabber.org
- Protocol: OMEMO
- Software: Gajim
Next, the score seems to be a similar mix up, not so much focused on security but more as a general recommendation as a trade off between number of features and overall security. To me that feels like a bad advise. That way, a very respectable and stable app like Conversations is listed below the protocol it uses (OMEMO) and even below Tox which is officially listed as experimental, just because conversations doesn't support audio or video telephony.
Other privacy related aspects, like the need to register a phone number to use the service, automatic contact list uploads or custom servers, are completely ignored.