129 comments

[ 4.1 ms ] story [ 223 ms ] thread
Occasionally I go through my password manager to do a cleanup of accounts I no longer use. For the simple reason that if any one of those services get hacked, I don't want to lose credit card- or personal information, and have that end up in the hands of somebody who shouldn't have it.

In trying to delete a few accounts, some services outright refused to delete my info, without giving any reason. Therefore, I've decided in to create a naughty list of tech companies who don't respect your right to your own information.

There are already 261 sites in the list, but let me know if there are any other services you think I should add.

I like this idea a lot. With GDPR on the horizon, this is a great resource to put together.

I’m a little confused about the implementation right now. I don’t understand Rank and Score specifically. The columns need some explanation to make it clearer if a higher number is good or bad, what the number is representing, and how it’s calculated.

It would help to explain your scores a bit (is +10 worse than -10?)
Thanks! I changed the scoring system slightly, and added an explanation.
Why is Mastodon listed as "does not delete account"? Look under Security -> Delete account
Updated to Yes - Partially, because don't guarantee deletion of all data.
I don't know what you mean. Mastodon deletes all the data from the server, and sends out delete payloads to other servers that may have stored copies. If you refer to the fact that some of those copies may remain, then you need to mark all services as not allowing account deletion because Google may have caches of indexed profile and post pages.
Very true, most other services don't even try to delete all data like messages received by others. Changed.
It looks like the major password managers are on the list.
Clean this up a bit and you can br troyhunt for gdpr and command corresponding consulting fees.
Clean this up in what way?
The navigation is a bit confusing. I didn't know the landing page was the "Naughty List". And I was expecting each "category" to filter the existing list, not show a new list of websites/companies.

Also, the ranking list isn't that helpful when 20-some companies are tied for 3rd.

Do you work with any UX designers? Get some feedback from them. It's not about making it pretty as much as it's about presenting the content in a clear way.

It's not perfect, but what I could build in a short amount of time. I'm working on creating a much better and more intuitive system.
One company I would like to nominate as naughty is Newegg. I hadn't ordered from them in years, and asked to delete or disable my account. They can keep their old invoices in the system if they want for legal reasons but I didn't want to log on anymore -- other sellers have processed that request for me.

They repeatedly said "No, we will not disable your account."

And they keep the last address you ordered from in an uneditable field visible on the website, so you can't scramble it with fake address data. I haven't seen any other retailer do that.

Newegg is going on the naughty list.
But NewEgg is famous for not bowing to patent trolls.
I have always appreciated them for that, too. Not respecting the desire to close your account is a separate issue. Fighting patent trolls doesn't make up for their refusal to let you protect your information.
One good deed does not absolve them of other misdeeds.
The very first thing that shows is the companies that are the least naughty.

This is a naughty list is it not? Suggest to please sort by naughtiest first.

We always sort by naughtiest first. Any services in particular you think have the wrong data?
Ah I see, I think it's a case of ambigious copy being misinterpreted by some of us:

"Tech Companies That Won't Delete Your Information Services with the highest scores have the worst policies"

I read this as 20 is worse than 1.

Maybe something along these lines, explicitly explaining 1 is the worse.

"Tech Companies That Won't Delete Your Information Services. Those with the highest rank have the worst policies. A rank of 1 is the worst offender"

I think this is somewhat a problem of English missing a term that unambiguously means "1 is highest".

Kayako. No direct account deletion, they need to poke engineer to do it after many requests. They require your personal information and CC to use free plan. No direct downgrade button to free plan if on trial.
(comment deleted)
This makes little sense:

		Slack	No	No	2
		Kayako	Yes - Difficult	No	0.25
Almost the same level of issues, yet an 8X difference in the score.
I can only find documentation on how to deactivate a Slack account, not delete it. Kayako allows you to delete an account, but after multiple requests.

What do you suggest I change the weight to?

Maybe make scoring much, much clear. Like, add a popup next to scores with a breakdown on how the score was calculated.
I'm working on building a new site that will support a similar feature, and many others.
Uber needs to be on the list.

They have had employees tracking their Ex's whereabouts. They have publicly boasted of being able to identify "rides of shame" after your One-night stand. They collected location information beyond what was necessary to pick you up.

Plus, you know, being union-busting, misogynistic, democracy-undermining, corner-cutting and pedestrian-killing frat boys. But the reasons above seemed to be better tailored to the intent of your list.

What ranking factors would you suggest I add to cover Uber?
There really isn't a single, objective yes/no question that would capture all the nuances here. that's why "the other naughty list", i. e. the criminal justice system and regulatory agencies like the FTC employ judges, lawyers, and long processes to arrive at their nice/naughty lists.

What Uber comes down to is, I believe, essentially the same as the famous Zuckerberg chat message: 'They "Trust me". Dump fucks!'. Saying that isn't illegal by itself. But it shows a complete disregard for the publics' interests.

Every single one of Uber's actions could actually be excused. When, for example, Google admitted to capturing unencrypted Wifi traffic picked up by their Street View cars, I was willing to give them the benefit of the doubt, because that explanation seemed more consistent with their past (and future) behaviour than the alternative.

But the sum of Uber's actions leads me to believe they have misunderstood the causality their own motto proclaims, and are now intentionally breaking things in the hope that it will make them move faster.

One more thing: the Uber help page states that they "permanently delete your account", but also includes this sentence: "Please note that Uber may retain certain information after account deletion as required or permitted by law."

Which makes me think that they're deactivating your account and basically keeping as much data as they can legally get away with.

Since I doubt any of the other companies on your list are openly ignoring the law and keeping more than permitted, the logical conclusion would be that Uber is just as bad your top contenders.

I'm wondering what kind of information, because they are required to keep accounting records for some time.

The only challenge is how to rank them based on ranking factors.

That covers the "required" part of their statement. But they also have the weasel phrase "as permitted", which is far more open ended. In much of the US, for example, the law does not expressly state what steps a provider has to do to "delete" your account. So implicitly, they're permitted to keep what data they like.
Perhaps a ranking of subtle retention policies.

And though not directly related, data breaches do undermine a user’s ability to delete their data. So maybe some kind of formula to quantify data loss.

Just some ideas. Your work thus far is really eye opening and you have my thanks. I had no idea I was trapped in LinkedIn.

Thanks for your suggestion. This is a work in progress, and I have to create a more advanced system than only a spreadsheet to improve the list.
You had me until pedestrian-killing frat boys... Is this a California thing?
(comment deleted)
This page doesn't make sense: you say Tech Companies That Won't Delete Your Information at the top, and then immediately list, e.g. "Outlook Mail: Delete Account? Yes".

This makes them sound like they do delete your account information. If there is something specific that they don't delete, it might be best to highlight that.

Also I am unsure what "Track" means.

And how can you Delete Account be unknown? Did you try? If not, how can you claim they are naughty?

The point of me posting the list here, is to get feedback so that I can make corrections.

Hover of the Tracking text to see the explanation.

There are over 250 services in the list. Those who have the status Unknown didn't mention it clearly on their website. Feel free to make specific suggestions, and I'll make corrections.

It seems unfair to assume they won't delete it, before testing the assumption.
Will GDPR save us from the products on this list?
Yes, but only EU companies have to comply, and those who by extension is subject to the same rules by treaty, mainly the EEA and EFTA as well.
The GDPR applies to the data of anyone using a service while in the EU, not just to companies that are based in the EU.
While technically true, if the EU has no jurisdiction over you or your business, it's difficult for them to force compliance.

Another example of this is sales tax in the US. Several states have laws that tell the seller to collect and remit sales tax on any sales to residents within the state. But for sellers that have no physical presence in that state, the state has no ability to force them to actually do so (or to force them to open up their books and prove one way or the other).

For most large tech companies EU is their biggest or second biggest market. The fines are large, so it will be in their interest to comply.
Yes, and it will also give more insight in what and how they collect and process your data.

GDPR would be a nice "tool" to validate the actual deletion of personal data.

what in the world does a yes or no in the "tracking" column mean?
If you hover your pointer over the Tracking text, there is an explanation.
This site - hackernews - will not delete your account - full stop.

I sent in a request asking what steps were necessary to have one's account deleted. I was told this was not possible. This is unreasonable.

And yes, I created this account specifically to post this comment.

Could GDPR change this?
For EU users yes, but for other people kind of, when using EU based services.
Does the GDPR actually express a right to account deletion? My understanding is that it expresses only a right to erasure in a limited set of circumstances. Given that comments are public, I think it may be possible to deny the right to erasure on the archival exception.

However, upvotes are currently private, and cannot be removed after some length of time. I wonder if this would mean they should be made removable (or at least the record of them in a user's account).

Crocagile.com not only lacks an option to delete your account, they also flat out ignore any email to their support address with any such request.
GoDaddy will let you close your account, but you have to call customer service to do so. (After many years of having multiple domains with them, recently I decided to migrate all the domains I had with them over to other providers.)

One thing that is troubling is that if you have an expired domain with domain lock turned on, they will not delete your account until a year has passed from the non-renewal of the domain. The domain-lock feature cannot be turned off if that domain has been inactive for less than a year unless the domain is renewed. They told me they could not turn it off either so that the account could be closed, but I'm a bit skeptical on that, since it makes no sense that they cannot change the account settings with an authenticated customer making the request. Don't they control their own code? It strikes me as an excuse for them to leave the account open in case you change your mind.

In their favor, I was able to delete payment information immediately. Also, they have very friendly customer service representatives (though friendliness doesn't make up for powerlessness.)

Btw, this is an interesting and good service you are setting up. Thanks for your work!

Some companies do that, and say "it's our policy", without giving a real reason for it.

Thanks, and I've added GoDaddy :)

Why isn't HN/YC on this list?
HN doesn't allow for people to delete their account, a lot of forum type websites have the same rule.
Or comments (after a certain age, which they say would disrupt threads), although it’s entirely possible to delete the author of a comment whilst leaving it intact (an option they do not offer)
They keep telling me they're working on it.
I didn't see LinkedIn in this list?

A while ago I deleted my account, then recreated my account after a year, and requested a full backup history, this backup had my old contacts from the original Linkedin android app gathered from my old phone without my permission.

Please add reasons for each site why they have points they have and links that support those claims.

For example, you said that Facebook deletes data partially. What does it mean?

The site is literally based on a spreadsheet at the moment, which has some limitations. I'm working on re-designing my system, which will allow to more easily include sources.
Is anyone else having trouble viewing the spreadsheet? I can't view it on my computer or phone.
You have to allow scripts to run, because it relies on jquery.
It seems like they'll soon be (heavily) fined under GDPR if they don't change... ;-)
I can’t delete my Hacker News data, comments or profile.
Thanks, I appreciate the thought and effort.

There is too much special sauce on the page for me to see the actual list (perhaps one of your critical resources is already on my blacklist or too third partyish).

Thought you may be able to make use of http://backgroundchecks.org/justdeleteme/ to help with your checking. (no affiliation)

Plus it is great when a study like that is reproduced and vetted for drift.

Thanks again for you work.

Something's up with the site, at least for me. The table content doesn't load - I see the different options (email, etc.) but no entries. Firefox console tells me:

----

Loading failed for the <script> with source “https://secured.fyi/analytics/piwik.js”: naughtylist.html:1

The resource at “https://cdn-images.mailchimp.com/embedcode/horizontal-slim-1... was blocked because tracking protection is enabled: naughtylist.html

Source map error: request failed with status 404 Resource URL: https://secured.fyi/assets/style.css Source Map URL: bulma.css.map

----

What's wrong with a good ol'fashioned HTML table?

I have problems with FF too (+uBlock Origin +DuckDuckGo Privacy). Loading the data from Google seems to fail:

  code	403
  message	Requests from referer https://sheets.googleapis.com/v4/spreadsheets/1A3xz8NFWjebuMbGWvy2yUBKcnAmuZSs5JmKq9-JDss8/values/Email?key=AIzaSyCxiboNdLE5nSch2pdwI3blsfvfyss3Y0M are blocked.
  status	PERMISSION_DENIED
Read my previous reply.
As you can see from the code in my post, the script runs, but the server responds with a 403 error. That looks more like the JS is doing the wrong request in FF. The problem seems to be the referrer. For comparison:

Referrer in FF:

  https://sheets.googleapis.com/v4/spreadsheets/1A3xz8NFWjebuMbGWvy2yUBKcnAmuZSs5JmKq9-JDss8/values/Email?key=AIzaSyCxiboNdLE5nSch2pdwI3blsfvfyss3Y0M
Referrer in Chromium:

  https://secured.fyi/
Btw. I tried deactivating any Addons which might interfere with the requests but it didn't change anything. So probably all users with a modern Firefox will have an empty table.
I had to disable the "Smart Referrer" Firefox Addon to get the table to load in Firefox :(
I'll be working on re-designing everything from scratch, and not rely on my current jquery solution. It's a matter of how much time I have available, but it's a priority on my list :)
The table pulls data from a Google Sheet. When the spreadsheet is updated, the table is populated with data. You have to run the site's jquery, otherwise it's not going to work.
Tracking you for "free" Google Search, Google DNS, Google Photos(geo location, faces, maybe object recognition), Google Recaptcha, Google Analytics.

Arbor Network Atlas anti ddos service on the tier one ISP level. Seeing flow samples of most traffic anti DDOS through network flow logs of many major tier one internet networks.

Cloudflare CDN major focal point of internet traffic.

Most companies will not "delete" your account. They will deactivate your account. It is hard to delete things in SQL databases that use FKs, and in many cases it is illegal or inadvisable to delete all customer data (e.g. if you need to keep invoices for accounting reasons, or if you are eligible for chargebacks). Small startups are often busy trying to keep everything working and go after their key metrics and don't have time to build a system robust enough to handle deletions.
Of course it is hard (or maybe not top priority for some) but that's no excuse in my book.

Besides, from a technical perspective archiving PDF invoices and using SQL cascade delete doesn't sound overwhelming in complexity.

I had a user request account deletion last month. It's the first time we've had that.

I simply overwrote all their details with nonsense, and marked the account as deleted. The account exists, but is about as useful as the fake accounts spammers sometimes make.

I wonder about the ranking for the 'Communication' category. Somehow there are protocols, clients and services mixed up. To give an example of each:

- Service: Jabber.org

- Protocol: OMEMO

- Software: Gajim

Next, the score seems to be a similar mix up, not so much focused on security but more as a general recommendation as a trade off between number of features and overall security. To me that feels like a bad advise. That way, a very respectable and stable app like Conversations is listed below the protocol it uses (OMEMO) and even below Tox which is officially listed as experimental, just because conversations doesn't support audio or video telephony.

Other privacy related aspects, like the need to register a phone number to use the service, automatic contact list uploads or custom servers, are completely ignored.

I'm working on creating a new system that will improve the accuracy. Some people have pointed out something similar on reddit, which I do agree with. Phone number requirement is added under SMS.