wlonk/wheretofind.me

Right to be forgotten and safety concerns


As things stand, wheretofind.me acts like the huge majority of social media sites out there: once you've created an account and filled it out, it exists in perpetuity unless you take action to change it. In discussing the service with a few people, I've come around to the perspective that the service should gracefully forget people over time, as a safety feature.

Consider this: if you had a directory of my past identities - even one I'd willingly created - you could tie me back to cringey livejournal passive-aggressive posting from my teen years and early 20s, to most or all of my professional lives, and probably to identities I've used in contexts that, in hindsight, I was in a fair bit of danger in. I've been protected from being associated with that basically by accident: my internet coming-of-age happened during a time where linking one identity to the next wasn't even a concern, let alone a thing there was a service for. Had wheretofind.me existed, however, I likely would have used it - and it likely would cost me here and now.

I'm a fairly privileged person - my past isn't really much of a danger to me, beyond being mildly embarrassing. I'm not part of any especially vulnerable groups, I've never had to flee a violent ex, and I've never dealt with significant professional or academic discrimination. For people who don't enjoy this degree of good luck, wheretofind.me presents a risk, and does very little to highlight that the risk exists or to suggest ways to manage it while still getting value out of the service.

As a straw proposal, I think wheretofind.me can do marginally better, without significantly disrupting the users we already have, as follows:

  • Once a year, on the anniversary of signup, we send each user an email reminding them that we take privacy seriously, and that the right to be forgotten is important to us. In that email is a call to action: if you still want the site to maintain your account, click a link in the email or log into the site at least once in the next month. If you don't want the site to maintain your account, do nothing.
  • Once the month passes, if the user has not confirmed their account, we hide their account from searches and send them a second email saying that their account has been archived and will be preserved for another year, and that they can reactivate their account at any time by logging in or clicking a reactivation link in the email.
  • If a user reactivates, we reinstate their account.
  • Otherwise, after nine months, we send a final reminder that the account will be deleted, with the same alternatives.
  • After a year, shred the account and all records pertaining to it.

I specifically do not think we should keep lapsed accounts around indefinitely. If you go a year without logging in after the reminder emails, we should not keep records that are exposed to a breach or to a subpoena when we don't have a specific reason to do so.
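The lifecycle sketched above, written out as an added example (not code from wheretofind.me): a pure state machine that a daily job could run per account, so the yearly reminder, one-month grace period, archive, nine-month final notice and shredding each fire exactly once. The day counts, field names and the `touch`/`step` split are assumptions standing in for the month, nine months and year in the proposal.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Timings from the proposal (constructed constants, not wheretofind.me config).
GRACE = timedelta(days=30)          # a month to answer the yearly reminder
FINAL_NOTICE = timedelta(days=274)  # about nine months into the archive
SHRED = timedelta(days=365)         # a year in the archive, then destroy everything

@dataclass
class Account:
    signup: date
    last_seen: date                      # last login or reminder-link click
    state: str = "active"                # active | archived | shredded
    reminder_sent: Optional[date] = None
    archived_at: Optional[date] = None
    final_notice_sent: bool = False

def anniversary(signup: date, today: date) -> date:
    """Most recent signup anniversary on or before today (Feb 29 counts as Feb 28)."""
    m, d = signup.month, (min(signup.day, 28) if signup.month == 2 else signup.day)
    year = today.year if (today.month, today.day) >= (m, d) else today.year - 1
    return date(year, m, d)

def touch(acct: Account, today: date) -> Optional[str]:
    """A login or link click confirms the account and reactivates an archived one."""
    acct.last_seen = today
    if acct.state == "archived":
        acct.state, acct.archived_at, acct.final_notice_sent = "active", None, False
        return "reactivate"
    return None

def step(acct: Account, today: date) -> Optional[str]:
    """Daily job: the single action due for this account today, if any."""
    if acct.state == "active":
        if (acct.reminder_sent or acct.signup) < anniversary(acct.signup, today):
            acct.reminder_sent = today
            return "send_reminder"
        if (acct.reminder_sent and acct.last_seen < acct.reminder_sent
                and today >= acct.reminder_sent + GRACE):
            acct.state, acct.archived_at = "archived", today
            return "archive"          # hidden from search; "archived" email goes out
    elif acct.state == "archived":
        age = today - acct.archived_at
        if age >= SHRED:
            acct.state = "shredded"   # delete the account and every record about it
            return "shred"
        if age >= FINAL_NOTICE and not acct.final_notice_sent:
            acct.final_notice_sent = True
            return "send_final_reminder"
```

Because `step` only consults dates already stored on the account, the job is idempotent and can be rerun after a missed day without sending duplicate mail.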

wlonk commented

I approve this proposal. I suggest further that we start the clock from when we add this feature.

For what it's worth, I would be interested in implementing this, and have a sticky to at least try to spike it. However, if someone else beats me to the punch, I'd be quite excited to see that. I'm not certain when I'd be able to work on this.

I initially proposed a complex policy and a process to cause the site to automatically forget people. That proposal remains daunting: it implies adding capabilities for periodic automatic administration, which do not exist today, and additionally implies new recordkeeping on a per-user or per-profile basis in order to track outstanding deletion reminders.

It's not clear to me that it would be effective, however. Automatic deletion simultaneously runs the risk of destroying information that is actually still in use if a user fails to respond in time, and also fails to meet the obligations implied by a right to be forgotten because it does not allow users to request the deletion of their data. Proactively forgetting information may help keep the size of the service manageable and may even help protect users' privacy, but it's not necessary to respect their rights, and it has significant externalities on our users' attention.

The right to be forgotten can be met, in spirit (and in most jurisdictions, in legal letter) by allowing people to request the removal of their information and actioning those requests promptly. For people with access to their accounts, this can be done by actively destroying (rather than soft-deleting) profiles when a user requests deletion through the app. Users who have lost access to their account can contact us. We already have an informal process for user-driven requests to manage their information. We use it to address abusive or fraudulent profiles. We can add the right to be forgotten to that process without much disruption, and without the need to build a complex technical system.
