[Request] Allow account deletion #1941
Comments
|
If a very active user would be deleted this way you suggest, that would destroy conversations completely. imagine this user chatted a lot with others in hundreds of rooms, others took a lot of effort to answer questions of this user,.... all those work of others would be in vain. that wouldn't be fair. Also this would violate the Idea of the Matrix: What is said can't be unsaid. An exception would be rooms, where everyone agrees, that they are moderated and messages are not persistent all the time. The only possibility I can imagine to free a username for a new registration would be to remap the old posts to a new user with the same name, so the messages are unlocked from the user, that wants to be deleted. Only a user that has never said anything could be deleted completely! |
AFAICT it would only destroy the history of that conversation, i.e. a new client from a recipient on the same homeserver cannot sync it anymore.
Then the history of that conversation is gone from the user's homeserver just as his choice implied.
Fair to whom? It certainly is not fair to the user clearly stating that he/she wishes not to use a server anymore to keep the data the user owns around. In countries with strict privacy laws and with a history of many privacy related court cases being decided in the user's favour operating a server of this nature is grey at best in terms of legal safety, derelict at worst.
Where did you get this idea from? It certainly is not expressed in the FAQ[1] and the spec only implies it by being vague about what [1] http://matrix.org/docs/guides/faq.html
If a user wants to cease using a service, it has to be possible for his/her usage data to be deleted by him/her.
Or just do the thing the user explicitly asked you to: Delete those posts.
Only from other homeservers', since AFAICT homeserver A cannot tell another homeserver B that user C has unregistered from A and events by him/her should also be deleted from B. |
|
You can redact all your messages already one by one before you delete your account. Those redactions are already federated to other servers, so you can write a script that does this for you already.. But you can never be sure, that other servers obey to the redact command though. |
These two seem to contradict each other. Either what is said can't be unsaid, or you can delete your messages. Regardless, there is currently no way to delete your account, only to deactivate it.
Good to know, as the Client-Server spec does not fully specify how redacted events are propagated. But this does not deal with account deletion.
Of course, you can never be certain a blackbox third party claiming to implement a spec actually fully comply with it. But this is a red herring, diverting from the issue of a user not being able to delete his or her account in this implementation. |
|
@rubo77 In some countries law demands that you're able to completely remove your account. Besides that, if I want to stop using a service, I always make sure that all of my data will be removed. Here, this is not possbile. I think this is a major flaw in the design specification. |
|
This is like requesting that you can delete your email account and somehow magically delete every email you ever sent at the same time. It's a reasonable request for a centralised service like facebook, but Matrix is not centralised. Instead, the best we can offer for now is deactivating accounts, and in future purging history from your local homeserver but this really doesn't achieve much. |
|
@ara4n No, this is like requesting that you can delete your email account and all the data pertaining to that account from the service provider's servers. |
|
@Calrama except that concept does not exist on Matrix, because the concept of "all the data pertaining to that account on your service provider" is not well-defined, given the whole point of Matrix is that your messages are replicated equally over all participating servers. It's not like deleting your IMAP spool from a service provider, it would be like deleting some combination of global IMAP+SMTP history both for you & everyone you've ever spoken to. Here are the possible "solutions" here:
So, this is why right now the only option supported is number 1, and possibly in future number 2. Hopefully this also explains more clearly why options 3, 4 and 5 would cause more harm than they solve. In the end, if you want to communicate using a system which lets you destroy all every message you've ever sent, or doesn't keep that history in the first place, I'd suggest using something other than Matrix.
|
No. The only thing I request is that I can delete my account (e.g.: Make a login with my credentials impossible). Nowhere I wrote that I want to magically delete every message ever written by me. This is pretty much number 1 of the solutions you posted:
I don't know what else in stored in a user account besides username and password, but if this could be enhanced to delete all the other stored data too (e.g. linked phone number, mail addresses, in short: every personal information) it would be nearly perfect for me. |
|
@ara4n Thanks for explaining your position in depth, this makes it easier to refer people to.
I am aware of that, but that does not change what is required in terms of privacy laws.
I am using something different, but not for that reason. The reason is privacy laws, as I indicated earlier. |
|
@ara4n I forgot to ask, but:
Is this only possible via the api or is this already possible via the webinterface or apps like riot? I found nowhere the option to do this. |
|
@KopfKrieg it depends on the client. on Riot/Web it's the big red 'deactivate my account' button at the very bottom of the User Settings screen:
|
|
Ah, perfect, thanks. |
@calrama IANAL, but as I understand it: typical data protection law requires a service provider to delete personal user data if requested by that user (and to not hold it beyond a given time threshold). In practice, we do not consider messages that a user has sent to other users as being personal user data - just as an email service provider would not consider emails sent to another user to be the exclusive personal property of the sender. Instead, these messages are the shared property of those with whom they have been shared. I completely agree that actual personal data (as per @KopfKrieg's example) should be deletable - and we do as much of this as we can currently in solution 1, with solution 2 filling in the remaining gaps in future. I might be able to help better on this if you explained whether any of my proposed solutions would be satisfactory for your requirements - i.e. are you petitioning for solution 2? or 5? or 6? |
|
@ara4n Messages a user has sent to other users may still be considered personal data with regards to you as a service provider (regardless of what the recipients do with their copy); as is the user's account name. I was petioning for exactly what I wrote in the opening post: All (personal) data pertaining to that user on that specific homeserver to be deleted (permanently); that includes the account name and all messages sent (on that specific homeserver). With regards to your proposed solutions, AFAICT: As long as it is not possible for users to completely wipe a homeserver of all data that a German court may decide can be considered personal (data), I cannot deploy one. |
|
Okay, I am definitely not qualified to say what a German court might or might not consider personal data. My intuition is that they would not consider email body+headers sent from user A to user B to be personal to user A, if stored on user B's account (whether user B is local or remote to that mailserver). And so the same logic would apply to Matrix. I'll keep the bug open though to track solution 2, and in case someone with the necessary legal expertise wants to contribute an opinion :) |
|
@ara4n It is not a question of how something is sent, but what is sent. You could absolutely argue that an email body containing PII, e.g. my real address should be deleted on request, just as if it were stored in any other form on a server, whether it is my own or a remote server. |
|
I hit this problem. I have my account deactivated and made new one. For now user search returns both my accounts regardless is it active. Also my deactivated account still visible in all channels and even takes nick name in IRC. So for me account deactivation as it now is just «forget password». When I click «deactivate» I thought matrix at least will exit from all rooms, and stop IRC bridging and free nick name for future registration. But it doesn't. By the way can someone help me to stop IRC bridge from taking my nick name? |
|
I agree with @ara4n that the idea that someone "owns" what they voluntarily say or type to others is nonsense on slits. That said, nothing stops governments from enacting laws around nonsense, so those running homeservers in those states will have to do what they feel is necessary to avoid run-ins with the relevant authorities. Only you can assess your risk tolerance. That said, what @akhilman has brought up disturbs me, if true, because I just hate it when my initial noob screwing around results in my forever and always seeing evidence of it. I plan on running my own homeserver soon and would love it if I could eventually stop my @username:matrix.org account (which I may deactivate, as I never really used it) from showing up where it doesn't make sense. If I understand it correctly, it seems to fall somewhere in between 1 and 2. A deactivated account shouldn't erase conversational history for that account, or allow the potential for spoofing, but it doesn't make much sense from a UX perspective for that account to appear in the present context as an active user available for chat or invitation etc. It's not clear to me why one would have to go so far as to change the internal ID system to accomplish this. Isn't it enough to mark the ID as locked and use that fact when deciding what to offer users in various contexts? |
|
Seems fair to attempt to leave all rooms upon deactivation. |
|
Today I have two zombie accounts in matrix-hq room, First one is my deactivated account, second one is from dead local server. When matrix become popular there will be thousands of dead accounts in rooms. I propose to add a kind of garbage collector to kick abandoned accounts from rooms after year timeout, or even to completely remove all data. |
|
Had some more thoughts on it. Would be nice to finally have extensive profiles so we can mark accounts as disabled. It's a feature slack does and I've found it incredibly useful to determine if people in the company are still employed, for instance. |
|
We Could rename the alias of disabled usernames to "old alias (disabled)" to prevent others from inviting, or sending messages to those deactivated accounts. |
|
Very interested in this kind of feature. I am not currently a Matrix user but it is very appealing, but the inability to at least obfuscate an deactivated account is unfortunate from a privacy perspective. I can think of a number of scenarios where someone might want to make it at least a little more difficult to be directly identified or reached from a deactivated account, especially victims of organized harassment. It seems like, from my reading and understanding of the spec, a good way to handle this would be:
A given user can redact their own messages in batch, that wouldn't necessarily be a requirement of a homeserver implementation and there are plenty of examples for e.g. Twitter for doing so. I have used one! They're very powerful. From a homeserver implementation standpoint, at least dropping a deactivated account from all rooms doesn't require anything more from the protocols. This would resolve the application service problem of leaving zombie sessions in rooms on bridged services like IRC. It would also aid moderators of rooms to be able to see that deactivation state too, if they want to remove deactivated accounts by hand, for other homeservers that don't automatically remove them. |
|
We're working on this right now for GDPR compliance (including BDSG compliance for our German friends). We're looking into supporting a fairly extreme solution, although the scope might get dialled back based on the legal advice we receive. The approach we're considering for right-to-erasure is:
EDIT May 8th 2018: our position has slightly changed on the first bullet point, as we couldn't find a robust and intuitive definition of 'public room' - see the 5th paragraph in the 'Right to erasure' section at https://matrix.org/blog/2018/05/08/gdpr-compliance-in-matrix. So rather than redacting, we're instead withholding GDPR-erased messages from ever being shared with users who didn't receive them in the first place Much of this is aligned with the feedback above from @HybridEidolon and others. Thoughts would be welcome on whether this covers everyone's use cases! |
|
Minor request for the implementation: A way for other users/homeservers/something to positively identify that the account was deleted and not just a redaction spree or other event. The primary use case is for bots (namely voyager) to purge any relevant data they may have. Other use cases may include bridges trying to purge data in 3rd party networks, etc. |
|
|
I'm working on this for forum software and since "mega-redaction" doesn't make much sense in a forum the solution we are probably going to choose is renaming the account before deletion to something like "anonymous001" and then stripping every personal data from that account. (User names in quotes are still an unsolved problem.) The goal would be to merge all those anonymous accounts into one. We hope that this will remove any personal aspect of the data and we think that prior user consent to this procedure might stand a chance under GDPR since a forum has some kind of publishing nature and purpose - which a messenger service like matrix has not. So a consent clause of that kind in Matrix might be considered "surprising" (and thus invalid) for a matrix user. In matrix the best thing would be to give the user options upon deletion, but I think one of those options has to be mega-redaction. Option here means at the discretion of the user, not of the server operator. |
|
Please also remember that federation might be considered as a case of "joint controllers" (Art. 26 GDPR). I can see strong arguments for that opinion at least in our jurisdiction (and in some others in Europe). That would mean that deletion has to be carried out across federation. All home server operators would have to join an arrangement that specifies how the GDPR responsibilities are carried out and who is responsible for what. This would have to include bots like voyager (if anybody really wants to federate with them). Please also notice Art 26 no 3 GDPR: "Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers." Are your lawyers aware of that ara4n ? |
|
(Here's a heads up of where we're at right now: https://matrix.org/blog/2018/05/08/gdpr-compliance-in-matrix/) |
|
As somebody concerned with server operation I'd really prefered if you played it safe as much as technically possible. Playing it save means: Leave the decision to the user. If the user wants to mega-redact, give her/him the means to do so. Yes, that would mean that context gets lost - but keeping context intact is not protected by any law and certainly not with fines. Yes, that's bad for other users but if the leaving user decides to delete, then s/he's to blame. You could easily solve the context problem by giving users a tool to save conversations locally. Local copies are not under the responsibility of server operators, so - not our business. And if people forget to save and lose context - not our business as well. Both only seen from a legal point of view, that's what we are discussing here. Matrix is currently advertised as a messenger and there's a real risk that juridiction will consider it as that. Good luck trying to convince a judge that Matrix is just email. This is wishful thinking. A lot of our court decisions in consumer law work around the concept of "reasonable user expectations". Many judges consider themselves being the prototype of a reasonable user. So what will a judge say while looking at riot on android: is that like Outlook or like Whatsapp? Please chose the most radical GDPR compliance possible to mitigate liability risks for server operators, otherwise operators might decide they have to shut down to avoid risks. |
But the article reads that WhatsApp and other messengers follow the same approach:
So I think we are safe to say we're email! |
Our approach, as referenced by @ara4n above is grounded in on-going legal advice. We are certainly not looking to place undue risk onto homeserver owners, we are ourselves responsible for matrix.org not to mention pretty much the whole core team running their own personal servers. The solution must unquestionably be GDPR compliant. We use e-mail as example because of the similarities as far as federation is concerned, but as @26000 references many other messengers have arrived at the same conclusion, and that gives us further confidence in our reading of the legislation. |
|
That static private part is a good point. I created an issue for that #3210 |
|
I personally dislike the possibility of data being suddenly erased, destroying context and all. Something you said can't be unsaid. But the option to dissociate your identity from your messages seems nice. And to prevent further spread of messages — this seems much more fair. I value privacy much, some even say I'm paranoid. But regarding Matrix, I like the way it is now. Because it's federated, and if you can't rely on each node of the network to erase everything completely. You give a user false sense of privacy saying that their data is destroyed. The principle is basically that if you post something in the public internets, you lose your control over it. You can make your data difficult to find, even nearly impossible. But the chances are that a copy remains somewhere. The think I find nice is the way how it is done in IRC. It's just like a real-life conversation: you say something, those who are around you hear it, and you can be sure only they do (as in IRC you see everyone who is online) (let's not think about hidden microphones and so for now). Once something is said, it gets recorded in people's memory, not in a centralized database (like the way every IRC client writes logs, but no IRC server does that). And even if it's recorded, nobody can prove you said something — they can retell everything (or lie that you said something), and it depends on their interlocutors if they do believe them or not. This feels so natural and logical. But, the modern requirements for a messenger are much more than that. We need history sometimes, and IRC is unusable as a replacement for SMS/mail/etc, so we have Matrix now. If IRC is real-life conversations, then Matrix is paper mail. Matrix is nice, and the way it deals with privacy is nice too, even better with those enhancements in development. The only thing I think could be improved is those static states for private rooms. This all is my opinion, I'd like Matrix developers to consider it, but if the majority wants to follow the other way, let it be so. |
|
to try and limit fragmentation:- A response to @gerg5c42g542g2c54g52c comment from @ara4n is here https://matrix.to/#/!boLskYiwabbCQNNhlK:sw1v.org/$15260441781010915AnGmT:matrix.org " metadata can also be vaped if you gdpr-erase the account (thanks to removing the mxid mapping). and i think everyone agrees that retention policies would be a nice feature, and i'm sure it will happen. but for better or worse it's orthogonal to GDPR right-to-erasure stuff." |
|
I'm adding DSGVO here just for the search for the german talking guys. I am interested because i am thinking about suggesting matrix/synapse to my company, while someone else is suggesting Slack. |
I have to do with dsgvo in my company. So matrix is not allowed to use in germany. |
Is that really only a problem in Germany? I thought the GDPR applies to the whole European Union (including the right to request, alter and delete all data about your own account?)? |
@ecxgh then email would not be allowed in germany either, you cannot magically delete your data, which is stored in others inboxes! please read the comments above first, starting at #1941 (comment) |
No. Not only germany. It's whole EU. |
And I only write what DSGVO say.
|
|
in Matrix, when you send someone your data by communicating in a room, you share ownership of it with them, much like email.. We do not believe this is counter to gdpr or dsgvo (which were not built with decentralised systems in mind, so we have applied commonsense ourselves). In future it may be possible to also have a “megaredact” feature which lets users send out kill message to request servers delete everything a user ever said, at the expense of vandalising all the conversations they were ever in, but we do not believe it is a legal requirement. Instead, we are working on MSC1228 to let users remove their PII without destroying conversation history. |
|
I think this is a duplicate of #1707. |
|
what about Github's way of doing it? so the information is still there, which can be a problem if the user still wants to delete it, for example:
but now his messages have nothing to do with his account. and of course basic stuff like:
about impersonation: you can see account's registration date to verify identity |
|
also what about Telegram's way of doing it? |
I've looked over the matrix spec and unfortunately
/account/deactivateonly requires for any future login to become impossible. Synapse fulfils the spec, but does not actually delete the account, whicha) leaves the user's data on the server after the user has expressed the intention to never use this account again
b) leaves the user id taken (i.e. future registration attempts on it fail with "M_USER_IN_USE")
Either
/account/deactivateshould completely wipe any data belonging to that account from the homeserver, or there should be a second endpoint/account/deletethat does this.Keeping account data from people who specifically want to cease using one's service seems shady at best in terms of privacy policy and technically impractical at worst, since it accumulates data that
a) isn't required for the continued function of the service
b) takes up increasing storage space for no apparent benefit to the service
The text was updated successfully, but these errors were encountered: