Welcome to Codidact Meta!
Codidact Meta is the meta-discussion site for the Codidact community network and the Codidact software. Whether you have bug reports or feature requests, support questions or rule discussions that touch the whole network – this is the site for you.
Comments on Please allow a user to permanently delete their account
Parent
Please allow a user to permanently delete their account
Please allow a user to permanently delete their account, without the current mechanic of writing an email to the support, writing another email for approval, etc.
Please just have a simple button to permanently delete the account.
Post
I'm going to be a bit contrarian here.
First, don't get me wrong. I am not arguing that a user should not be able to delete their own account. Of course a user should be able to delete their account. Besides all the reasonable arguments, that's a pretty firm requirement in the EU GDPR.
However, let's not go overboard by making it too easy.
Account or profile deletion, done properly, is very much a destructive operation that cannot easily be undone.
Destructive operations typically come with safeguards. In the real world, you have everything from locked cabinets and guarded switches to multiple distinct inputs required that cannot be performed by the same person (for example, by being placed far enough apart that one person cannot reach both at the same time, yet both must be done simultaneously). All of those serve to protect against accidental activation of or exposure to the thing in question.
This doesn't mean that it can't appear to visitors as though the account has been deleted immediately. But the rightful account owner should:
- be required to provide their current password immediately before the "delete my account" function takes any effect
- be provided with an "undo" of some kind for some reasonable amount of time
- be notified elsewhere (for example, by email to the address associated with their account) that their account/profile is about to be deleted, including simple, actionable instructions on how to stop that process
The first helps ensure that the person in front of the computer at the time is someone who actually has access to the account password. It protects against session hijacking or just someone taking advantage of the fact that the account holder didn't lock the computer while stepping away for a few minutes.
The second ensures that if the user changes their mind, they have a window of opportunity within which they can recover their account. This doesn't have to be much; I imagine 2 to 7 days would be plenty.
The third ensures that in case of unauthorized access to the account, it's not as easy as just clicking a "delete my account" button for someone other than the rightful account holder to cause havoc even if, say, the browser autofills the password or the password is known. To delete the account, an attacker would then also have to intercept and somehow either prevent delivery of or delete that notification email, raising the bar a fair bit.
3 comment threads