Welcome to Codidact Meta!
Please allow a user to permanently delete their account
Please allow a user to permanently delete their account, without the current mechanic of writing an email to the support, writing another email for approval, etc.
Please just have a simple button to permanently delete the account.
2 answers
The current email path (and asking you to prove you control the account, because email can be spoofed) is a stopgap. We do want to allow you to delete an account more directly. If you could make the request from the site, for instance, then the fact that you're signed in would already demonstrate control of the account, so we could skip that confirmation step.
It's not quite as simple as "just delete the account on request", because we want to have some mitigation for abuses like serial spam/trolling. If you delete and immediately re-create an account, for instance, that's something we would want to be able to record, so that we can tie the activity of the two accounts together internally. We haven't built that tooling yet, or even worked out what exactly it should include, so currently account deletion includes somebody taking a quick look for suspicious activity first.
We want to give community members as much control as possible; it's part of our raison d'etre. We also want to protect communities from "easy" abuse, because supporting communities is also part of our raison d'etre. I'm sorry we don't yet have better tooling for the latter that would help the former, but we do aspire to get there. We're not trying to nanny or second-guess you; this is just the best we can do right now. It's not ideal and it doesn't scale.
Update (2022-12-28): we now have soft deletes, which mitigates the abuse concerns (the data is still in the database, just not shown). The remaining piece is a "delete profile" option for the user, which should probably send email with instructions for how to change your mind and maybe a time limit for doing so.
I'm going to be a bit contrarian here.
First, don't get me wrong. I am not arguing that a user should not be able to delete their own account. Of course a user should be able to delete their account. Besides all the reasonable arguments, that's a pretty firm requirement in the EU GDPR.
However, let's not go overboard by making it too easy.
Account or profile deletion, done properly, is very much a destructive operation that cannot easily be undone.
Destructive operations typically come with safeguards. In the real world, you have everything from locked cabinets and guarded switches to multiple distinct inputs required that cannot be performed by the same person (for example, by being placed far enough apart that one person cannot reach both at the same time, yet both must be done simultaneously). All of those serve to protect against accidental activation of or exposure to the thing in question.
This doesn't mean that it can't appear to visitors as though the account has been deleted immediately. But the rightful account owner should:
- be required to provide their current password immediately before the "delete my account" function takes any effect
- be provided with an "undo" of some kind for some reasonable amount of time
- be notified elsewhere (for example, by email to the address associated with their account) that their account/profile is about to be deleted, including simple, actionable instructions on how to stop that process
The first helps ensure that the person in front of the computer at the time is someone who actually has access to the account password. It protects against session hijacking or just someone taking advantage of the fact that the account holder didn't lock the computer while stepping away for a few minutes.
The second ensures that if the user changes their mind, they have a window of opportunity within which they can recover their account. This doesn't have to be much; I imagine 2 to 7 days would be plenty.
The third ensures that in case of unauthorized access to the account, it's not as easy as just clicking a "delete my account" button for someone other than the rightful account holder to cause havoc even if, say, the browser autofills the password or the password is known. To delete the account, an attacker would then also have to intercept and somehow either prevent delivery of or delete that notification email, raising the bar a fair bit.
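The two answers above describe the same flow from different angles: a soft delete that keeps the row (so abuse tooling can still tie it to a re-created account) and a hard delete only after a grace period, gated by password re-entry, an undo window and an out-of-band notice. The following is an added example, not Codidact's code; the in-memory store, the outbox that stands in for email, the 7-day grace period and the `T0` timestamp are all assumptions chosen for illustration.

```python
# Added example (not Codidact's code): a soft-delete account flow with the
# three safeguards from the second answer (password re-entry, grace period
# with undo, out-of-band cancellation notice) and the soft delete from the
# first answer's update. Store, outbox and timings are constructed here.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

GRACE_PERIOD = timedelta(days=7)  # assumed; the answer suggests 2 to 7 days
T0 = datetime(2022, 12, 28, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    password_hash: bytes
    deleted_at: Optional[datetime] = None      # set while deletion is pending
    cancel_token_hash: Optional[bytes] = None  # hash of the emailed undo token


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; a memory-hard KDF is preferable in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AccountStore:
    """In-memory stand-in for the database, plus an outbox standing in for email."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []  # (recipient, message)

    def create(self, username: str, email: str, password: str) -> Account:
        salt = secrets.token_bytes(16)
        acct = Account(username, email, salt, hash_password(password, salt))
        self.accounts[username] = acct
        return acct

    def is_visible(self, username: str) -> bool:
        # Visitors see the profile as gone as soon as deletion is requested.
        acct = self.accounts.get(username)
        return acct is not None and acct.deleted_at is None

    def request_deletion(self, username: str, password: str, now: datetime) -> str:
        acct = self.accounts[username]
        if acct.deleted_at is not None:
            raise ValueError("deletion already pending")
        # Safeguard 1: re-authenticate right before the destructive action,
        # so a hijacked or unattended session alone is not enough.
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
            raise PermissionError("password re-entry failed")
        # Safeguard 2: soft delete. The row stays for GRACE_PERIOD so the user
        # can undo, and so abuse review can still correlate it with a new account.
        token = secrets.token_urlsafe(32)
        acct.cancel_token_hash = hashlib.sha256(token.encode()).digest()
        acct.deleted_at = now
        # Safeguard 3: out-of-band notice carrying the only copy of the undo secret.
        deadline = (now + GRACE_PERIOD).isoformat()
        self.outbox.append((acct.email,
                            f"Your account will be permanently deleted on {deadline}. "
                            f"To keep it, use cancellation code {token} before then."))
        return token  # returned here only so the caller/test can exercise the undo path

    def cancel_deletion(self, username: str, token: str, now: datetime) -> bool:
        acct = self.accounts[username]
        if acct.deleted_at is None or acct.cancel_token_hash is None:
            return False
        if now >= acct.deleted_at + GRACE_PERIOD:
            return False  # window closed; the purge job will remove the row
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, acct.cancel_token_hash):
            return False
        acct.deleted_at = None
        acct.cancel_token_hash = None
        return True

    def purge_expired(self, now: datetime) -> List[str]:
        # Hard delete only once the grace period has passed.
        expired = [u for u, a in self.accounts.items()
                   if a.deleted_at is not None and now >= a.deleted_at + GRACE_PERIOD]
        for u in expired:
            del self.accounts[u]
        return expired
```

Only a hash of the cancellation token is stored, so a read of the database during the grace period does not hand over the undo secret; the purge job, not the request handler, is the only code path that removes the row.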