Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic:  Should we purge old & unused accounts?  (Read 7475 times)

Offline vinzv

  • Administrator
  • User
  • *****
  • Posts: 160
Should we purge old & unused accounts?
« on: 2022/04/30, 00:49:21 »
I just came across this posting over at Bunsenlabs forum which I found interesting. Quoting:

Quote
We'll shortly delete all forum accounts that match the following criteria:
We'll delete all accounts which both have zero posts and have not been logged in to after 2021-04-01.

So I poked around the member list on our forum and gathered some figures:

Data

1. We currently have 2.010 activated accounts on this forum.

2. Of them there are...
  • 1.620 accounts with 0 posts and older than 1 year
  • 900 accounts with 0 posts and no login since 1 year
  • 420 accounts with 0 posts older than 1 year with 0 logins
  • 1.350 accounts with 0 posts and older than 2 years
  • 1.320 accounts with 0 posts and older than 2 years and no login since 2 years

3. Data stored for each account is at least:
  • username
  • "real" name
  • password (hashed)
  • email adress (which often reveals their real-real name...)
  • IP and hostname of their last visit

4. Furthermore, what's stored more often than I'd had expected:
(I only did some spot checks.)
  • location
  • sex
  • language

Resulting consequences

So all in all that's a relatively huge number of accounts and therefore quite a big set of personal data. With all consequences and liabilities for the siduction core team. Which is also covered in a way by the Bunsenlabs people:

Quote
The purpose of this exercise is to get rid of personally identifiable information associated with these dormant accounts such as email addresses and nicknames: Passive readers can always view the boards anonymously without signing up, and the best data protection for user data is simply not having any data on file. Also, if the user is not using the forums (as indicated by the 1+ year absence), we shouldn't continue storing the data as there doesn't seem to be a reason for that anymore (discontinued usage).

While this is all correct, it leaves out data protection laws (GDPR) that demand to store data as short as possible while. Furthermore, it recommends establishing review and deletion processes.

My proposal

So I want - and somehow we have to - do that "data hygiene" over here as well. But I'd like to add some additional steps:

  • Remind all users with no login for 6-12 months of their account and ask them to come back. Add a way for them to delete their account rightaway.
  • Send out an informational note about anonymous reading possibilities (e.g. RSS feeds) to all accounts inactive/no post >1 year. Add a way for them to delete their account rightaway.
  • Send out a reminder to all accounts with no login and no posting for >1 year, that their account will be deleted soon.

Any thoughts on that? Otherwise, I maybe will just go for it... ;-)

Offline fams

  • User
  • Posts: 42
Re: Should we purge old & unused accounts?
« Reply #1 on: 2022/04/30, 10:55:19 »
Just necessary imho (GDPR).
Good plan.

Offline edlin

  • User
  • Posts: 615
Re: Should we purge old & unused accounts?
« Reply #2 on: 2022/04/30, 11:02:05 »
Gute Idee.
Ich würde in der E-Mail eine eindeutige Frist (14 Tage?) setzen, innerhalb derer ruhende Accounts wiederbelebt werden können.
Hinweis, dass die Nutzer nichts unternehmen müssen, wenn man seinen Account inklusive der damit verbundenen Daten verfallen und löschen lassen will. Dies erspart das rücksetzen von Passwörtern (viele werden ihres nicht mehr kennen) und die Fragen, wie und wo man seinen Account löschen kann.

Good idea.
I would set a clear deadline (14 days?) in the email within which dormant accounts can be reanimated.
Note that users do not have to do anything if they want their account, including the associated data, to expire and be deleted. This saves resetting passwords (many will no longer know theirs) and the questions of how and where to delete their account.

edlin
« Last Edit: 2022/04/30, 11:08:24 by edlin »
Der Kluge lernt aus allem und von jedem,
der Normale aus seinen Erfahrungen
und der Dumme weiß alles besser.

Sokrates

Offline DeepDayze

  • User
  • Posts: 461
Re: Should we purge old & unused accounts?
« Reply #3 on: 2022/04/30, 20:18:42 »
Totally in agreement with this idea as it will reduce the attack surface in case of a breach. Sending out a mass email to those old inactive accounts is one way to make members aware and if they want to keep their account active they should at least log in once each year or if they forgot their password or no longer have access to the email account used at registration there should be instructions (in both English and German).

Offline vinzv

  • Administrator
  • User
  • *****
  • Posts: 160
Re: Should we purge old & unused accounts?
« Reply #4 on: 2022/05/08, 21:52:20 »
Thanks for the input and the affirmation, all. I'll be starting the cleanup process soon.

Offline vinzv

  • Administrator
  • User
  • *****
  • Posts: 160
Re: Should we purge old & unused accounts?
« Reply #5 on: 2022/05/09, 22:41:17 »
Quick update: Currently I'm sending out the initial mail to ~1.700 accounts.

Furthermore, I found a way to automate the whole process. \o/
Once the initial cleaning is done, I will set the forum up in a way that:
  • every account not logging in for 6 months will get one reminder
  • after that passing 15 days the account will get deleted
All that is done with no interaction, which gives us a valid data handling strategy to comply with GDPR.