
SANS ISC: Allow us to leave! - SANS Internet Storm Center SANS ISC InfoSec Forums


Allow us to leave!

Here's one yardstick that I use before signing up for any new online service: I first search the Interwebs for stories from users who tried to close their account and to leave the same service, and were given a hard time. I understand that commercially it is "rewarding" to show 300 million subscribers, even if 90% of them are stale accounts. But from a privacy and data security point of view, it does NOT make any sense for a user to leave an account behind that he/she knows for sure will never be used again. Some services, also larger ones, are handling this issue professionally, and have a decently findable link on their home page that allows the closing of an account and deletion of stored data. Others ... give you the run-around via six levels of customer "service", and in the end, they basically change your username to username.inactive, but leave everything else as-is. And keep spamming you, too.

If you have stories to share about online services that don't let you leave, please do so below. Keep it PG-13 and factual, please, but if a little ire shines through, we understand ...

Daniel

367 Posts
ISC Handler
Let's start with one company that I've publicly shunned in the past ( http://alexstanford.tumblr.com/post/31336099656/godaddy-a-disgrace-to-telecom ) and can barely hold my tongue from bashing: GoDaddy. Admittedly, domain transfers are a slightly different topic, but I think the same morals apply.

In a seemingly past life, I managed domains for many companies. I'll never forget when the whole SOPA/PIPA thing was going on and I had dozens of clients finally ready to take my advice and transfer away from GoDaddy. Of course, ( and in spite of http://www.icann.org/en/news/announcements/advisory-03apr08-en.htm ) GoDaddy misleadingly holds a domain hostage for ~90 days after any change of WHOIS contact information. I had clients either jumping through hoops with GoDaddy's support, or simply giving up, due to this practice. I wholeheartedly believe that this is their intention: make it hard to leave while still attempting to seem legitimate to the uneducated consumer whom they target. I no longer use GoDaddy or manage domains that do, so it's possible they have abandoned this practice, but I doubt it.

Anyway, I digress. :)
Alex Stanford

154 Posts
The latest Fortune magazine that just arrived in our mailbox tonight has an article about how GoDaddy is trying to change itself. Stalling domain transfers was not discussed.
Alex Stanford
22 Posts
The website: http://justdelete.me/ was created in order to provide details to users about how hard or easy it is to close accounts with specific websites.

It also provides details of how to close accounts, when the company behind the website is not very forthcoming on how to "close your account" or "unsubscribe from their services".
Alex Stanford
3 Posts
Deleting a skype account is not really possible... so just put garbage in all the fields. Funny.

https://support.skype.com/en/faq/FA142/can-i-delete-my-skype-account
dveeden

3 Posts
I went through this a number of years back when my father passed away. I took ownership of his email account and tried to go through and shut down his numerous accounts across the net. Primary concern was to make sure that no one hacked his accounts to take his identity and/or ruin his reputation.

The numerous private forums and communities around the internet are generally the biggest offenders. They have neither a policy nor a procedure for removal of your account, and in many cases don't have a technical solution for removing an account as their database requires an account be associated with posts.

Many don't have a policy or procedure and aren't very responsive to these types of requests. For example the numerous automotive based forums run by Gigathreads don't have anything in their policy, FAQ, etc on how to go about locking or removing an account. And numerous attempts to contact them via their "contact us" didn't get a response.

On other forums I got very nice replies stating that while they run the forum they have absolutely no clue how to disable/remove an account. In some cases the only solution was for them to put the account on a list of "banned" individuals as that would keep the account from being logged into or used in the future. But getting his account put on a "banned" list seemed counter to my whole purpose which was to shut down his accounts to protect his identity and reputation.
pktman

14 Posts
It has always irked me that so many web sites and organizations will tout their Privacy and Security Statements. Going so far as to have a user agree to the terms of the statements. But I find it difficult to find wording in these statements that provides policy or instruction on how a user can request termination of an account in a permanent and conclusive manner.

The reason a user wants to terminate and delete an account should never be a question.
It should be the right of a valid user to end any relationship with an organization conclusively for any reason they deem viable. In other words, once a user properly announces the explicit desire to end a relationship with a web site or organization, that any accounts that exist for that user be disabled and eventually deleted from the systems where it resides within the web site or organization. No questions asked.
I can understand where maybe an account is disabled for a period of time, but during that period, the account should not be allowed to be used for any other purposes, to include mailing/marketing lists.

I also wonder if the BBB.org folks have standards regarding this subject. I know the BBB is not the only resource for business practice reporting, but they do have some track record in that regard.
AlSitte

28 Posts
ICANN sets the majority of the regulations and requirements that GoDaddy follows. See URL below:
http://www.icann.org/en/resources/registrars/transfers/name-holder-faqs

ICANN requires a mandatory 60 day lock/hold on domain transfers or new registrations. GoDaddy was just taking this a step further by locking the domain when the contact information was changed on a domain in order to help prevent domain hijackings.

I worked at GoDaddy for 5 years and have seen it happen. An account is compromised due to a weak user password, or stolen password. Domain contact info is changed to person stealing domain, domain transfer is initiated, thief accepts transfer, bye bye domain. I can't even tell you how many calls or emails that were received on a daily basis of people complaining their domains were stolen, and not just at GoDaddy, this was a global problem. It was ridiculous. However GoDaddy does now allow you to lift the 60 day lock, but as you can imagine there are caveats.

I make a point to ensure my contact information is up to date, and I also make any changes well in advance of any transfers. Usually it is people making last minute transfers, or otherwise last minute decisions without any planning that run into issues with domains.
Trenton

1 Posts
I agree and in my opinion, there should literally be a "law" that mandates every online service/website to provide an easy way for users to delete their account along with all of their data. The problem is that most Terms of Service (usually for "free" services) specifically state that your data belongs to the company/service and it is basically your payment for the free service.

That said, this is what I usually do to delete an account that I can't delete:

1) I delete all possible data from the service. If not possible, I replace it with bogus data/information.
2) I update or change all of my personal info as well and replace it with bogus info. This includes name, address, email, and if possible, username.
3) Finally, I change the account password to a password that is so complex that it'll never be remembered or used again.

* Caution, sometimes it's best to change your email address last, as a confirmation email will be sent to your new bogus email address. That's why it's important to use an email address that you know for sure is bogus. I.E. Bob-1234567890-deleted@abcd-domain-that-doesnt-exist-at-hello.org

Click save and you've gotten as close to a "deleted" account as possible.
da1212

69 Posts
I find that very strange, pktman. Most forums let you delete a user's account very simply. Heck, you can even create a group that they belong to that doesn't let them log in, or just lock the account -- all depends upon the forum software. But in this day and age, where you can one-click deploy a forum with no real technical background, administration is a lost cause.
Darron Wyke

20 Posts
Just out of curiosity: What is SANS policy for deleting accounts?

I'm currently looking at the "My Information" page, and I don't see anything on there that looks like a link or button to allow deleting (or even just closing) my account.

(I'm not actually planning on closing this account, but explaining your policy seems like it would be a good opportunity to lead by example.)
whurlitzer

13 Posts
