Invision Community 4: SEO, prepare for v5 and dormant account notifications By Matt Yesterday at 02:04 PM
Greenman Posted September 27, 2017 Posted September 27, 2017 It would be great if there was a built-in option for members to close their account. This function would need three permission settings and an option to delete or leave their content. Off Members can close Admin to approve It would be so useful and save a lot of time for administrators. If someone wants to leave, there is no point forcing them to stay as they are of very little use. Thanks, Si
opentype Posted September 27, 2017 Posted September 27, 2017 Yeah, it’s almost funny how this simple and obvious feature gets ignored in US-based forum software for so long. It’s like as if the logic is “if we didn’t add it in the last 20 years, we won’t start now”. ;-) Luckily, there is at least a 3rd-party solution:
Management Lindy Posted September 28, 2017 Management Posted September 28, 2017 I've never quite understood the notion that not deleting someone's account is the virtual equivalent to locking them in your basement and holding them against their will. Perhaps it's a US vs EU cultural difference, but generally, if I don't want to use a site anymore, I just... stop using it. Beyond that though, I recognize it's a preference and as an admin, if you want to delete a user's account, more power to you. It's important to remember, however, we're not just a forum company -- people can use our software to perform financial transactions. As a US-based company, I am not familiar with the rest of the world's financial record retention requirements, but in the US, you can't just willfully destroy customer data, even if the customer says pretty please. Further, there are other considerations - as a provider, we've processed hundreds of subpoenas and warrants over the years (as have clients) and many are preceded by an order called "motion to preserve evidence" that demands we retain data for X days, or even months. Certainly, those cases do not happen every day for us, but it would be quite unfortunate for an admin to receive such an order and often, the subject is aware of the investigation and deletes or requests to delete their account (and an admin, perhaps not site owner) approves it. Or you undergo a financial audit and suddenly, you're missing blocks of financial data because you let users delete their data and you can no longer correlate credit card transactions to purchases. Yes, it's not uncommon for social sites to allow you to delete your account. Once money is involved, however, it's trickier. Account deactivation would not be a problem. I don't see an issue with disabling an account, ensuring a disabled account cannot be emailed, etc. For account deletion, I would be more inclined to add a link under account deactivation "want to delete your account entirely? please <contact us.>" That is still in compliance with the GDPR and presumably, you aren't getting requests to delete accounts regularly or you may have bigger issues. If you would still prefer to completely automate users deleting their own accounts, I think the third party resources mentioned would be the best course of action for you.
opentype Posted September 28, 2017 Posted September 28, 2017 If the “cultural aspect” is hard to convey, you can just think of it in terms of usability. The functionality of deleting accounts is there anyway and it is being used. So we don’t necessary need to use red herring arguments and discuss whether deleting account is a good idea to begin with or what reasons there might be for users to request deletions all the time. The software has all sorts of approval queues, mass moderation actions and so on. It doesn’t say: “To sign up on our site, please write an email to this address and an admin will manually create an account for you“. You simplify and automate the process to get people on the site and you can do the same for leaving the site or pausing the use. It’s as simple as that.
-FP Posted September 28, 2017 Posted September 28, 2017 I had a few members wanting me to delete their accounts. I did the first few times. The problem with this is that in many cases these members have content that if deleted, would alter the flow of a topic/conversation. So then I decided to add a few policies to our Sign Up terms. A specific one informed that accounts are not deleted on demand. Aftet that, some people threatened me with their lawyers for "vulnerig their right to privacy". I talked to a lawyer friend of mine and he concluded that their claims are basically bullcrap. At least in my country you are not vulnering a person's privacy if you can't physically identify the person or their identity. So solely their email or some random internet picture as an avatar doesn't count. It would be different if they posted a real picture of them or if they were dumb enough to post their ID or something like that. In which case you'd just get rid of that information. In the end nothing happened with the threats. Fun times though, people get so paranoid and upset over silly things.
Management Lindy Posted September 28, 2017 Management Posted September 28, 2017 7 hours ago, opentype said: The software has all sorts of approval queues, mass moderation actions and so on. It doesn’t say: “To sign up on our site, please write an email to this address and an admin will manually create an account for you“. You simplify and automate the process to get people on the site and you can do the same for leaving the site or pausing the use. It’s as simple as that. Of course signing up is easy. Signing up does not disrupt discussion and content flow. Signing up does not destroy content and records. Surely, you want people to freely join. As I said, account deactivation is fine and would be easy enough to implement. To do properly, to our standards, an account self-deletion system would be more complex - it would require a request and approval system (both on the admin and the user side to prevent "hacked" and accidental deletion), provisions in other apps such as Commerce for the previously mentioned reasons, etc. I'm not saying we will never do it, but we prioritize functionality that encourages people to join and stay on your site, not leave it.
opentype Posted September 28, 2017 Posted September 28, 2017 2 hours ago, Lindy said: Signing up does not disrupt discussion and content flow. Signing up does not destroy content and records. … he said, quoting from the post that also said: 10 hours ago, opentype said: The functionality of deleting accounts is there anyway and it is being used. So we don’t necessary need to use red herring arguments and discuss whether deleting account is a good idea to begin with …
Joel R Posted September 28, 2017 Posted September 28, 2017 8 hours ago, opentype said: … he said, quoting from the post that also said: Party in the Basement!! True picture of the IPS Basement.
Management Lindy Posted September 29, 2017 Management Posted September 29, 2017 9 hours ago, opentype said: … he said, quoting from the post that also said: Yes... and it's a function within the AdminCP, not a user-initiated function. There's a pretty significant difference there. Yes, absolutely, we could throw a quick "delete your account" function together. We're not going to do that. If we were to incorporate a user-initiated function that led to the account and content being destroyed, it would have to be a far more thought out system than what you're thinking as a single client. @Makoto's app https://invisioncommunity.com/files/file/8571-account-deactivation/ is really quite comprehensive and I'm confident involved a fair amount of development time and we'd have to take it even further to address things like Commerce. I'll reiterate one last time -- I'd rather our development efforts be spent on people joining and staying on your site than leaving. Account deactivation is something we can look at. If you want to truly automate account deletions, you'll need to rely on a third party method to do so as I don't envision being able to justify working this into a roadmap item in the foreseeable future. In short: account deactivation - yes, I will log that as an internal feature request. Automated self-deletion - I'd suggest a third party solution for now.
Makoto Posted September 29, 2017 Posted September 29, 2017 Yes, my account deactivation application is one of the applications I've sunk the most time into. It is very comprehensive and prioritizes features to prevent abuse or "hacked" account deletions as @Lindy referenced. It's written with extensive testing and such in mind as well, which is run with every new release to ensure all of the security features remain working properly with every update. It sounds like a simple enough feature to add, but it takes a lot of care and work to ensure it's done properly and safely.
opentype Posted September 29, 2017 Posted September 29, 2017 2 hours ago, Lindy said: Yes, absolutely, we could throw a quick "delete your account" function together. We're not going to do that. I’m fine with that (since we have 3rd-party solutions). I mostly questioned the justifications presented above. But we are going in circles in that regard. So I stop.
Colonel_mortis Posted September 29, 2017 Posted September 29, 2017 On 28/09/2017 at 6:49 AM, Lindy said: As a US-based company, I am not familiar with the rest of the world's financial record retention requirements, but in the US, you can't just willfully destroy customer data, even if the customer says pretty please. On the contrary, it is my understanding that, at least in the EU and Canada, we are required by law to remove information about a user if requested.
Makoto Posted September 29, 2017 Posted September 29, 2017 1 minute ago, Colonel_mortis said: On the contrary, it is my understanding that, at least in the EU and Canada, we are required by law to remove information about a user if requested. Personal information from their profile, maybe. But deleting all of their posts and everything else, I doubt it. I even have a specific clause in my Terms of Service to act as a protection against such claims, Quote You hereby grant (and you represent and warrant that you have the right to grant) to Community an irrevocable, nonexclusive, royalty-free and fully paid, worldwide license to reproduce, distribute, publicly display and perform, prepare derivative works of, incorporate into other works, and otherwise use and exploit your User Content, and to grant sublicenses of the foregoing rights, solely for the purposes of including your User Content in the Site. You hereby irrevocably waive (and agree to cause to be waived) any claims and assertions of moral rights or attribution with respect to your User Content. It's a bit aggressive, but it leaves no room for dispute or argument.
opentype Posted September 29, 2017 Posted September 29, 2017 Just now, Makoto said: But deleting all of their posts and everything else, I doubt it. It depends on the nature of the content. It might count as intellectual property, which the user has rights on. But that might also conflict with the terms of service which tell the user upfront there is no content deletion … It might depend on the country or the specific court case, which one would top the other. It’s a complicated matter. But it is really bugging me that these things are usually not separated in these discussions. There is content deletion and there is account deletion, which may or may not happen at the same time. If people ask for account deletion options (e.g. to obey local laws regarding personal data), we always here that this would destroy the discussion, because we rip individual posts from longer discussion. No it doesn’t if just the account is deleted and the posts remain as guest posts.
Joy Rex Posted September 29, 2017 Posted September 29, 2017 I think that IPS should ensure their software complies with (and at best, offers built-in solutions to address) GDPR and PII concerns, as they are selling software to customers that may not understand laws in various countries governing users' rights over their personal information. If anything, I think it would be beneficial to at least include information regarding these laws so site administrators can ensure they comply with applicable laws where their users reside so they can at least take that information into consideration.
Allen Bradford Posted September 29, 2017 Posted September 29, 2017 My 2 cents from a total Admin/Mod perspective. FWIW...In my experience running a Board for over 15 years is....that when a Member wants to Delete their account it is often a spur of the moment, emotional decision. Typically they are angry at another Member or something that was written on a Forum. (Of course there are other solid reasons) When contacted I tell them that I don't hold Members hostage, but to understand Deleting their account won't necessarily remove all their content, but they will be noted as a Guest on their Posts etc. I also ask if they would share the reason why, and if there is anything I can do to solve any problems. Sometimes they tell me the issue which I mitigate, some say to hold off for now, and some tell me to please Delete their Account. I then tell them I will do that as soon as I perform some Board Admin work. This creates a small window or grace period like a day or two. The vast majority of the Members who request to complete the Deletion of their account get back to me wanting to stay a Registered Member. They cool off and change their minds. Of course, that personal touch and some might argue manipulative moderator approach might not work in a huge online community or if there are a load of Delete account requests.
opentype Posted September 29, 2017 Posted September 29, 2017 Good point. An account deletion option can certainly have a grace-period build in, as some web services already have it. The account will be hidden instantly, but the deletion will only happen after 14 days (for example). Until that time, the user can come back and cancel the deletion request, which restores the regular account.
Makoto Posted September 29, 2017 Posted September 29, 2017 Yep. My account deactivation application supports grace periods for account deletion request as well. Additionally, during the grace period the account is considered deactivated and the only way the user can access the account again is to abort the deletion request on login. This can also be combined with required moderator approval (where the grace period starts after a request has been approved).
Management Lindy Posted September 29, 2017 Management Posted September 29, 2017 1. We will explore account deactivation further. 2. We can add a blurb "if you wish to close your account, please <contact us.>" The GDPR requires you address account deletion requests no more than 30 days after submission. There are no requirements to automate this process or provide instant deletions. 3. There are too many considerations to develop anything less than a comprehensive, proper solution and that would take an amount of development time that doesn't make sense (to us) to allocate at this juncture. There are third party solutions to handle a robust, automated account removal system and again, we'd rather focus our efforts on people joining and using your community, not leaving it. We appreciate the feedback and the dialogue. This is unfortunately going in circles - feedback has been provided, we have addressed it and are considering a partial implementation of the original request and now it's simply time to move on. Thank you.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.