For some time now I have been trying to clean up my digital footprint by requesting deletion of accounts and associated data for unused accounts, and being critical about which accounts I actually benefit from keeping. This turned out to be far more time consuming than I imagined beforehand.
I’ve been using a password manager for about a decade, so I have a fairly good overview of a lot of the accounts I’ve opened over the years. However, while privacy has always been important to me, I was more concerned with increasing governmental surveillance rather than corporate surveillance for many years. So over the years I’ve signed up uncritically to a large number of services. Most of these do not have much data about me, but my username has generally been reused, along with e-mail and sometimes phone number and other more sensitive data. This of course doesn’t take into account all those minor services I’ve signed up for with e-mail + reused password. I have no control over those…
Now GDPR thankfully makes the job of cleaning up the accounts I do have control over a lot easier, because I doubt many of these services would even let me delete my account if not for it. However, it does not regulate enough how easy this process should be, and there are so many different ways companies implement this. From extremely convenient and easy ways of exporting all data and deleting the account, such as implemented by Strava (kudos to these companies!), to the worst offender of them all: British Airways… Until recently you would have to send an actual letter to their data protection offer with a copy of your passport (yeah right…). Sometime this year they’ve changed this, so now you just have to upload a picture of a letter to their document’s portal, but since that is borked, I can’t even access it to complete the deletion request. Apple also rejected my deletion request for an unknown reason, and I had to spend 45 minutes on the phone with them to understand that a cancelled, but still active subscription (a 1-year subscription that had not expired yet) from the app store, was blocking the deletion. Most are in between these two extremes, and either require that I actively follow up that I get a reply when I send an e-mail to their data protection officer with my request, or have processes that take up to a month to complete.
Of course, cleaning up 10-15 years of uncritical online presence would take a long time anyway, but companies making it hard on purpose to delete your account and data is infuriating, and a testament to a status quo that should burn in hell.
On the plus side: I no longer have accounts with Microsoft and Twitter, accounts with Apple and Amazon should soon be closed. My goal is to have completely phased out Meta and Google by the end of this year, although the communication lock-in of Meta and the fact that my primary e-mail was Gmail for 15 years (I’ve switched two years ago to Proton), makes these transitions a bit more difficult.
If nothing else, this process has made me very conscious about platform lock-in and the “joys” of ecosystems…
I feel you man. Here un Latin America we don’t even have the regulations. My experience here is we are getting blasted with by corporate abuse and our little protection (SERNAC in Chile) we had has stripped apart by some stupid law.
The problem is twofold. The first part is that companies cannot be trusted to act in good faith when it comes to complying with the intent of laws they disagree with. This doesn’t apply to every company, but it applies to enough of them to make life difficult. I think it was Enron who, when ordered to supply prosecutors with emails, opted to print them out and hand over reams of paper that then had to be re-scanned. This is the same approach as companies that require physical mail to delete a record and who only do so for locations where it’s required by law. There’s no reason that it cannot be done more easily with a login and password. When I was deleting my reddit accounts, I had to use a script to delete all of my posts and comments because reddit did not support that functionality.
The second, related problem is that the legislators writing the laws aren’t skilled technologists, and that technology keeps evolving. It’s like having people with no background in finance writing laws to regulate wall street (which also happens). Cynical people might think this is seen as a feature not a bug.
Yes, proper regulation is difficult. My (limited) impression of EU regulation is that they often do have enough technology know-how to make regulations that to a large degree make sense, but not enough for them to be fool-proof. This is at least the case in the industry that I work in, which is also heavily regulated by EU. I don’t know anything about the processes of making these regulations, and whether those shortcomings generally are the result of sneaky lobbying (most certainly this must be the case at least sometimes) or lack of know-how.
I just started this process now. It definitely is a marathon. The plus side is that you get a warm, fuzzy feeling after each piece of data you remove/fuzz!
Agreed with the others that you need to prevent that data getting in the cloud in the first place. This is essential from having to do the clean up again the future.
Not an answer but more of a mitigation strategy.
Duck mail proxy and a password manager that uses its API solves a few of the issues.
Phone number is linked to Google voice so I can change it on the whim.
Absolutely expect this to be an unpopular opinion on c/privacy, but tbh I’ve yet to understand why this high level of privacy is important anyway. Obviously there’s value in protecting your personal information from doxxing, but that doesn’t seem to be the focus very often. It seems like once you go beyond the first couple steps of improving your data privacy, the diminishing returns stack up exponentially. Maybe I’m missing something. I have some basic precautions set up, like auto-deleting cookies. But what’s the reason to care if a few slip through? Targeted ads or not, I’ll still be seeing a certain amount of ads throughout my day, and they all seem equally predatory.
I think the best answer is to stop creating the data and accounts. Everything can come later
Removed by mod
Yeah, it’s about finding the right balance for oneself. I know WhatsApp is very much needed many places, in the same way Facebook Messenger still is here (but to a much lesser degree than before, so there’s hope!). Discord I also have, and will keep, but if I find communities I’m looking for on Matrix instead, I rather go there first. Amazon does not really work well in my country, so that is not a big deal to delete.
Regarding e-mails: to prevent lock-in, I set up custom domains that I use with Proton, that I can easily migrate to another service provider if needed in the future. I have one for personal communications, and use a mixture of catch-all aliases and SimpleLogin for new signups and accounts I want to keep. I also have one domain for semi-anonymous accounts more associated with my “online personas” than my real identity. This fits my threat level nicely.
I have also rid myself of streaming accounts now (last one is heading towards expiration within a couple of weeks). But instead of not consuming any media, I must admit I have taken to piracy again. The goal is to be a lot more conscious about the content I consume - too much time has been spent on mindless browsing for something to watch on Netflix and garbage movies / shows. Now I host Jellyfin locally, and I control exactly what content is there in the first place.
As to your last paragraph, I did not really understand what you are asking about?
Removed by mod
As with all things infosec (and life in general), best practice is to not get yourself into the mess in the first place vs. trying to clean up the mess later. You should have already not had personal data “in the cloud” and should have been using unique identifiers and authentication for every service that you use.
I agree that the it would’ve been best to never have gotten into the mess in the first place, but these are sins of the past that are not undone now. I, like many others, was for a long time ignorant of the extent of data collection, and did not have the knowledge to fully reflect on the potential consequences (I signed up for Facebook as a teenager). And it’s not like all these companies have been very transparent about how much they collect and where the data goes and is used for. The vast majority of netizens still do not fully understand the scope of this, and are also not in a place to be able to apply best practice infosec principles.
My rant is about how unnecessarily time consuming and difficult the process of cleanup is, when you already find yourself in this situation, despite regulations that gives you the right to have your data deleted. Most people would not want to spend this amount of time on this, and as such, the tactics applied by these corporations work.
I feel your pain. I’ve been trying to clean my digital life up and it is almost overwhelming. I’ve only been working on it for a month or so in my spare time but it’s a collosal PIA. I wish every site that had a create account button had an equally obvious and easy to click delete account button.
That’s common knowledge now but some of us have been around since the beginning of the modern internet when corporate data collection wasn’t even a thing. The privacy invasion was a slow creep that some of didn’t notice until it was too late. The 198 accounts in my password manager are only the last ten years or so of accounts. I’ve been online since the early 90s and can’t begin to remember what services/sites I was using back then that might have survived or been breached.