Thursday, March 31, 2016

The right to delete your own data

After I left higher ed in December to work in government, I suddenly became aware of all my online accounts that were tied to my University email address. While I am an alumnus of the University of Minnesota, so my email won't go away until I stop using it, I realized I should delete some of my accounts that only relate to working in higher ed.

So I have been going through my list of accounts, every week logging into the old account and finding the "Delete my account" function. I'm pleased to report that most websites allow you to remove your own account when you are done using it. Even if there isn't a self-service method to delete your account, most websites will remove your account upon request if you ask via their "Contact Us" form.

However, not all websites let you leave their network, or even to delete your account data. It's like an online Hotel California where "You can check out any time you like / But you can never leave."

It's disturbing to me that some websites make it impossible to remove my account. While I can understand that some systems are just not set up to accommodate deleted accounts (Wikia tracks edits by account, for example) at least most websites don't actually store personal information.

But some websites do keep personal information about you, and they don't let you delete your account or remove (or edit) your own personal data after it's in the system. This should be a large concern for anyone these days. Data breaches are (unfortunately) too common.

Data breaches have become such an issue that you can find other websites such as Have I Been Pwned? to discover if you have an account that has been compromised in a data breach. Enter your email address (like you'd use to login to a website) and haveibeenpwned will tell you when and where your data was accessed by hackers.

Do you want your personal data out there if that website is breached? If you can delete your own account when you stop using it, then you can minimize your risk if the website is attacked. If you can't delete your own data, you can only hope the website doesn't get breached.

The website that's causing me the biggest headache is Educational Testing Service (ETS), the people who run the Graduate Record Examination (GRE) when you apply to graduate school. They also manage other exams. I took the GRE in late 2011 before I entered my Master's program in Spring 2012. As far as I know, I haven't accessed my account since then—until now, anyway. After finding no option to remove my own account, I contacted ETS last week (March 2016) to request they delete my account for me. I received this reply:
Thanks for your message! Unfortunately the MY GRE Account can not be deleted. Please note, it will drop out of the system as long as there is no access with the account.
It's unsettling to have an account out there that I cannot remove. Especially one like ETS, which by its nature needs to know several personally identifying details about you so they can verify your identity for any exams you take through them. If the ETS website is ever hacked, my personal information is out there. As will be thousands of other users who have taken the GRE or other exams.

We need to have the right to delete your own data. If it's your data, you should have the right to have it removed from a website's systems after you stop using their service.

I know some this is technically impossible, for some websites and for specific types of data. For example, Facebook stores some of your data (such as photos) on BluRay discs. And BluRay is a write-only medium. But there's a middle ground, a best-case scenario. Sure, maybe Facebook can't delete the data on the BluRays, but if I stop using their service, they should be able to delete my account and all my metadata that refers to data on BluRay.

I consider the right to delete your own data an emerging issue. The right to delete your online accounts reduces our risks to data breaches.

I also see this benefiting future generations. When I was growing up, the Internet didn't exist. We didn't have Facebook or Twitter or Instagram or the plethora of social media websites we enjoys today. When we took a photo of ourselves doing something stupid (as all teens do) the record of that act didn't proliferate. The only photos might get tossed out, and the negatives eventually lost. By the time we got our first jobs, employers couldn't see the embarrassing things we did in our wonder years of middle school, high school, and college.

But today's generation takes photos of everything they do. And they post those photos online. And if you cannot delete your own account, those photos continue to be available for others to see.

We need the right to manage and protect our personal information. We need the right to delete our own data when we stop using a website.

I'm planning to reach out to US Senator Franken (my Senator) on this issue. I think it's something worth fighting for. I hope you'll support me!
If you live in Minnesota, please contact Senator Franken's office (phone or email) and ask him to support the right to delete your own data. You can also tweet to him via @alfranken.

If you live elsewhere, I encourage you to reach out to your own Senator and ask that they support the right to delete your own data. Feel free to use the reasons I've shared here.
image: Sammynetbook (cc-by)

No comments:

Post a Comment