
Show HN: Tech Companies That Won't Delete Your Information - fredrikaurdal
https://secured.fyi/naughtylist.html
======
fredrikaurdal
Occasionally I go through my password manager to do a cleanup of accounts I no
longer use. For the simple reason that if any one of those services get
hacked, I don't want to lose credit card- or personal information, and have
that end up in the hands of somebody who shouldn't have it.

In trying to delete a few accounts, some services outright refused to delete
my info, without giving any reason. Therefore, I've decided in to create a
naughty list of tech companies who don't respect your right to your own
information.

There are already 261 sites in the list, but let me know if there are any
other services you think I should add.

~~~
daveid
Why is Mastodon listed as "does not delete account"? Look under Security ->
Delete account

~~~
fredrikaurdal
Updated to Yes - Partially, because don't guarantee deletion of all data.

~~~
daveid
I don't know what you mean. Mastodon deletes _all_ the data from the server,
and sends out delete payloads to other servers that may have stored copies. If
you refer to the fact that some of those copies may remain, then you need to
mark _all_ services as not allowing account deletion because Google may have
caches of indexed profile and post pages.

~~~
fredrikaurdal
Changed, replied to another message.

------
IAmEveryone
Uber needs to be on the list.

They have had employees tracking their Ex's whereabouts. They have publicly
boasted of being able to identify "rides of shame" after your One-night stand.
They collected location information beyond what was necessary to pick you up.

Plus, you know, being union-busting, misogynistic, democracy-undermining,
corner-cutting and pedestrian-killing frat boys. But the reasons above seemed
to be better tailored to the intent of your list.

~~~
fredrikaurdal
What ranking factors would you suggest I add to cover Uber?

~~~
IAmEveryone
One more thing: the Uber help page states that they "permanently delete your
account", but also includes this sentence: "Please note that Uber may retain
certain information after account deletion as required or permitted by law."

Which makes me think that they're deactivating your account and basically
keeping as much data as they can legally get away with.

Since I doubt any of the other companies on your list are openly ignoring the
law and keeping more than permitted, the logical conclusion would be that Uber
is just as bad your top contenders.

~~~
fredrikaurdal
I'm wondering what kind of information, because they are required to keep
accounting records for some time.

The only challenge is how to rank them based on ranking factors.

~~~
cosmie
That covers the "required" part of their statement. But they also have the
weasel phrase "as permitted", which is far more open ended. In much of the US,
for example, the law does not expressly state what steps a provider has to do
to "delete" your account. So implicitly, they're _permitted_ to keep what data
they like.

------
throwawaydelete
This site - hackernews - will not delete your account - full stop.

I sent in a request asking what steps were necessary to have one's account
deleted. I was told this was not possible. This is unreasonable.

And yes, I created this account specifically to post this comment.

~~~
regularhackerer
Could GDPR change this?

~~~
fredrikaurdal
For EU users yes, but for other people kind of, when using EU based services.

~~~
gnode
Does the GDPR actually express a right to account deletion? My understanding
is that it expresses only a right to erasure in a limited set of
circumstances. Given that comments are public, I think it may be possible to
deny the right to erasure on the archival exception.

However, upvotes are currently private, and cannot be removed after some
length of time. I wonder if this would mean they should be made removable (or
at least the record of them in a user's account).

------
edsouza
I didn't see LinkedIn in this list?

A while ago I deleted my account, then recreated my account after a year, and
requested a full backup history, this backup had my old contacts from the
original Linkedin android app gathered from my old phone without my
permission.

~~~
fredrikaurdal
That's really not good, added.

------
bmarquez
One company I would like to nominate as naughty is Newegg. I hadn't ordered
from them in years, and asked to delete or disable my account. They can keep
their old invoices in the system if they want for legal reasons but I didn't
want to log on anymore -- other sellers have processed that request for me.

They repeatedly said "No, we will not disable your account."

And they keep the last address you ordered from in an uneditable field visible
on the website, so you can't scramble it with fake address data. I haven't
seen any other retailer do that.

~~~
fredrikaurdal
Newegg is going on the naughty list.

~~~
the-dude
But NewEgg is famous for not bowing to patent trolls.

~~~
sverige
I have always appreciated them for that, too. Not respecting the desire to
close your account is a separate issue. Fighting patent trolls doesn't make up
for their refusal to let you protect your information.

------
sleavey
Something's up with the site, at least for me. The table content doesn't load
- I see the different options (email, etc.) but no entries. Firefox console
tells me:

\----

Loading failed for the <script> with source
“[https://secured.fyi/analytics/piwik.js”](https://secured.fyi/analytics/piwik.js”):
naughtylist.html:1

The resource at “[https://cdn-images.mailchimp.com/embedcode/horizontal-
slim-1...](https://cdn-images.mailchimp.com/embedcode/horizontal-
slim-10_7.css”) was blocked because tracking protection is enabled:
naughtylist.html

Source map error: request failed with status 404 Resource URL:
[https://secured.fyi/assets/style.css](https://secured.fyi/assets/style.css)
Source Map URL: bulma.css.map

\----

What's wrong with a good ol'fashioned HTML table?

~~~
JepZ
I have problems with FF too (+uBlock Origin +DuckDuckGo Privacy). Loading the
data from Google seems to fail:

    
    
      code	403
      message	Requests from referer https://sheets.googleapis.com/v4/spreadsheets/1A3xz8NFWjebuMbGWvy2yUBKcnAmuZSs5JmKq9-JDss8/values/Email?key=AIzaSyCxiboNdLE5nSch2pdwI3blsfvfyss3Y0M are blocked.
      status	PERMISSION_DENIED

~~~
fredrikaurdal
Read my previous reply.

~~~
JepZ
As you can see from the code in my post, the script runs, but the server
responds with a 403 error. That looks more like the JS is doing the wrong
request in FF. The problem seems to be the referrer. For comparison:

Referrer in FF:

    
    
      https://sheets.googleapis.com/v4/spreadsheets/1A3xz8NFWjebuMbGWvy2yUBKcnAmuZSs5JmKq9-JDss8/values/Email?key=AIzaSyCxiboNdLE5nSch2pdwI3blsfvfyss3Y0M
    

Referrer in Chromium:

    
    
      https://secured.fyi/
    

Btw. I tried deactivating any Addons which might interfere with the requests
but it didn't change anything. So probably all users with a modern Firefox
will have an empty table.

~~~
QasimK
I had to disable the "Smart Referrer" Firefox Addon to get the table to load
in Firefox :(

~~~
fredrikaurdal
I'll be working on re-designing everything from scratch, and not rely on my
current jquery solution. It's a matter of how much time I have available, but
it's a priority on my list :)

------
qpiox
I don't understand why were some of the tech added to the list. The title says
"Tech Companies That Won't Delete Your Information Services with the highest
scores have the worst policies"

Tox is listed among them. But ToX does not need any information from you. You
can create a random id without any of your personal information whatsoever,
and share this id with your friends, who will also have a random id.

Tox is not a company.

A clarification is much needed.

In the communication lists it says that security wise is "Bad". Why?

In fact, it would be beneficial for all of us if these lists had some
information on why were some of the stuff added to the list. Precisely why is
Tox added to the list.

Similar to this discussion we can see that Retroshare is too listed. Again,
why?

Please share some URL with reading material why are some of the companies and
tech listed at all.

~~~
qpiox
Also KeePass and KeePassXC are listed among companies that will not delete
your information.

I was not even aware that they kept some of my information. Which information
do they keep? Which information about me they will not delete?

~~~
confounded
Yes, this is completely ridiculous; they’re local client-side software, which
optionally _can_ integrate with e.g. a Dropbox account.

In that case Dropbox would be the ones holding data.

~~~
fredrikaurdal
Look at my previous comment, you are not interpreting the list correctly.

~~~
confounded
Apologies!

------
mic47
Please add reasons for each site why they have points they have and links that
support those claims.

For example, you said that Facebook deletes data partially. What does it mean?

~~~
fredrikaurdal
The site is literally based on a spreadsheet at the moment, which has some
limitations. I'm working on re-designing my system, which will allow to more
easily include sources.

------
delhanty
Elsevier (Mendeley)

TLDR: Claimed to have deleted everything on 2017-06-08, but they lied.

0\. 2017-06-06: Mendeley <mendeley@mail.elsevier.com> email me "Paul,
important changes to your Mendeley account ..." I log on and 'delete' my
account.

1\. 2017-06-07: Mendeley <mendeley@mail.elsevier.com> me "We have deleted your
Mendeley profile and data, to delete your full Elsevier account, please email
usinfo@elsevier.com"

2\. 2017-06-07: I reply to Elsevier <usinfo@elsevier.com> "Please do that for
me now - if you've created one for me delete my full Elsevier account from all
databases and backups that you have on me, including cold storage."

3\. 2017-06-07: Elsevier <usinfo@elsevier.com> email me a ticket number

4\. 2017-06-08: ELS-Mendeley Support<support@mendeley.com> email me "This
email is to acknowledge the request and to confirm that we have already
removed your email address from our database. We have cleared out all data
associated with your account across all Mendeley servers. You shouldn’t be
receiving any more emails from Mendeley moving forward. Apologies for any
inconvenience this may have caused you."

5\. 2017-06-11: Elsevier Customer Feedback <research@surveys.elsevier.com>
"According to our records you recently contacted <NAME REDACTED> in Elsevier
Customer Support. The ID of the support query was 170607-010708. We want to
improve the service we provide you. In order to evaluate our current service,
we are conducting a brief (3-4 minute) survey. This asks a few questions about
your most recent experience of contacting us. Your feedback would be very
valuable. ..." I don't click on the link

6\. 2017-06-15: Mendeley <mendeley@mail.elsevier.com> email me "Paul,
important changes to your Mendeley account" ...

7\. 2017-11-11: Mendeley <mendeley@mail.elsevier.com> email me "Paul, identify
relevant funding opportunities Hi Paul, Have you logged into Mendeley lately?
..."

Edit: correct dates

~~~
ameister14
You're still on the email list - that doesn't mean your account data is still
there, it means the marketing team is probably silo'd and doesn't clean their
lists.

~~~
delhanty
>6\. 2017-06-15: Mendeley <mendeley@mail.elsevier.com> email me "Paul,
important changes to your Mendeley account" ...

That doesn't look like it's from the marketing team - looks just like the
original email they sent before I closed my account.

~~~
ameister14
Yeah, they probably send those as drip emails when there are global changes to
policy, and to get you to open the email and re-engage with their system. I
wouldn't be surprised if the support team doesn't engage with the email team
at all, or rarely. It's not usually a huge priority, in my experience.

~~~
delhanty
With respect, I think that you're just writing what you suppose they did with
out bothering to read what I've written because it's too long for you.

I didn't write it out carefully for you. I wrote it for the OP.

~~~
ameister14
No, I read what you wrote. You had an automated email, you responded by
deleting your account. You got another automated email, from the same email
address, saying your account had been successfully deleted.

You then engaged with a support representative, who deleted your data and
email from their account system. What that representative did not do, clearly,
is delete you from the (likely third party held) email system.

Note that the automated emails come from an elsevier domain, and the support
email came from a mendeley domain. That is a good sign that you are in
multiple systems.

Then, later, you again got automated emails from them. This didn't come from
the support person, it came from the automated system the company set up,
again likely with a third party and managed by a different team. Unsubscribe
from those and they will go away.

~~~
delhanty
Go to the following domain:

    
    
      https://www.mendeley.com/forgot
    

Enter a valid email address that has never been registered with Mendeley. You
will get the following message:

    
    
      Oops, this email address was not found in our system.
    

But, if I enter the email I registered I get this message:

    
    
      Thank you. If we have been able to identify your account, an email containing instructions on how to reset your password will be sent to you.
    

I _don 't_ receive an email, but Mendeley password reset _can_ discriminate my
previously registered email from random valid email addresses. That would be
impossible if that registered email was only known to third parties.

Why would that be?

Look what I wrote at point 1.

    
    
      1. 2017-06-07: Mendeley <mendeley@mail.elsevier.com> me "We have deleted your Mendeley profile and data, to delete your full Elsevier account, please email usinfo@elsevier.com"
    

So my Mendeley profile and data has gone, and Mendeley have deleted my data
from _Mendeley_ servers but it looks to me as though there is a central
_Elsevier_ server that still knows my email address.

Furthermore, Elsevier Product Insights for Customers password reset

    
    
      https://e-pic.elsevier.com/forgot
    

rejects random valid email addresses but recognizes my previously registered
email address:

    
    
      Thank you. An email containing instructions on how to reset your password will be sent to you shortly.
    

And the password reset email actually does get sent to me!

    
    
      Dear null,
    
      You requested to change your password. Click the link below to change your password:
    
      ..
    

Well, what do you know! As far as Elsevier is concerned I _do_ have an account
after all!

BTW, is this you ?

    
    
      https://angel.co/aiden-meister

~~~
ameister14
what happens when you click the link and reset your password?

------
inteleng
Why isn't HN/YC on this list?

~~~
fredrikaurdal
HN doesn't allow for people to delete their account, a lot of forum type
websites have the same rule.

~~~
travmatt
Or comments (after a certain age, which they say would disrupt threads),
although it’s entirely possible to delete the author of a comment whilst
leaving it intact (an option they do not offer)

------
woweeeee
I can’t delete my Hacker News data, comments or profile.

------
aftbit
Most companies will not "delete" your account. They will deactivate your
account. It is hard to delete things in SQL databases that use FKs, and in
many cases it is illegal or inadvisable to delete all customer data (e.g. if
you need to keep invoices for accounting reasons, or if you are eligible for
chargebacks). Small startups are often busy trying to keep everything working
and go after their key metrics and don't have time to build a system robust
enough to handle deletions.

~~~
NewsAware
Of course it is hard (or maybe not top priority for some) but that's no excuse
in my book.

Besides, from a technical perspective archiving PDF invoices and using SQL
cascade delete doesn't sound overwhelming in complexity.

------
sverige
GoDaddy will let you close your account, but you have to call customer service
to do so. (After many years of having multiple domains with them, recently I
decided to migrate all the domains I had with them over to other providers.)

One thing that is troubling is that if you have an expired domain with domain
lock turned on, they will not delete your account until a year has passed from
the non-renewal of the domain. The domain-lock feature cannot be turned off if
that domain has been inactive for less than a year unless the domain is
renewed. They told me they could not turn it off either so that the account
could be closed, but I'm a bit skeptical on that, since it makes no sense that
they cannot change the account settings with an authenticated customer making
the request. Don't they control their own code? It strikes me as an excuse for
them to leave the account open in case you change your mind.

In their favor, I was able to delete payment information immediately. Also,
they have very friendly customer service representatives (though friendliness
doesn't make up for powerlessness.)

Btw, this is an interesting and good service you are setting up. Thanks for
your work!

~~~
fredrikaurdal
Some companies do that, and say "it's our policy", without giving a real
reason for it.

Thanks, and I've added GoDaddy :)

------
evolve2k
The very first thing that shows is the companies that are the least naughty.

This is a naughty list is it not? Suggest to please sort by naughtiest first.

~~~
fredrikaurdal
We always sort by naughtiest first. Any services in particular you think have
the wrong data?

~~~
evolve2k
Ah I see, I think it's a case of ambigious copy being misinterpreted by some
of us:

"Tech Companies That Won't Delete Your Information Services with the highest
scores have the worst policies"

I read this as 20 is worse than 1.

Maybe something along these lines, explicitly explaining 1 is the worse.

"Tech Companies That Won't Delete Your Information Services. Those with the
highest rank have the worst policies. A rank of 1 is the worst offender"

I think this is somewhat a problem of English missing a term that
unambiguously means "1 is highest".

~~~
fredrikaurdal
Changed.

------
f2n
The list does not appear without allowing 3rd party javascript (and presumably
tracking) by Google :/

~~~
fredrikaurdal
I'm planning on re-building the site, which I'm working on. The analytics
software I'm using is a self hosted version of Matomo.

------
JepZ
I wonder about the ranking for the 'Communication' category. Somehow there are
protocols, clients and services mixed up. To give an example of each:

\- Service: Jabber.org

\- Protocol: OMEMO

\- Software: Gajim

Next, the score seems to be a similar mix up, not so much focused on security
but more as a general recommendation as a trade off between number of features
and overall security. To me that feels like a bad advise. That way, a very
respectable and stable app like Conversations is listed below the protocol it
uses (OMEMO) and even below Tox which is officially listed as experimental,
just because conversations doesn't support audio or video telephony.

Other privacy related aspects, like the need to register a phone number to use
the service, automatic contact list uploads or custom servers, are completely
ignored.

~~~
fredrikaurdal
I'm working on creating a new system that will improve the accuracy. Some
people have pointed out something similar on reddit, which I do agree with.
Phone number requirement is added under SMS.

------
dotsh
Kayako. No direct account deletion, they need to poke engineer to do it after
many requests. They require your personal information and CC to use free plan.
No direct downgrade button to free plan if on trial.

~~~
fredrikaurdal
Added.

------
tejtm
Thanks, I appreciate the thought and effort.

There is too much special sauce on the page for me to see the actual list
(perhaps one of your critical resources is already on my blacklist or too
third partyish).

Thought you may be able to make use of
[http://backgroundchecks.org/justdeleteme/](http://backgroundchecks.org/justdeleteme/)
to help with your checking. (no affiliation)

Plus it is great when a study like that is reproduced and vetted for drift.

Thanks again for you work.

~~~
fredrikaurdal
Thanks :)

------
rexpop
This page doesn't make sense: you say _Tech Companies That Won 't Delete Your
Information_ at the top, and then immediately list, e.g. "Outlook Mail: Delete
Account? Yes".

This makes them sound like they _do_ delete your account information. If there
is something specific that they _don 't_ delete, it might be best to highlight
_that_.

Also I am unsure what "Track" means.

And how can you Delete Account be _unknown_? Did you try? If not, how can you
claim they are naughty?

~~~
fredrikaurdal
The point of me posting the list here, is to get feedback so that I can make
corrections.

Hover of the Tracking text to see the explanation.

There are over 250 services in the list. Those who have the status Unknown
didn't mention it clearly on their website. Feel free to make specific
suggestions, and I'll make corrections.

~~~
rexpop
No hover on mobile. ;)

~~~
fredrikaurdal
Will be fixed in the next major release :)

------
borntyping
Slack's inclusion feels a little odd, since the customer in their case is the
business paying for the service, not the individual. They do claim deleting a
workspace cannot be undone.

------
kyriakos
Will GDPR save us from the products on this list?

~~~
fredrikaurdal
Yes, but only EU companies have to comply, and those who by extension is
subject to the same rules by treaty, mainly the EEA and EFTA as well.

~~~
christop
The GDPR applies to the data of anyone using a service while in the EU, not
just to companies that are based in the EU.

~~~
cosmie
While technically true, if the EU has no jurisdiction over you or your
business, it's difficult for them to force compliance.

Another example of this is sales tax in the US. Several states have laws that
tell the seller to collect and remit sales tax on any sales to residents
within the state. But for sellers that have no physical presence in that
state, the state has no ability to force them to actually do so (or to force
them to open up their books and prove one way or the other).

~~~
sandstrom
For most large tech companies EU is their biggest or second biggest market.
The fines are large, so it will be in their interest to comply.

------
peternicky
I like this idea a lot, however, as many others said, you need to be
transparent with the scores. I was more confused after reading your FAQ.
Additionally, the column where you generate retweet links is obnoxious (entire
UI needs major work).

~~~
fredrikaurdal
The scores are completely transparent:
[http://secured.fyi/edit](http://secured.fyi/edit)

------
sandstrom
Nice! Some thoughts:

\- I’d rank them on a combination of size and score. \- perhaps a link to
relevant delete / info page \- automatic vs manual (ie do you need to ask
support) \- whether they have precise info on which information is deleted,
and what is kept \- a column for claimed gdpr compliance

~~~
fredrikaurdal
I want to add a lot more information as well, but there are some limitations
to my current spreadsheet system :) I'm working on creating a new site.

------
IndefiniteFrog
Is anyone else having trouble viewing the spreadsheet? I can't view it on my
computer or phone.

~~~
fredrikaurdal
You have to allow scripts to run, because it relies on jquery.

------
lern_too_spel
I've been trying to delete the Apple ID associated with my email address for
years, but Apple can't be bothered to handle account deletion, even after I
paid them.

~~~
fredrikaurdal
This doesn't work?
[https://discussions.apple.com/thread/7093344](https://discussions.apple.com/thread/7093344)

~~~
lern_too_spel
No, that simply removes the Apple ID from a device. Apple doesn't allow you to
delete the account itself, which makes it worse than Facebook in that respect.

------
chaostheory
23andme and their competitors both ancestry and genotype tests

------
bufferoverflow
This makes little sense:

    
    
    		Slack	No	No	2
    		Kayako	Yes - Difficult	No	0.25
    

Almost the same level of issues, yet an 8X difference in the score.

~~~
fredrikaurdal
I can only find documentation on how to deactivate a Slack account, not delete
it. Kayako allows you to delete an account, but after multiple requests.

What do you suggest I change the weight to?

~~~
BartBoch
Maybe make scoring much, much clear. Like, add a popup next to scores with a
breakdown on how the score was calculated.

~~~
fredrikaurdal
I'm working on building a new site that will support a similar feature, and
many others.

------
jensmtg
Crocagile.com not only lacks an option to delete your account, they also flat
out ignore any email to their support address with any such request.

~~~
fredrikaurdal
Added.

------
acd
Tracking you for "free" Google Search, Google DNS, Google Photos(geo location,
faces, maybe object recognition), Google Recaptcha, Google Analytics.

Arbor Network Atlas anti ddos service on the tier one ISP level. Seeing flow
samples of most traffic anti DDOS through network flow logs of many major tier
one internet networks.

Cloudflare CDN major focal point of internet traffic.

~~~
fredrikaurdal
Not sure what you mean.

------
olivierduval
It seems like they'll soon be (heavily) fined under GDPR if they don't
change... ;-)

------
Jerry2
Where's Gmail?

~~~
fredrikaurdal
Good question, added.

------
fogzen
Why should a company have to delete accounts?

~~~
icebraining
Protection of personal data. If you don't use an account anymore, you
shouldn't have to be subject to the data leaks the site will suffer in the
future.

------
jtbayly
what in the world does a yes or no in the "tracking" column mean?

~~~
fredrikaurdal
If you hover your pointer over the Tracking text, there is an explanation.

------
awt
Also hacker news.

------
a_imho
mailgun

~~~
fredrikaurdal
Any personal experience with them, in if that's the case what was it like?

~~~
a_imho
[https://news.ycombinator.com/item?id=16080300](https://news.ycombinator.com/item?id=16080300)

