
User accounts? Really? This is Yahoo we’re talking about. You really do need user accounts to run an email service



> You really do need user accounts to run an email service

Exactly; regardless of that, companies keep asking users for a whole collection of personal data, not always making it obvious which fields are actually required because it's good business for them to get as much personal data as possible.

Average users are usually unsure about a lot of this stuff and naive enough to enter their real data for fear of getting caught "lying".

This happens because companies see this data as an asset instead of a liability; from the companies' view, not asking for that data/tricking users into giving it away means missing out on assets.

But if you instead make the personal data a liability, by enforcing standards for keeping/sharing it with hefty fines, then fewer companies will go out of their way asking users for personal information they have no business asking for in the first place because it would put them in a position of liability for what happens with said data.


>> User accounts? Really? This is Yahoo we’re talking about. You really do need user accounts to run an email service

> Exactly; regardless of that, companies keep asking users for a whole collection of personal data, not always making it obvious which fields are actually required

You literally don't need any user information to run an email service. You only need a means to identify them which could just amount to giving them a long, randomly generated password. Even the username is only necessary for the purpose of being able to identify them as a recipient, not for login itself.


> You literally don't need any user information to run an email service.

I know that and you know that; the average user does NOT know that and is too good-natured to enter fake information.

There are plenty of email services out there, among them many of the largest and most established ones, where the real name is a required field during registration.

Sure you can always argue "Well just enter fake details" but that's missing the point. The point being that once personal information becomes a liability, instead of something you can just haphazardly hoard as an asset, companies would be much more careful about what kind of information they are asking from the users in the very first place.

Companies abuse the goodwill of the average users by asking for more information than they should because it comes at no cost to them while at the same time being a very big asset. Even if they fail to secure these assets and a breach happens, most of the costs of that are externalized onto the users whose data actually got leaked; the consequences for the company are often only cosmetic, some bad PR/stock prices take a little downturn. But the brunt of that will be over after a couple of weeks and after that, it's back to business as usual.

That needs to change, companies need to be held liable for:

A) Needlessly asking for and hoarding personal information

B) Sloppy treatment of information resulting in a leak

Yes, this could very well be opening Pandora's box, but something about the current state of things really needs to change.


Wouldn't the emails themselves count as user information?


No. User information here means information denoting a user not information from a user.


That's dangerous schematic games along the same lines of "Metadata is harmless and can't identify anybody".

Emails can sometimes contain very detailed and very denoting user information. Trying to differentiate between users' "personal information" and users' "personal content" is imho a rather dangerous thing to do because who decides where to draw the lines between the two?

As a user, I expect my data, regardless of which data, to stay private unless I explicitly intend to publish it to the public or somebody else. I most certainly do not expect some employees reading through my private emails for their lunch-break entertainment.


> That's dangerous schematic games along the same lines of "Metadata is harmless and can't identify anybody".

That's a complete strawman argument that has nothing to do with what I wrote. The distinction is correct and factual in this exact situation. You are attempting to redefine terms for apparently no reason other than to argue.

Whether emails contain detailed information or not is irrelevant to the term "user information" in this context, meaning information about a user. The discussion is about whether an email service requires personal information to operate.

> As a user, I expect my data, regardless of which data, to stay private unless I explicitly intend to publish it to the public or somebody else. I most certainly do not expect some employees reading through my private emails for their lunch-break entertainment.

In the real world, you either need to change your expectations or encrypt your data.


Sure, but you don't need first name, last name, phone number, birth date or gender. All of which are asked on the signup and of which only Gender is specified as optional: https://login.yahoo.com/account/create

In my small business we ask only for an email address, password and confirm password. Everything else is excessive.

Tax obligations can be another problem which may require an address, but often have a simpler way to resolve them by simply picking the appropriate country and state off a list or even with just a checkbox for "are you in X jurisdiction which I am required to tax?". I believe Tarsnap handles it that way.


> Tax obligations can be another problem which may require an address, but often have a simpler way to resolve them by simply picking the appropriate country and state off a list or even with just a checkbox for "are you in X jurisdiction which I am required to tax?". I believe Tarsnap handles it that way.

Tarsnap has a "are you Canadian" checkbox. Unfortunately if you are Canadian I have to collect your name and address because I have to provide[0] invoices/receipts which contain this information.

Mind you, there's no requirement that you give me truthful information. If you claim to be John Smith living at 123 Main Street, you'll get an invoice which says that at the top of it. You won't be able to use it to claim a tax rebate; but if you're not running a business it's not useful for that purpose anyway.

[0] IIRC I technically don't have to provide such invoices to everybody; merely to anyone who asks for one. But collecting the information up front and emailing PDFs to all the Canadians is much easier than handling individual requests later.


You need to collect date of birth for COPPA compliance


Where in COPPA does it say the DOB needs to be collected? I don't think that statement is true as you word it.


My memory of implementing COPPA compliance a decade ago was that DOB was an implicit requirement, the explicit requirement being “confirm they’re over 13; a checkbox isn’t good enough because they’ll clearly just lie.” (paraphrased, not quoted).


Thank you for explaining that for me.

That's what I had thought. However, users will lie about a DOB if they will lie about an age.


Does that mean you have to retain it beyond the initial check?


No idea. UK games company, so UK data protection act also applied, which I think actually forbids retaining any more than strictly necessary.


First and last name are at least needed to meet the email protocol. Emails shouldn't be addressed to handles/nicknames


"username <username@yahoo.com>" is perfectly valid in SMTP last I checked.

If it's a user experience thing, fine, but at least make it an optional field.


How would you handle all the people with identical names? Even if you used DoB, there is a chance for a duplicate.


The irony of that comment being made from an account with a username that doesn't clearly identify a person..


Deliberate sarcasm?


How much do you actually need to know about someone to serve up email to them?


For a consumer mail service, you need to know enough to let them recover their account, possibly with decades of un-backed-up correspondence with and photos of since-deceased friends and relatives, when they’ve forgotten their password, and without letting someone else recover their account. This is a hard problem.

(I’m expecting some idealized “solutions” from people with idealized beliefs about mass market tech skills.)


Why don't we just <incredibly naive solution that does nothing to help, but somehow also involves the blockchain>?


This is such a nasty area, with such crappy solutions (name of your first pet), that it should become a service all of its own.

i.e. when I sign up with you, I can choose my own preferred vendor to handle identity recovery.


You also need a process for resolving ownership disputes. Facebook takes the tactic of having the person claiming ownership upload government-issued ID, which seems like it would be the only foolproof way to do so, yet they're constantly maligned for it.


Most sites solve this problem with a combination of 2FA and at least one security question.

Having my phone number isn't even good 2FA.


You almost certainly need a password hash, and that’s (as I understand it) the main privacy worry related to the Yahoo breach.


A free email service.



