Show HN: Tech Companies That Won't Delete Your Information (secured.fyi)
197 points by fredrikaurdal 6 months ago | 124 comments

Occasionally I go through my password manager to do a cleanup of accounts I no longer use. For the simple reason that if any one of those services gets hacked, I don't want to lose credit card or personal information, and have that end up in the hands of somebody who shouldn't have it.

In trying to delete a few accounts, some services outright refused to delete my info, without giving any reason. Therefore, I've decided to create a naughty list of tech companies who don't respect your right to your own information.

There are already 261 sites in the list, but let me know if there are any other services you think I should add.

I like this idea a lot. With GDPR on the horizon, this is a great resource to put together.

I’m a little confused about the implementation right now. I don’t understand Rank and Score specifically. The columns need some explanation to make it clearer if a higher number is good or bad, what the number is representing, and how it’s calculated.

Changed, clarification added.

Clean this up a bit and you can be troyhunt for gdpr and command corresponding consulting fees.

Clean this up in what way?

The navigation is a bit confusing. I didn't know the landing page was the "Naughty List". And I was expecting each "category" to filter the existing list, not show a new list of websites/companies.

Also, the ranking list isn't that helpful when 20-some companies are tied for 3rd.

Do you work with any UX designers? Get some feedback from them. It's not about making it pretty as much as it's about presenting the content in a clear way.

It's not perfect, but what I could build in a short amount of time. I'm working on creating a much better and more intuitive system.

Great! Apologies if my older post was a bit curt. I'm glad you're building this.

btw, have you seen the 2FA List? https://twofactorauth.org/

Why is Mastodon listed as "does not delete account"? Look under Security -> Delete account

Updated to Yes - Partially, because they don't guarantee deletion of all data.

I don't know what you mean. Mastodon deletes all the data from the server, and sends out delete payloads to other servers that may have stored copies. If you refer to the fact that some of those copies may remain, then you need to mark all services as not allowing account deletion because Google may have caches of indexed profile and post pages.

Changed, replied to another message.

Very true, most other services don't even try to delete all data like messages received by others. Changed.

It would help to explain your scores a bit (is +10 worse than -10?)

Thanks! I changed the scoring system slightly, and added an explanation.

It looks like the major password managers are on the list.


Uber needs to be on the list.

They have had employees tracking their Ex's whereabouts. They have publicly boasted of being able to identify "rides of shame" after your One-night stand. They collected location information beyond what was necessary to pick you up.

Plus, you know, being union-busting, misogynistic, democracy-undermining, corner-cutting and pedestrian-killing frat boys. But the reasons above seemed to be better tailored to the intent of your list.

What ranking factors would you suggest I add to cover Uber?

There really isn't a single, objective yes/no question that would capture all the nuances here. That's why "the other naughty list", i.e. the criminal justice system and regulatory agencies like the FTC, employ judges, lawyers, and long processes to arrive at their nice/naughty lists.

What Uber comes down to is, I believe, essentially the same as the famous Zuckerberg chat message: 'They "Trust me". Dumb fucks!'. Saying that isn't illegal by itself. But it shows a complete disregard for the public's interests.

Every single one of Uber's actions could actually be excused. When, for example, Google admitted to capturing unencrypted Wifi traffic picked up by their Street View cars, I was willing to give them the benefit of the doubt, because that explanation seemed more consistent with their past (and future) behaviour than the alternative.

But the sum of Uber's actions leads me to believe they have misunderstood the causality their own motto proclaims, and are now intentionally breaking things in the hope that it will make them move faster.

One more thing: the Uber help page states that they "permanently delete your account", but also includes this sentence: "Please note that Uber may retain certain information after account deletion as required or permitted by law."

Which makes me think that they're deactivating your account and basically keeping as much data as they can legally get away with.

Since I doubt any of the other companies on your list are openly ignoring the law and keeping more than permitted, the logical conclusion would be that Uber is just as bad as your top contenders.

I'm wondering what kind of information, because they are required to keep accounting records for some time.

The only challenge is how to rank them based on ranking factors.

That covers the "required" part of their statement. But they also have the weasel phrase "as permitted", which is far more open ended. In much of the US, for example, the law does not expressly state what steps a provider has to do to "delete" your account. So implicitly, they're permitted to keep what data they like.

Perhaps a ranking of subtle retention policies.

And though not directly related, data breaches do undermine a user’s ability to delete their data. So maybe some kind of formula to quantify data loss.

Just some ideas. Your work thus far is really eye opening and you have my thanks. I had no idea I was trapped in LinkedIn.

Thanks for your suggestion. This is a work in progress, and I have to create a more advanced system than only a spreadsheet to improve the list.

You had me until pedestrian-killing frat boys... Is this a California thing?

This site - hackernews - will not delete your account - full stop.

I sent in a request asking what steps were necessary to have one's account deleted. I was told this was not possible. This is unreasonable.

And yes, I created this account specifically to post this comment.

Could GDPR change this?

For EU users yes, but for other people kind of, when using EU based services.

Does the GDPR actually express a right to account deletion? My understanding is that it expresses only a right to erasure in a limited set of circumstances. Given that comments are public, I think it may be possible to deny the right to erasure on the archival exception.

However, upvotes are currently private, and cannot be removed after some length of time. I wonder if this would mean they should be made removable (or at least the record of them in a user's account).

I didn't see LinkedIn in this list?

A while ago I deleted my account, then recreated my account after a year, and requested a full backup history. This backup had my old contacts from the original LinkedIn Android app, gathered from my old phone without my permission.

That's really not good, added.

One company I would like to nominate as naughty is Newegg. I hadn't ordered from them in years, and asked to delete or disable my account. They can keep their old invoices in the system if they want for legal reasons but I didn't want to log on anymore -- other sellers have processed that request for me.

They repeatedly said "No, we will not disable your account."

And they keep the last address you ordered from in an uneditable field visible on the website, so you can't scramble it with fake address data. I haven't seen any other retailer do that.

Newegg is going on the naughty list.

But NewEgg is famous for not bowing to patent trolls.

I have always appreciated them for that, too. Not respecting the desire to close your account is a separate issue. Fighting patent trolls doesn't make up for their refusal to let you protect your information.

One good deed does not absolve them of other misdeeds.

Something's up with the site, at least for me. The table content doesn't load - I see the different options (email, etc.) but no entries. Firefox console tells me:


Loading failed for the <script> with source “https://secured.fyi/analytics/piwik.js”: naughtylist.html:1

The resource at “https://cdn-images.mailchimp.com/embedcode/horizontal-slim-1... was blocked because tracking protection is enabled: naughtylist.html

Source map error: request failed with status 404 Resource URL: https://secured.fyi/assets/style.css Source Map URL: bulma.css.map


What's wrong with a good ol'fashioned HTML table?

I have problems with FF too (+uBlock Origin +DuckDuckGo Privacy). Loading the data from Google seems to fail:

  code	403
  message	Requests from referer https://sheets.googleapis.com/v4/spreadsheets/1A3xz8NFWjebuMbGWvy2yUBKcnAmuZSs5JmKq9-JDss8/values/Email?key=AIzaSyCxiboNdLE5nSch2pdwI3blsfvfyss3Y0M are blocked.

Read my previous reply.

As you can see from the code in my post, the script runs, but the server responds with a 403 error. That looks more like the JS is doing the wrong request in FF. The problem seems to be the referrer. For comparison:

Referrer in FF:

Referrer in Chromium:

Btw. I tried deactivating any Addons which might interfere with the requests but it didn't change anything. So probably all users with a modern Firefox will have an empty table.

I had to disable the "Smart Referrer" Firefox Addon to get the table to load in Firefox :(

I'll be working on re-designing everything from scratch, and not rely on my current jquery solution. It's a matter of how much time I have available, but it's a priority on my list :)

The table pulls data from a Google Sheet. When the spreadsheet is updated, the table is populated with data. You have to run the site's jquery, otherwise it's not going to work.

I don't understand why some of the tech was added to the list. The title says "Tech Companies That Won't Delete Your Information Services with the highest scores have the worst policies"

Tox is listed among them. But Tox does not need any information from you. You can create a random id without any of your personal information whatsoever, and share this id with your friends, who will also have a random id.

Tox is not a company.

A clarification is much needed.

In the communication lists it says that security wise is "Bad". Why?

In fact, it would be beneficial for all of us if these lists had some information on why some of the stuff was added to the list. Precisely why is Tox added to the list?

Similar to this discussion, we can see that Retroshare is listed too. Again, why?

Please share some URL with reading material on why some of the companies and tech are listed at all.

Also KeePass and KeePassXC are listed among companies that will not delete your information.

I was not even aware that they kept some of my information. Which information do they keep? Which information about me will they not delete?

Yes, this is completely ridiculous; they’re local client-side software, which optionally can integrate with e.g. a Dropbox account.

In that case Dropbox would be the ones holding data.

Look at my previous comment, you are not interpreting the list correctly.


Nope, their status is Yes, which means they will delete your data.

To make this clear, Tox has 0 Naughty Points.

There are some limitations to running this on what is essentially a spreadsheet. I want to re-design the system before I add more data, because then it will be easier to make the transition. This is a priority, only limited to how much time I have available.

There are some clarifications in the change log: https://secured.fyi/changelog but all sources will be added once I have the new site ready.

Please add reasons for each site why they have points they have and links that support those claims.

For example, you said that Facebook deletes data partially. What does it mean?

The site is literally based on a spreadsheet at the moment, which has some limitations. I'm working on re-designing my system, which will allow to more easily include sources.

Elsevier (Mendeley)

TLDR: Claimed to have deleted everything on 2017-06-08, but they lied.

0. 2017-06-06: Mendeley <mendeley@mail.elsevier.com> email me "Paul, important changes to your Mendeley account ..." I log on and 'delete' my account.

1. 2017-06-07: Mendeley <mendeley@mail.elsevier.com> me "We have deleted your Mendeley profile and data, to delete your full Elsevier account, please email usinfo@elsevier.com"

2. 2017-06-07: I reply to Elsevier <usinfo@elsevier.com> "Please do that for me now - if you've created one for me delete my full Elsevier account from all databases and backups that you have on me, including cold storage."

3. 2017-06-07: Elsevier <usinfo@elsevier.com> email me a ticket number

4. 2017-06-08: ELS-Mendeley Support<support@mendeley.com> email me "This email is to acknowledge the request and to confirm that we have already removed your email address from our database. We have cleared out all data associated with your account across all Mendeley servers. You shouldn’t be receiving any more emails from Mendeley moving forward. Apologies for any inconvenience this may have caused you."

5. 2017-06-11: Elsevier Customer Feedback <research@surveys.elsevier.com> "According to our records you recently contacted <NAME REDACTED> in Elsevier Customer Support. The ID of the support query was 170607-010708. We want to improve the service we provide you. In order to evaluate our current service, we are conducting a brief (3-4 minute) survey. This asks a few questions about your most recent experience of contacting us. Your feedback would be very valuable. ..." I don't click on the link

6. 2017-06-15: Mendeley <mendeley@mail.elsevier.com> email me "Paul, important changes to your Mendeley account" ...

7. 2017-11-11: Mendeley <mendeley@mail.elsevier.com> email me "Paul, identify relevant funding opportunities Hi Paul, Have you logged into Mendeley lately? ..."

Edit: correct dates

You're still on the email list - that doesn't mean your account data is still there, it means the marketing team is probably silo'd and doesn't clean their lists.

>6. 2017-06-15: Mendeley <mendeley@mail.elsevier.com> email me "Paul, important changes to your Mendeley account" ...

That doesn't look like it's from the marketing team - looks just like the original email they sent before I closed my account.

Yeah, they probably send those as drip emails when there are global changes to policy, and to get you to open the email and re-engage with their system. I wouldn't be surprised if the support team doesn't engage with the email team at all, or rarely. It's not usually a huge priority, in my experience.

With respect, I think that you're just writing what you suppose they did without bothering to read what I've written because it's too long for you.

I didn't write it out carefully for you. I wrote it for the OP.

No, I read what you wrote. You had an automated email, you responded by deleting your account. You got another automated email, from the same email address, saying your account had been successfully deleted.

You then engaged with a support representative, who deleted your data and email from their account system. What that representative did not do, clearly, is delete you from the (likely third party held) email system.

Note that the automated emails come from an elsevier domain, and the support email came from a mendeley domain. That is a good sign that you are in multiple systems.

Then, later, you again got automated emails from them. This didn't come from the support person, it came from the automated system the company set up, again likely with a third party and managed by a different team. Unsubscribe from those and they will go away.

Go to the following domain:

Enter a valid email address that has never been registered with Mendeley. You will get the following message:

  Oops, this email address was not found in our system.

But, if I enter the email I registered I get this message:

  Thank you. If we have been able to identify your account, an email containing instructions on how to reset your password will be sent to you.

I don't receive an email, but Mendeley password reset can discriminate my previously registered email from random valid email addresses. That would be impossible if that registered email was only known to third parties.

Why would that be?

Look what I wrote at point 1.

  1. 2017-06-07: Mendeley <mendeley@mail.elsevier.com> me "We have deleted your Mendeley profile and data, to delete your full Elsevier account, please email usinfo@elsevier.com"

So my Mendeley profile and data has gone, and Mendeley have deleted my data from Mendeley servers but it looks to me as though there is a central Elsevier server that still knows my email address.

Furthermore, Elsevier Product Insights for Customers password reset

rejects random valid email addresses but recognizes my previously registered email address:

  Thank you. An email containing instructions on how to reset your password will be sent to you shortly.

And the password reset email actually does get sent to me!

  Dear null,

  You requested to change your password. Click the link below to change your password:

Well, what do you know! As far as Elsevier is concerned I do have an account after all!

BTW, is this you ?


what happens when you click the link and reset your password?

Why isn't HN/YC on this list?

HN doesn't allow for people to delete their account, a lot of forum type websites have the same rule.

Or comments (after a certain age, which they say would disrupt threads), although it’s entirely possible to delete the author of a comment whilst leaving it intact (an option they do not offer)

They keep telling me they're working on it.

I can’t delete my Hacker News data, comments or profile.

Most companies will not "delete" your account. They will deactivate your account. It is hard to delete things in SQL databases that use FKs, and in many cases it is illegal or inadvisable to delete all customer data (e.g. if you need to keep invoices for accounting reasons, or if you are eligible for chargebacks). Small startups are often busy trying to keep everything working and go after their key metrics and don't have time to build a system robust enough to handle deletions.

Of course it is hard (or maybe not top priority for some) but that's no excuse in my book.

Besides, from a technical perspective archiving PDF invoices and using SQL cascade delete doesn't sound overwhelming in complexity.

I had a user request account deletion last month. It's the first time we've had that.

I simply overwrote all their details with nonsense, and marked the account as deleted. The account exists, but is about as useful as the fake accounts spammers sometimes make.
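The trade-off argued over in the comments above (foreign keys, invoices that must be kept, overwriting details instead of deleting), as an added example that is not code from any commenter or company in this thread: erasure hard-deletes the user when nothing has to be retained, and otherwise strips the personal fields while keeping the invoice rows. The schema, table names and sample rows are constructed for illustration, and the personal fields are set to NULL rather than to nonsense values.

```python
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema: sessions disappear with the user (CASCADE),
# invoices block a hard delete (RESTRICT) because they must be retained.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT UNIQUE,
    name TEXT,
    address TEXT,
    deleted_at TEXT
);
CREATE TABLE sessions (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    token TEXT NOT NULL
);
CREATE TABLE invoices (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE RESTRICT,
    amount_cents INTEGER NOT NULL
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    # SQLite does not enforce foreign keys unless asked to, per connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def erase_user(conn, user_id):
    """Return 'deleted', 'anonymized' or 'not_found'."""
    with conn:  # one transaction: commit on success, roll back on error
        try:
            cur = conn.execute("DELETE FROM users WHERE id = ?", (user_id,))
            return "deleted" if cur.rowcount else "not_found"
        except sqlite3.IntegrityError:
            pass  # retained invoices reference this user; fall through
        # Remove everything that does not have to be kept ...
        conn.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))
        # ... and blank the personal fields on the row the invoices point at.
        conn.execute(
            "UPDATE users SET email = NULL, name = NULL, address = NULL, "
            "deleted_at = ? WHERE id = ?",
            (datetime.now(timezone.utc).isoformat(), user_id),
        )
    return "anonymized"


def account_exists(conn, email):
    """What a login or password-reset lookup would see for this address."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE email = ? AND deleted_at IS NULL", (email,)
    ).fetchone()
    return row is not None


def build_demo():
    """Constructed sample data: user 1 has an invoice, user 2 does not."""
    conn = open_db()
    with conn:
        conn.executemany(
            "INSERT INTO users (id, email, name, address) VALUES (?, ?, ?, ?)",
            [(1, "alice@example.test", "Alice", "1 Sample St"),
             (2, "bob@example.test", "Bob", "2 Sample St")],
        )
        conn.executemany(
            "INSERT INTO sessions (user_id, token) VALUES (?, ?)",
            [(1, "tok-a"), (2, "tok-b")],
        )
        conn.execute("INSERT INTO invoices (user_id, amount_cents) VALUES (1, 4200)")
    return conn


if __name__ == "__main__":
    db = build_demo()
    for uid in (2, 1, 99):
        print(uid, erase_user(db, uid))
    print("alice still found:", account_exists(db, "alice@example.test"))
```
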

GoDaddy will let you close your account, but you have to call customer service to do so. (After many years of having multiple domains with them, recently I decided to migrate all the domains I had with them over to other providers.)

One thing that is troubling is that if you have an expired domain with domain lock turned on, they will not delete your account until a year has passed from the non-renewal of the domain. The domain-lock feature cannot be turned off if that domain has been inactive for less than a year unless the domain is renewed. They told me they could not turn it off either so that the account could be closed, but I'm a bit skeptical on that, since it makes no sense that they cannot change the account settings with an authenticated customer making the request. Don't they control their own code? It strikes me as an excuse for them to leave the account open in case you change your mind.

In their favor, I was able to delete payment information immediately. Also, they have very friendly customer service representatives (though friendliness doesn't make up for powerlessness.)

Btw, this is an interesting and good service you are setting up. Thanks for your work!

Some companies do that, and say "it's our policy", without giving a real reason for it.

Thanks, and I've added GoDaddy :)

The very first thing that shows is the companies that are the least naughty.

This is a naughty list is it not? Suggest to please sort by naughtiest first.

We always sort by naughtiest first. Any services in particular you think have the wrong data?

Ah I see, I think it's a case of ambiguous copy being misinterpreted by some of us:

"Tech Companies That Won't Delete Your Information Services with the highest scores have the worst policies"

I read this as 20 is worse than 1.

Maybe something along these lines, explicitly explaining 1 is the worst.

"Tech Companies That Won't Delete Your Information Services. Those with the highest rank have the worst policies. A rank of 1 is the worst offender"

I think this is somewhat a problem of English missing a term that unambiguously means "1 is highest".


The list does not appear without allowing 3rd party javascript (and presumably tracking) by Google :/

I'm planning on re-building the site, which I'm working on. The analytics software I'm using is a self hosted version of Matomo.

I wonder about the ranking for the 'Communication' category. Somehow there are protocols, clients and services mixed up. To give an example of each:

- Service: Jabber.org

- Protocol: OMEMO

- Software: Gajim

Next, the score seems to be a similar mix-up, not so much focused on security but more as a general recommendation as a trade-off between number of features and overall security. To me that feels like bad advice. That way, a very respectable and stable app like Conversations is listed below the protocol it uses (OMEMO) and even below Tox which is officially listed as experimental, just because Conversations doesn't support audio or video telephony.

Other privacy related aspects, like the need to register a phone number to use the service, automatic contact list uploads or custom servers, are completely ignored.

I'm working on creating a new system that will improve the accuracy. Some people have pointed out something similar on reddit, which I do agree with. Phone number requirement is added under SMS.

Kayako. No direct account deletion, they need to poke engineer to do it after many requests. They require your personal information and CC to use free plan. No direct downgrade button to free plan if on trial.


Thanks, I appreciate the thought and effort.

There is too much special sauce on the page for me to see the actual list (perhaps one of your critical resources is already on my blacklist or too third partyish).

Thought you may be able to make use of http://backgroundchecks.org/justdeleteme/ to help with your checking. (no affiliation)

Plus it is great when a study like that is reproduced and vetted for drift.

Thanks again for your work.

Thanks :)

This page doesn't make sense: you say Tech Companies That Won't Delete Your Information at the top, and then immediately list, e.g. "Outlook Mail: Delete Account? Yes".

This makes them sound like they do delete your account information. If there is something specific that they don't delete, it might be best to highlight that.

Also I am unsure what "Track" means.

And how can your Delete Account be unknown? Did you try? If not, how can you claim they are naughty?

The point of me posting the list here, is to get feedback so that I can make corrections.

Hover over the Tracking text to see the explanation.

There are over 250 services in the list. Those who have the status Unknown didn't mention it clearly on their website. Feel free to make specific suggestions, and I'll make corrections.

It seems unfair to assume they won't delete it, before testing the assumption.

No hover on mobile. ;)

Will be fixed in the next major release :)

Slack's inclusion feels a little odd, since the customer in their case is the business paying for the service, not the individual. They do claim deleting a workspace cannot be undone.

Will GDPR save us from the products on this list?

Yes, and it will also give more insight in what and how they collect and process your data.

GDPR would be a nice "tool" to validate the actual deletion of personal data.

Yes, but only EU companies have to comply, and those who by extension are subject to the same rules by treaty, mainly the EEA and EFTA as well.

The GDPR applies to the data of anyone using a service while in the EU, not just to companies that are based in the EU.

While technically true, if the EU has no jurisdiction over you or your business, it's difficult for them to force compliance.

Another example of this is sales tax in the US. Several states have laws that tell the seller to collect and remit sales tax on any sales to residents within the state. But for sellers that have no physical presence in that state, the state has no ability to force them to actually do so (or to force them to open up their books and prove one way or the other).

For most large tech companies EU is their biggest or second biggest market. The fines are large, so it will be in their interest to comply.

I like this idea a lot, however, as many others said, you need to be transparent with the scores. I was more confused after reading your FAQ. Additionally, the column where you generate retweet links is obnoxious (entire UI needs major work).

The scores are completely transparent: http://secured.fyi/edit

Nice! Some thoughts:

- I’d rank them on a combination of size and score.

- perhaps a link to relevant delete / info page

- automatic vs manual (ie do you need to ask support)

- whether they have precise info on which information is deleted, and what is kept

- a column for claimed gdpr compliance

I want to add a lot more information as well, but there are some limitations to my current spreadsheet system :) I'm working on creating a new site.

Is anyone else having trouble viewing the spreadsheet? I can't view it on my computer or phone.

You have to allow scripts to run, because it relies on jquery.

I've been trying to delete the Apple ID associated with my email address for years, but Apple can't be bothered to handle account deletion, even after I paid them.

No, that simply removes the Apple ID from a device. Apple doesn't allow you to delete the account itself, which makes it worse than Facebook in that respect.

23andme and their competitors both ancestry and genotype tests

This makes little sense:

		Slack	No	No	2
		Kayako	Yes - Difficult	No	0.25

Almost the same level of issues, yet an 8X difference in the score.

I can only find documentation on how to deactivate a Slack account, not delete it. Kayako allows you to delete an account, but after multiple requests.

What do you suggest I change the weight to?

Maybe make scoring much, much clearer. Like, add a popup next to scores with a breakdown on how the score was calculated.

I'm working on building a new site that will support a similar feature, and many others.

Crocagile.com not only lacks an option to delete your account, they also flat out ignore any email to their support address with any such request.


Tracking you for "free" Google Search, Google DNS, Google Photos(geo location, faces, maybe object recognition), Google Recaptcha, Google Analytics.

Arbor Network Atlas anti ddos service on the tier one ISP level. Seeing flow samples of most traffic anti DDOS through network flow logs of many major tier one internet networks.

Cloudflare CDN major focal point of internet traffic.

Not sure what you mean.

It seems like they'll soon be (heavily) fined under GDPR if they don't change... ;-)

Where's Gmail?

Good question, added.

Why should a company have to delete accounts?

Protection of personal data. If you don't use an account anymore, you shouldn't have to be subject to the data leaks the site will suffer in the future.

what in the world does a yes or no in the "tracking" column mean?

If you hover your pointer over the Tracking text, there is an explanation.

Also hacker news.


Any personal experience with them, and if that's the case what was it like?
