For some time now I have been trying to clean up my digital footprint by requesting deletion of accounts and associated data for unused accounts, and being critical about which accounts I actually benefit from keeping. This turned out to be far more time consuming than I imagined beforehand.
I’ve been using a password manager for about a decade, so I have a fairly good overview of a lot of the accounts I’ve opened over the years. However, while privacy has always been important to me, I was more concerned with increasing governmental surveillance rather than corporate surveillance for many years. So over the years I’ve signed up uncritically to a large number of services. Most of these do not have much data about me, but my username has generally been reused, along with e-mail and sometimes phone number and other more sensitive data. This of course doesn’t take into account all those minor services I’ve signed up for with e-mail + reused password. I have no control over those…
Now GDPR thankfully makes the job of cleaning up the accounts I do have control over a lot easier, because I doubt many of these services would even let me delete my account if not for it. However, it does not regulate enough how easy this process should be, and there are so many different ways companies implement this. From extremely convenient and easy ways of exporting all data and deleting the account, such as implemented by Strava (kudos to these companies!), to the worst offender of them all: British Airways… Until recently you would have to send an actual letter to their data protection offer with a copy of your passport (yeah right…). Sometime this year they’ve changed this, so now you just have to upload a picture of a letter to their document’s portal, but since that is borked, I can’t even access it to complete the deletion request. Apple also rejected my deletion request for an unknown reason, and I had to spend 45 minutes on the phone with them to understand that a cancelled, but still active subscription (a 1-year subscription that had not expired yet) from the app store, was blocking the deletion. Most are in between these two extremes, and either require that I actively follow up that I get a reply when I send an e-mail to their data protection officer with my request, or have processes that take up to a month to complete.
Of course, cleaning up 10-15 years of uncritical online presence would take a long time anyway, but companies making it hard on purpose to delete your account and data is infuriating, and a testament to a status quo that should burn in hell.
On the plus side: I no longer have accounts with Microsoft and Twitter, accounts with Apple and Amazon should soon be closed. My goal is to have completely phased out Meta and Google by the end of this year, although the communication lock-in of Meta and the fact that my primary e-mail was Gmail for 15 years (I’ve switched two years ago to Proton), makes these transitions a bit more difficult.
If nothing else, this process has made me very conscious about platform lock-in and the “joys” of ecosystems…
I feel you man. Here un Latin America we don’t even have the regulations. My experience here is we are getting blasted with by corporate abuse and our little protection (SERNAC in Chile) we had has stripped apart by some stupid law.
The problem is twofold. The first part is that companies cannot be trusted to act in good faith when it comes to complying with the intent of laws they disagree with. This doesn’t apply to every company, but it applies to enough of them to make life difficult. I think it was Enron who, when ordered to supply prosecutors with emails, opted to print them out and hand over reams of paper that then had to be re-scanned. This is the same approach as companies that require physical mail to delete a record and who only do so for locations where it’s required by law. There’s no reason that it cannot be done more easily with a login and password. When I was deleting my reddit accounts, I had to use a script to delete all of my posts and comments because reddit did not support that functionality.
The second, related problem is that the legislators writing the laws aren’t skilled technologists, and that technology keeps evolving. It’s like having people with no background in finance writing laws to regulate wall street (which also happens). Cynical people might think this is seen as a feature not a bug.
Yes, proper regulation is difficult. My (limited) impression of EU regulation is that they often do have enough technology know-how to make regulations that to a large degree make sense, but not enough for them to be fool-proof. This is at least the case in the industry that I work in, which is also heavily regulated by EU. I don’t know anything about the processes of making these regulations, and whether those shortcomings generally are the result of sneaky lobbying (most certainly this must be the case at least sometimes) or lack of know-how.
I just started this process now. It definitely is a marathon. The plus side is that you get a warm, fuzzy feeling after each piece of data you remove/fuzz!
Agreed with the others that you need to prevent that data getting in the cloud in the first place. This is essential from having to do the clean up again the future.
Not an answer but more of a mitigation strategy.
Duck mail proxy and a password manager that uses its API solves a few of the issues.
Phone number is linked to Google voice so I can change it on the whim.
I think the best answer is to stop creating the data and accounts. Everything can come later
Out of Big Tech, I carry an Outlook, WhatsApp (needed), Discord and Amazon account, after having purged out everything else from my life. And I find myself comfortable with it. The range of information, societal participation and convenience I get with these is great.
Out of these, I want to get rid of Outlook mainly, as I have been a ProtonMail user for years now, however, Outlook works well as the junk mail to give to everyone, while professionally I use ProtonMail. Amazon is used for shopping once a year atmost, so I do not find it that problematic, and I need to have one trustable e-commerce shopping account, since I do not live in a village.
People are bamboozled when I tell them I do not have a Netflix, Google, Instagram or Tiktok account, but then they also see I am able to do more things than them in better ways and am physically and mentally pretty strong, and I have more or less zero drama in life. And this increases my standing in society a lot more than the average person that has these accounts to “socialise with society”. I am trusted with everyone’s personal secrets and have a nearly ideal foundation in life, which most privacy seekers struggle with.
I am not sure you know about me, but how would you advise me on a privacy guide about something like a Pareto frontier graph? I have had it on my mind since a whole year, but nothing concrete to shape it up into a guide.
Yeah, it’s about finding the right balance for oneself. I know WhatsApp is very much needed many places, in the same way Facebook Messenger still is here (but to a much lesser degree than before, so there’s hope!). Discord I also have, and will keep, but if I find communities I’m looking for on Matrix instead, I rather go there first. Amazon does not really work well in my country, so that is not a big deal to delete.
Regarding e-mails: to prevent lock-in, I set up custom domains that I use with Proton, that I can easily migrate to another service provider if needed in the future. I have one for personal communications, and use a mixture of catch-all aliases and SimpleLogin for new signups and accounts I want to keep. I also have one domain for semi-anonymous accounts more associated with my “online personas” than my real identity. This fits my threat level nicely.
I have also rid myself of streaming accounts now (last one is heading towards expiration within a couple of weeks). But instead of not consuming any media, I must admit I have taken to piracy again. The goal is to be a lot more conscious about the content I consume - too much time has been spent on mindless browsing for something to watch on Netflix and garbage movies / shows. Now I host Jellyfin locally, and I control exactly what content is there in the first place.
As to your last paragraph, I did not really understand what you are asking about?
I create guides and writeups for privacy. If you ever heard of r/privatelife or the non root smartphone privacy guide, that should help. I do not spam content, and I write only once or twice a year, and come up with guides no one else does. Do you know what Pareto frontier is? I am thinking of plotting multiple graphs between privacy, security, anonymity and convenience, which would end a lot of unnecessary debates.
As with all things infosec (and life in general), best practice is to not get yourself into the mess in the first place vs. trying to clean up the mess later. You should have already not had personal data “in the cloud” and should have been using unique identifiers and authentication for every service that you use.
I agree that the it would’ve been best to never have gotten into the mess in the first place, but these are sins of the past that are not undone now. I, like many others, was for a long time ignorant of the extent of data collection, and did not have the knowledge to fully reflect on the potential consequences (I signed up for Facebook as a teenager). And it’s not like all these companies have been very transparent about how much they collect and where the data goes and is used for. The vast majority of netizens still do not fully understand the scope of this, and are also not in a place to be able to apply best practice infosec principles.
My rant is about how unnecessarily time consuming and difficult the process of cleanup is, when you already find yourself in this situation, despite regulations that gives you the right to have your data deleted. Most people would not want to spend this amount of time on this, and as such, the tactics applied by these corporations work.
I feel your pain. I’ve been trying to clean my digital life up and it is almost overwhelming. I’ve only been working on it for a month or so in my spare time but it’s a collosal PIA. I wish every site that had a create account button had an equally obvious and easy to click delete account button.
That’s common knowledge now but some of us have been around since the beginning of the modern internet when corporate data collection wasn’t even a thing. The privacy invasion was a slow creep that some of didn’t notice until it was too late. The 198 accounts in my password manager are only the last ten years or so of accounts. I’ve been online since the early 90s and can’t begin to remember what services/sites I was using back then that might have survived or been breached.
