A few days ago I decided to continue working on a project I have been planning (and barely executing) for quite a while: my “Digital Resiliency Plan.” I am planning to write about this here eventually, but essentially it’s just a nice way to say “get my stuff in order” when it comes to digital data, especially in terms of safety of the data (e.g., backups) and the ability to maintain access to it in most circumstances.
A crucial piece of my digital information includes the credentials to access the many services I rely on, which are stored in my password manager. While I currently use Bitwarden and back up the data regularly, I wanted to try one-way-syncing all the entries into Proton Pass, since I have it included in my subscription and it could work as a simple, fully functional “offsite” backup. Before doing so, I took the silly decision of cleaning up the existing items in Bitwarden, so that I wouldn’t duplicate useless entries that will require multiple deletions in the future. I call this decision silly because there are virtually no downsides to having stale items in a password manager, and because this activity has required more than 20 hours of actual work, essentially eating up all the time I wanted to spend on the broader project.
But hey, what’s done is done, and I think there is plenty of value, especially from a privacy perspective, in ensuring your own data is not scattered all over the internet. This post will therefore cover my relatively monotonous adventure in what it means and what it takes to go through about 15 years of online accounts, trying to delete your data. In doing so, I will compile a top 10 list for what I found to be the funniest or most interesting experiences. Let’s begin.
My Rights
I live in Europe. As everyone who hasn’t lived under a rock in the last 8 years knows, for European residents the GDPR applies. Article 17 states what is commonly referred to as the “right to be forgotten”, which means that any data subject has the right to request the erasure of personal data in some cases, which include “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.”
In more practical terms, I have the right to have my data deleted, especially if I want to get rid of that particular service completely. There are caveats, and some services are required for various reasons to keep some data for a number of years, but they need to provide such justification.
My Plan
Going through all the entries in your password manager one by one is not exactly a particularly entertaining activity, so I tried to get the most out of doing it this one time. Besides deleting data for whatever service I don’t want or need anymore, I also carried out two more activities in parallel:
- I adjusted email addresses used, based on a simple 3-level tier:
  - For services that don’t need my real identity, and that are not really critical or that I don’t care about, I use a SimpleLogin alias. Using an alias with no other personal data means that in the future I can potentially delete the alias and forget about that service without bothering to delete the data.
  - For services that don’t need my real identity, but that are critical or that I care about, I use an address from another domain I control and that I consider pseudo-anonymous. This will ensure independence from Proton/SimpleLogin, as I can simply move that domain to another provider to maintain access, for example in case Proton goes out of business or SimpleLogin explodes overnight.
  - For services that require personal data (for example, for billing reasons or to ship you items), I just use my name@surname email address. They have that data anyway and if anything using another domain will give them more data by de-anonymizing it.
- I organized every item in the manager, adding them to a simple hierarchy of folders that mostly reflects the data used (e.g., real identity, alias, etc.) and added notes where appropriate.
Some Numbers
To give an idea of the amount of work needed, here are some numbers regarding this whole thing:
- I started with 356 items in my password manager.
- 57 accounts (16%) have been deleted.
- 33 accounts (9.2%) are pending deletion, meaning the deletion process is not immediate.
- 27 accounts (7.6%) are now in a category I called “legacy & unmodifiable”, which includes services that simply don’t exist anymore, or that don’t offer any way to delete or change account data.
These numbers might seem very small to some, very big to others, but it’s just what I have accumulated over the years. Overall I managed to eliminate about 30% of my online accounts.
Top 10 Account Deletion Experiences
Without being unreasonably optimistic and expecting that Delete Account is a button in every website that allows user registration, there are a few ways in which an account can be deleted, sorted by professionalism:
- You do it yourself from within the service.
- You fill in some web form (authenticated), in which you request the deletion.
- You reach out via email to some contact, asking for deletion.
I perfectly understand that some websites are run by tiny companies or organizations with no technical department, and in these cases I think it’s OK to have a manual process. The “send an email” method is a bit sketchy, mostly because in a data deletion request you have to include some identifier (e.g., username, email, name), and I genuinely wonder what will happen to that email after the deletion, since now this contains personal data…
Anyway, here are the few experiences I found most interesting or just funny.
10 - The Marketing Email
I can’t even imagine what kind of spaghetti code governs the account deletion process in some systems. I can only guess that it might be some weird reuse of registration flows with some flags inverted or something as weird as that. Either way, the 10th place has been earned by Wikiloc, with their hopefully harmless weirdness. A few minutes after I deleted my account, I received a marketing email that introduced me to the new features of the website.
Was the email queued to be sent before the deletion, because I logged in? Is there a trigger on any user event for emails? I will never know. I did confirm that my login is no longer valid, so this will remain a mystery.
9 - The Bouncer
Buried deep in my password manager, and even deeper in my memory, there was an item for Workrite, a website that - it turns out - my employer used for some Health & Safety training. The apex domain redirects to Ideagen, while the app domain is a page with no privacy policy or other links. Logging in I couldn’t find a way to do anything besides seeing my data. I could not change my email either. I decided then to check the privacy policy for Ideagen, where I found a statement that will become a very common occurrence in this process:
Should you wish to exercise any of these rights, please contact [email protected].
This falls into the “what happens to the data in my email” category, especially since this sentence is preceded by:
In order to review any request in line with your rights it may be necessary to verify the identity of the person exercising their rights.
Anyway, I sent an email with a template for GDPR data erasure request, and…
I haven’t received my bounce email yet, so perhaps writing this is premature. Yes, emails may fail, but let me just go out on a limb and say that it’s not very common for email servers to be down for whole days, and I am not sure how an active company (by the looks of it!) can survive without incoming emails for an extended period. On a separate note, a company that deals with work-related health & safety presumably treats very sensitive data. I find it relatively worrying if this is in any way representative of their level of commitment to data protection. I will try to remember to update this entry in a few days should my email finally be delivered, maybe it’s all a misunderstanding!
8 - The Goner
We sometimes think of the internet as an eternal entity, but many people, especially those who work in the field, know that in reality many parts of the internet are broken at any time, links break and services disappear. It is quite unreasonable to expect every website to be up for 10, 20 or 30 years. This story is far from the only case of a service that doesn’t exist anymore, but I think it’s the strangest since the website was public, recent and collected very sensitive data.
Back in 2020/2021, in the middle of the COVID pandemic, travelers to certain countries were forced to fill in some “Passenger locator form”. Essentially you included your personal data, flight details and address where you would be staying, so that you could be more easily tracked in case of infection.
To support this process, a European service was created, euplf.eu. If you search for it, you might find a few results, for example this page that mentions it.
This is how this website looks today:
As I said, websites are not eternal, but a governmental website that disappears (without even a redirect) after less than 5 years? Actually, the requirement persisted until sometime in 2022 in some cases, and who knows since when this website has been down.
Anyway, I am left wondering what happened to my data. Did they just delete it together with the reverse-proxy configuration? Is it sitting in a backup somewhere, waiting for a “non sensitive” breach to access some “old non production data” including detailed personal data for millions of people? Who do I even contact to ask clarification about it? Yet another mystery.
7 - The Template
This is one of the cases that I found funny rather than infuriating or interesting. A few years ago I bought a (very good!) Varmilo keyboard. The company is presumably very small, you can see that the website is held together by scotch tape, and that it is basically 99% a Shopify integration.
However, I had a good laugh when I went through the Privacy Policy:
I put myself in the shoes of the person at Shopify who underlined the “delete all Notes to Merchant drafting notes” section. Anyway, besides the funny aspect, the policy actually contained an email address for sending data requests. Interestingly, the address was a (personal) @gmail address, which means that all the data that identifies me has now been processed by Google too. I also did not receive any automated response to acknowledge the request, so I think I can only cross my fingers for this one.
6 - The Megacorp Who Can’t Code a Button
The 6th entry is also a funny encounter, as the problem was ultimately solved. Have you tried changing your Reddit email? Have you tried deleting your Reddit account? Well, if you haven’t, give it a try. I think it’s hilarious in its own way that apparently such a big company (and very hip) cannot write a simple form.
In fact, if you go to the account deletion menu, fill in all the data, and you let your password manager fill the username/password, the button for deletion (same applies for email change) doesn’t work:
The secret? You need to type username and password. Why? I didn’t hit my head enough times yet to understand it, but I assume it has to do with some JavaScript event or something. Was it written anywhere? Is it a bug? Is it a feature? No idea, but now if you face the same issue, you know what to do.
Reddit, seriously?
5 - The Scapegoat
In the 5th position we find yet another occurrence of “this is a small company”, and a perfect representation of classic sloppy compliance. While this is another funny instance, it’s also a bit annoying for two reasons:
- Effectively, I haven’t solved the issue yet (i.e., my data is not deleted).
- This provider decided to collect data when it’s absolutely not necessary. To clarify, this is the digital booking system for a barber shop. There is no reason for a barber shop to actually collect any data, and I would say that if you decide to do it, then you should accept the corresponding responsibilities, in the same way that if I decide to serve food in my toilet business, I now have to comply with food safety regulations.
I will not mention the service because it’s somewhat local, but as usual, there was no way to delete the data from the website. So I checked the privacy policy and I found the usual email address to use for “exercising my rights”: [email protected].
Armed with my usual data erasure template, I sent an email, and a few minutes later I received an automated response:
Translated to English from Finnish, it reads something like:
Hi, thank you for your message. I’m on holiday until August 17, 2025. For urgent matters, please contact me by text message.
I am just deleting accounts, this is far from an urgent matter and I won’t disturb this guy’s holiday, but I can totally see how:
- privacy@ is not even an email distribution group, it’s probably just an alias to this guy’s inbox.
- This guy set automated replies for everyone, not just for internal emails.
- This is clearly a message for colleagues, because the email doesn’t even have a signature with the phone number or anything. The screenshot is the whole email.
I really hope that this guy will know what to do with my email after complying with my deletion request, but I have a suspicion that some of my data will sit in their inbox for a while…
If I were aware of a data breach for this company, I should probably find their phone number online and interrupt them while they sip a tropical drink on the beach?
4 - The App
The hostility that service providers have towards websites to push users towards using their apps is not a new topic. Just a few days ago a post about the topic was on the front page of Hacker News.
In some very rare cases, I understand it. In others, I struggle. This is one where I struggle. A few years ago I decided to use an old phone I had lying around as a security camera while I was travelling, and I installed Alfred. Since then, the phone is back in a drawer, and I forgot about the whole thing.
When I saw this account I decided to delete it; immediately after opening their website I was informed that the site only works on Chrome, Edge or Safari. I installed Chrome, logged in and tried to look at my settings. Well, despite this company having developed a whole system to see your cameras from the browser and use your computer as a camera, I couldn’t find even a page that displayed my own information. Not even to change the password.
I then searched for “How to delete Alfred account” on Kagi, and found this support page, which shows the following:
To be fair, they offer the “send us an email” option as well, but to avoid the whole “what happens to my email with my data”, and since they specify that they need “a verification” process, I decided to use the automated way. You may notice that the list of “device types” has only 2 items, Android or iOS. No deletion process from a regular browser.
This forced me to reinstall the app, log in and then perform the cancellation according to the instructions. It worked decently, but it was very annoying having to install an app to do basic account management, and then having to uninstall the same app immediately.
Do you want to know what is even more annoying, though? That it was not necessary. If you access the privacy policy, there is a line:
If you would like to request access to your personal data, please refer to the Contact Us section below to submit a rights request.
Superficially this smells a lot like the “send us an email” option, however, in the Contact Us section, it says:
Once again, we take the information we gather from you rather seriously. Generally, the information is collected to serve as an important reference to provide you with better products and services. If you have any questions about our privacy practices, you may submit an inquiry via our Feedback Form.
I don’t really want to ask anything about their practices, but the careful reader will notice that the instructions are fairly similar to the ones for Android devices. In fact, turns out that their “feedback form” is exactly the same page that is shown by the Android application. Literally the same, screen size and all.
The whole thing raises more questions for me: do they know that you can do the same action in the browser? Why do they call a “feedback form” something that you can use to request actions? Why don’t they mention this possibility straight in the privacy policy? Why not mention it at least in the support page? Why write a whole system to use the service via desktop, but not allow the most basic operations ever, like a password reset (the careful reader might have noticed the Change or reset my password entry in the screenshot, but it just leads to the same support page where you are guided through the app)?
3 - The Literal Interpretation
The bronze medal goes to probably the event that made me laugh the most during this whole project. There was a time when I used to play League of Legends, and in a particularly competitive period I decided to “study” the game more methodically, which for me meant signing up for Skill-capped and purchasing a few months’ subscription.
Since LoL is now thankfully in my past, and I assume my daily dose of toxicity from other sources, I decided to wipe that account clean, since it had personal data due to the past purchase.
Such a small company obviously doesn’t have any account management feature, but as usual, the privacy pol… just kidding, they don’t have one. But there is a support email in the website footer, so I sent my data erasure request to that one and prayed. I got an automated reply that indicated this email is wired to Zendesk (good, no OOO auto-reply), and soon I got a reply from a human (most likely) that informed me:
While in my mind I was imagining the guy just poking the “development team” person sitting next to them, I was happy that they were very quick in satisfying what for them must be a very rare request.
Interestingly enough, when I tried to log in again with all my allegedly deleted accounts, I was still able to log in to this one. Is this a classic case of “the process might take up to 2939011 days”? Was this a case like Quora that “if you log in we reactivate your account immediately”? Nah, it was actually much better:
The “development team” literally replaced my username with “DELETED”, supposedly in a literal interpretation of “can you delete this user?” request, and that’s it. My transaction is still there (maybe they need to keep it?), my email address is still there, my password is obviously there (since I can log in).
I find this so hilarious, that I am almost tempted to create another account and then request deletion for that too. I want to see what happens if they set multiple users to DELETED.
I will soon follow up on my previous email, but at this point I think the two following options have a 50/50 chance of happening:
- The “development team” will simply change/delete my password. So my data will still be there but I won’t be able to log in and see it, simply hiding the problem.
- They will actually delete the data.
It’s a pity I won’t know either way.
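The difference between the username rename described above and an actual erasure, as an added example that is not from the original post or from the service in question. The schema, column names and sample rows are constructed assumptions, and keeping the transaction row while clearing its name field is one assumed retention policy.

```python
import hashlib
import hmac
import sqlite3


def _hash(password):
    # Constructed stand-in for a password hash; a real system would use a slow KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory store with one constructed user and one past purchase."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "email TEXT, password_hash TEXT)")
    db.execute("CREATE TABLE transactions (id INTEGER PRIMARY KEY, user_id INTEGER, "
               "amount_cents INTEGER, billing_name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice', 'alice@example.com', ?)",
               (_hash("constructed-password"),))
    db.execute("INSERT INTO transactions VALUES (10, 1, 1999, 'Alice Example')")
    db.commit()
    return db


def rename_only(db, user_id):
    """The 'literal interpretation': only the username column changes."""
    with db:
        db.execute("UPDATE users SET username = 'DELETED' WHERE id = ?", (user_id,))


def erase(db, user_id):
    """Remove the account and strip the identifying field from retained records."""
    with db:  # one transaction: either both statements apply or neither does
        db.execute("UPDATE transactions SET billing_name = NULL WHERE user_id = ?",
                   (user_id,))
        db.execute("DELETE FROM users WHERE id = ?", (user_id,))


def can_log_in(db, email, password):
    """The check the post performs by hand: do the old credentials still work?"""
    row = db.execute("SELECT password_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], _hash(password))


def residual_pii(db, user_id):
    """List the table.column locations that still hold data for this user."""
    findings = []
    user = db.execute("SELECT email, password_hash FROM users WHERE id = ?",
                      (user_id,)).fetchone()
    if user is not None:
        if user[0] is not None:
            findings.append("users.email")
        if user[1] is not None:
            findings.append("users.password_hash")
    named = db.execute("SELECT COUNT(*) FROM transactions "
                       "WHERE user_id = ? AND billing_name IS NOT NULL",
                       (user_id,)).fetchone()[0]
    if named:
        findings.append("transactions.billing_name")
    return findings


if __name__ == "__main__":
    for action in (rename_only, erase):
        db = make_db()
        action(db, 1)
        print(action.__name__, residual_pii(db, 1),
              can_log_in(db, "alice@example.com", "constructed-password"))
```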
2 - The Ghost Startup
The silver medal goes to a worse variation of “The Goner”. If there is something worse than a company disappearing, it is a company that has seemingly disappeared but whose systems are still running. You see, for the former the chance that nobody is paying the server/cloud/storage bills is quite high, and so is the chance that everything is - in fact - deleted. In the latter instead, you are certain that the systems are up and the data is there, but there is nobody to actually manage it, protect it, and more generally take ownership of it.
It’s also not news that startups care about time-to-market, disrupting, capturing users, growing fast. They don’t have time to deal with bullshit like the law. So I definitely feel proud to give the silver medal to bike-id.eu. This service has (had?) the respectable goal of tracking bicycle serial numbers to identify stolen bikes. When I spent 800 Euros on my bike I wanted something similar, so I signed up for the service.
Years have now passed, and while I still don’t want my bike stolen, my tires lasted longer than this service, which means now it has no value for me. In fact, this service collects very sensitive data:
What was I thinking when I signed up? No idea, but now it’s the time of action, not complaints. One of the most striking features of this service’s privacy policy is that there isn’t one. There is no contact, no support, no company name, no footer, no address, no phone number, fax number, company registration number, nothing. If you were to go to their website and check who runs it, you won’t find it.
I know what you are thinking. I know. You are thinking “why do you care about this stuff, just delete the account and move on, it’s a dead service”. You are right, I can just delete the account:
Or not
So, what now? We have no contact, nobody who is responsible, no company, no phone to call, nothing. Searching online I found this entry in what looks like some Estonian business register, which indeed seems to list the website and might be what I need. In the “E-mail” section I see a @gmail address and a @bike-id.eu address, presumably of the same guy.
I dropped an email to the guy with some hope that he will read it and that he will do something about it.
To conclude this story, I just want to highlight how risky it is to give your personal data (this includes my national code, in addition to full name!) to companies, and even more so to startups. It’s so common to find absolutely zero care for personal data, and complying with the law and protecting this data is at the bottom of the list of priorities, probably under at least 3 logo and color-scheme refreshes. If this was not enough, these companies can launch, collect data and then simply disappear because the idea doesn’t work out, they never take off, the founders lose interest, etc.
1 - The Hydra
I want to end with an anti-climax. This story is not particularly scandalous and doesn’t excel for gravity, but I found it a mix between funny and confusing, plus it relates to a decently-sized company that cannot get a pass like small shops did.
I will spare my opinion on Bug Bounty programs, but let me just say that I stopped working for free for companies that can very well afford security teams. Additionally, Terms & Conditions for the bug bounty platforms are absolutely predatory for researchers, so for these and many other reasons, I stopped doing any of this long ago and now it was time to delete my Bugcrowd account. Obviously a platform this size has an automated function to delete your acc- no it doesn’t. You have to send an email to [email protected] and make your request. It’s worth mentioning that in this platform you (can) get paid, which means you can absolutely have lots of personal data in there. But alright, let’s not get worked up, at this point I have already sent probably 30 emails to delete accounts, I am definitely not surprised by any of this anymore.
So I sent the email, and as expected, after a few minutes I received an automated response from their Freshdesk integration:
Until here, the usual frustration for a company that deals with tech and sensitive data who didn’t bother automating data management features, but nothing out of the ordinary. Then, the magic:
You see, here we are in a hydra situation, you try to delete an account, and you get another account created instead. As of today, my ticket has not been serviced (which is fine, it’s not urgent), but the whole thing begs the question:
- Should I now ask for a separate deletion for the ticketing system account and data?
- Why would you create an account for me automatically (already with my full name, by the way), to track a request I made via email (not even to a support email!)? A request to delete data, no less!
- Why did you configure the servicedesk in general to create accounts automatically, and not simply offer registration for those who want it?
I don’t know the answer, and to be fair, it’s possible that when the ticket is serviced, the good people at Bugcrowd will delete both accounts, but I have to admit that having your data shared with yet another service (sure, it’s the same company, but different system) when asking to delete your data is ironic.
Conclusion
I hope it’s obvious for all the readers that this whole post is about a first-world problem, mostly. However, I believe that it’s still very important that collectively we learn to treat our own data as it deserves to be treated, and demand that companies that decide to collect this data are held accountable for their choices.
For serious companies data should be a liability, and they should be absolutely happy to get rid of as much of it as possible. For companies that instead choose to participate in the data economy and therefore try to make it hard, inconvenient, complex or not possible to make them give up your data, we should make this as hard, annoying and legally risky as possible.
If you find an error, want to propose a correction, or you simply have any kind of comment and observation, feel free to reach out via email or via Mastodon.