[gdpr-discuss] Deletion of Data

Ben Cooksley bcooksley at kde.org
Sun Apr 15 08:47:56 BST 2018


Hi all,

Sorry for starting a new thread on this one, but I thought it would be
a good idea to gather the methods for deleting data we know of as
something separate from the current "undeleteable data" thread.

The following is what I'm aware of that we do at KDE:

Bugzilla: We merge the account to be deleted into a single anonymous
account (null at kde.org). This erases all the PII collected from the
user (name, email address, etc.) as the data from the anonymous account
takes its place. The history also gets merged in with the anonymous
account (and thus mixed in with that of every other account which
we've removed).

The only thing which does get kept are the posts made by that user,
which are as far as I am aware outside the scope of GDPR. There is
already a script shipped with Bugzilla, contrib/merge-users.pl for
this.

Mediawiki: We merge accounts here as well, same thing happens as
Bugzilla. The edits stay behind but the user's details are erased
forever. You can use the UserMerge extension for this.

The only place we might fall short is User: namespace pages if they've
used these - while these can be purged using RevisionDelete, I don't
think this actually destroys the information (it just hides it from
everyone except those with revisiondelete permissions).

phpBB: It has functionality to allow accounts to be deleted, so you
rename the account to something like "AnonymousAnimal" then delete the
account, ticking the option to keep posts. It's an included part of
its functionality. The only "identifying" thing left behind is the
name of the account (hence the rename before you pull the delete
trigger).

Drupal: It has integrated functionality to let you cancel accounts -
as part of this process you are given the option to transfer the
content it created to the "Anonymous" user then delete the account
(effectively equivalent to what we do for Bugzilla).

Wordpress: Same situation as Drupal; its account deletion option
lets you transfer the content it created to another user.

Nextcloud: Lets you delete accounts freely from the web interface if
you are a Super Administrator. Destroys everything owned by the
account for good measure.

Traces of information in shared files they'd worked on would be the
only concern here, for which we'd have to manually check everything
they had access to (given the myriad forms data can come in, manual
checks are the only way to do this in reality as automatic mechanisms
are bound to miss support for one or more types of file).

Phabricator: Unfortunately it does not support merging of user
accounts, and upstream strongly warn you against deleting data (they
don't support it). There is a tool to do it for data including user
accounts; however, this isn't really a solution because the history of
actions taken by that account can still be reconstructed from the
transaction logs kept by Phabricator (which can be freely accessed by
anyone with an account via its Conduit API).

At the moment we deal with these requests by changing the username to
something anonymous and removing all other profile details which are
personally identifying. This does leave the user's activity history,
but is otherwise a fairly complete removal and doesn't run the risk of
breaking parts of Phabricator.

I'd be interested to know folks' thoughts on user account merging as a
solution to the problem - and whether they think any of the above
aren't sufficient for compliance. Historically we haven't seen any
user profile information survive account merges.

Cheers,
Ben
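An added illustration of the "merge into an anonymous account" pattern described above for Bugzilla and MediaWiki, followed by the residual check a practitioner would want after the merge. This is example code written for this page, not KDE's procedure nor Bugzilla's contrib/merge-users.pl or the UserMerge extension; the record layout (a users table keyed by id, posts with an author id and a free-text body) and the sample records are constructed here and do not correspond to any real tracker's schema. The point it makes that the post only states in passing: merging reassigns ownership and drops the profile row, but it never touches post bodies, so a name in a reply or an e-mail address in a signature survives and has to be found separately.

```python
import re
from copy import deepcopy

# Constructed sample dataset (hypothetical schema, not any real tracker's tables).
# User 0 plays the role of the shared anonymous account.
SAMPLE_DB = {
    "users": {
        0: {"name": "anonymous", "email": "null@example.org", "realname": ""},
        7: {"name": "jdoe", "email": "jane.doe@example.org", "realname": "Jane Doe"},
        9: {"name": "bob", "email": "bob@example.org", "realname": "Bob Smith"},
    },
    "posts": [
        {"id": 1, "author": 7, "body": "Crash on startup, see attached log."},
        {"id": 2, "author": 9, "body": "Thanks Jane Doe, reproduced here too."},
        {"id": 3, "author": 7, "body": "Fixed in master. -- jane.doe@example.org"},
    ],
}


def merge_into_anonymous(db, user_id, anon_id=0):
    """Reassign every post owned by user_id to the anonymous account and drop
    the profile row. Returns the removed profile so the caller can scan for it.
    Posts are kept; the profile fields (name, email, realname) are not."""
    if user_id == anon_id:
        raise ValueError("refusing to merge the anonymous account into itself")
    if user_id not in db["users"]:
        raise KeyError(f"no such user: {user_id}")
    profile = db["users"].pop(user_id)
    for post in db["posts"]:
        if post["author"] == user_id:
            post["author"] = anon_id
    return profile


def residual_pii(db, profile):
    """Scan the free-text content that survives a merge for the removed
    profile's identifiers (case-insensitive). Returns (post_id, matched text)
    pairs; an empty list means nothing obvious was left behind."""
    needles = [v for v in (profile["name"], profile["email"], profile["realname"]) if v]
    if not needles:
        return []
    pattern = re.compile("|".join(re.escape(n) for n in needles), re.IGNORECASE)
    hits = []
    for post in db["posts"]:
        for m in pattern.finditer(post["body"]):
            hits.append((post["id"], m.group(0)))
    return hits


def anonymise_account(db, user_id):
    """Merge on a copy of the dataset and report leftover mentions.
    Returns (new_db, hits); the input is left untouched."""
    db = deepcopy(db)
    profile = merge_into_anonymous(db, user_id)
    return db, residual_pii(db, profile)


if __name__ == "__main__":
    new_db, hits = anonymise_account(SAMPLE_DB, 7)
    print("remaining users:", sorted(new_db["users"]))
    print("post ownership:", [(p["id"], p["author"]) for p in new_db["posts"]])
    for post_id, text in hits:
        print(f"residual PII in post {post_id}: {text!r}")
```

On the sample data the merge leaves users 0 and 9, reassigns posts 1 and 3 to the anonymous account, and the scan still reports "Jane Doe" in post 2 and the e-mail address in post 3: exactly the kind of trace that account merging is not designed to remove. A short or common username will produce false positives in the scan, which is why the hits are returned for review rather than automatically redacted.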
