The spread of personal information across myriad services is, I think, becoming a huge problem.
I recently had a case with one such service. They store personal information that could be very damaging if it got out. SSN, driver's license, name, address, phone, credit card info, etc.
I decided I no longer needed the service and so I asked to close the account and clear all of my data from their servers and backups. I was particularly interested in the information that could be used for nefarious purposes given a data breach or a sale of the business.
They refused and gave me some bullshit reason.
I moved immediately to arbitration per their own TOS. Within a couple of days they became very responsive and have, in theory, cleared all my info from their service.
And that's the issue. How do you know? They could have lied to me just to get me to drop arbitration. Hard to know how far to pursue something like this. No company should keep information on you that you do not authorize them to keep. A consumer ought to have the right to have any and all traces of their personal data erased from databases with absolute certainty. Privacy ought to supersede everything else.
What if you want Facebook to clear all data related to your account? I don't think that's possible in the US, is it?
The reason given for collecting such data is often, "for your protection" or a variant of, "to verify who you are."
And invariably, I hear about that exact data becoming exposed a few months later. It's extraordinarily frustrating that even when you articulate this vicious cycle to them, they still blindly push forward with the same efforts.
Once Facebook has data, it ends up in their database backups and potentially in their logs, and also potentially in CDN caches, so even if they deleted it from their production database it wouldn't really be gone.
This is one of those cases where it is impossible to prove a negative -- one can never prove that the data you gave to Facebook doesn't still exist somewhere, even if they look for it everywhere they can think of. Similarly, the company you entered into arbitration with might have made a good-faith effort to delete your data, but they might not have fully succeeded.
Therefore, one must assume that any data given to any company might somehow survive even if the company attempts to delete it.
They're Facebook; I'm sure if they actually bothered they would be able to design things so that deleted data could also be removed from backups and expired out of CDNs.
I mean hell, at my company we are putting in tools and methods that will allow us to very easily remove data with a single command from our systems should a customer/partner request that their data be deleted.
23andMe tried to give me the runaround when I wanted my data destroyed. When I replied pointing out the exact clause in the TOS I was referencing (that was very hard to find), they were immediately condescending assholes. When I politely replied that I just wanted them to do what the TOS said, and I asked using the exact phrasing they requested, they went right to hostile and insulting.
There is no way in hell they actually destroyed my sample or my data. They quite rightly knew that they didn't need to convince me of anything or try to hide the fact they were lying.