Renames, OpenID and deletion of external content
Thursday, July 29th, 2010 03:09 pm
Recently, LJ had been restricting openID usage of LJ accounts which had been renamed. The problems seem to have been resolved to some extent, but I'm not sure what they'll end up doing in the long run. Basically, the problem has to do with renames. If you delete your account, and I rename my account to take up your old username, I can use openID to log in to sites where you have previously left data under the openID identity oldusername.livejournal.com, view it, delete it, etc, and represent myself as oldusername.livejournal.com. Now, probably you can say that since you abandoned oldusername.livejournal.com, you implicitly consented to my assuming the identity; however, I'm worried about the privacy implications this has. Many users do not understand openID or how it works very well at all. If you understand how it works, it becomes immediately obvious that the renamed LJ account would be technically indistinguishable from the prior LJ account, but many people don't understand openID, and they could also have used it but not remembered that they had.
However, in this situation, since the user voluntarily created an openID account, you could say that the onus of responsibility is on them to remember that they created one, and to go back and delete the data left by the openID accounts before they delete their LJ account and lose access to the openID login. IANAL, but I believe that legally the data still belongs to them, but if it can no longer be proved that it does, I am not sure what even a DMCA could do. How can a user who has deleted their account prove that they are the owner? Or, in reverse, how can someone who is NOT the original user be prevented from fraudulently asserting that they ARE the original user and getting content deleted?
Similar issues were the source of some conflict when DW introduced its importation feature. Comments left by LJ users in the journals of people importing their LJ journals to DW are imported as attributed to the openID forms of the LJ accounts. Many people were upset about this, but eventually it died down, and it was said that if the people who were upset were really THAT upset, they could log in with openID and delete the comments and comm posts (in the case of community import). However, this presents a problem if the user in question has deleted their journal. A user is not informed if an openID identity has been automatically created for them, or that comments by them have been imported. Therefore, a user may want to delete comments that they've made on LJ, and not know that they are mirrored on DW. Then, if the user deletes their journal, they will never be able to delete those comments. In this situation, you can't argue that it's the user's responsibility to remember when and where they've left data using openID, because they had no idea that content attributed to their openID identity existed on external sites in the first place. I don't know what this means legally, but it goes against the way LJ works socially. On LJ you're assumed to know where your content is and be able to delete it.
Anyway, this problem becomes more serious with this potential change. If I read it correctly, in the future it may be possible for users who are deleting their accounts to also purge all external content: that is, comments and posts on communities. If this option exists, it may become normalized in LJ deletion behavior, and socially, people will expect that they have the ability to completely purge all of their external content. I don't think it's unreasonable for me to suppose that if these people see that their external content still exists on DW, they might be rather put out.
Further thoughts:
1. When people delete their accounts, LJ (or DW) should include a message alerting users to the possibility that another person could rename their account to that account name, and if they had used that username for any openID authentication, that those openID authentications would also be controllable by the new user. This is very technically feasible, as it is simply a warning.
2. In an ideal world, whenever an openID identity is created for a user on DW, without the user's knowledge, the LJ (or whatever service it is) user would be alerted. Unfortunately, I have no idea how this could be put into practice.
3. DW should (ideally) also introduce mass deletion of external content, for both regular account holders and openID users, especially if this feature comes into being on LJ. I'm not sure how feasible this is, though.
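The rename scenario described in the post, modelled from the external site's side; this is an added example, not part of the original post and not LJ or DW code. It assumes the site keys stored content on the claimed identifier alone; the `http://<username>.livejournal.com/` URL form, the names alice, bob and someone, and the `block_renamed` switch (standing in for a provider that refuses openID for renamed accounts) are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Provider:
    """Hypothetical provider: the openID URL is derived from the username only."""
    block_renamed: bool = False  # policy: refuse openID for renamed accounts
    owners: dict = field(default_factory=dict)  # username -> current owner
    renamed: set = field(default_factory=set)   # usernames acquired by rename

    def register(self, username, person):
        self.owners[username] = person

    def delete(self, username):
        del self.owners[username]  # the name is free to be taken again

    def rename(self, old, new):
        if new in self.owners:
            raise ValueError("username taken")
        self.owners[new] = self.owners.pop(old)
        self.renamed.add(new)

    def assert_identity(self, username, person):
        """Claimed identifier if `person` controls `username`, else None."""
        if self.owners.get(username) != person:
            return None
        if self.block_renamed and username in self.renamed:
            return None
        return f"http://{username}.livejournal.com/"

class RelyingParty:
    """External site that keys stored content on the claimed identifier alone."""
    def __init__(self):
        self.comments = {}

    def post(self, identifier, text):
        self.comments.setdefault(identifier, []).append(text)

    def delete_all(self, identifier):
        """Delete everything stored under `identifier`; return the count."""
        return len(self.comments.pop(identifier, [])) if identifier else 0

def scenario(block_renamed):
    """Constructed run: alice comments, deletes; bob renames onto her name."""
    op, rp = Provider(block_renamed=block_renamed), RelyingParty()
    op.register("oldusername", "alice")
    rp.post(op.assert_identity("oldusername", "alice"), "alice's comment")
    op.delete("oldusername")
    op.register("someone", "bob")
    op.rename("someone", "oldusername")
    removed = rp.delete_all(op.assert_identity("oldusername", "bob"))
    return removed, sum(len(v) for v in rp.comments.values())
```

`scenario(False)` returns the number of alice's comments that bob could remove and the number left on the site; `scenario(True)` shows the same run with openID refused for the renamed account.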
no subject
Date: 2010-07-30 05:48 am (UTC)
But yeah, I had considered the implications of comment importing, but never considered the situation of account deletion/purgation.
no subject
Date: 2010-07-31 12:05 am (UTC)
used openID to say, comment under their LJ identity via Intensedebate or Disqus, and actually commenting themselves vs. the DW import. So that's what I meant by 'onus of responsibility,' because those are usually in public, discoverable places, and they would have actually personally commented there (also, w/ Disqus you might be able to get a record of the comments you've left. I'm not sure if it works for openID, but it works for Disqus login)
Sure, but it can still be a hugely impractical burden if the site does not offer a way to mass-delete comments. I don't really have a problem with granting "ownership" of my comments to a site or blog, but I do have a problem with the possibility of someone else--NOT the site owner--coming along and deleting (or worse, editing) my comments.
I'm also not super-fussed about the prospect of confusion--non-authenticated comments are still so common that on many sites, someone could comment as "holyschist", no problem.
no subject
Date: 2010-07-31 12:19 am (UTC)
That is a potential security and privacy risk. :/ It becomes much like the situation of recycled hotmail addresses which were then used by hackers to erase people's LJs (because the owner had never deauthorized the dead hotmail address, which could be used to get the password mailed to them).
Thinking of solutions:
Could ban renaming (LJ would have to do this)
Could allow users to delete journals while disallowing renames
Could turn off openID for all renamed journals (LJ currently doing this for renamed journals made post 7/15/10)
no subject
Date: 2010-07-31 12:23 am (UTC)
That is a potential security and privacy risk. :/ It becomes much like the situation of recycled hotmail addresses which were then used by hackers to erase people's LJs (because the owner had never deauthorized the dead hotmail address, which could be used to get the password mailed to them).
This.
no subject
Date: 2010-07-31 12:33 am (UTC)
Yeah... In that situation, I think users intuitively understand why they ought to keep an email address alive, because they have passwords mailed to it. But the situation w/ openID and DW (with regards to the imported comments) is kind of like if I didn't know that my data was hosted on a site where I could have used my email address to control it, and then I deleted my email address and a hacker took it over.
Thankfully, at least with respect to LJ, the security risk will be minimized in the future. Not sure about IJ, though. I do wonder if DW intends to do anything about renaming and openID.
no subject
Date: 2010-07-31 12:38 am (UTC)
In that situation, I think users intuitively understand why they ought to keep an email address alive, because they have passwords mailed to it.
Even so--if I'd started an LJ using my undergrad college email address, which was closed when I graduated--the college could have theoretically reassigned that to another student. Less likely, but still...there are possibilities.
no subject
Date: 2010-07-31 12:43 am (UTC)
Yes, it occurs, however, you can go into LJ and delete your college email address from the list of official emails. You can't really do that in openID, IIRC.
no subject
Date: 2010-07-31 12:58 am (UTC)
I would have thought so. I dunno--I like the theory of openID, but so far I've been pretty unthrilled by the execution.
Yes, it occurs, however, you can go into LJ and delete your college email address from the list of official emails. You can't really do that in openID, IIRC.
True.