Cancel Account
Good Day,
After working for several months on my Drupal 5 site I notice that a registered user has no ability/option to cancel their account (even here are drupal.org, option is not available).
I have been searching for 4 hours now, this is the only thread I found. http://drupal.org/node/8#comment-151471
First of all I am not a web developer nor a webmaster, I am a hobbyist.
Now I am forced to stop production and seek legal advice but before I do, a few questions for web developer or webmaster who uses drupal for their intranet site or corporate sites.
1. Are you concerned about such legalities concerning this matter or any? What if your company gets audited? Should I be concerned about this. I am not a company and I don't want any lawsuits at my doorstep, hence legal advice.
2. Since admin can only cancel or delete accounts, it it advisable to have a user who wants their account canceled be handled by sending a request form? Is this an acceptable workaround? Any other workarounds?
3. Since this has been an on going issue, does anyone know if this option (cancel my account) will be available in version 6?
4. If all else fail, I would like to hire someone to create a cancel_user_account_module. Please email me your rates. Serious inquiries only, please.
5. Does anyone know if this issue has been addressed?
Thank you very much,
Mark
We can create that for you
We can create that for you if you wish. We are always interested in developing new modules.
That is an interesting idea... Let me know if you would like something like that designed for you. I will email you a bid for that job shortly.
derek(at)makefunds(dot)com
Best regards, Derek Webb
http://makefunds.com
eCommerce made easy!
=-
Depending on the site;
In a "news" or "articles" type situation a legal disclaimer stating that content submitted to the site becomes the property of the site, is typically a good way to go.
In a social networking site a request for cancelation form can be deployed.
In my testing of D6, I have not come across a cancel my account addition.
The problem arises in a scenario where, what exactly should be deleted ? The User ? all content of said user ? what a situation where other users have commented on the content that is about to be deleted ?
I would think that the
I would think that the user's content could revert to anonymous so that IF they contributed something that was great it could stay.
Naturally it would not be hard to make it to where they could decide whether or not to have all of thier content deleted though. That would be easy enough...
Best regards, Derek Webb
http://makefunds.com
eCommerce made easy!
Good Question.
I think it really depends on the site. I think a good module will include options as what to delete.. maybe delete user account and take user content offline and archive it?
Where others have commented could be replaced by(depending on its content value).. this user is no longer registered or some sort of message or a message saying if you find the removed content valuable and would have it online please contact site admin who could contact ex-user if they could place the content back...
or define this part in your Terms and Conditions of Service....
Sorry... my brain is fried today.. overwhelming day.
Thank you,
Mark
Why is this a legal question?
I'm having trouble fathoming how a undesired, yet free account on somebody's server could possibly be a legal pitfall. No money has changed hands, no goods were exchanged, no taxes paid, and certainly no services rendered once the user ceased all activity on the site. Most of the good admins will come along and clean house on unused accounts every six months, and there are modules that do it automatically as well.
It's not like cancelling their account will instantly remove all evidence of a user's wrongdoings or libelous statements. Yahoo, Google, and their like have cached pages that sometimes last the duration of six hard drive swaps.
[/Senpai]
for example..
just a scenario... I am thinking
I create a Drupal based dating site or maybe a site for children. Member A starts harassing member B. Member B emails nicely to let him/her be, Member A does not comply and continues to harass member B. Member B reports this issue. Site Admin blocks, suspend, or even delete Member A account (include IP blocking, etc.). Member A signs up for another account and continues where they left off. Now Member B wants to cancel his/her account or has been trying to cancel their account but can't. Send several email but I am on vacation. Member gets traumatized and fears for his/her life, hires a lawyer and takes me to court, for whatever reasons.
Or I create a e-commerce site, then one day, part of database gets hacked and gets credit card numbers. By law, I must report this incident and notify customers, even if their card was not compromised. Customers decides they want to cancel their account, just imagine if this option is not available. I would be spending the whole day deleting account and their records.
I know it may sound crazy but I just want to play it safe. It may happen it may not. It may sound ridiculous.
Google and Yahoo have deep pockets and have their own legal department to take care of legal issues. I don't.
just some thoughts.
You're already in trouble.
Storing credit card numbers is not allowed.
=-=
Agreed, you never want the responsibility of storing credit card numbers. Especially in a shared hosting environment. Leave that to banks who are insured against such things as Fraud as well as having their servers breached.
Mr. Goltra, I would let the
Mr. Goltra, I would let the good folks at PayPal* or take care of the credit card numbers if I were you. Just a though... I don't think I could sleep at night if I knew that my server had other peoples CC #'s on file. I'd be sweating bullets!
You can use *PayPal Pro so that people don't have to leave your site to make payment... I hope that this helps.
I think that giving the user a way to cancel accounts is a good idea anyway though....
Best regards, Derek Webb
http://makefunds.com
eCommerce made easy!
now what if
what if I want to start something like paypal?
=-=
At that stage you are no longer a hobbyist. You will need to bascially become a bank and will have to hire a team of attornies to guide this desire. Internal hardware and a 24 - 7 security team to insure your security is not breached. Insurance and all the garnishing that banks need. Not to mention a team of developers to develop the site beyone what drupal can do. Personally , if you are lookiing to become a bank I wouldn't think you want anything to do with an open source CMS, you would want an internal team of programmers to whip up the backend.
Quite a bit to bite off for someone who isn't a developer or programmer.
Go to VISA or MC
And search for PCI compliance.
ok let me clear this
what if some company decides to use Drupal for such purposes. (I am not trying to be a sarcastic here)
Compared to other CMS, nothing comes close to Drupal and it would be a shame to see such limitation in a CMS. I don't want to compare Drupal to Wordpress or Joomla.
Still, I think this is a very important option to have. It doesn't matter what the scenario is (complying with the law, etc.), it is a matter of preference.
Thank you all for you input.
Mark
=-=
what limitation exactly ?
user cancellation of their own account ?
or the CC#/paypal questions you've been asking ?
If the latter, preference shouldn't outweight security & liability.
Open source is exactly that, open source. The source to run your banking site can be downloaded by anyone. This includes people who would like to seek out secuirty holes.
My best advice is to discuss this preference of using an open source software product available to anyone who would like to download the source code with the attorney when you retain him/her.
Other Countries
Some Countries Require Sites to have a Cancel Account Feature I beleive...
I may be wrong though but i beleive there is some, and im thinking Germany might be one of them.
....
Drupal.org doesn't cancel people's accounts.
-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
Not even if asked to? Best
Not even if asked to?
Best regards, Derek Webb
http://makefunds.com
eCommerce made easy!
=-=
Not that I've seen. In the case of DO, questions wind up getting answered through comments and as such, those answers would be lost if the content itself was removed.
That is true. It would be a
That is true. It would be a shame to lose all that...
But in the case that say a Drupal site kept spamming... hmm if they were unethical enough to spam then I don't think they would opt to have a "cancel account" button.
At any rate it could still be useful. I would install it on my Drupal site. It is a courtesy to users. Although I don't think that too many folks are going to go around suing people because there is not a "cancel acct" button somewhere.
Best regards, Derek Webb
http://makefunds.com
eCommerce made easy!
block
If you delete an account then they can create a new one. If you block an account then they cannot log on.
-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
I know and...
I don't have any plans canceling my Drupal account... I must be crazy if I do.
The patch works
The patch at http://drupal.org/node/8#comment-151420 does work on Drupal 5.1. I can't advise you on legal matters, but I agree that this is a big issue.
I tried it
I tried modifying the user.module but I get errors. I don't know what I did wrong.
What errors did you have?
If the patch utility says it succeeded (for example, "Hunk #1 succeeded at 405") then it should work. It just means that the lines of code it patched weren't found exactly where the patch was expecting them.
update: I don't patch core anymore for this and have been using the User Cancellation module instead:
http://drupal.org/project/user_cancellation
user cancellation module
I also needed users to be able to cancel their accounts, along with an email confirming the account has been cancelled. I put all of this into a module called user_cancellation (it's in CVS as the moment). It also allows admin to select nodes to keep after the user deletes their account...
Thanks for the heads-up
I will give it a try when I get a chance.