Good Day,

After working for several months on my Drupal 5 site I notice that a registered user has no ability/option to cancel their account (even here at drupal.org, the option is not available).

I have been searching for 4 hours now, this is the only thread I found. http://drupal.org/node/8#comment-151471

First of all I am not a web developer nor a webmaster, I am a hobbyist.

Now I am forced to stop production and seek legal advice but before I do, a few questions for web developers or webmasters who use Drupal for their intranet sites or corporate sites.

1. Are you concerned about such legalities concerning this matter or any? What if your company gets audited? Should I be concerned about this? I am not a company and I don't want any lawsuits at my doorstep, hence legal advice.

2. Since admin can only cancel or delete accounts, is it advisable to have a user who wants their account canceled be handled by sending a request form? Is this an acceptable workaround? Any other workarounds?

3. Since this has been an on going issue, does anyone know if this option (cancel my account) will be available in version 6?

4. If all else fails, I would like to hire someone to create a cancel_user_account_module. Please email me your rates. Serious inquiries only, please.

5. Does anyone know if this issue has been addressed?

Thank you very much,

Mark

Comments

derekwebb1’s picture

We can create that for you if you wish. We are always interested in developing new modules.

That is an interesting idea... Let me know if you would like something like that designed for you. I will email you a bid for that job shortly.

derek(at)makefunds(dot)com

Best regards, Derek Webb
http://makefunds.com
eCommerce made easy!

vm’s picture

Depending on the site;

In a "news" or "articles" type situation a legal disclaimer stating that content submitted to the site becomes the property of the site, is typically a good way to go.

In a social networking site a request for cancelation form can be deployed.

In my testing of D6, I have not come across a cancel my account addition.

The problem arises in a scenario where, what exactly should be deleted? The user? All content of said user? What about a situation where other users have commented on the content that is about to be deleted?

derekwebb1’s picture

I would think that the user's content could revert to anonymous so that IF they contributed something that was great it could stay.

Naturally it would not be hard to make it to where they could decide whether or not to have all of their content deleted though. That would be easy enough...

Best regards, Derek Webb
http://makefunds.com
eCommerce made easy!

mrgoltra’s picture

I think it really depends on the site. I think a good module will include options as what to delete.. maybe delete user account and take user content offline and archive it?

Where others have commented could be replaced by (depending on its content value).. this user is no longer registered or some sort of message or a message saying if you find the removed content valuable and would have it online please contact site admin who could contact ex-user if they could place the content back...

or define this part in your Terms and Conditions of Service....

Sorry... my brain is fried today.. overwhelming day.

Thank you,

Mark

senpai’s picture

I'm having trouble fathoming how an undesired, yet free account on somebody's server could possibly be a legal pitfall. No money has changed hands, no goods were exchanged, no taxes paid, and certainly no services rendered once the user ceased all activity on the site. Most of the good admins will come along and clean house on unused accounts every six months, and there are modules that do it automatically as well.

It's not like cancelling their account will instantly remove all evidence of a user's wrongdoings or libelous statements. Yahoo, Google, and their like have cached pages that sometimes last the duration of six hard drive swaps.
[/Senpai]

****
Joel "Senpai" Farris | certified to rock score

mrgoltra’s picture

just a scenario... I am thinking

I create a Drupal based dating site or maybe a site for children. Member A starts harassing member B. Member B emails nicely to let him/her be, Member A does not comply and continues to harass member B. Member B reports this issue. Site Admin blocks, suspends, or even deletes Member A's account (including IP blocking, etc.). Member A signs up for another account and continues where they left off. Now Member B wants to cancel his/her account or has been trying to cancel their account but can't. Sends several emails but I am on vacation. Member gets traumatized and fears for his/her life, hires a lawyer and takes me to court, for whatever reasons.

Or I create an e-commerce site, then one day, part of the database gets hacked and credit card numbers get taken. By law, I must report this incident and notify customers, even if their card was not compromised. Customers decide they want to cancel their account, just imagine if this option is not available. I would be spending the whole day deleting accounts and their records.

I know it may sound crazy but I just want to play it safe. It may happen it may not. It may sound ridiculous.

Google and Yahoo have deep pockets and have their own legal department to take care of legal issues. I don't.

just some thoughts.

stevenpatz’s picture

Storing credit card numbers is not allowed.

vm’s picture

Agreed, you never want the responsibility of storing credit card numbers. Especially in a shared hosting environment. Leave that to banks who are insured against such things as Fraud as well as having their servers breached.

derekwebb1’s picture

Mr. Goltra, I would let the good folks at PayPal* or take care of the credit card numbers if I were you. Just a thought... I don't think I could sleep at night if I knew that my server had other people's CC #'s on file. I'd be sweating bullets!

You can use *PayPal Pro so that people don't have to leave your site to make payment... I hope that this helps.

I think that giving the user a way to cancel accounts is a good idea anyway though....

Best regards, Derek Webb
http://makefunds.com
eCommerce made easy!

mrgoltra’s picture

what if I want to start something like paypal?

vm’s picture

At that stage you are no longer a hobbyist. You will need to basically become a bank and will have to hire a team of attorneys to guide this desire. Internal hardware and a 24 - 7 security team to ensure your security is not breached. Insurance and all the garnishing that banks need. Not to mention a team of developers to develop the site beyond what Drupal can do. Personally, if you are looking to become a bank I wouldn't think you want anything to do with an open source CMS, you would want an internal team of programmers to whip up the backend.

Quite a bit to bite off for someone who isn't a developer or programmer.

stevenpatz’s picture

And search for PCI compliance.

mrgoltra’s picture

What if some company decides to use Drupal for such purposes? (I am not trying to be sarcastic here)

Compared to other CMS, nothing comes close to Drupal and it would be a shame to see such limitation in a CMS. I don't want to compare Drupal to Wordpress or Joomla.

Still, I think this is a very important option to have. It doesn't matter what the scenario is (complying with the law, etc.), it is a matter of preference.

Thank you all for your input.

Mark

vm’s picture

What limitation exactly?

User cancellation of their own account?

Or the CC#/PayPal questions you've been asking?

If the latter, preference shouldn't outweigh security & liability.

Open source is exactly that, open source. The source to run your banking site can be downloaded by anyone. This includes people who would like to seek out security holes.

My best advice is to discuss this preference of using an open source software product available to anyone who would like to download the source code with the attorney when you retain him/her.

WickedMetalHead’s picture

Some Countries Require Sites to have a Cancel Account Feature I believe...

I may be wrong though but I believe there are some, and I'm thinking Germany might be one of them.

sepeck’s picture

Drupal.org doesn't cancel people's accounts.

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain


derekwebb1’s picture

Not even if asked to?

Best regards, Derek Webb
http://makefunds.com
eCommerce made easy!

vm’s picture

Not that I've seen. In the case of DO, questions wind up getting answered through comments and as such, those answers would be lost if the content itself was removed.

derekwebb1’s picture

That is true. It would be a shame to lose all that...

But in the case that say a Drupal site kept spamming... hmm if they were unethical enough to spam then I don't think they would opt to have a "cancel account" button.

At any rate it could still be useful. I would install it on my Drupal site. It is a courtesy to users. Although I don't think that too many folks are going to go around suing people because there is not a "cancel acct" button somewhere.

Best regards, Derek Webb
http://makefunds.com
eCommerce made easy!

sepeck’s picture

If you delete an account then they can create a new one. If you block an account then they cannot log on.

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain


derekwebb1’s picture

...

vm’s picture

but they can't use the same email address for that new account.

derekwebb1’s picture

So that's not really an issue. Indeed I have seen sites that grant you use of randomly generated email accounts to bypass that very issue. I can't think of one but an old buddy of mine used to use them to register at places he wasn't sure he wanted to give his real address to...

vm’s picture

Agreed, but again blocking forces users to have to get that new email address and doesn't allow the old address to be reused.
If the account is deleted, a user can re-register with the same email address, which is what the tail of this discussion is about, right? Why block vs. delete?

If someone is just trying to be a PITA, then yes, They'd go create a new account with a new address and yadda yadda, having to do that would eventually get old I'd figure.

derekwebb1’s picture

I agree with you there. It would get very old...

mrgoltra’s picture

I don't have any plans canceling my Drupal account... I must be crazy if I do.

Christefano-oldaccount’s picture

The patch at http://drupal.org/node/8#comment-151420 does work on Drupal 5.1. I can't advise you on legal matters, but I agree that this is a big issue.

mrgoltra’s picture

I tried modifying the user.module but I get errors. I don't know what I did wrong.

Christefano-oldaccount’s picture

If the patch utility says it succeeded (for example, "Hunk #1 succeeded at 405") then it should work. It just means that the lines of code it patched weren't found exactly where the patch was expecting them.

update: I don't patch core anymore for this and have been using the User Cancellation module instead:

http://drupal.org/project/user_cancellation

ben_scott’s picture

I also needed users to be able to cancel their accounts, along with an email confirming the account has been cancelled. I put all of this into a module called user_cancellation (it's in CVS at the moment). It also allows admin to select nodes to keep after the user deletes their account...

mrgoltra’s picture

I will give it a try when I get a chance.

pauldawg’s picture

Never mind credit card info, what about basic privacy? Interesting that no one has discussed basic privacy concerns such as those that even caused a simple change of Facebook's terms of service to reach the front page news. Drupal is very often a social networking tool (to varying degrees depending on the implementation of course) and if you look at the modules people create for drupal, including avatars, profiles, private profile, node privacy by role, etc., all of these privacy concerns should be considered by anyone implementing a drupal site, and the ability to cancel one's account is a basic fundamental requirement of any social networking site. Read Groundswell or any other book on social networking and tell me why Drupal should be immune from this?

Too bad there has not been a single reply to the request to update the user cancellation module for Drupal 6... a bit mind-boggling, frankly.

michelle’s picture

Maybe the maintainer doesn't need it for D6, yet. There's lots of people still running D5. If it's important to you, you could always post a bounty in the paid services forum.

I'd sooner see the D7 functionality backported into contrib, though, so the behavior is consistent on upgrade.

Michelle

Aleksic’s picture

I agree with what pauldawg wrote. Also I will add: if a user makes a post and he or she deletes the account, the node can still show ex-member instead of anonymous. If the member changes their mind and would like to come back to be a full member, he/she only needs to reset the account. Then we will have a really friendly Drupal :))

derekwebb1’s picture

good idea