"Note: According to facebook’s privacy policy, messages on facebook can not be deleted anymore. If you click on ‘delete’ the messages will only be invisible to you. US law enforcement agencies can access this information at their own liking, without judicial review."
That last one is scary indeed. People were arguing a while ago whether these companies should keep data only for 6 months, or for a year, or 18 months - but Facebook is simply keeping it forever. Even 10 years from now law enforcement could verify your Facebook data.
Facebook Timeline should give them a nice UI, too, in case you don't delete anything. But they would still want to dig deep. I wonder if Facebook built a special Timeline product for law enforcement to see everything about everyone. Remember when they admitted a while ago that they provide law enforcement a special software for the data? I wonder if the idea of Timeline for users comes from that.
Julian Assange was dead-on that Facebook is the biggest spying machine.
It also seems to indicate a deliberate quasi-law-enforcement role being played by Facebook. If Facebook handed over data when presented with warrants, the "without judicial review" wouldn't be true. That can only be true if they're purposely partnering with law enforcement, to voluntarily offer them data that courts haven't requested.
Reduces any qualms I might have about calls for Facebook to be regulated as a public utility, if it's actively choosing to act as an arm of the government anyway. Public utilities are actually, despite being much more entangled with the state in some ways, more separated from the state when it comes to law-enforcement. For example, the phone company can't just choose to record all your calls and give them to the police without a warrant.
It's not Facebook's call. The USA PATRIOT Act allows for National Security Letters, or NSLs, that legally function like warrants but require no judicial review. The US government uses them over 60,000 times per year. The law allowing them turns ten years old next month.
Precisely. If you want to place blame, it goes squarely on the Bush Administration. (And yes, I'm sure I'll be down-voted for saying that, but it's still unquestionably, uncontroversially, non-debatably true.) If you want this fixed, it has to be fixed politically at a federal level.
> Precisely. If you want to place blame, it goes squarely on the Bush Administration. (And yes, I'm sure I'll be down-voted for saying that, but it's still unquestionably, uncontroversially, non-debatably true.)
Wasn't the Patriot Act recently renewed, where "recently" means "post-Bush"?
> If you want this fixed, it has to be fixed politically at a federal level.
And Dems, who voted for the initial version overwhelmingly, were uninterested in doing so when they held all three elected branches and that didn't change when they lost one.
So, yes, it's true that it was passed under Bush, but no one is interested in fixing it. (Yes, I'm ignoring Ron Paul and Dennis Kucinich.)
It'd be interesting to know if that covers 100% of data releases to the state. Does Facebook release data to law enforcement in cases other than either: 1) pursuant to a warrant; or 2) compelled by a National Security Letter? I would guess yes, but I'd be interested in a solid statement either way.
It's not like the telecom corps in the US haven't been caught handing over info to cops/FBI without warrants or NSL letters (or handing over more than required when presented with a warrant or NSL).
You may be surprised that many (at a guess, maybe most?) companies/websites actually consider a delete function to be changing a 'deleted' flag to 1 in a database. The data persists, but is no longer shown.
I would also make a very big assumption that the only companies who wouldn't do this are those run by developers or other people who have had experience implementing that sort of system.
There's nothing bosses love more than storing whatever data they can get their hands on, no matter how relevant it is, and how reluctant they are to actually delete it. Or secure it properly. Hell, it's just data, who gives a shit right?
I think you're close, but missing something: The companies who wouldn't do this are run by developers or other people who don't interact much with the actual users. Irreversible actions are horrible UX, and any irreversible action in a commonly used area of the app will make a large number of people steaming mad on a daily basis — guaranteed.
People who will blithely click "Delete" — and then click "Yes" even though they don't mean it on the confirmation dialog that comes up — vastly outnumber people who care that an invisible copy of their content might be buried in some Facebook database somewhere. Next to the unintentional deleters, the second group looks like a rounding error. And that's not even counting people who get their accounts hijacked.
So I would say people who know users are more likely to go with the delete flag, since that leaves you an avenue to help the user who emails support with "I got really drunk last night at the wake and thought it might be funny to delete everything on my Facebook and now all my photos of my dead Nanna are gone."
I think that it is probably one of the major reasons, though certainly not the only one. In my experience, one of the most common customer service complaints/requests is "Oh no, I did this irreversible thing you warned me not to, fix it." I imagine facebook also gets its fair share of complaints like "Oh no, my ex-boyfriend deleted my account, fix it." This stuff is really common, and I can understand why a company would rather be able to say "Oh yeah, sure" than "Sorry, for privacy reasons your online life for the past two years has been lost irretrievably."
I'm sure you're right, and not necessarily in any insidious manner. There's any number of entities that we won't actually purge when deleted from our system here. For example, when a sales rep wants to get rid of a Quote, we can't necessarily dump it, because we'll need a future record if there has already been a customer order placed against that quote. Sometimes the integrity of the system, and the ability to look at history in a (unfortunately necessary) CYA view, demands that some data be "deactivated" rather than deleted.
I agree. I've already just replied to another reply on this but dealt more with the ethics of the matter.
What I would actually implement is something akin to the recycle bin in an OS. Flag something as deleted, ensuring it's no longer published in whatever form on the website. Optionally, delete it properly after a set period of time, or otherwise allow the users to manually perform that action.
In addition to that, log the delete actions along with the IDs of the deleted items. So if after all that the user regrets it and files a complaint, you can trawl through your backups to restore it.
Irreversible actions in the UI are bad. Having no choice but to tell the customer tough luck is bad. Deceiving the user is also bad.
Of course I'll concede my ideals are more compatible with the concept of deleting an entire user account, for example, as opposed to removing individual items associated with it. But I don't think everyone else's intents are as pure as yours.
This is how I usually implement delete. Deleting a record can have many cascading effects and there is no possibility for undoing it if it was an error. I think this is a pretty standard way of doing it.
I agree with the fact a hard delete may have unintended effects, even in the best design, but in my ideal world I'd rather make allowances for that than simply offer my users the illusion I'm deleting their data.
I think that may be a view shared between developers who care about ethical practices, where our personal ideals and how we think we should respect the user takes precedence over the data collection and profit motive.
I think it's important to remember websites are dealing with actual people, who aren't a new commodity to be exploited for capital gain. Who aren't little mines full of precious data ready to extract at any cost.
Of course, none of this really matters. Whether you delete something or not, it will be routinely stored, over and over again, on some backup server. It's there forever.
I think it's a bit of a jump to imply that if I don't actually delete the data that I don't care about ethical practices nor my users.
For me, at least, it all depends on what 'delete' means to the user. There are some people out there that want 'delete' to mean "I don't want this stored anywhere anymore". There are other users that want it to mean "I don't want to see this anymore".
Unfortunately, people in both groups sometimes regret deleting stuff. Those in the first group accept the responsibility, however some people in the second group feel as though it's a problem with the system that they are using when they cannot restore the data easily. There are a lot of people that appreciate the "Recycle Bin" in Windows and never empty it.
Now, I've written a number of systems over time and I've implemented 'delete' in most of them. Sometimes I do an actual delete, sometimes I set a flag. It all depends on what I expect my users to actually want. It's got nothing to do with trying to exploit them for capital gain though, that's for sure!
I'd certainly like to think I'm an ethical developer, and I always implement the delete as a flag.
I, however, do not implement an easy way to retrieve deleted data without going into the database or through an administrative interface with heavy auditing.
It isn't just about data mining for customer data -- it's about data mining for site usage and user activity. Using metrics off of visited web pages or tracking that way can be too convoluted when the KISS method is: flag it on the data side and you can interpret flow.
This is one stage of deletes (mark for deletion). The 2nd equally important deletion metric is to purge the deleted records (expunge)... this may be a complicated process, stubbing out or redirecting pointers where need be.
You can force local governments to expunge your data (it's not just off the records, it's forcibly erased).
I think this weight of eternal data is both unnatural and unsustainable. All living things die. Things that don't have a natural cycle of creation and destruction are abominations and should rightfully be feared (see Corporation).
This is almost certainly not true for a lot of medical data (in Canada and Australia at least, don't know about the US).
There was a rather interesting example in Queensland ~two years ago when govt. health sector payroll data (from an outgoing system) was deleted due to privacy concerns, and then the replacement system malfunctioned (never really worked) and the entire state's health payroll information was lost. $200 million and counting to fix the lost data.
Unless I was dealing with a security based application where data needed to be wiped - I would never delete, but just flag as deleted. I don't see it as evil from a development perspective. Losing data is about the worst thing that can happen - all other errors can be fixed.
I have many times run into a situation where having that deleted data either saved us from losing a customer or was used to show that our app was not mysteriously "deleting" their data.
There are also some technical problems with deletion. For example: What to do if the post has subposts from other users? What happens if someone steals your account and erases all your posts?
And, when you click on the delete, should they erase the information:
* From the cache
* From the database (not only mark it for deletion)
* From the weekly/monthly/yearly backup
* From the old backup system that is no longer in use, and was connected to the old backend that is no longer in use.
The main reason why facebook and many other websites do this is risk minimization. What if some spam filter goes wild and deletes half of all profiles?
EDIT: That was just meant to be an example. I believe it's generally a good practice to use a delete flag as the default option (unless there are legal or serious privacy concerns), because it makes you sleep better at night. I don't know if it's justified in this case, but I just wanted to point out that they did not do it just out of pure evilness.
It would hardly be a great programming feat to create 3 states: 'good', 'marked as spam, hidden', and 'deleted, remove from the DB at earliest convenience'.
Hell, my mail client has been doing that as long as I can remember.
> What to do if the post has subposts from other users?
My solution: mark the record with a 'deleted' flag, leave all the logical/structural data (user id, post id, etc.) untouched, overwrite/wipe out the post's content, on the webpage display "Post deleted" message. If you want to have an ability to 'unerase' things: mark as deleted, delay the purge.
Cache should be purged as well, though not necessarily in real-time. The backups issue is a complicated one - but is there any use of yearly backups in Facebook's case?
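A worked sketch of the scheme this comment and the recycle-bin comment further up describe: flag the record, wipe the body in place but keep the ids so replies still hang together, write an audit log entry, allow a restore during a grace period, then purge. This is added example code, not anything from the thread or from Facebook; the schema, table names and the 30-day retention period are assumptions.

```python
import sqlite3

# Constructed schema for this example (not any real site's): posts keep their ids and
# parent links; delete_log is the audit trail and holds the wiped body for a grace period.
SCHEMA = """
CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER, parent_id INTEGER,
                    body TEXT NOT NULL, deleted_at INTEGER);
CREATE TABLE delete_log (post_id INTEGER, user_id INTEGER, deleted_at INTEGER,
                         body_snapshot TEXT);
"""
RETENTION = 30 * 86400  # assumed grace period (seconds) before a delete becomes final

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def soft_delete(db, post_id, now):
    """Flag the post and wipe its body in place; log who, what and when."""
    row = db.execute("SELECT user_id, body FROM posts WHERE id = ? AND deleted_at IS NULL",
                     (post_id,)).fetchone()
    if row is None:
        return False  # unknown post or already deleted
    db.execute("INSERT INTO delete_log VALUES (?, ?, ?, ?)", (post_id, row[0], now, row[1]))
    db.execute("UPDATE posts SET body = '', deleted_at = ? WHERE id = ?", (now, post_id))
    return True

def restore(db, post_id):
    """Undo a delete while the snapshot still exists (the support-desk 'unerase')."""
    row = db.execute("SELECT body_snapshot FROM delete_log WHERE post_id = ? "
                     "ORDER BY deleted_at DESC LIMIT 1", (post_id,)).fetchone()
    if row is None or row[0] is None:
        return False  # nothing logged, or snapshot already purged: irreversible now
    db.execute("UPDATE posts SET body = ?, deleted_at = NULL WHERE id = ?", (row[0], post_id))
    db.execute("DELETE FROM delete_log WHERE post_id = ?", (post_id,))
    return True

def render(db, post_id):
    """What the page shows: a tombstone for a deleted post, replies left intact."""
    row = db.execute("SELECT body, deleted_at FROM posts WHERE id = ?", (post_id,)).fetchone()
    return "Post deleted" if row[1] is not None else row[0]

def purge(db, now):
    """Expunge: drop snapshots past the grace period (audit rows stay, content does not)
    and remove tombstones that no reply still points at."""
    cutoff = now - RETENTION
    db.execute("UPDATE delete_log SET body_snapshot = NULL WHERE deleted_at < ?", (cutoff,))
    db.execute("DELETE FROM posts WHERE deleted_at IS NOT NULL AND deleted_at < ? AND id NOT IN "
               "(SELECT parent_id FROM posts WHERE parent_id IS NOT NULL)", (cutoff,))
```

The cache and backup copies the comment mentions are outside this sketch; the purge step only makes the live database's copy irretrievable.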
Best advice I ever heard (and it came from an ex-Facebook employee), "treat communication ("private" & "public") on all services, including Gmail, Facebook, and Tumblr, like a million people are listening."
That doesn't account for the times the receiver decrypts your communication and then intentionally makes it public.
There's a deep wisdom to the idea that one ought not put into words that which they wouldn't want the world to see... Once it's out of your head, your ability to control it diminishes if not outright vanishes... Just sayin' is all..
Heads up: Google does this with Gmail, too. http://news.cnet.com/2100-1047_3-6050295.html - "Judge grants subpoena and orders that all e-mail messages, including deleted ones, be divulged."
You can be asked for anything, that doesn't mean you have it. As the article you linked states, Google's privacy policy notes deleted information may live on in backups. This is common sense, otherwise they would have to touch every backup on a delete, which besides being very risky (one bug away from disaster), would mean having to go through offline tape archives of everyone's mail. If that were the case it would be prohibitively expensive to allow anyone to delete.
The question is if they have the ability/requirement to go sifting through the old backups for requested data.
They delete sh*t, if you delete your posts they don't remove them from their databases.
This makes me really angry, there is a reason why I delete this stuff. I can't believe this, they have a responsibility.
Edit: WTF http://europe-v-facebook.org/EN/Data_Pool/data_pool.html#Mac...
This is maybe the most frightening: http://europe-v-facebook.org/EN/Data_Pool/data_pool.html#Mes...