Apps supporting account creation must also offer account deletion
developer.apple.com
Relevant text under 5.1.1 (v):
> (v) Account Sign-In: If your app doesn’t include significant account-based features, let people use it without a login. If your app supports account creation, you must also offer account deletion within the app. Apps may not require users to enter personal information to function, except when directly relevant to the core functionality of the app or required by law. If your core app functionality is not related to a specific social network (e.g. Facebook, WeChat, Weibo, Twitter, etc.), you must provide access without a login or via another mechanism. Pulling basic profile information, sharing to the social network, or inviting friends to use the app are not considered core app functionality. The app must also include a mechanism to revoke social network credentials and disable data access between the app and social network from within the app. An app may not store credentials or tokens to social networks off of the device and may only use such credentials or tokens to directly connect to the social network from the app itself while the app is in use.
Weird how these integrity precautions are being championed by Apple and not the EU or US, democracy is dead, long live corpocracy
To be fair the “right to be forgotten” is, in fact, a law in the EU, it’s just that often you need to go through great lengths to exercise this right.
Apple’s playing field is just much more narrow, which allows it to enforce rules like these in an elegant manner which makes for a much better experience to the end user.
This is more about the "Hotel California" business model where you can't cancel a service without jumping through ridiculous hoops.
I’d never heard of the “Hotel California business model.” Googled it - for others: Hotel California is a song by the band The Eagles, which contains the lyrics:
> "Relax," said the night man, "We are programmed to receive / You can check out any time you like / But you can never leave!"
Can someone explain it to me, though?
Logically, after you check-out of a hotel you've surrendered your right to abode at that location - after that you're usually limited to common/shared areas like the lobby, bar, restaurant, maybe the pool - but excepting the lobby those places are closed at night - and they'd have security to remove people from the lobby if necessary - so as far as the Eagles are concerned, what is it to "never leave" when you legally cannot stay?
From Wikipedia:
> The song has been described as being "all about American decadence and burnout, too much money, corruption, drugs and arrogance; too little humility and heart." It has also been interpreted as an allegory about hedonism, self-destruction, and greed in the music industry of the late 1970s. Henley called it "our interpretation of the high life in Los Angeles", and later said: "It's basically a song about the dark underbelly of the American dream and about excess in America, which is something we knew a lot about."
Hotel California is, of course, not literally a hotel; it's a metaphor for an addictive and entrapping lifestyle, and your legal "right to abode at that location" is a real-world detail that doesn't really matter for the purposes of the metaphor. The singer wants to get out -- by "checking out" he has declared his intentions to leave the hotel, but the point of the song is that wanting to leave is not the same as actually leaving.
It's a bit more obvious if you consider the full verse:
> Mirrors on the ceiling / The pink champagne on ice / And she said: "We are all just prisoners here / Of our own device"
> And in the master's chambers / They gathered for the feast / They stab it with their steely knives / But they just can't kill the beast
> Last thing I remember, I was / Running for the door / I had to find the passage back / To the place I was before
> "Relax," said the night man / "We are programmed to receive / You can check out any time you like / But you can never leave!"
The song is a metaphor, though what the metaphor is has been debated — be it drugs or some other form of escapism. In any respect, the “check out” is a play on words of the euphemism for dying — your only way out is death, which is partly what makes the belief so popular that the song is a metaphor for a drug like heroin.
"check out" also has a slang meaning, not literally that you stopped paying for a hotel but get to stay anyway, and the song is not about a hotel.
It's not literal.
You’re confusing the right to be removed from search engine indexes (right to be forgotten) with GDPR (control of data provided to websites)
The right to a GDPR erasure request is sometimes called the right to be forgotten:
https://gdpr-info.eu/art-17-gdpr/
It is confusing, bc the latter is sometimes also used to refer to index removal too.
It's been EU law for a while that a company must delete all user data upon request.
Can anyone translate that into practical terms? To me that doesn’t match this post’s title, currently “AppStore: Apps supporting account creation must also offer account deletion”.
Quote:
> The app must also include a mechanism to revoke social network credentials and disable data access between the app and social network from within the app. An app may not store credentials or tokens to social networks off of the device and may only use such credentials or tokens to directly connect to the social network from the app itself while the app is in use.
There’s nothing about account or stored-data-about-me deletion in there.
It's the second sentence: "If your app supports account creation, you must also offer account deletion within the app."
Wow. Not sure how I missed that. Thanks.
That sentence is about storing Facebook logins, for example, not storing other data about the user. Apple is saying you may allow people to login to their social networks (to post through your app) but you cannot save their login from Facebook into your private (off-device) server.
You should consider your social media access credentials/tokens as data about you, because they can be used to request your social media data.
Right, but I'm still reading that as "you must allow people to log-out (locally)".
“If your app supports account creation, you must also offer account deletion within the app.”
Separately, they should also do this for subscriptions.
At present, by requiring the use of Apple's IAP system for subscriptions, this is already taken care of.
Given the Apple vs. Epic stuff going on, this may change soon -- In that case I'd also like to see rules against excessive retention tactics / dark patterns.
> If your app doesn’t include significant account-based features, let people use it without a login... Apps may not require users to enter personal information to function, except when directly relevant to the core functionality of the app or required by law. If your core app functionality is not related to a specific social network (e.g. Facebook, WeChat, Weibo, Twitter, etc.), you must provide access without a login or via another mechanism.
Ok, shoutout Apple for this. But shouldn't they apply their policy intent to themselves too? I can technically use an iPhone without an AppleID, but you need to login to download apps. I would argue installing apps shouldn't require a login.
Not all apps are free and persistent purchases tied to a user account are certainly preferable to needing to keep a list of license keys handy every time you delete and reinstall an app, etc.
Yeah, an exception for paid apps would be ok.
Indeed. Same for iCloud. Last time I upgraded my gf's phone the constant hammering that you need to set up iCloud was obnoxious.
A few years ago I was part of an AI customer service startup. One of our first customers was a web hosting company, and we were supposed to take some of the load off the chat support team.
When we talked to the support team they told us their by far largest task was handling account deletions. They had tried to just put a button in the control panel, but the CEO of the company thought it was bad for retention.
So we started writing scripts for "I want to cancel my account" and similar requests. The official process also required the users to verify by email after talking to support, so there were a number of steps. Eventually we needed an API call for actually completing the process. But we were told the CEO had to approve.
The CEO didn't know we were working on automating account deletions. And when we finally got to talk to him about giving us API access, he decided it would be easier to just add an account deletion button to the control panel. That's how we lost our initial business case.
To me, even if you don't have an account deletion button, user retention isn't going to matter because the people who are looking for it aren't going to use the service anyway; you are just holding onto dead data.
Tell that to giganews or dejanews whoever the F it was some usenet service I signed up for once, who had no way to cancel the account on the site, required a phone call during business hours in Sweden or somewhere, and I think I even did the first few of their hoops like sent an email to the special address, but when they didn't simply honor the request, I just stopped paying.
I think either the card was expiring naturally or it was Google Pay or something that I could shut off. (It was years ago by now so that's why the vague details.)
Anyway, they actually tried to say I owed them money for years and I even got emails and calls from collections companies for a few years.
If they had been in the US I bet it would have been harder to just blow them off like that.
Simply stopping payments is not the ultimate trump you and I both thought it should be.
For my part I decided I was on record as having requested to cancel the service, and had not used the service, so do your worst. Go ahead and try to convince a judge that I owe you anything.
CEO with attachment issues, the worst kind...
As long as they were still paying...
I’ve seen quite a lot of people complaining about this on Twitter. Is there some negative to this I’m not aware of other than companies losing customers? I’ve come across more and more sites in recent years with no account deletion option and it’s hugely frustrating. Once I discover it and manage to shut my account down via a support channel they have lost me for good. There is no way I’m ever becoming a customer again because I can’t trust them with my data if they’re going to hold it hostage. If they’d included the account deletion option I very well may have returned in the future.
Reddit has been allowing easy account deletion and content deletion for years (since the beginning I believe?) and while I enjoy that freedom, it also makes some old conversations almost impossible to read where [deleted] answers to [deleted] and only one message in the middle of the conversations still there saying "Wow that's really interesting information! Everyone should read that!"
This has even become a way of trolling in some subreddits where you try to make people waste time answering you in detail then deleting all your messages.
This has prompted some people to quote bigger parts of the original message.
Deleting accounts is a right, no problem about it, but deleting public information is really problematic. The right to be forgotten should be a moral right, not a legal one. I don't want it to be illegal to point out politicians' responsibilities in Iran-Contra or the Iraq war even 20 years after.
> I’ve come across more and more sites in recent years with no account deletion option and it’s hugely frustrating.
It’s just not something that developers have really had to account for thus far.
You ingest data and then it and derived data goes god knows where in your organization. How do you track all of that down?
(There’s “should be” and “actually is”. I’m referring to the latter.)
At least in Europe with GDPR they, at least legally, had to account for this.
This is great on Apple’s part for enforcing this for every account based app, now if only HN offered account deletion…
Or indeed, deletion of your comments. The way dang explained it to me was that each comment thread is a shared work created by multiple people rather than a collection of individual comments. Since you don’t own your comments, you can’t delete them. He is very accommodating about requests to disavow comments from your account.
But I don’t expect people on HN to complain about this. They hold every other website to absurd standards on data ownership and content moderation, while happily being users of a site where they own none of the data and are subject to strict rules about what can be discussed and how.
> Since you don’t own your comments
where on HN did I waive or assign copyright or ownership to YC?
The FAQ ( https://news.ycombinator.com/newsfaq.html ) says you just need to email them to get stuff deleted:
> we care about protecting individual users and take care of privacy requests every day, so if we can help, please email hn@ycombinator.com
You didn’t waive or assign copyright but you did “grant Y Combinator and its affiliated companies a nonexclusive, worldwide, royalty free, fully paid up, transferable, sublicensable, perpetual, irrevocable license to copy, display, upload, perform, distribute, store, modify and otherwise use your User Content for any Y Combinator-related purpose in any form, medium or technology now known or later developed.”
So, with a license like that, they can legally choose to keep showing your comment if they want to.
That said, I think dang will help delete things if you email to ask and have a good reason. I’ve done it with a couple of my comments.
I did that once and got this reply:
Hi <real name>,
I’m sorry to disappoint, but Hacker News doesn’t delete entire accounts because that would gut the threads it participated in. We do sometimes remove specific comments if users are worried they’ll get in trouble, and we’re also working on the ability to rename accounts. Would either of those help?
Regards,
<name> (a moderator)
I don’t quite agree with it but have to recognise I have no leverage here.
I agree with the idea that once you say or do something in public, you no longer have any rights or control over it, other than about credit or slander.
You have a right to complain if someone lies about something you said, either by putting words in your mouth or taking credit for your words.
You have zero rights over anyone else's memory of the fact that you said something or what you said.
That's not some new thing HN is doing, that's just life.
This is exactly the response I expected. Would you feel the same way if Facebook used your exact words to respond to a GDPR request?
Of course anything I've published on FB is public.
Yeah, HN privacy standards are really low. I was horrified to read of moderators using the email addresses that they say are for account recovery to contact commenters. (Thankfully I never put an email in my account; I'd definitely have felt the need to send a GDPR notice if that happened to me). I assume that sooner or later an EU resident will decide they actually want to quit and force the site to buck up.
GDPR notice? Do you mean a Right of Access/Subject Access Request? What for?
What is the issue around moderators of a service you signed up for, contacting you via the email you provided to use this service?
> What is the issue around moderators of a service you signed up for, contacting you via the email you provided to use this service?
My email address is personal data and as such it's legally required to be
> collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
Using it to contact me about my comments as a moderator is not compatible with using it to reset my password, which is the only specified, explicit purpose that I (could have had) supplied it for.
What was the reason to contact you about your comments? What did the email say?
I wasn't contacted myself (I didn't supply an email in the first place), I read about it in https://www.newyorker.com/news/letter-from-silicon-valley/th... .
Some old Reddit discussions are plagued with deleted comments (deleting all your comments is an option when deleting an account).
Threads of [deleted content] answering to [deleted content] are hard to follow.
Also on ux of everything but the HN website must be perfect.
HN offers account deletion, it's just not up to you to decide when your account is deleted.
Expectation: Apps offer account deletion, finally empowering the user.
Reality: Apps no longer support seamless account creation and instead redirect the user to a website to register, user can no longer manage any aspect of their account from the app.
What are your assumptions?
Not the GP, but seems to me the assumption there is "companies will do everything in their power to make it hard for you to stop making their numbers go up", whether those numbers are actual money, user data, or just total user counts.
Alongside, of course, the assumption that "companies don't respect their users in any way, shape, or form."
These seem like assumptions which, while they certainly have exceptions, are well borne out by the available data.
It would be great for this to be reestablished as the norm for online services.
I think some might argue that being able to intercept a user at account deletion via support gives them the opportunity to either solve a misunderstanding in the product or better understand why the user is leaving but I think there are much better ways to accomplish this. I’m more convinced this is done as a dark pattern to add friction to the deletion process.
A notable example was having to contact support to delete a Starbucks account.
I think it's much more likely that it just takes time and money to develop how the deletion process works, testing the implementation etc. It's easier to just not have the capability since it's not critical to the majority of users.
Fair point, that’s probably a decent part of it, but the deletion process has to be defined somewhat formally for a support person or someone else to do it, no?
And they could still offer an account deletion button which automatically filed a support request. Most sites which don’t offer account deletion have made me dig or google for a solution instead of putting any info in a contextually relevant spot such as in account settings or in a support article about disabling an account.
Unfortunately I do not have evidence to justify this position but for most companies from an incentives standpoint as I understand them: 1) a user who cannot delete an account will have a far easier time using the service again compared to a user who has deleted an account so they are more likely to reengage, 2) user numbers and active user numbers may be important metrics for funding or company evaluation, 3) assuming data is deleted on account deletion then that can no longer be used for marketing or model training, 4) services which rely on the network effects from the user base need to have a relevant and usually large user base to provide consistent value, 5) if done manually there is support and/or dev cost on each account delete request.
This will be interesting for companies who have a combined account for multiple applications.
How do you clearly explain to a user that if they delete their account on app X, apps Y and Z will also have all of their account data deleted?
If this is actually enforced it will be a huge boon for everyone. Especially if they require proof of some sort that the account info is gone.
What kind of proof could establish that something has been deleted?
An "AppStore oath" could come close.
GDPR data package request should return an empty set.
Well, here's a snippet from my GdprReportGenerator.java :
account = getAccount(); if (account.wasDeleted) { return emptyPdf(); }
Of course there might be hell to pay if the EU catches this, but well..
What actual benefit will anyone derive from this?
There are a lot of shitty companies that require you to contact support or even wait weeks before you can delete your account.
Yep.. for subscription cancellation and account deletion. One of the reasons I love the AppStore
The ability to easily delete an account they don’t want anymore? Without jumping through hoops like contacting support. Not sure your question is serious or not.
I can create an iCloud account on my iPhone at the top of the settings menu. How do I delete it?
I know you’re asking just to be contrarian, but here’s how:
Yes, just to be clear, it’s a website.
That is not an app.
Also the stakes are a lot higher as it could delete all of someone’s photos, backups, music and video purchases - not to mention all of their apps and related data.
I believe you can delete it through the iCloud website.
Of course, people use their apps for all sorts of important things, and it would be disruptive to accidentally delete their accounts from many of them. This issue can be mitigated through confirmation dialogs and other measures.
So Apple’s new pro-consumer policy applies to everyone but Apple. Interesting, but not unexpected.
The point is that iCloud is not an app. The account you are referring to is a phone account, not app account. You are comparing apples to oranges.
Apple writes these rules, and as platform owner of iOS they can design the rules not to apply to themselves. I don’t think that’s a good defense against the obvious hypocrisy here. A major part of Apple’s playbook these days is to design some policy that has the effect of advantaging themselves vs. competitors, while also helping the consumer. I think it’s an effective strategy, but it also deserves some criticism. The consumer would be helped more if Apple treated their own services equally.
Everything is an app and nothing is an app. I opened my bank account through an app. Is iCloud more important than my bank account?
“iCloud is not an app and does not need a delete button through the same UI” is a double-standard cop out.
Delay the deletion by 2 weeks if it’s really that dangerous, but they should still allow it.
In case someone thinks this is an exaggeration, my only bank account was created through an app on an iPhone. The bank has no physical branches.
You can delete all of your data from iCloud through Settings.
Simply uncheck everything e.g. Photos and it will be instantly removed.
Arguably, yes, for some people, iCloud is more important than, or as important as, their bank account if their iCloud is used for disaster recovery of their primary computing device data, including passwords. Maybe even the password for their bank account.
How about my Google account? Is Google an app or my life?
Any app could follow into your description, should they have an exception? 1Password doesn't need this? Backblaze? Amazon Photos?
I already gave a solution to the problem: Allow it, delay deletion. Apple does not need an exception to its own rule.
Why isn’t it an app? What’s the criteria for something being an app?
An app is a program that launches, does something and exits.
iCloud is an "always on" cloud storage/sync service where you choose what data you want to use it for.
How is this a meaningful distinction whatsoever? There are countless apps that allow you to sign up for an "always on" service. Should they be exempt from allowing you to delete your account as well? Or is that privilege reserved for built in bloatware?
iCloud is part of the operating system, and, most importantly, it is not downloaded through the App Store.
These rules are for apps on the App Store.
Edit to add: There may be a reasonable debate to be had over whether there should be some visible component of iCloud that has to be downloaded from the App Store before it can be used on an iDevice—or whether the App Store rules should be, by some means, applied to the entirety of what can/does run on an iDevice. But right now, neither of those are the case, and thus, though some may find the difference between "iOS" and "application running on iOS" frustratingly slim, Apple is not, in this instance, applying its rules inconsistently.
Are you being deliberately obtuse or just really not able to understand that Apple provides two things: 1) an operating system with ancillary features and 2) an App Store with applications for sale?
iCloud is not an app that you can download on the App Store. It is an ancillary service for the operating system.
> comparing apples to oranges.
Great pun. :-D
The stakes are also high for users of apps like Google Drive, OneDrive, etc. but I don't see them getting an exemption from this policy.
I hope they finally crack down on Instagram (and maybe some of Facebook’s other apps?) which make you go to the browser to deactivate/delete your account. I’ve done this a few times (temporarily deactivate) and requiring me to switch to the browser first and login with my IG credentials — something I would never otherwise do — seems like a sneaky way to drop a tracking cookie in my browser before I leave for a while.
'Right to forget' is required in EU, and it's been illegal in California since 2018 for subscription services that take signups online to not offer online cancel options too (i.e. without being forced to call customer service). https://techcrunch.com/2018/07/04/californias-new-online-can...
Visa cc passed new policy in 2020 and New York did in February 2021. So the infuriating practice of forcing us to call or go through chat loops to quit a basic subscription are numbered. I feel strongly enough that I started brightback.com in 2018 to help make online cancels easy for app/saas developers to offer while keeping it simple for the customer.
A related question about this: if an account was flagged for something (e.g. the account was shadow banned), is it OK by GDPR standards to:
1/ not tell the user this info.
2/ keep track of the fact this account was flagged after the account was deleted, for instance by keeping a hash of the email address of the accounts that were flagged?
Not sure about #1, but #2 is definitely allowed, although you’re supposed to keep only the data that you need to prevent them from circumventing your ban system.
An interesting corollary: A software supporting file creation must also support deletion. A user can create a document in Microsoft Word and save it. Why can't they also delete it from within Word. If they have an open document, where's the delete button to just delete it. :-)
Hackernews should also provide account deletion option. In case of accounts getting doxxed for people who do not want it. Account deletion will help in saving fallout.
Based on a quick Cmd+F this document doesn't explicitly define what 'Account deletion' must be. Does it just mean that the user no longer exists on the app's frontend, but all data is retained? Or does it explicitly mean that all data relevant to that user is deleted?
Now do subscriptions.
For all the people who fall prey to misleading tactics and don’t know how to cancel.
I think that's already there. If you subscribe using the app store subscription mechanism you can see a list of subscriptions in your account settings, including unsubscribe buttons.
My point is for that to also be in the downloaded app, since the new rule requires account creation and deletion to both be in the same place - which I think is a natural place to look for it as a user, savvy or not.
Well, you can blame Apple for that, there is no way for developers to cancel a subscription or issue a refund.
Most iOS apps already don't do subscriptions in-application because of Apple's fee requirements.
> How do you cancel your Clubhouse account? I was invited to talk about Apple and monopolies, and that was (mostly) a fine conversation. But I have no interest in staying in that place, yet all I see is a Log Out option, no "Cancel Account" option?
> @DHH - Jul 3, 2020
or simply not allow them to login via iOS lol instead of deleting anything on the backend
Lying to users about how you process their data could lead to legal action in the EU.