[itake]

One thing that is confusing about the concept of "deleted" is how do you minimize fraud on a social platform without retaining PII (indefinitely?) of your users.

If there is a known fraudster and you have their selfie image, email address, and ML face vectors, the fraudster requests their account to be deleted. What should the company delete? Maybe the company can keep a one-way hashed email and face vectors, but what about hash-collisions or false positives?

If there is a user that wants their account deleted, but then they come back to the platform (maybe abusing a referral bonus or first-time-only coupon), how do you stop this fraud?