[johnnycerberus]

Do you have a paid account or a free account? If I store my documents on a free account for a one time send to the university application and then I forget about it, then Dropbox should purge it after a time to protect my data, as I don't have any "contract" with them like a subscription or something. The same for G2A, I have bought from them some game keys at a cheap price sometime ago and then I totally forgot that I have one, I couldn't even find the activation mail in my inbox, lol. One day in the summer I woke up with a mail that I have to pay an inactivity fee even if I'm just a row in their database and I have no contractual obligation with them.

[fiddlerwoaroof]

I had a family member go through a major life event that left his OneDrive account unused for about a year. When we needed to access tax documents on it, Microsoft had deleted it. I’m strongly against non-user initiated account deletion.

[saurik]

Yeah: I would take the opposite stance to this whole "accounts should be deleted due to inactivity" BS and say that a company that you entrusted your data to now has a moral responsibility to do everything they can to hold on to that data until such time as you explicitly relinquish them of that duty, and if the cost of such a requirement is scary you shouldn't put yourself in a position to hold on to other peoples' data in the first place.

[rsync]

"... a company that you entrusted your data to now has a moral responsibility to do everything they can to hold on to that data until such time as you explicitly relinquish them of that duty ..."

I completely agree.

I will take this even further: that company should break a data retention law in order to hold ambiguously abandoned data that might be important to that user.

Further: that company should safeguard that data and protect it from unlwaful intercept or surveillance just like the data of any other paying customer.

Finally: no additional costs should be accrued beyond the original terms for this safekeeping of data.

Please do not abuse this.

[ivan_gammel]

They do not have such moral responsibility. Their responsibilities are defined by laws and their T&Cs, which are known to the customers and customers explicitly opt in. If I say in my T&Cs that I delete data after certain period of account inactivity, then this is how it is going to work and user shall not expect anything else.

[saurik]

> Their responsibilities are defined by laws and their T&Cs, which are known to the customers and customers explicitly opt in.

You seem to just not believe in morals I guess? ;P

Like, yes: the law says you can do something... but I am claiming it isn't moral to do that. You can assert your terms of service let you, but I am claiming that it wasn't moral of you to put that in your terms of service in the first place. (And to the extent to which the law requires you do the opposite, that is us arguing over what the law should say, given that the entire point of this thread is about a changing law.)

And like, the user of course should expect you to do the things you claim you will do, but I also think it is fair for users to expect you to claim you will do moral things in the first place. If you are going to pull stunts like deleting data users entrusted to you, hopefully your service is sufficiently optional and unimportant that they can just not use your service without losing out on anything at all in life.

I see you work in medicine. Your field collects data on people all the time and then hoards it from them. You take X-rays and then just put them in some filing cabinet. To get a copy of MY X-ray I have to argue with people about it and then I usually get some low-quality shit copy. Meanwhile, you purge your records and delete MY data because I somehow have the gall to not need your specific service for some number of years until I get old and suddenly wish I could get my X-ray and you destroyed it :/.

You should frankly be REQUIRED to give people their data to take with and not take it yourself, a step you can't be trusted to not put it in your terms of service that you get to both hoard it and delete it on a whim. If you must insist on holding it yourself, you should be required to have a trust set up that you make regular deposits into to ensure that the data you are holding will survive at least as long as all of your patients.

That's what I will claim is "moral", and to the extent to which either laws or the terms of service of your organization fails to match then the lawmakers, lawyers, or entrepreneurs are being horrible people. If you believe in a religion that has a place similar to hell, maybe that's where all of the people who push for, allow, or take part in stuff like this will end up :/.

[ivan_gammel]

I do not believe in „morals“, yes. Whatever you think is right is just your opinion, unless it is important enough that society decides to codify it in law. Christians think that homosexuality is immoral - should I care about their opinion and lecture my gay friends about their wrong behavior? I rather suggest one billion of people to go to hell with this belief. Same here. If you want to discuss my personality from „moral“ perspective, you can join them. Especially given that you suggest to analyze from „moral“ perspective data retention, which is a pure UX and product topic.

[rsync]

"They do not have such moral responsibility. Their responsibilities are defined by laws and their T&Cs ..."

You have this backwards.

They do not have such legal responsibility - and you are correct that their legal responsibilities are defined by laws, T&C, etc.

However it is for them, not you, to define their moral responsibility.

I believe that if you run (something like a safe deposit box) you have a moral responsibility to (make human decisions about burning the contents).

[ivan_gammel]

As many people pointed out in the comments here, there are different expectations in this field - there is no common unwritten law about how it should work. If some people make wrong assumptions about it despite having access to the necessary information, it is really their fault. They are not the victims to be saved. If I run a deposit box, I do not offer it for free and I will empty it the moment payment stops. If I run a service with a free plan, I will keep the data as long as possible and will delete it only after economically justified period of inactivity. Contrary to the trials of paid subscriptions, free plans are not meant to be auto-deleted quickly, but since nobody pays for storage, business also cannot take obligation to keep the data of inactive accounts forever. That said, read the T&Cs and do not assume that your understanding of „morality“ is right.

[_hzrk]

Interconnectedness of the world today is economically justified, it does not have any morality in it. In the same vein, if we would have to listen to your anti-morality point of view, we should have kept the connections as before even if we contribute to the global warming, to the deaths of many vulnerable people contributed by the rising number of viruses that are spreaded at an accelerated rate, to the number of cyberattacks that have quadrupled. Similarly to economically accessible transit around the world and its complexity, we have the Internet which is clearly becoming more and more prone to breaches exploiting vulnerabilities (log4j literally proved that everything was open for exploitation). Today, while I'm watching a random Romanian TV channel, many psychopaths at a round table are leading you to believe that Covid's risk is self inflicted by people who don't work out & are overweight and that lockdowns are unjust, it is all people's fault, that there's nothing moral in lockdowns and wearing masks, which I strongly disagree with and it is also not supported by data.

[valdiorn]

Especially since the problem can be completely avoided by encrypting the user's data in the first place. Then the whole "we're deleting the data for your privacy" argument doesn't really hold up.

Also, have had similar experiences, and would be livid is someone deleted my data after only a few months.

[kingcharles]

I ended up in jail without any prior notice, for 8 years. You can imagine how much of my online life was still there when I got out.

[ivan_gammel]

In fact you have the contract with the services where you sign up. Even if you did not read T&Cs, you have accepted them and only then your relationship with the service started on their terms. You are not just a row in the database, you are a customer getting service in exchange for something. You have at least opted in to their data retention policy, and you have to opt out explicitly. If services will be required to purge the customer data after period of inactivity by default, chances are high that free accounts will simply cease to exist. In any case, quite significant share of customers would prefer to opt out from purge and they will be important enough from commercial perspective to make this opt out default in T&Cs acceptance process.

[lexandstuff]

So you'd like Dropbox to "protect your data" by deleting it?

I'd rather see my family photos leaked to hackers than see them purged from existence forever because I forgot to log in enough.

[nickff]

>"If I store my documents on a free account for a one time send to the university application and then I forget about it, then Dropbox should purge it after a time to protect my data, as I don't have any "contract" with them like a subscription or something."

I found this sentence interesting, as it contained positive and normative statements that I disagree with, with a non-sequitor between them. You say that you have no contract with them, even though you agreed to some sort of 'user agreement'. Then you say that you forgot about it, and that makes your faulty memory their problem. They have to make sure your data is secure for you because you... just don't bother to pay any attention to where you're leaving it? Should they also be responsible for checking your password against known breaches, to make sure it's not compromised? Where does this end?

[_hzrk]

Yes, they should check for any possible breaches. As any other responsbile company already does, like AWS for example which not only checks for breaches, but also scans public repositories like GitHub and GitLab for leaked credentials. A company should also warn a user from time to time that the respective needs to update his password, some companies are so careless that they don't even pay attention to this latter small detail. Or at least to warn an account holder that he still has an account with them.

> and that makes your faulty memory their problem

It is not only memory that is flawed in humans. Hence the protective measures I'm proposing.

> against known breaches

What about the unknown ones? How do you protect your user's account when under GDPR Dropbox is the controller of the data? By sending mails ocassionally to update the password, to adopt 2FA, by locking account due to suspicious activity or to purge it in the end if no further action is taken. It ends with the deletion of the user.