this post was submitted on 11 Jan 2024
57 points (82.0% liked)

I wanted to delete my old OPPO ID account, and to do that I'll need to log in to it, but I don't know the password.

Password reset requires saying when the account was created (month and year) and "tech support" can't help here either.

Is it legal to block / hide account deletion behind login in European countries? GDPR (and Polish RODO) both talk about a right to data deletion, which in this case, I believe, isn't respected.

[–] taladar@sh.itjust.works 56 points 10 months ago (1 children)

What would prevent someone else from requesting the deletion of your account if there was no proof that you are the person whose account it is?

[–] pacjo@lemmy.dbzer0.com 6 points 10 months ago (1 children)

I'm writing from the email associated with the account; this is enough for most services I encountered.

[–] mp3@lemmy.ca 20 points 10 months ago (2 children)
[–] lazynooblet@lazysoci.al 1 points 10 months ago

But spoofing doesn't allow a two-way conversation. Confirming the email should be enough.

[–] pacjo@lemmy.dbzer0.com -5 points 10 months ago (3 children)

That's just how it is. If you try hard enough everything can be spoofed. You can also try guessing someone's password and creation date of an account. This is not the issue here.

[–] mp3@lemmy.ca 22 points 10 months ago

The issue is with support not giving you an adequate account recovery method, they're correct about validating ownership of the account tho.

[–] taladar@sh.itjust.works 9 points 10 months ago (1 children)

Email (on domains without DKIM and SPF at least) can be spoofed so easily, you could literally do it with on-board tools and a few lines of typing though. It is literally just sending an email that has your email address in the From header.

[–] lud@lemm.ee 2 points 10 months ago (1 children)

What are the odds that OP is emailing from an email that's not configured correctly? Very low.

[–] taladar@sh.itjust.works 3 points 10 months ago (1 children)

If you mean from a domain without DKIM and SPF on the sending domain and DKIM and SPF validation on the receiving one? Pretty high.

[–] lud@lemm.ee 0 points 10 months ago (1 children)

Not really since Microsoft, Yahoo (I guess), and Google dominate the email space really hard.

[–] taladar@sh.itjust.works 4 points 10 months ago* (last edited 10 months ago) (1 children)

In terms of domains not really. Only the free-mailers use domains by one of those. The corporate users still need to set up their DNS properly for those technologies even if they use one of them as a mail hoster.

[–] lud@lemm.ee -2 points 10 months ago

Why would OP contact OPPO using a corporate email?

It's extremely likely that they don't have their own domain since it's very uncommon for personal usage. Some absolutely do but they are in the minority.

Of course custom emails need to be set up properly, otherwise all mails would just go to spam.
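The point in the exchange above about SPF and DKIM needing validation on the receiving side, as an added example that is not part of any comment in this thread: a sketch of how a support desk could check, before acting on an emailed deletion request, that its own mail server recorded an SPF or DKIM pass aligned with the From domain. The authserv-id `mx.support.example`, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.support.example"  # assumption: authserv-id of our own receiving server

def _domain(addr):
    return addr.rsplit("@", 1)[-1].strip().lower()

def _parse_results(header):
    """Split one Authentication-Results header into (authserv_id, [(method, result, props)])."""
    parts = [p.strip() for p in header.split(";")]
    authserv = parts[0].split()[0].lower() if parts[0] else ""
    results = []
    for part in parts[1:]:
        pairs = re.findall(r"([\w.-]+)=([^\s;()]+)", part)
        if pairs:
            (method, result), props = pairs[0], dict(pairs[1:])
            results.append((method.lower(), result.lower(), props))
    return authserv, results

def sender_authenticated(raw):
    """True only if our own server recorded an SPF or DKIM pass for the From domain."""
    msg = message_from_string(raw)
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    if not from_domain:
        return False
    for header in msg.get_all("Authentication-Results", []):
        authserv, results = _parse_results(header)
        if authserv != TRUSTED_AUTHSERV:
            continue  # the sender can add this header too; only ours counts
        for method, result, props in results:
            if result != "pass":
                continue
            # Strict alignment (exact domain match), stricter than DMARC's relaxed mode.
            if method == "dkim" and props.get("header.d", "").lower() == from_domain:
                return True
            if method == "spf" and _domain(props.get("smtp.mailfrom", "")) == from_domain:
                return True
    return False

# Constructed sample messages (not real mail).
GENUINE = ("Authentication-Results: mx.support.example; spf=pass smtp.mailfrom=user@mail.example;\n"
           " dkim=pass header.d=mail.example\n"
           "From: User <user@mail.example>\nSubject: Delete my account\n\nPlease delete it.\n")
UNAUTHENTICATED = ("Authentication-Results: mx.support.example; spf=pass smtp.mailfrom=bounce@other.example;\n"
                   " dkim=none\n"
                   "Authentication-Results: mx.other.example; dkim=pass header.d=mail.example\n"
                   "From: User <user@mail.example>\nSubject: Delete my account\n\nPlease delete it.\n")

if __name__ == "__main__":
    print(sender_authenticated(GENUINE), sender_authenticated(UNAUTHENTICATED))
```

The check is only sound if the receiving server removes inbound `Authentication-Results` headers that carry its own authserv-id before adding its own, as RFC 8601 directs.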

[–] echo64@lemmy.world 17 points 10 months ago (1 children)

It's not illegal to put account deletion behind a login at all. It's also legal for them to request identification.

However, if you request data deletion and they have no valid exception to avoid doing that, they must comply. It doesn't matter if they have a mechanism for deletion that you can use; they still have to delete the data even if you don't press the "delete account" button.

You can file a complaint with your country's regulatory departments, but if they refuse to press the delete account button for you, there's not much else you can do outside of that.

[–] pacjo@lemmy.dbzer0.com 1 points 10 months ago

Not the answer I was hoping for, but still a good one. I'll try contacting someone who might be interested in this.

In the meantime I sent them another email specifically mentioning this as a request and not me just asking for help.

[–] lypticdna@feddit.uk 14 points 10 months ago

It has already been said but the company is complying in the sense that it is providing a solution whereby you can delete your account. That said, where you are unable to follow that process, they should offer you the same ability via email. Each company does things slightly differently but I would hazard a guess that an email stating that you find it more reasonable for the action to be carried out via email, they would be likely to comply.

The reason why companies put these in place is simply to avoid mass requests for deletion and, as stated, to also protect you.

While email spoofing has been mentioned, it is somewhat unlikely anyone would send a request for deletion after spoofing your email, yet, it is not impossible.

You may have to be persistent, could use services that support or even get some pointers from the ICO. Here is a really good link https://ico.org.uk/for-the-public/your-right-to-get-your-data-deleted/

I wish you luck

[–] survivalmachine@beehaw.org 5 points 10 months ago (1 children)

> saying when the account was created (month and year)

This is an absurd requirement, but do you have a ballpark idea, and does it let you continue to guess multiple times? Submit a few dozen password reset requests and if they complain, tell them to verify you via alternate means.

[–] pacjo@lemmy.dbzer0.com 3 points 10 months ago

It allows 3 guesses, but I don't know how often they reset. I'm pretty sure the account was created after September 2019, but that's still a lot of possibilities.

[–] _MusicJunkie@beehaw.org 4 points 10 months ago (1 children)

Did you tell them that you don't have access to your account? Because to me, this reads like the default answer ("here's how you do it yourself"), not like they won't do it by email if asked to do so.

My company does the same - if you ask our support how to delete the data, they will send you a link to the customer portal. Only if you tell them that doesn't work for you, they will work out another way.

We built the feature into the customer portal, so we want people to use it if possible. Because that's way less work for our support team.

[–] pacjo@lemmy.dbzer0.com 3 points 10 months ago

First I wrote on live chat support. After they couldn't help me, I sent the email.

...and it's not the email alone I'm mad at (maybe a little) but the overall experience I had with them. After explaining my issue I was told multiple times they couldn't do anything and the best suggestion I got was "you could create another account", that's not helpful. What am I supposed to do, just leave the old one to die slowly and forgotten?

[–] ReversalHatchery@beehaw.org 3 points 10 months ago (1 children)

> Password reset requires saying when the account was created (month and year) and "tech support" can't help here either.

Did you try the date of their first email?

[–] pacjo@lemmy.dbzer0.com 2 points 10 months ago (2 children)

If only I had that. It's not reasonable to assume someone would know that or will hold onto emails about account creation.

Thanks nevertheless.

[–] ares35@kbin.social 2 points 10 months ago

knowing when an account is created, down to the month and year seems to me to be an unrealistic requirement for a password reset.

i wouldn't know the answer to that for any account, anywhere.

[–] ReversalHatchery@beehaw.org 1 points 10 months ago

I don't think so. I never delete such emails. Why would I? Not like it's in the way