this post was submitted on 22 Mar 2025
69 points (100.0% liked)

AssholeDesign

8342 readers
100 users here now

This is a community for designs specifically crafted to make the experience worse for the user. This can be due to greed, apathy, laziness or just downright scumbaggery.

founded 2 years ago
MODERATORS
Buddahriffic@lemmy.world
69
character.ai does not actually delete any accounts. If you try to do it, you lose the access to the account, but the account is still stored in the site (lemmy.ml)
submitted 1 day ago by N00b22@lemmy.ml to c/assholedesign@lemmy.world
11 comments fedilink hide all child comments
 
top 11 comments
sorted by: hot top controversial new old
[–] scrubbles@poptalk.scrubbles.tech 31 points 1 day ago (3 children)

Hate to tell you but 95% of companies do this. It's common practice. You're "deleted" account? There's a column called "DeletedDate" and it's marked to whenever you hit delete. Their query then just says "Select Account where DeletedDate is null" and yours just doesn't return until that date is cleared.

Is it asshole design? No. And it's not for privacy reasons. it's because the vast majority of people who hit delete will call the next day and yell and scream saying "But I didn't know it would delete everything". That's why Meta keeps it, and Youtube, and Google, and everyone.

Not to mention legal reasons. If someone uses your platform for illegal purposes and the feds come knocking you bet your ass you need that data or your company is liable. That is different in the EU I grant you, but that's the exception, not the common practice. Over there they can point to GDPR and say "That's why we don't have it". Anywhere else you're pretty screwed.

So. Not asshole design. The session staying open is bad security though. Everything else is just knowing your userbase and knowing that people will be pissed and need something. If you want privacy stop giving your data to companies in the first place.

[–] OsrsNeedsF2P@lemmy.ml 14 points 1 day ago* (last edited 1 day ago) (2 children)

You are mostly correct, some additional insight from someone who works with security/privacy stuff:

That is different in the EU I grant you

Even in the EU, when a user requests to delete their data, you're allowed to keep enough to validate they were a previous rule-breaker so they can't just delete their data and re-register

The session staying open is bad security though.

There isn't enough context to say for sure, but in general this is standard practice. JWTs, probably the most widely adopted standard for authorization on the web, have an expiry date and cannot be revoked. Yes it's not great security, but I want to emphasize this is standard practice. Google, Apple, Meta, Slack, etc all do this.

Also, when you request data deletion, the companies have up to a month to do it. I'm not sure if OP expected it to be instant, but it doesn't have to be

[–] scrubbles@poptalk.scrubbles.tech 3 points 1 day ago

Thanks for your insights in gdpr. Jwts though I know can be invalidated, but it's a few extra steps, and I'm not surprised when companies don't go the extra mile. It's usually such a niche case where someone logs in, has a jwt, and the server needs to invalidate it, but it happens.

[–] tja@sh.itjust.works 1 points 1 day ago

I thought Google is using macaroons, an extension(?) of jwts, which can be revoked

[–] Showroom7561@lemmy.ca 9 points 1 day ago

That’s why Meta keeps it, and Youtube, and Google, and everyone.

It's been a while since I deleted those accounts, but from what I remember, Meta explicitly says that they will NOT delete your account for 30 days, unless you log in. After that, it's gone "forever".

I'm almost certain that Google does the same, but I don't recall.

Still, if you want it deleted, it should be deleted!

[–] dparticiple@sh.itjust.works 3 points 1 day ago

In the absence of a US federal privacy law akin to the GPDR, many states have enacted laws such as the California Consumer Privacy Act (CCPA) which grant varying rights to state residents, including the right to data deletion in some cases. Bloomberg Law has a helpful primer: https://pro.bloomberglaw.com/insights/privacy/state-privacy-legislation-tracker/#states-with-comprehensive-data-privacy-laws

[–] PhilipTheBucket@ponder.cat 6 points 1 day ago

I think this is probably the way on practically every site that allows you to delete your account.

[–] brucethemoose@lemmy.world 3 points 1 day ago* (last edited 1 day ago)

Open source LLMs are a great alternative to cai anyway. The community's been finetuning them before Llama v1 was even a thing, and before ChatGPT blew up, and they’re darn smart now.

[–] Showroom7561@lemmy.ca 3 points 1 day ago (1 children)

I usually fill my account details with garbage data before deleting my account. That way, even if they don't actually delete it, it's useless to them, and keeps me out of it.

I do the same for accounts that cannot be deleted or closed (so, sooo many sites).

[–] scrubbles@poptalk.scrubbles.tech 4 points 1 day ago

Using temporary emails is great for this, especially with places that you know you don't care about, then just break the link. Granted for very nefarious things there will probably still be a link back to you via the provider.

[–] fuckwit_mcbumcrumble@lemmy.dbzer0.com 2 points 1 day ago

(in addition to the other comments) Is it actually not deleted, or is it still cached on one server and hasn't made it to another server?