If the entirety of your delete process is replacing an email address with something@deleteduser.com, not only are you doing the bare minimum, you are somehow doing something worse than the bare minimum — because you are willingly exposing PII to some random fella’s domain, and you weren’t doing that before.
I saw a discussion on the internet where someone mentioned that they deleted users in their app by overwriting their email addresses with $somethingRandom@deleteduser.com.
vrolfs | 22 hours ago
At least in Europe, you would be breaking the law. GDPR is pretty clear on that; you have to delete all PII from your system.
spc476 | 19 hours ago
I would expect replacing an email address with x@example.com would be good enough.
majaha | 11 hours ago
Not if you don't also delete their name, phone number, address etc. Clearly, some of these companies weren't and were probably breaking the law.
zladuric | 6 hours ago
There are places where you are legally required to hold things like a name and an address, for e.g. tax reasons or something, which are of course exempt from the GDPR law anyway, but making sure those do not run out is a good.
einacio | 18 hours ago
That's still a valid domain, with valid MX records.
deleted_user@gdpr (no external domain) and marking the user as deleted so you don't waste time and money on the mailing process should be better
spc476 | 17 hours ago
It's a domain set aside by the IETF for documentation and should not be used at all, and it should be easy enough to filter that address.
einacio | 16 hours ago
Sure, it would be as easy to filter as deleteduser.com, but then we have this post haha
altano | 6 hours ago
You wouldn’t have this post because no one can buy the domain name and you can’t route email to it
Johz | 6 hours ago
But someone does own that domain (presumably under IETF auspices) and administrates it, which means information is leaking. Sure, an attacker couldn't register the domain, but GDPR doesn't have an exception that says "don't share personal information, unless you're sending it to an IETF-owned domain, then it's probably fine, don't worry about it".
spc476 | an hour ago
example.com is registered to the IETF, you know, an organization! Sure, there might be someone (or some team) that's responsible for the DNS records and such but ownership is to the organization! What personal information is being shared in this case? And as @altano states, you can't route email to that domain anyway.
jdpage | 7 hours ago
Or: supposing you're companyname.com, you set the email to USERID@deleteduser.companyname.com and stand up an SMTP server on that domain. Any mail that goes there is either an error on your part or spam, so with appropriate monitoring you can catch bugs around your deleted-user handling.
sibexico | 18 hours ago
Most forms will not accept 1st level domain in the email address...
pgeorgi | 16 hours ago
Then go for deleted@deleted.invalid.
.invalid (like .example and .localhost) is designated to never end up in the root zone since 1999. That way it's a valid-looking email address that is defined invalid.
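The two defensive ideas in this thread, a placeholder address under a name that can never be delegated (this comment) or under a domain the company itself controls (jdpage's deleteduser.companyname.com and bezdomni's deleted+<uuid>@<company> below), can be turned into a check that runs before a record is scrubbed. The following is an added example, not code from the thread or from any commenter; the User record, its field names and the sample user are constructed, and the domain classification follows RFC 2606 / RFC 6761 as the thread describes them.

```python
"""Added example (not code from the thread or any commenter): scrub every PII
field of a deleted account and require that the placeholder mailbox domain is
one that cannot route mail to an unrelated third party.  The User record, its
field names and the sample user are constructed for illustration."""
import uuid
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional

# Top-level names reserved by RFC 2606 / RFC 6761 and kept out of the root zone,
# so nobody can register them and receive the mail.
RESERVED_TLDS = frozenset({"invalid", "example", "test", "localhost"})
# Second-level names reserved for documentation (RFC 2606).
RESERVED_DOMAINS = frozenset({"example.com", "example.net", "example.org"})


def is_safe_placeholder_domain(domain: str,
                               owned_domains: FrozenSet[str] = frozenset()) -> bool:
    """True if mail sent to this domain can only land with us or nowhere.

    Accepts the reserved names above and any domain under one the company
    itself controls (the deleteduser.companyname.com pattern).  A plain
    registrable name such as deleteduser.com is rejected, as is a made-up
    top-level label like "gdpr" that ICANN could still delegate one day.
    """
    d = domain.strip().lower().rstrip(".")
    if not d or "@" in d:
        return False
    if d in RESERVED_DOMAINS:
        return True
    if d.rsplit(".", 1)[-1] in RESERVED_TLDS:
        return True
    owned = {o.lower().rstrip(".") for o in owned_domains}
    return any(d == o or d.endswith("." + o) for o in owned)


@dataclass(frozen=True)
class User:
    """Constructed account record; the PII columns stand in for a real schema."""
    id: int
    email: str
    name: Optional[str]
    phone: Optional[str]
    street_address: Optional[str]
    deleted: bool = False


def scrub_deleted_user(user: User,
                       placeholder_domain: str = "deleted.invalid",
                       owned_domains: FrozenSet[str] = frozenset()) -> User:
    """Return the record as it should be stored after deletion.

    The email becomes an unroutable, per-user placeholder so unique-key
    constraints still hold, and every other PII column is cleared, which is
    the step the thread notes many implementations skip.
    """
    if not is_safe_placeholder_domain(placeholder_domain, owned_domains):
        raise ValueError(
            f"{placeholder_domain!r} could deliver mail to a third party")
    token = uuid.uuid4().hex  # random; not derived from the old address
    return replace(
        user,
        email=f"deleted+{token}@{placeholder_domain}",
        name=None,
        phone=None,
        street_address=None,
        deleted=True,
    )


if __name__ == "__main__":
    # Constructed sample input.
    alice = User(42, "alice@example.com", "Alice Example", "+1 555 0100", "1 Example St")
    print(scrub_deleted_user(alice))
    print(scrub_deleted_user(alice, "deleteduser.companyname.com",
                             frozenset({"companyname.com"})))
```

Keeping the check in the scrub routine rather than in a one-off migration means a later config change to a registrable domain fails loudly instead of quietly turning the placeholder into the PII magnet the article describes.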
junon | 13 hours ago
TIL invalid is special, what's the spec number for that?
EDIT: someone beat me to it: https://lobste.rs/s/muofgb/deleteduser_com_15_pii_magnet#c_wfwlil
bwbuhse | 11 hours ago
Plenty of sites already don’t let me use my .email domain, but they’d allow “.ema” because they check if it’s 3 characters or less for some dumb reason
hoistbypetard | 11 hours ago
I've had a similar problem with my .rocks domain. Worse still, some shitty site my kids use decided to filter it after we signed up. So now I can't reset the kid's password.
There are some fun links about it here.
creesch | 16 hours ago
User facing forms, companies should be able to adjust their tooling to accept it of course.
tome | 11 hours ago
Yeah this doesn't quite make sense to me. Why would any organization think that they should only overwrite the email address and not the rest of the PII?
stig | 16 hours ago
I was confused about the headline. I thought they were selling a $15 magnet to erase PII data 🤣
bezdomni | 16 hours ago
At work we have an email account set up for this. We replace the user's email with deleted+<uuid>@<company>. Any emails sent end up in one of our inboxes.
hoistbypetard | 10 hours ago
Medium makes me grumpy. I was interested in this article, started reading it, and some javascript hid the article that I was reading, but failed to show whatever annoying modal it wanted to show me, so I couldn't dismiss it. I'm on a very slow and somewhat unreliable connection today, so that kind of stuff is more annoying than usual.
And CAPTCHAs don't seem to work well on this connection, so I can't get at the archive sites either.
I kind of got the gist of the article from the comments here plus the snippet I was able to read before Medium took it away to attempt to show whatever it was they wanted to show over the top of it. But I find it ironic that a piece about very user-hostile behavior was posted on a site that is itself so user-hostile.
mdaniel | 9 hours ago
Courtesy of an announcement on the orange site, just replace medium with scribe.rip and enjoy https://mike-sheward.scribe.rip/deleteduser-com-a-15-pii-magnet-c4396eb21061
It works with any of their hex suffixed urls, no need to use the vanity domain, if that's easier for you https://scribe.rip/deleteduser-com-a-15-pii-magnet-c4396eb21061
gerikson | 9 hours ago
I have the same issue with Medium - I use an extension to auto-click cookie banners, and I think it interacts badly with Medium's scripting.
I ended up reading this in another browser and it was worth it, unlike a lot of other content hosted on Medium.
mtlynch | 13 hours ago
Not that I think this is a good way to delete data, but if you ever do something like this, a strictly better solution is to use an officially non-routable domain name like @example.com or @deleted.invalid.
doug-moen | 12 hours ago
example.com is not non-routable. Try opening it in a web browser.
mtlynch | 52 minutes ago
Ah, you're right! I forgot that it actually hosts something.
I'll revise that to like @deleted.example or @deleted.invalid.
mdaniel | 10 hours ago
I am pretty sure they mean routable MX records, given the topic of this thread. One can easily confirm there are no MX records for that domain: https://dns.google/query?name=example.com.&rr_type=MX&ecs= and it's a good thing because who would want to host a server that only accepts incoming emails forever?
[OP] fanf | 9 hours ago
Email is weird: “no MX records” means email uses the address records instead. There’s actually a null MX record on example.com which means it explicitly rejects all email.
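The distinction fanf draws (no MX records is not the same as no mail, and a null MX is an explicit refusal) is easy to get wrong when reasoning about whether a placeholder domain can leak. The following is an added example, not code from the thread; it applies the routing rules of RFC 5321 section 5.1 and RFC 7505 to DNS data that is constructed inline rather than looked up. The deleteduser.com entry is a hypothetical MX set, included only to show what a registrable domain's owner could configure.

```python
"""Added example (not from the thread): classify where outbound SMTP would try
to deliver for a domain, so "no MX records", a null MX and an ordinary MX set
are told apart.  All DNS data below is constructed, not fetched."""
from typing import Dict, List, Tuple

MX = Tuple[int, str]  # (preference, exchange host)


def mail_routing(mx_records: List[MX], has_address_records: bool) -> str:
    """Return one of:

      "reject"        - RFC 7505 null MX ("0 ."): the domain takes no mail and
                        senders bounce at once without connecting anywhere.
      "mx:<hosts>"    - ordinary MX set; hosts listed in preference order.
      "implicit-mx"   - no MX at all, so RFC 5321 section 5.1 treats the
                        domain's own A/AAAA host as the mail exchanger.
      "undeliverable" - neither MX nor address records exist.
    """
    if len(mx_records) == 1:
        pref, exchange = mx_records[0]
        if pref == 0 and exchange.rstrip(".") == "":
            return "reject"
    if mx_records:
        hosts = [host for _, host in sorted(mx_records)]
        return "mx:" + ",".join(hosts)
    return "implicit-mx" if has_address_records else "undeliverable"


# Constructed records keyed by domain: (MX set, whether A/AAAA records exist).
SAMPLE_DNS: Dict[str, Tuple[List[MX], bool]] = {
    # example.com: null MX, as fanf notes, plus address records for the
    # website, so the site loads in a browser but mail is refused outright.
    "example.com": ([(0, ".")], True),
    # Hypothetical: a registrable domain whose owner stood up mail servers.
    "deleteduser.com": ([(10, "mx1.deleteduser.com."),
                         (20, "mx2.deleteduser.com.")], True),
    # Reserved TLD: nothing resolves, so nothing is ever delivered.
    "deleted.invalid": ([], False),
    # A web-only domain with no MX at all: mail falls through to the web host,
    # which is the case the "no MX records" shortcut misses.
    "webonly.example": ([], True),
}


def route_for(domain: str) -> str:
    mx, has_addr = SAMPLE_DNS[domain.lower().rstrip(".")]
    return mail_routing(mx, has_addr)


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        print(f"{name:20} -> {route_for(name)}")
```

The practical takeaway for a placeholder domain is that only the "reject" and "undeliverable" outcomes are safe; "implicit-mx" means a domain that merely lacks MX records will still receive the mail on whatever host serves its A record.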
creesch | 16 hours ago
It is always "surprising" and somewhat horrifying how naively some of these things are implemented by companies. I put surprising in quotes there because I am well aware how much of an afterthought many things are that shouldn't be in many companies.
blinry | 16 hours ago
I had to look it up: PII = Personally Identifiable Information
bitshift | 4 hours ago
They're all scary—and it's still bad that they're holding onto former customers' names—but this particular one is just so comically futile.
rnb37 | 14 hours ago
I wonder how many such domains exist and are either unowned (ripe for the picking) or are already being squatted by bad actors.
mattgreenrocks | 5 hours ago
I still don't understand why companies overwrite things instead of deleting the data. Are their data models really that brittle?