Subscribe now

Technology

Is it possible to permanently delete a social media profile?

By Sally Adee

27 July 2015

New Scientist Default Image

Put it online and it will live forever (Image: Aldo Sperber/picturetank)

They thought they could get away with it. The 37 million people who put nude photos and intimate details of their sexual fantasies on the Ashley Madison website (which has the slogan “Life is short. Have an affair”) had a get-out clause.

Ashley Madison, like some other sites, offers a hard delete – a guarantee that for a certain amount of money, your data will be scrubbed from all of its internal records. To permanently destroy all traces of your affiliation with the adultery social network costs £15 in the UK.

However, a hacker collective called Impact Team has revealed that customers’ details aren’t entirely deleted. Compliance with auditing requirements means that the credit card details and name used to scrub the account remain in Ashley Madison’s database, rather defeating the point.

Serves them right, some might say. But this should be a reminder that there is a big gap between what web sites do with our data and what they tell us they will do. And that there is a lot of wiggle room in the technical details. That’s true even if you haven’t been having an affair on the internet.

Your digital remains

Take Facebook, for example. The site advises that “when you delete your account, people won’t be able to see it on Facebook“. However, just because you can remove your account from the public-facing servers doesn’t mean no data about you remains in Facebook’s coffers.

“Facebook’s data policy is ambiguous on what exactly it promises to delete after you delete your account,” says Brendan Van Alsenoy, a legal researcher at the Catholic University of Leuven (KUL) in Belgium. “It mentions ‘information associated with your account’,” he says, but “it’s unclear whether this covers any information other than the information that is immediately visible to users themselves”. So while Facebook is legally bound to delete things like status updates, the same legal protections may not apply to internal business information of the sort that Ashley Madison kept.

“Copies of some material may remain in our database for technical reasons,” a Facebook representative told New Scientist. However, “when you delete your account, this material is disassociated from any personal identifiers”. According to European Union law, says Van Alsenoy, “if the data has been sufficiently anonymised, the individual will not be able to insist on deletion”.

Back from the dead

The precise workings of deleting accounts or history with other companies is similarly unclear. A Google spokeswoman directed us to the company’s fine print, which reveals similar caveats: “It is possible to deactivate your user name“, but “if you deleted your Gmail account but want it back, we work to help you recover your deleted account whenever we can.”

“Because we maintain backup systems to make sure we don’t lose users’ data,” she said, “the deletion process may take time.”

This makes business sense given the calamity associated with hacked and deleted Gmail accounts. While the company lets you delete your search history, it does keeps those search logs, but dissociates them from your Google account: anonymised.

However, data anonymisation is becoming increasingly unrealistic. “Re-identifying supposedly anonymised data has been demonstrated many times,” says information privacy legal scholar Paul Bernal of the University of East Anglia, UK, and it will only get easier as re-identification techniques become more sophisticated.

Unfortunately, the law often either misunderstands or lags behind technological developments. In health law, for example, squabbles are ongoing over the definition of “sufficiently” anonymised.

Some say full anonymisation is simply impossible. EU regulators have issued guidelines on anonymisation, however, that are sensible, says Van Alsenoy. “Whether or not somebody is “identifiable” or not is a question of fact,” he says.

And the proposed reform of the EU Data Protection regime includes an explicit “right to erasure” motivated by the frustration of Viviane Reding, the European commissioner for justice, fundamental rights and citizenship, with the difficulty of deleting social media profiles.

The bottom line

Perhaps the real reason companies bury their promises in caveats has to do with the bottom line. Facebook accounts are replicated across geographically distributed data centres. “It would cost Google and Facebook money to delete all data – just setting up the systems would be complex, I suspect, and tracking down all data might be a little hard too,” says Bernal.

For the time being, no one knows what data is kept, how identifiable it is, or how it could eventually be strung together. Plenty of people have been convicted of murder partly on the basis of web searches such as “how to commit murder” and “undetectable poison”.

But even if your search queries are more anodyne, they or other online traces might come back to haunt you. “People tend to think short term, accurately believing that the threat over exposure of “just one post” over a small time frame is rather minimal,” says David Dunning, who studies cognitive biases at Cornell University in Ithaca, New York. “It’s this neglect of the long term that often gets people into trouble.”

So how would such information come to light? A hack would do it. But even if every company were scrupulous about storing your information far from a hackable internet connection, there are still other avenues for your information to find its way back into the open internet.

“The notion of a defunct Facebook seems preposterous today,” says Bernardo Huberman, director of the Social Computing Lab at Hewlett Packard. But many other social networks like Orkut and Friendster fell to the fickle winds of Silicon Valley. In the future, Facebook’s valuable data may become its most valuable commodity.

What guarantee does anyone have that someone can’t one day use Facebook’s or Google’s log files to construct a damning narrative about you?

Whether it’s an incriminating Facebook back-and-forth from 2004 or a series of late-night Google searches on erectile dysfunction, “many people likely don’t know just how long their material stays on the internet, what companies can do with it, or how open it is to hacking”, says Dunning.

Topics:

Sign up to our weekly newsletter

Receive a weekly dose of discovery in your inbox! We'll also keep you up to date with New Scientist events and special offers.

Sign up