Changing 186 email addresses

15th Jan, 2022

As part of my ongoing de-Googling, I recently finished removing my old personal Gmail account from as many accounts as I can. Along with switching email provider, I’ve switched to using masked emails instead of an actual inbox.

My password manager revealed 186 accounts that needed updating. For each, I’d either update the email address or delete the account if no longer needed.

The flows and user experience varied greatly, but I hadn’t anticipated the number of issues that would come up.

Some of these were down to poor design. In one case, the email verification link failed if I wasn’t logged in, with no indication that I had to be logged in for it to work.

More concerning were the security and data protection issues that were revealed.

Security theatre

As you might expect, many of the password requirements were horrendously weak: numbers/letters only, must be no longer than 10 characters. In one example the password had to ‘start with a letter’!

For reasons entirely unknown, a surprisingly large number of services forced me to contact support to change my email or delete my account. In many cases, I wasn’t able to change the email address at all.

This could be because the company/organisation wouldn’t permit it, or the reset flow was entirely broken (e.g. email not sent, the verification link didn’t work, etc). Tough luck if you lose access to your email account!

In one case, the company wouldn’t let me change email address without providing a screenshot of the inbox – impossible with a forwarding address! They only relented when I asked them to show me the requirement in their T&Cs for the account email address to have an associated inbox...

Many websites still don’t verify email addresses, too. This perpetuates entirely preventable unintended privacy and data breaches for people mistyping their email address.

Extraordinary data retention

It was concerning to discover that several sites I hadn’t interacted with in over a decade retained lots of personal data: name, phone number, history of delivery addresses, payment details, etc. This was true even in situations where a membership/subscription had lapsed many years ago or where I hadn’t purchased anything at all (e.g. abandoned checkout).

Are these places really “not keeping data longer than they need to” as their privacy policies so often claim? At what point would they delete this?

Many accounts also force individuals to keep unnecessary information on file. Why do we have to keep an address in our accounts? Or a phone number? Or our names?

In some cases, I wasn’t allowed to update a single piece of information – such as my email address – without also supplying additional information the company didn’t have: address, phone number, etc.

To combat this, I took a leaf out of Terence Eden’s book, entering ‘alternative information’ for required fields.

Lots of contact forms don’t practice data protection by design, requiring entirely superfluous fields: surname, address, phone number, date of birth. Some companies required me to enter credit card and transaction information just to change my email address.

Account deletion

I deleted a lot of accounts. In most cases this was because I was unlikely to need the account in future. But sometimes this was necessary as the company made it difficult/impossible to update information.

Very few sites made account deletion easy. Even fewer made it crystal clear that they delete your account and data. Account deletion is often framed as ‘deactivation’, which sounds suspiciously like they hold onto your data after deleting the account.

In most cases, deleting an account required searching through help pages, an internet search or contacting support. This led to a new personal policy: if a company doesn’t make account deletion easy or clear, I do a quick search of their privacy policy for their data protection officer’s email address and ask them to delete my data. This usually resulted in quick action.

NB: I wouldn’t do, or recommend doing, this to a microbusiness.

All I want is a big red button that says “delete my account and all associated data immediately”. Is that too much to ask?

This might seem over-the-top, but account deletion should be clear and quick. Users shouldn’t be forced to spend 10–15 minutes, longer if it involves contacting support, trying to work out how to delete their account.

A permanent record for convenience

I’m glad I did this but it was work. It also revealed just how much of our personal data is peppered through the databases of companies we no longer have a relationship with.

Yes, this information is necessary to perform transactions. But it was surprising and concerning to see how many sites retain this data for many years after my last transaction or interaction. In more than a couple of cases, over a decade had passed since I’d last logged in.

There are clear and obvious benefits both to users and companies for data to be held for a period of time. But going back through so many accounts, it was startling to see so many pieces of still-accurate data (e.g. phone number) retained in accounts I hadn’t touched in many years. This digital trail also revealed many old addresses and the contact details/addresses of people I might have sent things to.

Where does the responsibility lie? Is it down to individuals to keep tabs on every single account they create or purchase they make? Should we all be making diary notes to check in and delete our details? Or should there be a standard point at which users are deemed ‘inactive’, after which their data is purged?

It seems the default position is to hold user data indefinitely, despite privacy policies frequently saying “we don’t hold data any longer than we need to”. Generally speaking, this statement seems worthless.

This causes problems for users, who seem solely responsible for cleansing their data from every single company they interact with, even if it’s not clear or obvious their data is being held (i.e. when retained after an abandoned checkout).

And it could cause problems for companies, too: it increases the risk of unnecessary data being exposed in data breaches, which could lead to uncomfortable questions about their data retention practices.

If data were regularly purged when users become ‘inactive’, it would help users and companies alike. Individuals’ personal data would be held in fewer places, their digital footprint would be minimised and companies would reduce their exposure in the event of a breach.

Ultimately, buying from or creating an account with a website doesn’t mean we give the company permission to hold our data forever. But in many cases, it seems that is exactly what’s happening.