develop a data retention policy

[chadwhitacre]

After reading "The Internet’s Best Terrible Person Goes to Jail: Can a Reviled Master Troll Become a Geek Hero?," I had another wave of worry about the day when Gittip is subpoenaed. We talked about this a bit in the context of IP addresses (#345).

My thought is that we should only keep detailed info on money flows for a certain period of time, like 90 days or six months or something. After that we should compute aggregates and leave it at that. We want a certain amount of detailed history for our own anti-fraud efforts, but I think the value of the detailed data goes down quickly after a few months, especially relative to the risk of coerced divulgence.

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[chadwhitacre]

This actually solves a problem with merging accounts (#313). I had been trying to figure out how to maintain history for merged accounts where there is transfer history on the lesser account (the account going away). Maybe it's still an issue for the short term, but if we're willfully losing info in the long run then maybe it doesn't matter as much if we lose a little info in merging accounts.

Forgetfulness. Imagine if each of us remembered everything forever. It'd be a different life.

[chadwhitacre]

Maybe 120 days, since that's the chargeback window? Though that's the window for filing, might not hit us for even longer. Six months, then?

[thiloplanz]

+1 for keeping the payment related records only as long as necessary. There may be legal requirements in place that make that quite long actually (Flattr says they have to keep these things for years, even after an account has been deleted, but the situation in Europe is probably different).

So maybe not too much can be done about the financial stuff, but I'd like to include the policy to delete (or even better not collect in the first place) other information as soon as possible. For example, is it really necessary to use Google Analytics?

[ChimeraCoder]

Commenting on this because I came here by way of #375.

I'd like to include the policy to delete (or even better not collect in the first place) other information as soon as possible

I agree with this.

I'd like to include the policy to delete (or even better not collect in the first place) other information as soon as possible

There are some open-source and/or privacy-conscious alternatives. I can't remember the names, but I saw a few examples on a website this summer which compared privacy- & security-aware alternatives to mainstream applications. Some sleuthing should be able to find the HackerNews thread where I saw this if you're interested.

[chadwhitacre]

Via @selenamarie's links on Twitter: "How OSPs Can Develop Sane Network Policies to Protect Themselves From Legal Liability and Respond to Subpoenas and Court Orders."

[chadwhitacre]

IRC in the context of #54.

[chadwhitacre]

Received in private email:

Since this has actually been a rather unpleasant surprise when trying to delete my Patreon account, I figure I will check ahead of time with you.

• What is your policy on deletion and removal of personal and financial information?
• If I request my personal and financial information to be removed from your system, how long can I expect this to take?
• Can I be assured that, when I request my information to be deleted, that ALL instances of my information (including name, email address, and any and all relevant financial information) will be entirely deleted from your system, and that I will not be in for any unpleasant surprises should your system be compromised in the future?

Your privacy policy does not cover anything about how you respond to requests for deletion of personal information from your systems.

Thank you.

My reply:

No. When you give money to someone, the information about your gift belongs equally to them as to you. It wouldn't be right of us to alter history from their point of view, therefore we keep a minimal record of your gift. Other than that we do try to delete your info. We go into a bit more detail on the "Close Account" page. If you don't want to create an account in order to see the close account page, then you can see the same info in our source code:

https://github.com/gratipay/gratipay.com/blob/1773/www/%25username/account/close.spt#L100-L131

We do have a ticket about firming up our data retention policy:

#397

May I copy your comments over there?

Then:

Okay, I can live with a record of my username there, but what about payment information?

For example, this email/account is obviously a pseudonym, because I don't want to have a publicly accessible record of my name connected to funding activity. HOWEVER, almost any payment method I use is going to connect to my real identity eventually.

So, if I request my account to be deleted, is there still going to be a record of anything related to payment or financial information that could connect to my identity, or will it just be the user/profile information that I enter into gratipay?

May I copy your comments over there?

Sure.

And:

As an addendum to this question, would "altering history from their point of view" apply even if the only people I was funding had been deleted from your service for whatever reason?

[chadwhitacre]

The most definitive answer I can give you is the source code, so here it is:

https://github.com/gratipay/gratipay.com/blob/1773/gratipay/models/participant.py#L336-L500

So, if I request my account to be deleted, is there still going to be a record of anything related to payment or financial information that could connect to my identity?

Yes, because we don't delete your financial info at Balanced (our payments provider). It looks like we can do this to a certain extent. They do retain a record of your existence, but your sensitive financial info is pruned (they retain just the last four digits of your card number, e.g.). Here's the conversation I'm finding on their end:

balanced/balanced-api#22
balanced/balanced-api#29

And here's a new ticket I just made to track this on our side:

#3111

Feel free to subscribe or periodically check back there for updates.

As an addendum to this question, would "altering history from their point of view" apply even if the only people I was funding had been deleted from your service for whatever reason?

Good question! I've noted this on our data retention policy ticket. I don't have an answer for you right now.

Anything else I can answer at this point?

[chrisdev]

This discussion fails to take into account the role of Balanced. Their data retention policies are probably more important than ours (that is, once the person connects their credit card our even more critically their bank account)

Sent from my iPhone

On Jan 12, 2015, at 2:35 PM, Chad Whitacre [email protected] wrote:

Received in private email:

Since this has actually been a rather unpleasant surprise when trying to delete my Patreon account, I figure I will check ahead of time with you.

What is your policy on deletion and removal of personal and financial information?
If I request my personal and financial information to be removed from your system, how long can I expect this to take?
Can I be assured that, when I request my information to be deleted, that ALL instances of my information (including name, email address, and any and all relevant financial information) will be entirely deleted from your system, and that I will not be in for any unpleasant surprises should your system be compromised in the future?
Your privacy policy does not cover anything about how you respond to requests for deletion of personal information from your systems.

Thank you.

My reply:

No. When you give money to someone, the information about your gift belongs equally to them as to you. It wouldn't be right of us to alter history from their point of view, therefore we keep a minimal record of your gift. Other than that we do try to delete your info. We go into a bit more detail on the "Close Account" page. If you don't want to create an account in order to see the close account page, then you can see the same info in our source code:

https://github.com/gratipay/gratipay.com/blob/1773/www/%25username/account/close.spt#L100-L131

We do have a ticket about firming up our data retention policy:

#397

May I copy your comments over there?

Then:

Okay, I can live with a record of my username there, but what about payment information?

For example, this email/account is obviously a pseudonym, because I don't want to have a publicly accessible record of my name connected to funding activity. HOWEVER, almost any payment method I use is going to connect to my real identity eventually.

So, if I request my account to be deleted, is there still going to be a record of anything related to payment or financial information that could connect to my identity, or will it just be the user/profile information that I enter into gratipay?

May I copy your comments over there?

Sure.

And:

As an addendum to this question, would "altering history from their point of view" apply even if the only people I was funding had been deleted from your service for whatever reason?

—
Reply to this email directly or view it on GitHub.

[chadwhitacre]

This is hot right now.

[chadwhitacre]

Closing in light of our decision to shut down Gratipay.

Thank you all for a great run, and I'm sorry it didn't work out! 😞 💃