Welcome to the modern "usable" internet, where mail validation "spoils the user experience" and "is bad for conversion rate". I guess Apple has a valid way to subscribe without e-mail verification somewhere.
Let me tell you a story, sorry if it is somewhat OTish, but I really feel related to the programmingzen guy. Back when I got my Gmail address I got a 6 char username account of the form name+surname initial. My name is Pedro, it's not that common but neither is it a bizarre name. At the moment, I can count 5 different people who sometimes think they own my e-mail address, or have e-mail addresses that are similar enough to mine so that people usually mail me instead of them.
About a month ago, one Pedro subscribed to Redbox. It seems Redbox has kiosks where you can instantly subscribe and order your first DVDs there; those kiosks do no mail validation. Someone used my e-mail on the kiosk, and ordered his first DVD. I got the receipt in my inbox.
At first I thought he would realize he did something wrong and fix his Redbox account from his computer later. He didn't. In fact, he somehow managed to order more DVDs, so I got more receipts in my inbox. I used the password recovery feature and logged in to his (or mine?) Redbox account. There was no way to delete it, neither was it possible to avoid getting receipts by e-mail.
I contacted Redbox support asking them to close the account, or at least stop sending me receipts. This was their proposed solution to my problem:
As long as he or she keeps using your email address, you’ll continue to get receipts. To avoid receiving them, please block the sender’s email address or mark the messages as spam. If those options don’t work, you might need to contact your email provider.
So yeah, Apple is not the only one who doesn't care about people who by chance get subscribed to their services.
Fortunately, after about three weeks, Redbox started mailing me and asking me for e-mail validation with big red banners and all caps subjects. I didn't reply to any of those e-mails, and it seems they finally deleted the account.
Free anecdote: Once, one of the other Pedros' mom died. That week my inbox was completely surreal, and sad.
PD: I live in Argentina. So no, free DVDs were not an option for me.
I wish my gmail account only got the emails for 5 strangers. It's more like 50. It is indeed incredibly hard to get these errors fixed, even when they're fairly serious. Like the guy working at a US army base who managed to sign up for their internal newsletter using my address, or the married couple who gave various financial institutions my email address when buying their first home a few years ago. I'm still getting their financial information occasionally, despite trying to tell the senders that they have the wrong address.
I had this where I'd be getting a "statement notification" from some guy's bank every month - no financial information in the email, but you also couldn't unsubscribe without logging into the online banking thingie. In the end I googled the guy's name (it was in the email), found the one with a really similar email address to mine and let him know :)
I have the same problem. Most recently someone signed up for a DirecTV account with my email. I went back and forth with DirecTV customer service about 5 times before they removed my address.
I have to wonder if these companies are violating the CAN-SPAM act by not giving us an easy way to opt out...
I'm just as puzzled by this. If a customer makes it clear that he wants to pack up and go, why wouldn't you just let him?
It reminds me of the way Facebook treats its users. I've tried to get rid of an old account, and I found it's nigh impossible. The most a mere mortal can hope for is for the account to be put in hibernation mode -- but if you ever make the mistake of logging into the account ever again, bam! You're back.
I've had the same Apple ID since the day iTools launched (in 2000), and I've never felt the need to cancel or delete an account, but I assumed they would let me! I see no good reason Apple would keep around every account that was ever created.
You really shouldn't be puzzled at this. It is actually pretty easy to explain if you have ever worked on a large scale website before. The problem is you begin to accrue large amounts of data and metadata (data about your data). And just "getting rid" of that data is actually hard at scale for a few reasons:
1) Let's say I post on your wall and then I delete my account. Does that mean the message should be removed from your wall? What if you really liked the conversation in the comments that took place after I posted the comment, you are just out of luck? It gets trickier and trickier to handle these types of problems as things like groups, forums, and tagging get added to the social network feature set. All of a sudden it is very confusing and unclear what exactly should happen with this type of data. Let's say you do keep that message, then how much of the deleted account is required to keep alive to maintain your database relations (this assumes you are using a normalized relational database to manage your site)?
2) The site I work on gets a lot of data from users. It isn't uncommon to have ~5MB from a single user in our database. The actual delete operation on those tables is really rough. If 4 users all tried to delete their account at the same time, doing a straight DELETE on the tables would be horrible. Not to mention it leaves holes in your tables in some cases.
3) Is it actually legal to delete the data? Can Apple just delete an account where charges can be placed? I would think they need to keep a history of who used what credit card and so on. I am guessing that medical records and emails for large companies have some kind of restrictions about data retention.
4) The backup issue. If a user deletes their account, does the user expect that the company also goes through all their backups and deletes their information from there as well?
All of these things add up to a pretty big burden pretty quick and I think it is logical to see why companies might choose to not allow people to delete their own data. I can also understand why people disagree with that decision, but it really shouldn't be puzzling.
It should be just as puzzling as any other security / privacy issue. No more, no less.
If a website doesn't take security and privacy as high priority concerns, then they don't want me as a user. I hope to educate more people to feel the same as I do.
I won't defend Apple/Facebook, because I think it's nonsense, but here are a couple (technical) reasons why companies like that might justify keeping the account around:
- Integration with other systems. It's easier to just mark the account record as "inactive" than it is to add functionality to remove it and any references to it from all the other systems. There can be a lot of cascading that would need to happen.
- Auditing/Reporting. Perhaps legal or accounting feels the need to keep it around "just in case". Maybe they think they'll need to look up the history of the account one day or audit the activities of previous user at some point down the road.
It's been a while since I deleted my account, so I can't remember how to get there (just found it in 30 seconds googling), and yes you do have to avoid logging in for x days (if I remember correctly it's either 30 or 90) before the deletion becomes permanent.
But that's a long way from not being able to delete your account at all.
Oh, I've finally managed to do it, but it took way more effort than it should have, and I know that someone like my mom wouldn't be able to do it at all.
Not interacting with Facebook sounds easy, but it's not.
You have to clear the caches on every browser on any computer that you've ever logged into Facebook with. You have to delete all native Facebook clients. You can't log into any site that uses Facebook Connect. You can't accidentally click on a Facebook 'like' button. You can't respond to any mails Facebook sends you or click on a Facebook related link. Etc etc.
If you so much as look in the direction of Facebook during the two weeks following your deletion request, it is canceled.
Wait. If you delete your facebook account and then accidentally click a like button, you're just magically logged back in? It doesn't ask for your password?
I created an account to stop the invites email after I've deleted it once.
5 or 6 months, and all my data was still there.
After I deleted it again, 4 months later it appeared deleted when I recreated it. But a 100% match on my 1st friend list and my 3rd installment of the account is weird.
They might have only been able to hit a low level support rep who doesn't know anything. Hopefully, a story like this will get the attention of someone who can actually figure out what's going on here and do something.
It's really easy. Have a boolean flag called "deleted" or "defunct". If the bit is set, never display that account or allow it to log in. From the outside, it does not exist. But for referential integrity and other auditing, it does. This is pretty common.
I think the issue here is that the word "delete" is being applied to two mostly-unrelated operations: removing users who no longer want to be part of the system/have been banned/etc., and removing accounts which were never operated by a human being at any point at all.
The former is "hard", since even though you might not want the user around in the present, you usually want their history to persist. However, the latter case is comparatively simple. If a spambot posts on my wall, then yes, emphatically, delete that wall post when you delete the spambot. Delete any photos they uploaded. Nullify all their votes/likes/plus-ones/whatever. Make it so that the whole thing never happened, other than perhaps as a line in an abuse log.
It is critical, though, that this should never happen automatically in a case where an automated account might be confused with a human one. It probably shouldn't even be exposed as part of a bulk "check off these accounts and purge" moderation view. But in cases where the automatedness of an individual account is out in the open and there's no contradictory evidence whatsoever, the "tactical-nuke" button could be a viable option. (Whether you can trust your community's moderators to not misuse this button is a whole 'nother can of worms.)
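The two "delete" operations discussed in the comments above (a soft-delete flag that hides an account and blocks login while keeping its history, versus a full purge of an account no human ever verified) as an added example on a small in-memory model; this is illustration code, not anything from the thread or from any real site, and the user names, posts and e-mail addresses are constructed.

```python
# Added example, not code from the thread: soft-delete vs. purge on a tiny social graph.
from dataclasses import dataclass

@dataclass
class User:
    email: str
    email_verified: bool     # did a human ever confirm this address?
    deleted: bool = False    # soft-delete flag: hidden and cannot log in

class Site:
    def __init__(self):
        self.users = {}        # name -> User
        self.posts = {}        # post_id -> (author, wall_owner, text)
        self.likes = set()     # (user, post_id)
        self.abuse_log = []
        self._next_id = 0

    def register(self, name, email, verified):
        self.users[name] = User(email, verified)

    def post(self, author, wall_owner, text):
        self._next_id += 1
        self.posts[self._next_id] = (author, wall_owner, text)
        return self._next_id

    def can_log_in(self, name):
        u = self.users.get(name)
        return u is not None and not u.deleted

    def wall(self, owner):
        # History persists: posts by a soft-deleted author stay, author hidden.
        return [("[deleted]" if self.users[a].deleted else a, t)
                for a, o, t in self.posts.values() if o == owner]

    def deactivate(self, name):
        # A real person leaves: flip the flag, keep every row for integrity/audit.
        self.users[name].deleted = True

    def purge(self, name):
        # Never-verified account: drop its posts and likes, keep only an abuse-log line.
        u = self.users[name]
        if u.email_verified:
            raise ValueError(f"{name}: refusing to purge a verified account")
        gone = {p for p, (a, _, _) in self.posts.items() if a == name}
        self.posts = {p: v for p, v in self.posts.items() if p not in gone}
        self.likes = {(usr, p) for usr, p in self.likes
                      if usr != name and p not in gone}
        del self.users[name]
        self.abuse_log.append(f"purged unverified account {name} <{u.email}>")
        return len(gone)
```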
I've been getting emails from Verizon about home phone, DSL, and cell service for over two years. I have never been a customer. The password reset for the account requires account numbers I don't have access to or the ability to receive text messages on cell phones I don't have. Verizon support's only solution is to contact the account holder and have them remove my email address from their account.
No, they only have CAN-SPAM. As long as Apple doesn't actually send emails, I believe they can keep the address indefinitely; however, the minute they shoot out a promo email, they have to obey CAN-SPAM, so the user would have a right to be removed from the database.
I thought it was an Apple mistake. At least five of the people I follow on Twitter received this John Dillinger mail, and there's a person in the comments saying he/she received the same mail. (And all these persons have nothing to do with each other)
Maybe I'm on the wrong trail here, but might this have something to do with the transition of AppleID/MobileMe -> iCloud?
If this email was (a) an Apple ID, or, more likely in this case, (b) an email address associated with an old Apple ID (that wasn't already in the form of a@b.c) then Apple could have just converted it to their new form of "every apple id should be in email address form", which I've noticed has been pushed far more with the transition to iCloud.
Though what throws me off is "Welcome to the Apple Online Store". Very specific. Too specific.
Has this email been used for purchases from Apple, at the very least?
I'm not sure I would have contacted Apple about this, given their penchant for punishing security researchers who bring problems to their attention.
What I don't fully understand is if the attacker doesn't need access to the email account in question, why would they even use valid email addresses? Wouldn't it be less risky to use bogus addresses?
It's because most registration forms not only check that the email address you entered is valid but also whether it exists. This is done by using nslookup to query for a domain's MX record and then checking the specific address.