Change account deletion functionality to allow account anonymisation and prevent deletion of IDs

Platform(s), such as mobile, website, API, other: website, mobile

URLs (aka web addresses) of any pages, if relevant:

Description of need:
Currently, any user can choose to delete their entire iNaturalist account at any time. After initially clicking delete, users are shown a screen with text explaining the repercussions of deleting their account (how many IDs, observations, etc are lost), a warning that deletion is final, and a prompt to type in their username confirming their decision, It looks like this:

image956×997 102 KB

This feature was introduced back in 2019 as per this thread: https://forum.inaturalist.org/t/dealing-with-account-deletion/93

I think this was a good idea and much better than a single delete button without anything that may make a user think twice about it. However, I strongly believe that the current account deletion functionality needs to be improved ASAP, because the only option right now is scorched earth: if a user wants to delete their account, it deletes literally everything without a trace, with no other options. This is a terrible [non]choice.

Anoymisation options were mentioned all the way back in 2019 (see above thread), but 5 years later they still do not exist. Over the past few years, a number of users who had contributed significant numbers of IDs to iNat, at least one with literally hundreds of thousands of IDs and a number with tens of thousands of IDs, have deleted their accounts. At least three power users have deleted their accounts in the past few months. And these are only the ones that people are noticing due to high volumes of IDs disappearing; I can only imagine there are numerous accounts with perhaps only hundreds of IDs that are harder to notice when they disappear, but nonetheless still impactful.

Here are a few threads from the past couple of years:
https://forum.inaturalist.org/t/odd-amount-of-observations-without-ids/52436
https://forum.inaturalist.org/t/the-vanishing-of-a-fellow-inatter/38221
https://forum.inaturalist.org/t/deleted-account/40327
https://forum.inaturalist.org/t/deleted-identifications/14827
https://forum.inaturalist.org/t/can-observations-get-kicked-back-to-needs-id-if-an-ider-leaves-inat/36919

Each time another user deletes their account and someone stumbles upon missing IDs, comments replying to noone, etc, a new thread gets made, and the same discussion plays out over and over without any actual new functionality being implemented.

It seems ludicrous to me that someone can choose to delete all trace of an ID that they have made. Perhaps I am naive and/or missing something obvious, but I do not understand at all how an ID, provided the user has been anonymised in some way, can be interpreted under any law as constituting personal data or intellectual property. I can understand situations where a user may feel compelled to delete all of their observations for eg safety reasons, and whilst it is frustrating as an IDer to have ‘wasted’ time IDing their observations, I have no qualms with allowing a user to still delete all of their observations (or other content such as journal posts or comments) if they choose to do so. But if a user has been anonymised, and their observations are gone, an ID does not reveal any personal information about a user whatsoever.

The deletion of IDs not only causes observations to lose taxonomic resolution, eg being bumped back from species to genus, but also actively allows incorrect IDs to be reinstated if the deleted IDs were disagreeing. I have spent the past few days going through Australian plant records and fixing some blatantly wrong IDs due to a deleted account, with the user having previously added disagreeing IDs. Most of these observations were uploaded to iNat 2-3 years ago, and if I hadn’t noticed the account deletion, and figured out who it was and thus which observations to check, who knows how long they would have sat there with a wrong ID again, buried beneath the thousands of other observations that have been added in the meantime. This is not the first time I’ve had to do this, and I know many other users can sympathise with having to go back and try to put the pieces back together from literally no trace.

Obviously I am somewhat comparing apples with oranges, but a taxonomist who has gone to herbaria or museums and added IDs to specimens cannot just go back to these institutions at any time they wish, and set fire to all the det slips. The idea is absurd, and the concept is paralleled in iNat.

In my opinion, allowing IDs to be deleted automatically and en masse in this fashion delegitimises iNaturalist as a scientific resource and directly negatively impacts its reputation.

I strongly believe that this is currently one of the highest priority issues for iNaturalist. As the site continues to grow exponentially, the impact of account deletions will only increase.

Feature request details:
I am requesting a significant change to the current account deletion process. Instead of a single option, ie delete all content without a single trace, users should be offered the following two options:

1. Completely anonymise this account but retain all content.
   It’s possible to partially manually do this of course simply by changing your username and changing/deleting your name, but I imagine this could be a helpful option for users that may also want all the times they’ve been tagged in a comment to have the username changed too (if that’s something that is even possible, I have no idea). Regardless, I think having this option could maybe also make users rethink picking a ‘harsher’ option if it’s done automatically for them. I don’t care what this anonymisation looks like; ‘user123’, a random string of numbers and letters, it doesn’t matter. Whatever is easiest for staff to implement and/or is the most robust to de-anonymisation.

2. Completely anonymise this account and delete all of my observations/comments/journal posts (basically everything except IDs).
   This option is an additional level of anonymisation by removing any comments that may indicate their identity, and observations that may reveal personal information such as home address or workplace. I would also be ok with option 2 being split into several suboptions, ie delete just my observations, delete just my comments, etc.

I do not think users should be given the option of deleting their IDs on this screen. If they want to delete their IDs, they can do so manually, one by one, as is already possible. I do not see any reasonable situation where the automatic deletion of every ID a user has ever made is something that should ever be justified or offered.

If, however, this is a deal breaker for legitimate reasons (which I don’t think exist, but I am open to explanations of course) then it can be a third option. If this is the case, I think the current warning text needs to also be amended to emphasise even more strongly the actual ramifications for other users and the scientific quality of iNat data.

If other users believe the two options should be a bit more nuanced, with other options also available, I am also keen to hear those ideas.

Also, if a scorched earth option must be included, then the deleted IDs need to have some trace retained. Whether this is through notifications, ‘ghost’ IDs, or something else, I’m unsure. Lots of options have been discussed in other threads, and I don’t know what would be best, but one of them has to be implemented as well if this is the case.

Please do not discuss reasons behind account deletion on this thread, or criticise users for doing so. Whilst I personally vehemently disagree with account deletion, it’s not fair to speculate as to why these users have done so, because there are clearly legitimate cases where users may eg have safety concerns. Please stick to either supporting or critiquing my request/suggesting changes or improvements to it.

Great idea. I knew a guy who had helped out a lot on the ID of recluse spiders (Loxosceles) of Mexico, but apparently he accidentally deleted his account, thus deleting all of those useful IDs he had added.

I agree that account deletion is a problem, and I like the idea of having more options for users who want to delete their accounts.

However, I have strong objections to allowing any anonymized content - either observations or IDs. Certainly, current practice at natural history collections (if comparing iNat to one is desirable) is to record the collector (ie, observer), and this has been the case for hundreds of years. I have seen some older specimens without collectors listed and cases with donated specimens without full info - these types of specimens are generally regarded as less valuable/reliable and often have errors associated with them. NHC records also include curators who accessioned and/or who made the ID of a specimen (though this is often the collector).

Without an ID to attach to an observation or an ID, one of iNat’s primary strengths (in my eyes) is lost: transparency. It is important to know which user made an observation or ID for a host of reasons which have been reviewed in other threads.

One way to think of this is: would we allow a user to make new observations or IDs anonymously? I think the answer is a clear “no”. If this is the case, we shouldn’t allow anonymized observations or IDs for a user who wants to leave iNat either - there’s nothing fundamentally different about this case when it comes to the value of IDs/observations. In my mind, allowing anonymized content on iNat would undermine iNat’s reputation and validity.

I’d be in favor of implementing something like a placeholder with a note that says “ID deleted” or “Comment deleted” on observations, but aside from that, I wouldn’t want any anonymized content on iNat.

I’d also be in favor of allowing users the option to delete all IDs, observations, or comments separately as this could allow for retaining some non-anonymized content that might otherwise be lost.

But (a genuine question) how is this any different to an account where the person’s username is something like ‘buglover’ or ‘canadabirds’, and they haven’t provided their name, a profile picture, a bio or any other personal details?

There are literally thousands of accounts right now where the person’s username is in a format like ‘naturalist[random number string]’. How are these any less anonymous than an account that has been anonymised by staff?

I understand the point you’re making, but I struggle to see the difference between the thousands and thousands of ‘anonymous’ active accounts right now that are allowed to exist on iNat and a purposely anonymised account.

I have some more to say about this, but I need some time to formulate my thoughts and I want to point out a distinction that i think is relevant to the discussion.

There is a difference between pseudonymization and anonymization.

I am far from an expert on this, but in the context of iNat, I would consider pseudonymization to mean that the content associated with a specific user would continue to be associated with a single user (identified by a pseudonym), but information directly linking it with that user’s original identity would be removed.

Anonymization would mean that each observation/ID/comment can no longer be linked back to a particular user (because a user might be identifiable based on their identification habits, the location of their observations, etc.). All content would have to either be attributed to a single account for all deleted users or each item would have to be independently assigned to a random anonymous user ID.

This proposal is suggesting the first of these scenarios, correct?

That’s a good distinction that I neglected to think about. I am open to either, whichever people think is more appropriate

Please, please do this, iNaturalist. Or else simply prohibit deletion of ID’s & comments.

While

these may be pseudonyms, they are not anonymous per se as @spiphany pointed out. It is possible to determine what other observations the user has IDed, observations they’ve made, flags, etc. - The user has a history on iNat that is interrogable by other users. Additionally, the username is linked to an email address and IP addresses which staff can access in the rare case that there are issues.

With an anonymization option, a user’s profile page would not be accessible, and it would be impossible for any other user to interrogate their history on the site. Once there were more than a few anonymized power users, their site activity would be an indistinguishable lump of contributions. “Anonymous” would be the most prolific iNat user in perpetuity.

I think pseudonymization (sp?) would prevent most of the problems with anonymization. However, I don’t see how this would be fundamentally different to a user logging in, changing their username and wiping account details, and leaving forever. I don’t think a pseudonymization option (as opposed to an anonymization option) would get a user choosing to pseudonymize anything that they can’t already do (though happy to hear otherwise). I also don’t think this type of functionality would end up being much different than some previous proposals for freezing accounts or designating accounts with deceased owners (excepting the change/removal of username and PII). NB: I support both of those.

However, it probably wouldn’t be too difficult for someone determined to assess which previous user a pseduonym referred to. Only true anonymization would really offer privacy benefits I would think.

For the record, I would personally support removing the ability to delete IDs, but I think staff have indicated pretty strongly that this will not be considered. Even in light of this, I would still not want anonymization.

A couple of other adjacent issues to consider:
What happens to the content of other users who have interacted with the anonymized user? Are any mentions of the anonymized user in the other users’ posts edited automatically to change the username? If not, the anonymized user loses privacy (ie, I can still potentially tell that an observation or ID is the anonymized user’s depending on what comments others have left), but if the mention is changed, this involves a loss of information for commenters or other users who have their content changed (which I would not be in favor of).

Is the anonymized user’s original name then available again? Or is it permanently unavailable? If it is available again, this could definitely lead to confusion. Come to think of it, this is actually an issue with deleted accounts as is if the name becomes available again…

If you are quick enough, tiwane can retrieve and reinstate the info - which he did for a friend who lost her iNat profile around the Update Your Email process. Oops! Gone

But back to IDs - for me - ‘half’ the value lies with WHO IDed That as That. I don’t care whether you use a 'nym or Herr Professor Doktor Sowieso. I look at your profile, if there is no info then at your obs. Also none? Well then your pattern of IDs and most especially when you leave comments - why it is, or is not that. Those explanatory comments would be an even greater loss than a mere ID.

You are going from John IDed all the green legged spiders. John has left. There’s a chunk of his GLS IDs missing. But an anonymised GLS ID has no value - who was the identifier, do they know GLS or was that a ‘thank you for looking’ ID?

And I cannot ask Anonymous to explain. Or to reconsider when taxonomy changes.

It was a couple years ago, and I don’t remember his username or real name :(

No the window is more like a week - where they still have backup. But tiwane persevered!

To start off with, I absolutely think that a better way of handling account deletion is absolutely essential and long overdue. My comments here are meant not to hinder implementation of some solution, but to try to work through some of the considerations that need to be addressed when deciding what these changes would look like.

There are some non-trivial questions that would need to be resolved. IDs in particular present some significant challenges.

I agree with many of @cthawley’s comments. I suspect that if someone is deleting an account for safety reasons, pseudonymization would not be sufficient, because essentially all that account deletion would do would be replace a previous user name with a new one. However, I don’t know what percentage of account deletions are motivated by safety concerns rather than, say, conflicts or frustration.

If IDs are kept as active IDs and IDs from all deleted accounts are assigned to the same generic user, what happens if there are multiple IDs from different deleted users on a single observation, since iNat only allows one active ID per user? This is not a hypothetical question: I know of at least a couple of serial account deleters – people who deleted their account because they were upset or got suspended, and then a few months later created a new account and ID’d some of the same observations before subsequently deleting that account, and so forth. It is also conceivable that a particular community within iNat might experience conflicts within the community or frustrations with the platform that results in multiple individuals with similar interests and ID activity all deleting their accounts.

This also relates to another problem with keeping IDs by deleted users as active IDs (counting towards the community ID). If a user deletes their account because they are angry or upset or overwhelmed and then decides, some time later, that they still want to participate on iNat and therefore creates a new account, there is a high probablility that they may end up IDing some of the same observations they ID’d before, because presumably their interests and skills have not radically changed. If their previous IDs have been assigned to an anonymous or generic deleted account, there is no way to determine which IDs are affected by this. It would also be very easy for someone to deliberately abuse this in order to manipulate the validation process.

There is also a question about what an ID means if they are fully anonymized, i.e., can no longer can be attributed to any specific user. The legitimacy of an ID is connected with the fact that it was made by a particular person – even if we only know that person by a pseudonym (their user name), it is still possible to examine that ID in the context of that person’s other activities to assess the plausibility of the ID. An unattributable ID means that there is no one vouching for it or taking responsibility for it.

In the previous discussions, I came to the (reluctant) conclusion that I do not see any way for IDs from deleted users to continue to be treated as active IDs. I think it would be useful for them to continue to be displayed (e.g., equivalent to withdrawn IDs), either with attribution to a specific pseudonym or as being from “a deleted account”.

What I do see as absolutely essential is that a note be left when content has been deleted (instead of the “delete without a trace” system that currently exists). I have actually been thinking about formulating a feature request for this, because I think it is important for other reasons besides account deletion and trying to reconstruct lost IDs. When active accounts delete IDs and comments it is similarly problematic: in both cases, they make conversations and ID processes incoherent – it is often very difficult to figure out what happened because there is no indication whatsoever that something was originally there and is now missing.

I think another important part of the equation is not just mitigating the effects of account deletion and providing users more options when doing so, but also reducing the number of accounts that get deleted. Obviously the reasons for deletion are manifold and complex and it is not my intention to get into a discussion of motivations here. What I’m wondering about is something like an option to (temporarily or permanently) declare one’s account to be inactive instead of deletion. Notifications and tagging would be turned off, inactive users would be greyed out or removed from the leaderboards, and they would have to go through a reactivation process in order to use their account again.

For some users, this might be an acceptable alternative to account deletion – e.g., if they feel a need to “turn off” their account because they no longer plan to participate but do not necessarily wish to remove their previous contributions. It would also be relevant for users who wish their account to be formally deactivated after their death. I can potentially see such a setting as being useful as a sort of “out of office” notice for users who wish to take a break from iNat and don’t want to be reachable or feel obliged to check notifications during that time.

Possibly an inactive account setting could be integrated with a “cooling off” period prior to account deletion – i.e., before the account is deleted, it would be assigned inactive status for several weeks; at the end of this period the user would be asked to confirm that they still want to delete their account permanently, with the choice to leave it as inactive or reactivate it instead.

Just adding a thought:
If there’s an inactive account setting, I would like to see for inactive accounts:
a) observations accept community ID
b) identifications accept taxonomic updates

I think there should definitely be multiple options for deletion, even if it’s something you already can do (like delete biography, profile picture, change username, unsubscribe from email, etc).

I’d support making it harder to do a full delete, and making the default option deactivation of some kind.

Perhaps even when doing a full delete, the observer could be informed that their account will continue to exist offline for, say a month, so that if they change their mind during that period there is the possibility to recover it. That would make it easier to reverse a delete done in a moment of high emotion and later regretted.

I think GitHub’s account deletion policy does exactly what you’re hoping to accomplish. By associating identifications and comments with something similar to the ghost user, the information could remain on the site in a useful way.

Here’s an example repository where I transferred ownership to a new account and deleted my old one: (filtered commit history to illustrate ghost user).

As you can see, useful information remains (who did what and when), but the account no longer exists. In this case I had added a name to the account. I believe there are instances where it can just be a username, but I’m not entirely sure.

just woke up and had the chance to read everyone’s comments since my last reply. Really appreciate everyone’s votes, feedback and suggestions.

First my most important clarification. In my original post, any time I said anonymise, I actually meant pseudonymise. This was clumsy/inaccurate on my part failing to differentiate between the two, so thanks to @cthawley and @spiphany for correcting me on that.

so I definitely did not intend to suggest that

should be the solution here at all, again, that’s my bad for poor word choice.

I agree that in probably 99% of cases it wouldn’t make a difference, but if maybe the person wasn’t thinking straight, they hadn’t considered the straightforward approach of doing this manually, and they were then explicitly given that choice, maybe that 1% would pick that option, and to me that would be worth having it presented

I agree with you, and mentioned this in my original post:

I personally don’t think this is a issue. I actually think the current situation is more confusing for people where a username is tagged in a comment, they click on it, and it takes them to the mole page. For the many users that don’t know about account deletion/how it works, this is an immediate source of confusion as to why the hyperlink takes them to a non-existent page that is used as a generic error message for a few things.

A good question, and I’m kind of indifferent on this because I can see pros and cons of both options. On the one hand I definitely agree it could cause confusion (although as you say, this already exists now with the status quo). On the other, if someone’s username was ‘johnsmith’ or something, there are going to be plenty of other johnsmiths joining trying to create that username anyway, and if they didn’t get it, making john_smith or john-smith or johnsmith1, so I don’t see much difference between the two.

but if the concern was safety, they would pick option 2 right? If a user has been both pseudonymised and had their observations, comments and journal posts deleted, that would surely be sufficient in my mind re safety.

yes good point I hadn’t considered. And I’m not sure of the best solution. Perhaps along the ghost ID lines, deleted IDs enter a ‘limbo’ state where they initially still function as an active ID, but as soon as another user comes along and adds a new ID to that observation, they become ‘inactive’ and no longer contribute to the community ID?

point taken, but people already do this now via sock puppets, so it would not be a novel problem to deal with per se

yes agreed, bad wording on my part

I can understand your position, but I personally strongly disagree, given that any user can currently already manually ‘inactivate’/pseudonymise their own account by editing their username, removing their real name and/or profile picture and/or bio. How is a user who has done that, with all of their IDs remaining active because they simply log out and never log back in, any different to a deleted user having their IDs pseudonymised by staff using the exact same process?

I actually considered adding this as an option 3 to my original proposal, and would definitely be in favour of this.

I support this one!

At the beginning of my post I discarded the idea of pseudonymizing deleted accounts, precisely because users can essentially already do this themselves. My assumption is that if someone is actively making a decision for account deletion, they therefore want a more extreme action [1], so really only anonymization is left, and I don’t see that as being compatible with IDs remaining active.

For users who don’t want their content affected, I proposed the alternative of a reversible inactive status for the account.

Again, I was considering this in the context of anonymized IDs, which mean that there would be no way to detect the new accounts; at present it may often be possible to identify sockpuppet accounts based on similarities in ID patterns or other user-related information (IP addresses etc), but this is lost when there is no longer any attribution to an identifiable unique user.

[1] The motivations for taking the step of deletion are relevant, I think. As I understand some of the comments in the past threads, some users have indicated that the appeal of deleting their account (rather than just logging out and never coming back) would be precisely in its destructive effects. For users who have experienced ongoing, unresolved frustrations with either some of the structural limitations of iNat or interpersonal frictions, it may feel important to have the option to able to remove one’s contributions (including IDs) en masse, because the decision to leave iNat is more than just choosing not to continue participating, but connected with a feeling that iNat/the community does not deserve to continue to benefit from one’s efforts and energy.

Now, whether or not users should be able to remove their past IDs or not is a different question.

There is also a question of whether some account deletions would be avoidable by fixing some of the underlying limitations that lead to such unresolved IDer frustrations (e.g. site development has not always seemed to place importance on making improvements that would benefit IDers; there have been some notable cases where existing conflict-resolution mechanisms have very obviously failed, etc.).

For most cases, I agree with you for sure. But I genuinely believe that there are cases where a person may be in a particular mindset such that they have no intention of having to manually change their username etc (even though it’s relatively easy and quick to do so of course, it would probably seem a tedious and annoying thing to do for some people intent on deletion and in a bad frame of mind), but then when attempting to delete they see this option and think ok actually I’ll pick that since it’s done for me with a single click.

I have no doubt as well that there are probably some users who either don’t realise they can change their username at any point, or simply don’t think to apply that as a solution at the time.

I’m almost certainly talking about a small minority of cases, I’ll readily admit that, but as I mentioned earlier, if having that option available prevents even a small handful of account deletions, that’s a net positive in my book, especially if those users just happened to be significant contributors