Online Identities: Forgotten but Not Dead

Nowadays there's a lot of concern and discussion about identities, about how to manage them and keep them secure and private. But there are some identities that many people are forgetting about. And that's no surprise, because the identities I'm talking about are clearly "forgotten identities." As someone who has been testing and using web-based services and applications since the early 1990's, I've signed up for and created user accounts on easily a thousand different services. And in most cases I use these services for a short time and then never return. But what happens to these forgotten accounts? Do they get deleted? Especially in the cases where I ask a service to remove an account? Or do they sit around forever? In most cases they sit around forever, in fact in many services, such as Facebook, it is impossible to delete an account. And the fact that we all have these forgotten but not dead accounts could add up to trouble.

Jim Rapoza

Nowadays there's a lot of concern and discussion about identities, about how to manage them and keep them secure and private. But there are some identities that many people are forgetting about. And that's no surprise, because the identities I'm talking about are clearly "forgotten identities."

As someone who has been testing and using Web-based services and applications since the early 1990s, I've signed up for and created user accounts on easily a thousand different services. And in most cases I use these services for a short time and then never return.

But what happens to these forgotten accounts? Do they get deleted? Especially in the cases where I ask a service to remove an account? Or do they sit around forever?

In most cases they sit around forever; in fact in many services, such as Facebook, it is impossible to delete an account. And the fact that we all have these forgotten but not dead accounts could add up to trouble.

I recently spoke to an eWEEK reader who saw one of these old accounts rise from the dead like Dracula in an old Hammer film.

This reader had been an early beta tester of the popular World of Warcraft online role playing game. He had tested the game, sent in his beta test notes and then walked away from the game.

But then two years later, his e-mail account started getting activity notices from this game account, which was strange since he hadn't touched the account in that time frame. Attempting to log into the World of Warcraft account he found that the password had been changed but since his e-mail was still associated with the account he was able to get a new password. Logging into the game he was surprised to find a credit card associated with the account, a card that was not his.

Now this wasn't a case of identity theft (the card wasn't in his name) but an online account associated with his name was being used for clearly nefarious purposes (most likely to test out stolen or fraudulently acquired credit card accounts). And one could easily envision situations where the risk to the user would be much worse.

If you're thinking that this couldn't happen to you as you don't use online games such as World of Warcraft or Second Life, guess again. How many e-commerce sites have you shopped at once, created an account and then never returned to? What about free webmail accounts? Or social networks? Old ISPs?

Face it, even casual Web users can quickly amass a large number of old and mostly unused Web identities. And they are just sitting there waiting to be found and used by someone.

What's the solution to this problem? Some might say universal identity systems such as OpenID will fix this as people will just have one identity that they use on multiple sites. But you'll still have standalone accounts on each of these sites, which could still be compromised in a number of ways.

To me the best solution is to completely delete these old accounts, but most sites and Web services are resistant to this idea. For them, identities and the data they contain are a potentially lucrative revenue stream and they want to make it hard for people to leave their services (if only to be able to make dubious claims of x number of users).

There has been some discussion of an Internet users bill of rights, and if such a thing did come about, a good addition would be the right to completely remove old accounts.

But until that day comes, be vigilant of the identities and user accounts you create and have created in the past. Just because you don't use them anymore doesn't mean someone else won't.