Proposal :LightWayUp wrote: As an on-going effort to make what should have been publicly available to the community since the beginning -- feedback and suggestions -- more open, this suggestion submitted through the ticket system is being made viewable for everyone. More of my suggestions will be made freely viewable in the future.
The following is the complete suggestion ticket's content, except for NxDs' previous response which has been removed for privacy considerations. Peaceful discussions and constructive criticisms are welcome.
Submission time : 2018-06-07 17:25:46
Ticket number : 2469
Implement opt-in account management service.
1. By allowing members to configure automatic account removal, the number of inactive accounts could be reduced, releasing valuable server resources.
2. By allowing manual account deletion, members have more freedom and control over their own data.
1. It's NOT a goal to allow members to request permanent and total data deletion, including in-game chat logs, forum posts, private messages, submitted tickets, ExtremeCraft Discord server chat logs, activity logs and other automatically or manually recorded data, from the server.
2. It's NOT a goal to have forum activities or activities in ExtremeCraft Discord server count as in-game activities, and used for resetting the counter responsible for tracking the number of days of account inactivity.
These non-goals may be submitted in the future as separate suggestions.
1. Automatic account management :
The account management service should be disabled by default. At least one email address is mandatory for activating the service. Provided email address(es) are used for notifying members regarding their automatic account management and deletion status. More details are described below.
The service should allow members to set the amount of time to wait before deletion takes place. For example, one could choose to delete account after 1 month, 3 months or 6 months of inactivity. These numbers are just examples and do not necessarily represent the real options available if the service is implemented.
Members who have automatic account deletion enabled would receive one or more emails as reminders when the deletion date is approaching. The email should clearly state that by logging into ExtremeCraft server in Minecraft before any action has been made, they can and will reset the counter responsible for tracking the number of days of account inactivity.
By sending emails to members who have this service enabled, we can be more certain that they do want to proceed on with the automatic deletion process, and that they understand the consequences of this action, including inability to obtain ExtremeCraft related items previously purchased from BuyCraft again after the account deletion. More previously raised concerns are addressed or discussed below.
2. Manual account deletion :
Members should be in control of their own account and data.
The ability to manually delete account, or to configure settings to enable automatic account management and deletion should be enabled when all of the following conditions are met.
- The member has no significant offences or bad behavior track records : Currently or previously banned players will not be able to use the features, either for a prolonged, predefined, fixed length of time, or permanently. Members whose number of offences exceeds the threshold also can't utilise these features. The offences to consider may either be all offences since account creation, or "recent offences" which are ones recorded within last 90 days. Threshold, for example, may be 3 offences in the past 90 days. Exceeding this number disables the member's ability to use the features, either for a predefined, fixed length of time, or permanently. These numbers are just examples and do not necessarily represent the real limitations if the feature is implemented.
The automatic account deletion service will be cancelled and not automatically started again if the member makes one or more significant offences, or enough offences to exceed the threshold mentioned earlier, after the feature is enabled.
- The member has provided one or more email addresses. At least one is mandatory.
Concerns and solutions :
1. Implementation difficulty :
As the automatic account management service is disabled by default, we should NOT expect all or most people to enable it. As the number of members enabling the service would probably not be high, sending emails should not take many server resources. Plus, emails are only sent when an account is considered inactive and is approaching the end of configured wait time for account deletion.
The offences could be tracked automatically. No human intervention is required for enabling or disabling services and features for accounts.
2. Legality issues :
By using either one or both of the two features, the member has to agree to additional terms. The terms should NOT be "somewhat ambiguous or vague". They should be stated on the "Legal" page of this website and the page for enabling or using the features. They should clearly state that account deletion involves partial or total removal of personal data and information, and purchase history and ownership of items obtained from BuyCraft store will also be removed. No refund should be given, to be consistent with the current "no refund" policy.
3. System abuse :
Disable the manual account deletion feature for accounts created within last 30 days, until the account has existed for more than 30 days. Automatic account management service should still be partially enabled as actions are only taken after configured wait time for account inactivity has been reached. Options less than 30 days, if there are any, should be disabled for accounts created within last 30 days, unless the account has existed for more than 30 days.
4. Account ownership verification :
Account ownership needs to be verified through emails. This is possible, as enabling the service requires at least one mandatory email address. Upon attempting to enable the service or to manually delete the account, a verification email will be sent, and the account owner needs to proceed on by following the verification link contained in the email.
In the event an account is compromised, it would not have any difference with the one compromised when these features aren't implemented. More is discussed below.
Response to previous reply ( or replies ) :
By : NxDs
At : 2018-06-01 11:50:31
For the second concern, it is now addressable with the solution stated above in the "Details" section.
For the first concern :
Without the features implemented, anyone with account password can still access the account, change the current password without the original owner knowing, then either wait 30 for the account to be deleted if no purchases have been made on BuyCraft, or log in in-game and intentionally violate the rules, causing the account to be permanently banned, if some purchases have been made. Since the original owner does not have access to the account, he/she/they can't submit a ban appeal to reverse the action.
With these two features implemented, the account could be deleted through automatic account management or manual deletion, but for the process to continue, actions have to be verified through emails. If the person compromising the account doesn't configure or reconfigure the email address, the verification will not pass and the process would stop. However, even if the email address is changed by the compromising person, it would at worst only have the same effect as that of what could already be achieved now, which is to wait for the account to be purged or to intentionally have it banned. In any case, the account could only be more secure, not less.
While some issues are unavoidable, most can be addressed with reasonable solutions. This change could allow members to have more control over their own accounts, and should bring many more benefits than problems, some of which already existed. Implementing opt-in account management service and manual account deletion would most certainly provide better experience for members in the ExtremeCraft community.
This is a proposal to ask for reconsideration of the previous suggestion, but with many more details and solutions added. Further discussions are welcome.