The pain of changing email address
In recent years the unscrupulous trading of user data by Big Tech companies has become fairly common knowledge. In an effort to maintain at least a shred of privacy online I decided to migrate to a privacy-first email provider. This went very smoothly. The process of updating my email address everywhere I'd used it over the last 15 years was somewhat less smooth however.
After the API billing fiasco where Reddit decided to effectively kill off third-party apps, I made the decision like many others to delete my account. This left a huge gap in my daily timewasting routine which I attempted to then fill with Mastodon, Kbin and Hacker News. For better or worse they never really filled the Reddit-shaped hole in my free time, but an unexpected side-effect was a gradual change in my personal values, specifically relating to privacy and Big Tech data farming.
I've now come to view companies like Meta and Google as online Feudal Lords and we average internet users as poor serfs, generating value but seeing little in return.
Scathing metaphors aside, I ended up creating a Proton Mail[↗] account and have been spending the last month or so slowly updating all my online profiles to use this new encrypted and privacy-friendly email address.
This also seemed like a great moment to delete accounts I no longer use, in order to reduce the spores of my online activities even further.
You may not be surprised to learn that for a lot of websites these two processes are easier said than done.
By far the most common problem is that the website offers no way of updating the email address yourself, instead you have to send them an email about it. This is even more prevalent when it comes to account deletion. The latter I can perhaps understand as a dark pattern to dissuade users from leaving, but why not let me at least update my details if I can't delete them?
I also frequently came up against websites where the email address is used as the unique identifier for the account and it's therefore not possible to change it at all. It's actually been recommended to me to create a new account instead because the customer service rep also can't change it.
And then there are the sites that just have broken account management flows that apparently weren't QA tested. Mysteriously blank pages and inexplicably disabled form inputs both made appearances.
Something else which also got me thinking is the frequent lack of verification that I am actually the account owner. Some websites would allow me to update the email address without requiring approval from the old email address and sometimes without even notifying it. Even worse were the sites where I had to manually email them to update my email address. I would email them from my new email and get a friendly response saying my account had been updated. No check if I am who I say or if I have access to the old email. Apparently knowing that an account exists with my old email is enough verification that I should be able to update it. I wonder what would happen if I just emailed them to ask to update my password.
The lessons I've taken from this process so far are two fold.
- As an internet user I should be more conservative with my personal information and think critically about which websites I sign up for. What if I am unable to change or delete this information in the future? Am I happy to have my details sitting in their database for an indefinite amount of time?
- As an application developer I should definitely ensure an easy process for users to update and delete their information, especially with regards to GDPR. These aspects of a website tend to get built as one of the first tasks and then forgotten about, but making sure the user can manage their own credentials without human interaction can save a lot of time and effort on both sides.
Bonus content:
Shoutout to Paypal for this exceptionally user-unfriendly login process:
- Paypal: "You haven't logged in in a while, please choose a verification option: Email or SMS"
- Me: chooses Email and verifies account
- Paypal: "You also need to verify by SMS"
- Me: Okay... verifies by SMS
- Paypal: "You are logging in on a new computer, please verify by SMS"
- Me: verifies by SMS again
- Paypal: "You are logging in from a new location, please verify by SMS"
- Me: verifies account a fourth time
At least they could be absolutely sure I was the owner of the account before I deleted it.