Enable user deletion

[drasko]

Currently it is not possible to delete user in Mainflux.

As per GDPR regulations (and per @janko-isidorovic suggestion), we must enable user deletion, and this would probably mean also some/all of the following:

• delete all thing data owned by that user
• delete all channels owned that user
• delete all things owned by that user
• delete the logs created by the user actions
• delete the user
• create the report on what is deleted

[drasko]

Also, this PR should cover user entity updates - like changing of the password.

[nmarcetic]

@drasko IMHO this PR will be huge, changing user password is also not small feature, maybe is better idea to move change/recovery password to another PR.

[chombium]

IMO we should not simply delete the changes that the user has made in the system. As the feature request is written, the user can interact with the system change some things in the physical world (maybe do some harm) and then delete everything and leave (almost) no traces. We must leave an option for traceability what has happened in the system and provide means for auditing. Another thing is what will happen with the timeseries data in the databases. We'll have data which would come from a device and channel which no more exists in the system. For data consistency we could deactivate the things and channels that belong to the user and anonymize the user data.

In some organizations usually all the "things" like chip access cards, vehicle OBD dongles, smart sensors etc. are not simply thrown away when a person leaves the organizations, but they are reassigned no another member. Some organizations want to keep history of usage of the devices or do some other kind of analytics on top of the data in the system. If we delete them from our system we should at least offer an export functions so that the data can be processed in another system. Sometimes in some countries and organizations there are legal and regulatory obligations and business reasons to keep the data as well.

Of course, all of these things are more analytical processing on top of the data processed by Mainflux, but we must at least offer to our users an option to fulfil their legal, regulatory and business requirements. Whatever we do in this direction we have to document in detail what Mainflux does and how it stores and processes the data, so that the users clearly know how long and where the data is stored if they want to build some other custom tools around Mainflux.

Regarding EUGDPR we should also offer a possibility to the users when they offboard to export their data. I think it would be better to open another (umbrella) issue for EUGDPR because there are much more things to do like asking for and managing consents for data processing and storage, access logs for accessing personal and person sensitive data, audit logs etc. If we make all of the EUGDPR requirements as part of other features we could easily lost track of what has been implemented and what is still missing.

What are your thoughts on this?

[nmarcetic]

@chombium Exactly! GDPR is huge and new issue related to this regulation is required. Here is some references, so you can get idea what should be done.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights_en https://techblog.bozho.net/gdpr-practical-guide-developers/

[willcharlton]

Is it possible to enable the 6 bullet points in the description and make a separate ticket for GDPR? These are not constraints in all regions and it would be nice to offer something now, with an enhancement (GDPR) on the roadmap.

Thanks!

[drasko]

@willcharlton this makes sense.

However, I am afraid how this can't be resolved without groups (admins), and also - how things or channels can exists without an owner.

@nmarcetic @chombium @anovakovic01 @dusanb94 what is your opinion - how can we delete user if we do not have an admin? Also - once we would have groups and admins - when we delete user, what will we do with his things? Move them to the user's admin? Delete them? Keep them in a system in some "deactivated" state (without owner)?

[nmarcetic]

@drasko I don't see this related how to delete a user if we don't have an admin Its a separate entity/role IMHO not related. How you will delete admin if you don't have superadmin ? The only thing to do it is when you delete user it will trigger deletion of all his resources, this ofc trigger some new problems and complexity but I don't see other way and reason to keep anything in DB after user deletion (yes its risky but be careful what you are doing. In the right hand's any tool is a weapon). I think its also one part of GDPR, you can't keep any track of user's records after he deletes his account, I am not deeply familiar with GDPR, but we should check.

[manuio]

@drasko I agreee with @nmarcetic. Users should be able to delete their accounts without admin. From UI side it can be done from the profile of the user. I would split the issue and keep delete user logs and create report for a GDPR issue, and delete all data and delete user for this one which would be pretty fast to do.

[chombium]

@drasko, @nmarcetic, @manuio as I've written before, at least for legal reasons we can not simply delete every piece of data related to a user. In most of the countries the data has to be kept for a certain amount of time. In Europe that's usually 10 years. It would be nice if we as a provider of data processing platform (data processor in terms of EUGDPR) provide the people who operate Mainflux (the people who gather and use personal data - data controller in terms of EUGDPR) means to fulfill some of the legal duties. I think that no one want's to simply delete and lose the data and therefore apart from implementation of the user deletion it would be good if we at least provide some means of exporting the user data in some machine readable format (csv, json...). The option for data export when a data controller (the user who owns the data) opts to get out is also one of the requirements for GDPR:

(g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data

EU GDPR Article 28 Paragraph 3 point g

To clarify @nmarcetic's doubts about keeping the data, the data can be kept if there are legal needs or a clear business purpose, but the it can not be used to identify a natural person. This means it has to be anonymised. A simple scenario from logistics, a company has a fleet management solution and a driver leaves the company. The driver can request data deletion, but the company still has interest to track how many hours/kilometers the driver drove or how much fuel does he spent. The definition 26 about data protection from the EUGDPR says:

(26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

This means that we'll have to do data anonymization. The other definitions and regulations regarding the processing and keeping data for statistical reasons are defined in Chapter IX

As for the current situation as we want to enable our users to be EU GDPR compliant I agree with @manuio to split the whole EUGDPR topic few separate issues. Regarding the user delition I think we can start with:

• Data export
• User deletion
• Audit logs (creating reports of what actions have been taken and who has accessed the personal sensitive data)

[nmarcetic]

Wow @chombium thanks for the clarification. I dunno much about GDRP and all this ^ is really complicated and out of IoT scope but in the other way related :) We must study more.

[rodneyosodo]

@dborovcanin This is closed by https://github.com/absmach/magistrala/pull/2122