Currently, we don't keep track of any historical data on which client_ids a user has granted access to their account. We track the active tokens for each client_id, but if a user revokes those tokens, then we have no record that the client_id was even granted access to the user's data.
This lack of historical data makes it hard for us to automate certain important compliance obligations. For example, if a user deletes their account, we currently have to push that deletion event out to all reliers, because we don't know which reliers may be holding data about which users. Similarly, when a user changes their primary email, we push out a notification to all reliers, even ones that the user has not granted permission to view their email address.
@shane-tomlinson discussed this a bit recently, and came to the conclusion that the benefits of keeping this historical data outweigh any potential privacy concerns with maintaining it, so let's figure out how to make that happen. (To be clear, we would not keep it forever; the historical data would get deleted if the user deletes their account).
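An added example (not FxA's own code) of the grant-history store this issue asks for: revoking tokens keeps the record, a primary-email change is pushed only to reliers that were granted an email-bearing scope, and deleting the account returns the full recipient list and then purges the history. The scope names `profile` and `profile:email` and the event names are assumptions.

```javascript
// Added example, not the project's code. Scope and event names are assumed.

function hasEmailScope(scopes) {
  return scopes.has('profile') || scopes.has('profile:email');
}

class GrantHistory {
  constructor() {
    // uid -> Map(clientId -> { scopes: Set, firstGrantedAt, active })
    this.byUser = new Map();
  }

  // Record that a user granted clientId the given scopes. The record
  // survives token revocation; scopes accumulate across re-grants.
  recordGrant(uid, clientId, scopes, now = Date.now()) {
    if (!this.byUser.has(uid)) this.byUser.set(uid, new Map());
    const grants = this.byUser.get(uid);
    const existing = grants.get(clientId);
    if (existing) {
      for (const s of scopes) existing.scopes.add(s);
      existing.active = true;
    } else {
      grants.set(clientId, { scopes: new Set(scopes), firstGrantedAt: now, active: true });
    }
  }

  // Revoking tokens only marks the grant inactive; history is kept.
  revokeTokens(uid, clientId) {
    const grants = this.byUser.get(uid);
    const g = grants && grants.get(clientId);
    if (g) g.active = false;
  }

  // Reliers to notify for an account event: deletion goes to every relier
  // ever granted access, an email change only to those with an email scope.
  reliersFor(uid, event) {
    const grants = this.byUser.get(uid) || new Map();
    const out = [];
    for (const [clientId, g] of grants) {
      if (event === 'delete') out.push(clientId);
      else if (event === 'primaryEmailChanged' && hasEmailScope(g.scopes)) out.push(clientId);
    }
    return out.sort();
  }

  // Account deletion: compute recipients first, then purge the history itself.
  deleteAccount(uid) {
    const recipients = this.reliersFor(uid, 'delete');
    this.byUser.delete(uid);
    return recipients;
  }
}
```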