[FEATURE REQUEST] Anonymize posts on user deletion

At the moment, it is only possible to delete users via the mmctl CLI tool. When doing so, all posts and replies sent by the user are deleted, together with the files they posted. A pull requests has been submitted to replace mentions (@username) with a generic tag (@deletedUser).

However, besides this obvious remainder of user data, there is also a number of messages that can tell details about the user to be deleted without direct mentions. The easiest case would be a message with both an @-mention and a mention of the user’s first name: “Btw, Kristine was asking about the suite booked for the conference last month, does anybody know something about that? ” – “I guess that’s been Andrew and his new girlfriend, they had some sort of arrangement with Matt. @andrew?”

Obviously, deleting only the @andrew is not sufficient here. One would also have to replace the first name – and maybe even the entire message. I don’t know of any ruling on this to date, but taking GDPR seriously, one would presumably have to delete all data about the user, even if it is only in indirect mentions. Therefore, and also because it would be great to make the user deletion process more convenient, here is my suggestion:

Matttermost is missing a user deletion frontend. I would suggest adding a section in which, while a user is being deleted, the administrator can go through related posts (based on @-mentions, first name, last name, and short name) and decide whether to obfuscate certain parts, delete them entirely, or to keep them as they are. Of course, there are also cases where it is in a company’s legitimate interest to preserve messages despite them carrying personal information about deleted users. In the suggested frontend, it would be necessary to have a look at the context, i.e., certain messages before and after the message in question.

1 Like