Establish script to remove deleted and inactive accounts.

[ashercodeorg]

The aim of the script is to remove all PII, PPII, and information owned by thirty day deleted users and seven year inactive users. Spec (probably somewhat out-of-date already).

VOCABULARY: Throughout, we use the term "purge" to refer to this removal of PII, PPII, and information owned. Throughout, we use the term "clean" to refer to the removal of the information while leaving the skeleton holding that information intact.

Given this involves data retention, adding explicit lists to this PR of the data we explicitly want to destroy and the data we explicitly want to keep.

DATA TO DESTROY

• USER
  • display name
  • username
  • fine geolocation data
    • address, city
    • latitude, longitude
  • IP addresses
  • associated email addresses (including hashed emails)
  • passwords (even if encrypted)
  • oauth provider UID
  • all SOLR data
  • all Pardot data
    • Pardot data
    • contact_rollups
    • contact_rollups_daily
• TEACHING
  • section names
  • all Pardot data
• PROFESSIONAL DEVELOPMENT
  • all channel-backed projects (standalone or in lessons)
  • all data in data tables (even if used in lessons)
  • all uploaded assets (even if used in lessons)
  • free response survey question responses
  • open ended text responses
  • all Pardot data
  • peer review content
• CONTENT
  • all channel-backed projects (standalone or in lessons)
  • all data in data tables (even if used in lessons)
  • all uploaded assets (even if used in lessons)
  • free response survey question responses
  • open ended text responses
  • all Pardot data

DATA TO KEEP

• USER
  • gender
  • locale
  • coarse geolocation data
    • state
    • country
    • postal code
  • birthday
  • user_type
  • oauth provider
  • urm, races
• TEACHING
  • section information other than section name
  • follower information
• PROFESSIONAL DEVELOPMENT
• CONTENT
  • school_info_id (TODO(asher): REALLY?)
  • paired programming information
  • puzzle ratings
  • non-free response survey question responses
  • professional development attendance information
  • peer reviews other than the content

[ashercodeorg]

Looking for a high-level review, confirming that it is sensical to perform this process semi-manually rather than create triggers and dependent destroys within our models. Assuming so, please let me know whether you would prefer a bunch of incremental PRs or a long PR (expecting some back and forth).

[ashercodeorg]

For better or for worse, there are unique indexes on username, email, etc. How do we want to manipulate these fields while maintaining the DB constraints? Do we want to relax the DB constraints?

[ashercodeorg]

How do we want do delete the level_source? Does it make sense to wipe its data (also md5?), keeping the row otherwise intact? Do we want to purge the whole row?

Note that, in both cases, there are implications for other users that happen to have the same level_source_id.

[Hamms]

why are we destroying the level source at all and not just the user level?

[ashercodeorg]

Because we are fine with maintaining a record that the student did work, we want to eliminate the work that was done. This is motivated by student privacy law, I believe.

[Hamms]

shouldn't we then update the user_level to no longer point to a level_source and delete the level_source only if there are no longer any user_levels pointing to it?

[ashercodeorg]

It isn't at all clear to me what makes the most sense, from a product or from a engineering perpsective (thus my starting this thread). If we could delete the level source only if there were no user_levels pointing to it, that'd be awesome. Unfortunately, we are lacking the index on user_levels.level_source_id to allow us to carry this out efficiently (practically).

Note that we do have an index on activities.level_source_id. That said, there would be some complexity in trying to make use of it, as we'd have to consult both activities and activities_old (the backup table from before our overrunning the ID counter).

[Hamms]

Unless I'm misunderstanding something, deleting the level source indiscriminately seems like it isn't even an option, given how significant the impact would be on other users.

How bad would it be to simply remove the pointer from deleted user to level source and potentially have orphaned level sources floating around?

[ashercodeorg]

My belief is that this is not considered acceptable by product. Otherwise, I agree, this would be the easy answer.

For now, I'm going to suggest we not focus too much on this, as product still needs to finalize their requirements.

[Hamms]

What's the thinking behind doing this manually as opposed to relying on dependent destroys?

[ashercodeorg]

My concern with dependent destroys is that this pipeline only happens on "hard"-delete, not "soft"-delete. So we'd need to invoke this pipeline in a manner distinct from user.destroy, where we want the soft-delete dependent destroys but not the hard-delete dependent destroys.

Also, it seems less error prone to keep data deletion to a script. Though I could be very mistaken on that.

[Hamms]

I think I like the overall idea of doing this manually and carefully, but it does seem pretty error-prone; I'm not sure whether I'm more worried about things that should be deleted getting skipped and being orphaned or about the act of deleting something causing other things that we don't want to delete to break.

I'm in favor of this all being in a single large PR, in the hopes that that will make it easier to notice something that got missed.

[Hamms]

why are we destroying the level source at all and not just the user level?

[Hamms]

Should Artist and Playlab be included in this?

[ashercodeorg]

Most definitely. Amongst many other things...the exact list is still getting sorted out.

[Hamms]

should this be a soft delete?

[ashercodeorg]

Per the TODO, I need to get a definite answer. Note that, after thirty days, the two are equivalent (as a soft-deleted user then has delete_user_and_dependencies run on it).

[ashercodeorg]

Ready for review... PTAL.

[ashercodeorg]

Actually, just kidding. There are a few more changes that I want to refactor from the script into models.

[ashercodeorg]

Those refactor changes have been made, PTAL.

[Hamms]

I'm still quite concerned about this.

[ashercodeorg]

Noted. As am I. But I'm pretty sure @jeremydstone is not... (at least, I'm doing what I'm told).

[ashercodeorg]

Per offline discussion with @jeremydstone, this has been changed to severe the link between the user's level-backed progress and the user (see commit d39f371) rather than remove the actual student work (image). PTAL.

FYI @poorvasingal @Hamms @jeremydstone.

[Hamms]

should this be unless failed_ids.empty??

[ashercodeorg]

Yes. Done (using if failed_ids.any?).

[Hamms]

does this imply that purged users are expected to fail validation?

[ashercodeorg]

No, purged users are expected to pass validation, I've gone to some trouble to make sure of that. That said, I want the purged_at update to get persisted, whether or not the user is valid.

[jeremydstone]

This is maybe the scariest part to me. An area where we could be doing the right thing under the letter of our TOS/Privacy policy and yet have kids come in the in morning to discover all their stuff nuked.

[ashercodeorg]

Feel welcome to take the issue up in the spec or with @poorvasingal directly.

[poorvasingal]

Teachers will have a super clear warning that their student accounts (that don't have a personal login) will get deleted if they delete their own account. I also don't think it's a common scenario for teachers to delete their accounts so I am not super worried.

[ashercodeorg]

SELECT user_type, COUNT(0)
FROM users
WHERE deleted_at IS NOT NULL
GROUP BY 1;
+-----------+----------+
| user_type | COUNT(0) |
+-----------+----------+
| student   |    71937 |
| teacher   |     6710 |
+-----------+----------+

[jeremydstone]

The code looks good. Would like to have an interactive conversation with @ashercodeorg around testing, risks & mitigation prior to merge.

[ashercodeorg]

Per offline conversation, merging so that this can be tested in isolation on adhoc and test environments.