this post was submitted on 27 Aug 2023
302 points (93.4% liked)
Privacy
32159 readers
851 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
For marketing emails I totally agree.
For important account security and verification emails, no I don't think that should be done without being able to log into the account.
If somebody breaks into your email, they shouldn't be able to compromise everything silently
This is a good point. Maybe you could have some sort of exit plan such as 3 emails confirming that you have been unsubscribed at 1d, 30d and 365d. This way if the email takeover is temporary then the user will eventually see a warning but there is still a finite amount of emails still to be received.
It isn't perfect, because an attacker could set up filters or something so that these aren't noticed. But at this point the attacker could set up a filter to hide the regular account emails so it really isn't any worse.
I think in most cases confirming you own the email should be sufficient to unsubscribe.
In high security situations there should be a more extensive method, but it should still be possible. Perhaps the timed unsubscribe, i.e. a month of access. Or mailing a letter to the account holders address. (I.e. take 4 weeks to give the account holder time to opt out)