We should develop a policy for how we deal with abandoned/expired accounts and general username "takeover" requests. Basically, if someone desires a given username, what are our criteria for deciding whether they can or cannot have it?

Comments

dave reid’s picture

I don't think we should go off of something based on Twitter's 6-month no-updates expiration policy since that's a site that you're expected to post at least every so often. It's a blogging site. But Drupal is a community.

- My vote is that accounts that can be removed are ones that have never been logged in since creation (user logs in once but never logs in again) and the account must be at least a year old.
- Any kind of copyright or trademark infringement should be a legal matter and user admins cannot take action. Forward request to appropriate entity.

webchick’s picture

Agreed, I don't like time-based expirations either. It would be really bad were someone able to reclaim the "Steven" account, even though I'm quite sure that hasn't been logged into for more than a year.

The only place where time-based stuff makes sense is in deciding whether an account hasn't been logged into/posted to yet. Is 6 months sufficient for that? I kind of think it is.

webchick’s picture

Oops. You said a year. Fair enough. That's definitely long enough. :)

Forwarding legal-based requests to the Drupal Association also seems reasonable.

How about circumstances where a user has a post history, but hasn't posted in a while, but is another user's handle they use everywhere? Contact the original user and only move over if they can be reached and say it's okay, or..?

dave reid’s picture

Users that want to register with a name won't be able to contact the user with the desired username since in D6 users need to be logged in to use contact forms. Frankly I'm not much for time-based user account expirations. If someone has already registered "davereid" on a site I want to register on, I pick a different one, deal with it, and then move on. If an account has never logged in however, I have no problem deleting.

heine’s picture

Just a reminder that accounts aren't just there for posting, but also for 1) mailing lists, 2) issue subscriptions (on 6 as well?) and the contact form.

Even if someone hasn't logged in for a while doesn't mean they do not use the account. A user may even use it to log in on groups.drupal.org.

I would leave it to the user to "give away" their username.

chx’s picture

The recent issue taught us that the policy should be simple: every such issue will be wontfixed.

morbus iff’s picture

I support one of:

  • Names never expire, they never revert to anyone else, they remain forever, posts or not.
  • Names expire, but only if there have been a) no posts, b) no "ping me" configurations (i.e., issue tracker subscriptions, etc.), c) no CVS activity, and d) it's been longer than a year.

Inclusive of:

  • Legal requests to Drupal Association.

Anonymous’s picture

#5 +1

Plus book pages.

I really don't want to worry if my account is deleted because I haven't logged in in a while. I could be on holiday, work or ill.

Maybe after a year (or five years) of non use send a standardized e-mail whether the person wishes to extend the account?

Still remains the problem with book pages, etc.

laura s’s picture

The webmasters queue is no place to settle name claim disputes. I agree, nobody's account should be handed over to someone else. For one thing, who's who? There is no proof. As the snert stated in the other thread, people can spoof all kinds of email addresses through proxies, IP spoofing, etc.

Trademark disputes? Ugh. I can see both sides of that, and don't like getting "talk to the hand" kinds of policies from various websites when attempting to file a claim. But that's the last thing people volunteering to help manage Drupal.org should need to deal with.

webchick’s picture

I kind of like the second of Morbus's options there. We'd need to come up with some queries we could run to tell whether that's the case, though... Failing that, Morbus's first option is always a sure bet. ;)

I think an exception can also be made in the event that the original nameholder posts to a thread started by the person who wants the name and says basically, "Yeah, it's cool." This is how MichelleC ended up with Michelle.

And fully agreed on volunteers in the webmasters queue not having to deal with legal inquiries. Direct 'em to http://association.drupal.org/contact.

michelle’s picture

"This is how MichelleC ended up with Michelle."

Actually, the account belonged to the girlfriend of a long time user and he said she didn't care. On g.d.o, "Michelle" was taken by some unknown person who never used the account and I was given permission to just take the name over since it was inactive. The exact same situation as we had in the issue that spawned this one. Except I'm not an internet marketer and didn't claim any sort of trademark. I simply wanted the name.

Michelle

webchick’s picture

Oh, ok. To keep with tradition then we should probably go with Morbus's rule #2.

So new policy looks like this:

  • If the request is against a user account which:
    • has passed at least one year since last login
    • has 0 posts under their tracker
    • has no CVS activity
    • is not referenced on any sub-sites such as groups.drupal.org
    • has no notifications enabled such as issue or newsletter subscriptions

    ...then the account may be claimed by another user. [note: should we send an email first and wait 2 weeks, like our abandoned modules policy?]

  • If a user posts in a public, timestamped drupal.org webmasters issue under their existing user account which explicitly states that another username may claim it, it may also be transferred to the user in question.

In all other cases, requests will be denied.

If the request concerns legal issues such as trademark infringement, the user should be directed to the Drupal Association contact form: http://association.drupal.org/contact, who may or may not deny the request based on guidance from legal counsel. [edited to add..] All requests must include required documentation to prove identity and trademark holdings.

I think we need:
A) queries we can run on drupal.org infrastructure that'll tell us whether an account is truly inactive.
B) to determine how the account is transferred. Do we do a simple rename? Do we give the new user the lower user ID? etc.

michelle’s picture

I would do a rename. Your UID has some significance around here and it wouldn't be fair to give a new person an older UID just because they want the name.

Michelle

dave reid’s picture

Rename the accounts and add _inactive to the old account's name (e.g. accountname_inactive). Maybe we can add some kind of d.org module addition to show the data from #12 on the user/x page visible to users with the 'administer users' permission.

dman’s picture

Inactive for a year + never logged in = recycle it.
BUT the thing is that to make such a request in the issue queues here you'd have to register with a dummy username first. And by posting give it a post history. That's a failed process.
What most humans would do would be - like Dave - just use a new name.

If we really wanted to help the first-time user experience then the unused usernames should be pre-emptively cleansed so as to clear the decks for new applications.

This idea has some problems...
... But really, never posted and never logged in? It's gotta clearly be trash.

michelle’s picture

"What most humans would do would be - like Dave - just use a new name."

I think we still want this to be the norm. This issue doesn't come up often, now, and I think we want to keep it that way and not spend lots of time changing names around for folks. When I registered, Michelle was taken so I just went with MichelleC. No biggie. I do that on a lot of sites. But then I was able to get "Michelle" on IRC when it expired (they expire after 8 weeks) and took that. At that point, I really wanted to match my d.o nick and my IRC nick to avoid confusion. So I went looking to see if "Michelle" was actually using it. Otherwise I wouldn't have bothered.

I'd say most folks are going to be just fine picking an alternate name. What we need to decide is what to do in those occasional cases where someone really, really wants an existing name that is taken by someone who never used it. Either allow it or don't but make it consistent because allowing it for some and denying it for others is not cool.

Michelle

webchick’s picture

Actually, that's interesting. If we went the Freenode route and just had an automated inactive account deletion routine, we'd be set. No human intervention required. Hooray!!

Morbus pointed out http://drupal.org/project/inactive_user as a module which could do this.

morbus iff’s picture

@webchick: When I said names "expire", I meant, they get deleted. I did NOT mean that they get taken over based on a request. It is very important, for me, that the numerical user ID of a nick is different than the original one. The workflow would be something like a) a year passes, b) automated code deletes the account, c) interested party registers a new account, with the (now deleted) name, and starts over.

Preservation of history is incredibly important to me - a decent amount of my Work and Interests have gone to ensuring that it never changes (which is why I continually rail against allowing people or functionality to edit forum posts, or removing e-mail discussions in favor of centralized web-based discussions, etc.).

Allowing a) a name to be taken over by someone [giving unique person B the same user ID as unique person A] or b) allowing an existing name to be renamed to something else were not intended by my recommendations.

And note that /deleting history/ (where history could be as simply stated as "the creation of an account on drupal.org") is different than /changing history/ (i.e. changing the unique essence behind an established user ID). One is simple loss of facts, the other is changing them. Bad or incorrect documentation is far worse than no documentation.

With that said, I have no moral problem with Person A willfully granting Person B the use of their "Person A" nick. However, based on my previous statements, which I feel more strongly about than human generosity (which can be disastrously thickheaded), I wouldn't be able to accept that conceit.

@webchick: And, yes, I always assumed this would be an automated process. As evidenced today and yesterday, humans who love each other and work together still tend to disagree, and not in clear "this side is the winner" ways. The more cold, hard, and emotionless we can make this, the better. I had assumed we'd automate all of the inactivity checks, deleting them as they were matched, and merely informing interested parties about said automation, and let them handle the potential sniping of the name when it expires. You know. Just like domain names.

webchick’s picture

Morbus: Yeah, all of that makes sense.

So now we're at:

  • After one year, accounts that have never had any activity (no posts, no logins, no subscriptions to newsletters/issues, etc.) will be purged from the system. An e-mail will notify the affected accounts two weeks in advance.
  • A user may choose to voluntarily relinquish their username. They may do so by renaming their account, for example to username_inactive or similar. This frees up the space for another user to claim the name.
  • If there are any legal concerns such as trademark infringement, the user should contact the Drupal Association http://association.drupal.org/contact, who may or may not grant the request based on guidance from legal counsel. All requests must include required documentation to prove identity and trademark holdings.

Cool?

morbus iff’s picture

No problem with #1 or #3.

2 causes a problem with me, as it implies ("for example": MAY not MUST) that a user could change their account name to relinquish it to someone else. I have no problem with "username_inactive" being blocked/banned. I have a problem with "Person A" becoming "Person C" so as to give up their first choice to "Person B". We've already seen this abused on d.o, where someone will say some nasty flame, find out they've been indexed in the search engine and gasp, their employer is looking at it, and "please, can you rename this or delete it, rowr?"

Allowing someone to change their username AND rewriting all their history to this new identity, is a bad thing. Most sites don't allow this in any way, shape, or form. I care little to speak for why those sites did it, but as a historian and researcher, it changes history for the worse.

Amazon’s picture

My guess would be that we are going to purge about 70-80% of accounts on Drupal.org if we purge inactives after a year.

We should hold and do some research. Many people come to drupal.org, create an account. Don't have anything to post, we can be quite intimidating, so they never log in. They poke around for a while. 3 years later, they realize, Drupal's become awesome, I want to use it now and try to log back in. But their account is now gone?

I had one of these calls with a major Canadian University on Friday, where they actively evaluated Drupal 4.6 and are now returning to using it after several years. Should the welcome back really be, we deleted your account?

The subtext is we are punishing inactives by removing their username. Let me know if I am misunderstanding the rules. Also, the reminder emails are bad and likely to generate a lot of spam complaints as many users won't remember having registered in the first place, and they certainly never agreed to get emailed if their accounts went inactive.

Infrastructure maintainers see: https://infrastructure.drupal.org/node/38 "http://groups.drupal.org repeat usage analysis". I also calculated repeat usage for Drupal.org at one point as well, but don't know where the data is.

See http://redeye.firstround.com/2008/01/after-the-techc.html for guidance in how to calculate repeat usage. We might also want to look at unique visitors through awstats over years. What is our cookie lifetime on d.o?

Kieran

morbus iff’s picture

After more discussion on IRC, with concerns voiced by webchick, stephthegeek, amazon, and myself, the ultimate conclusion was: the easiest thing to actively do is nothing at all. Attempting to define inactivity, or the various ways and workflow for changing a username (due to human kindness or otherwise) is fraught with what ifs, and so forth.

<amazon>	Morbus: I think the drupal.org site maintainers are responsible for the content on Drupal.org. The Drupal association is responsible for making sure the servers are upgraded so they don't die. So I think folks like you have a bigger say than the D.A.
<webchick>	Morbus, We're not re-cycling user IDs, as you asked. So are you saying we should *never* allow users to give up their usernames to others? This is the case I'm trying to describe in #2. Feel free to re-word it so it sounds less like I'm trying to imply something different. :)
<Morbus>	webchick: yes, i suppose i am saying that. if username A is active enough to respond to a change request, he automatically fails the inactivity test, and it shouldn't be changed.
<webchick>	Morbus, But username A is *offering* to help username B.
<Morbus>	webchick: at the expense of history.
<webchick>	Morbus, What if username A has never posted to d.o so there is no history to unravel? The request goes straight to username A's contact form, which reaches her by email. I guess in that case "wait for the auto-deletion routine"
<Morbus>	webchick: then A should get deleted immediately, and B should be informed to create a new one.
<amazon>	webchick: we need to protect the spectators http://blogs.forrester.com/charleneli/images/2008/03/20/social_technographics_explained_4.jpg. It means that a huge part of our community, will never post, but that doesn't mean they are so unworthy, they should have their accounts deleted.
<webchick>	amazon, If they've not logged in in 1+ years? and never posted anything? I know some people *mostly* lurk. But not to post *anything* in over *one* year?
<Morbus>	the inactivity law should apply to change requests too. if the user has been active on d.o in measurable ways, generosity doesn't apply. they fail the inactive test. if the user HAS been inactive on d.o, but for less than a year, and happily agrees to relinquish the name (either through email, IRC, or as their first-post to d.o), then the account can be deleted immediately, and user B can create a new account.
<amazon>	webchick: yeah, I wouldn't be surprised if 75% of the people with usernames don't post
<stephthegeek>	but still come back
<webchick>	amazon, Then great! When they get the email that says "Hi, there! We noticed you haven't logged in in over a year! If you'd like to keep your account, please come visit us again!" maybe we'll get them back. ;)
<amazon>	webchick: who wants to send that email to http://drupal.org/user/10
<Morbus>	a user who doesn't post on a site but uses it a lot is no different than an anonymous user. the account is pointless.
<webchick>	amazon, It's *only* for people who have *never* posted.
<Morbus>	right. who have never shown a heartbeat.
<stephthegeek>	Morbus, i think still *having* the account is encouraging
<webchick>	amazon, So if you have *never* posted and you have not logged in for > 1 year, I deem you don't exist.
<amazon>	seems pretty harsh to me.
<webchick>	I have no problems with people who login every other month and are quiet.
<Morbus>	nor i.
<webchick>	So we could even say it ONLY applies to people for whom that's true. That'd help assuage amazon's concerns, maybe. We could also send them an interim one after 6 months or something to just ping them and say "hey! what's up! We haven't seen you around lately"
<Morbus>	the lurking people aren't affected by this.
<webchick>	Morbus, they are if they don't login.
<amazon>	Morbus: my concern is that out of 400K user accounts, I suspect 350K aren't active in logging in or posting. And we are implementing a rule that's going to impact a lot of people.
<webchick>	amazon, Ok. You *did* see the part where this *only* applies to people who have *never once* posted *any* content, right?
<amazon>	webchick: yeah, that's probably 350K out of 400K users
<Morbus>	amazon: if they haven't created any meaningful history, there's no reason for us to maintain their records.
<webchick>	I kind of agree. What's the point in registering to a website if you only logged in once and never posted anything? If you're truly a spectator, why register an account in the first place?
<amazon>	webchick: the nature of d.o is that for most people, there isn't a reason to login.
<webchick>	And if you're not, why not do something (just ONE thing!) with the account when you have it?
<stephthegeek>	webchick, i dunno... there's something to be said for "saving" your account for later... a service or site piques your interest... you "reserve" yourself a place there... and maybe don't come back for a year or two
<Morbus>	amazon: if there isn't a reason to login, the corollary is there's no reason to create an account.
<webchick>	stephthegeek, I suppose that's true.
<Morbus>	if we accept that as true, why do we care?
<webchick>	stephthegeek, But wouldn't the email notification in advance help solve that issue?
<stephthegeek>	webchick, but i'm not saying we absolutely have to care or support that. if people kept email accounts over long periods of time....
<webchick>	"Oh, crap! I totally forgot I created that account a year ago. Let me go check out this Drupal thing like I've been meaning to.."
<stephthegeek>	i like the email thing, regardless
<Morbus>	i like the email thing too. i believe inactive_user already handles that.
<stephthegeek>	even if it's not "we're emailing you because we're going to delete you"
<webchick>	In general I love the complete hands-off, cold, objective, etc. approach.

Emphasis mine:

<webchick>	I'm also fine with just saying "No. [Sailor-talk] off. We don't delete or change accounts."
<Morbus>	i'm perfectly fine with that too.
<webchick>	But anything in between there just seems like a whole lot of hassle.
*	stephthegeek dittos
<Morbus>	that would be a much clearer case.
<Morbus>	cos we're already going down grey areas on what it means to be inactive.
<Morbus>	and amazon's concerns, etc.
<Morbus>	"do nothing" is the easiest thing to do.
<webchick>	Yep.
<webchick>	So who wants to summarize that in the issue? ;)

morbus iff’s picture

Amazon:

  • If a user has forgotten they registered at d.o to righteously complain about the spam, then there's a pretty good chance they won't notice that their account has been deleted. They are more likely to forget they registered and simply register anew.
  • I have the same rebuttal to your 4.6 evaluator: usernames clashing is a rarity. If their account got deleted, and they hadn't actually done anything with it (since downloading 4.6 doesn't require an account), what's the big deal with simply re-registering? You'll get no ego-boosting or elitism from anyone if you have an early uid, but didn't actually do anything with the site until last month.

webchick’s picture

Ok, so new policy: [edit: i'm an idiot. forgot the word "not" below :P]

  • The Drupal.org webmasters team does not expire or change usernames for any reason. This data is considered integral to our community's history.
  • If there are legal concerns such as trademark infringement, the user should contact the Drupal Association http://association.drupal.org/contact. All requests must include required documentation to prove identity and trademark holdings. The Drupal Association may or may not act on requests, depending on advice from legal counsel.

I suppose we could mention something explicit about "If you want someone else's username, send them a mail through their contact form and see if you can convince them to change it," but people will probably figure that out without our explicit mention. Morbus has concerns about the fact that authenticated users can change their own usernames, but this has been a feature of Drupal.org since time immemorial so if we want to change that we should discuss it elsewhere.

One thing I don't like about the wording of the first point is that I think it implies that this policy applies to deleting user *accounts* as well, and I'd really rather not "scope creep" this issue into /that/ discussion since it's a whole nother ball of wax (we should figure that out before we convert d.o to D7 though). If there's a way to re-word that slightly so it's clear that this policy is only around usernames (for now), that'd be spiffy. Maybe titling the page will help.

chx’s picture

Status: Active » Fixed

Issue closed, we do what I said and webchick confirmed (and I have the last word in such a debate, hah!)

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.