Earlier this week, an acquaintance of mine found himself trapped in a Kafka-esque nightmare, a nightmare that should make all of us stop and think. He wants to remain anonymous so let’s call him Bob. Bob was an early adopter of all things Google. His account was linked to all sorts of Google services. Gmail was the most important thing to him – he’d been using it for four years and all of his email (a.k.a. “his life”) was there. Bob also managed a large community in Orkut, used Google’s calendaring service, and had accounts on many of of their different properties.

Earlier this week, Bob received a notice that there was a spam problem in his Orkut community. The message was in English and it looked legitimate and so he clicked on it. He didn’t realize that he’d fallen into a phisher’s net until it was too late. His account was hijacked for god-knows-what-purposes until his account was blocked and deleted. He contacted Google’s customer service and their response basically boiled down to “that sucks, we can’t restore anything, sign up for a new account.” Boom! No more email, no more calendar, no more Orkut, no more gChat history, no more Blogger, no more anything connected to his Google account.

::gasp:: My heart threatens to attack my throat at the mere idea of losing four years worth of email. ::shudder:: Or what if this blog disappeared? Like, OMG. {insert horror film music here}

Luckily, Bob is well-connected. His friends in high places forwarded his story to powerful people inside Google. Today, his account was restored. While such a restoration should provide a sigh of relief, it’s also a bit disconcerting. What if Bob hadn’t been so well connected? What other kinds of damage can phishers do to people who have so many of their key tools linked together under a common account?

Most tech companies blame phishing victims. Basically, the general sentiment is that if people weren’t so stupid, there wouldn’t be a problem. Yet, there is great research on Why Phishing Works that shows that even sophisticated users can be deceived. While education is important, it is unrealistic to expect all users to keep up with the developments of scammers’ deceptive techniques. Consider the story of Clementine, a 13-year-old citizen of Gaia Online who fell victim to a phishing attack and had her account deleted without recourse. Once again, Clementine’s saving grace was that she had connections, but it took a long time and she was written out of her primary social space in the meantime.

When companies host all of your data and have the ability to delete you and it at-will, all sorts of nightmarish science fiction futures are possible. This is the other side of the “identity theft” nightmare where the companies thieve and destroy individuals’ identities. What are these companies’ responsibilities? Who is overseeing them? What kind of regulation is necessary?

There’s also a flip-side to this story. Google was able to restore his account because they kept everything on backup servers. In this case, Bob didn’t want to have all of his content deleted. But what if he had deleted it himself and expected it to be deleted permanently? Who should have the right to recall his data and under what circumstances? I find it particularly haunting that there is no way to delete your Facebook account. You can only “deactivate” it, but you can reactivate it at any time and everything will come right back. What if you don’t want to go down on Facebook’s permanent record?

These are the issues that worry all sorts of privacy and identity types. They are the cornerstone of books like Daniel Solove’s The Digital Person and Simson Garfinkel’s Database Nation. Yet, as with identity theft, few people stop to think about data loss until it happens to them. But perhaps we should. How would you feel if the company hosting your email suddenly decided to disappear you? Or if Facebook/MySpace/Flickr/Xanga/etc. decided to delete your account right now? (There are plenty of examples of this one too. For example, many celebrities have found their accounts obliterated because company reps think that they’re fake. And then there was Friendster…) Imagine if you had no path of recourse. Talk about disempowering!

In thinking about this, your first response should be to back up your data. (And grumble loudly about all of the places where this isn’t possible.) But what’s your second step? What kind of legislation is necessary to address this? What kind of data recovery (or non-recovery) policies should companies have?

Update: Check out this case of a guy being banished from Facebook for reasons that the company refuses to explain to him (in a Kafka-esque nightmare). This is particularly intriguing given that the company is trying to make Facebook a universal platform. If Facebook becomes a platform, what rights to due process do users have?