4

Let's suppose I have an email account: user@example.com. Then, some other user signs up on a third-party service with email-based login with my email address (by mistake or not) and then I receive a confirmation email to activate that account in my inbox. I'd like to ask the following:

  1. Is it legal for me to follow the account-verification link and delete that account?
  2. Is it also legal to ask for an account recovery process and do the same thing: delete the account?
  3. Does the answer depend on parts' jurisdiction/location?
Pestro

2 Answers

1

Let's assume that this is in the US (different countries have different laws but most countries have some version of these protections). The Computer Fraud and Abuse Act prohibits unauthorized access. You would be concerned with 18 USC 1030(a)(2) which punishes a person who

intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains...(C) information from any protected computer.

You might think that since it has your email, you are "authorized", but actually only the account-holder is so authorized, and exceeding authorized access

means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter

For example, deleting the account. You can ask for recovery links and delete an account only if it is your account. An account that is erroneously associated with your email address is still not your account, and you have no authorization to access an account that is not your account and where the account owner has not permitted (authorized) you to access the account for some purpose. It's a felony.

user6726
1

This answer is meant to supplement the answer by user6726 and to follow up to your comment that "it seems the world upside down, somebody uses another's identity to sign up for a service and it's the latter who must be careful not to be a criminal."

The situation might not seem so unreasonable if we consider the effect of the GDPR (and possibly similar laws elsewhere). The GDPR applies to sites (data "controllers" in the GDPR terminology) which are based in EU member states, the UK (in a slightly modified form known as the UK GDPR), and to controllers outside the EU/UK if the site offers goods/services to data subjects who are in the EU/UK, pursuant to Article 3.

In order to process personal data, the controller must have one of the 6 lawful bases for doing so. The lawful bases are (1) consent, (2) necessity for performance of a contract with the data subject, (3) compliance with a legal obligation, (4) necessity to protect a vital interest of a person, (5) necessity for the public interest or official authority, and (6) necessity for the site's legitimate interests (Article 6).

It should be quite clear that none of those would permit a normal online service to process your personal data in this scenario. They do not have your consent, they are not in a contract with you, and there are no legal obligations, vital interests, public interest, or legitimate interests for keeping that data.

Where a controller has no lawful basis for the data processing, you have the right to erasure. Article 17 provides:

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: [...] (d) the personal data have been unlawfully processed;

Article 12 provides more information on exercising your rights against controllers (including the right to erasure).

So, in your scenario, although you may have no right to access or delete the account which does not belong to you, you may have the right to require your email address to be removed from it. Going back to your comment, this seems quite a reasonable scenario: your rights extend to the aspects which affect you but not to those which do not.

JBentley