All posts in the topic Replacing registered e-mail address in message body with link to Profiles (Short link)
Summary
- There are 6 posts — by 3 authors — in this topic.
- Latest post made by Michael JasonSmith at Jan 16 22:58 UTC
While slightly obscuring clift (at) publicus.net in the web view avoids
some spam harvesting, we've received our first complaint from someone
who feels their privacy has been violated because someone else from the
e-mail world replied and included their deducible e-mail in the message.
Have we considered redacting all e-mail addresses that are registered on
the site and instead inserting a link to the Profile page associated
with that e-mail?
Steven Clift
As a strict answer to your question, no we have not thought about redacting
email addresses ☺ Let me finish my coffee…
Steve, I will mirror your post back to you, to ensure that I understand it. In
the case you cite there were two privacy breaches:
1. A user's email address was disclosed when the user
posted a message to a group (a dissemination breach)
2. The user received an off-list message from another
group member (an invasion of privacy) — which was
possible because of the first breach.
Your proposal, Steve, is that we provide the option of redacting the user's
email address from the From line, and replacing it with the address of the
group. Then the only way to contact other members off-list (on most sites)
would be through the Request Contact page on the profile. This page does not
allow the user to enter in any text in order to *mitigate* the effect of the
invasion of privacy.
A down-side to redacting the email addresses is that it would be more difficult
for recipients to tell who posted the message. Whenever a post is made to the
group, the recipients' privacy is breached (invasion), and they have a right to
quickly and easily know who breached it. It is not a big privacy problem, but I
would rather not create more!
In addition, Email is a *heavily* used system, and altering fundamental parts
of it — such as redacting the From address — would create usability problems.
For example, leaving a message unread, depending on who sent it. I suspect that
redacting the From address would be as aggravating as moving the main
light-switch in your bedroom a couple of centimeters ☺
I see another, larger, problem in the case you cite, Steve: the user was
surprised that his or her email address was disclosed. I encourage all
GroupServer sites to have a public, and clear, privacy statement. On OGN our
privacy statement explicitly states that “Your name and email address will be
disclosed to all members of a group when you post a message to the group.” The
prototype registration pages that I am writing have the privacy policy repeated
on the Request Registration page, and on the Edit Profile page, as well as
linked from the standard footer. It does not mean that the users will read it,
but it is a start.
I am also surprised that the user was surprised. Normally people receive
messages from a group for a while before posting. A user would normally notice
the email addresses in the messages from the group… unless he or she was
Web-only. In this case, the user would *have* to rely on the privacy statement
on the site.
On Thu, 2008-01-17 at 10:54 +1300, Michael JasonSmith wrote:
> Your proposal, Steve, is that we provide the option of redacting the
> user's email address from the From line, and replacing it with the
> address of the group. Then the only way to contact other members
> off-list (on most sites) would be through the Request Contact page on
> the profile. This page does not allow the user to enter in any text in
> order to *mitigate* the effect of the invasion of privacy.
I'm also confused here. Does the proposal regard changing the obscured
email address eg. clift (at) publicus.net (which would be easy), or
changing the From: address?
What Steve actually said was:
"...privacy has been violated because someone else from the
e-mail world replied and included their deducible e-mail in the
*MESSAGE*..." (emphasis mine)
In the message body case, well, yes, I think we can probably do better
than the way we currently obscure it. However, this is *not* a privacy
breach -- the list is public, anyone can join it, and common observation
skills should tell a user that all email comes From: the email of the
user sending it (which makes any obscured email in the body moot).
If they have always been web only, that is a slightly different case, as
Michael has correctly explained. Given that it shows you the email
address that you'll be posting the message from, even in web only mode,
I'd suggest that even in web only mode it should be fairly obvious
(though we could make it even more obvious by explicitly stating that at
the time of posting I guess).
It was in the message.
The person probably didn't understand that e-mail participants could see her
e-mail in the From: (something that I think should stay and IMHO web posters
should be given the private reply option like Google Groups does), but having a
version of her e-mail reposted on the public web is what raised up her dander.
A short cut to clift (at) publicus.net might be to simply put in clift(at) and
leave the rest blank ... the only problem is that e-mail addresses meant to be
displayed for contacting people would then become dead ends.
On Wed, 2008-01-16 at 16:44 -0600, Steven Clift wrote:
> It was in the message.
>
> The person probably didn't understand that e-mail participants could see her
> e-mail in the From: (something that I think should stay and IMHO web posters
> should be given the private reply option like Google Groups does), but having a
> version of her e-mail reposted on the public web is what raised up her dander.
>
> A short cut to clift (at) publicus.net might be to simply put in
> clift(at) and leave the rest blank ... the only problem is that e-mail
> addresses meant to be displayed for contacting people would then become
> dead ends.
IMO, in the email that goes *out* to people, it would be silly for us to
modify it at all, given that the email address has already been exposed
in a much more convenient location (ie. the From: field).
In the *website* version, I think we should probably be hiding the email
addresses better. That isn't a privacy issue IMO, it just makes it even
harder for spammers.
> "...privacy has been violated because someone else from the
> e-mail world replied and included their deducible e-mail in the
> *MESSAGE*..." (emphasis mine)
I was unsure where in the message the deducible email was: I presumed
the From-line in the header, but I am more than willing to accept that I
presumed wrong and the email address was in the body ☺
If the user's email address was disclosed in the body of an email
message, sent by another group member, I would argue that the user has
experienced a privacy breach; the breach was made by the user who
included the email address in the body of the message. On OGN, this is
in violation of a strict interpretation of our privacy policy, and the
breaching-user could be kicked. However, the breach is reasonable, given
users' common experience with email.
Redacting the email address of logged-in users would not be too hard to
implement, but we are constrained for development resources at the
moment.
Currently the obfuscation of email addresses is done very crudely
    retval = text.replace('@', ' ( at ) ')
To redact the address, we would have to parse out each address
(*shudder*)
    EMAIL_RE = r'[a-zA-Z0-9\._%-]+@([a-zA-Z0-9\-]+\.)+[a-zA-Z]{2,4}'
    emailRe = re.sub(EMAIL_RE, emailRepl, text)
The "emailRepl" would then look each address up
    user = self.context.acl_users.get_userByEmail(email)
and replace the email with a link to the user's profile
    if user:
        email = '<a href="/contacts/%s" title="Profile of %s">%s</a>' % \
            (user.getId(), user.getProperty('fn', ''),
             user.getProperty('fn', ''))
    else:
        email = email.replace('@', ' ( at ) ')
Damn your interesting problems, I have almost written the thing ☺
[Note to self: add a URL property to Custom Users.]
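
An added example, not part of the thread or of GroupServer's code: one way to flesh out the redaction sketched in the last post for the web view, with the body text, the display name and the user id escaped before they reach the HTML. `lookup_user` and the `REGISTERED` sample data are hypothetical stand-ins for `acl_users.get_userByEmail`; the pattern is the one from the post with a non-capturing group.

```python
import html
import re
from urllib.parse import quote

# Pattern from the post, with the domain group made non-capturing.
EMAIL_RE = re.compile(r'[a-zA-Z0-9._%-]+@(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,4}')

# Constructed sample data (assumption): stands in for the user database.
REGISTERED = {
    'alice@example.org': ('alice', 'Alice Example'),
    'bob@example.org': ('bob', 'Bob <b>"B"</b>'),  # name containing markup
}


def lookup_user(email):
    """Hypothetical lookup: (user_id, full_name) for a registered address."""
    return REGISTERED.get(email.lower())


def redact_emails(text):
    """Return HTML for the web view of a plain-text message body.

    Registered addresses become a link to the profile page; any other
    address keeps the existing ' ( at ) ' obfuscation.
    """
    out = []
    pos = 0
    for match in EMAIL_RE.finditer(text):
        # Text between addresses is untrusted too: escape it.
        out.append(html.escape(text[pos:match.start()]))
        email = match.group(0)
        user = lookup_user(email)
        if user:
            user_id, name = user
            safe_name = html.escape(name)  # escapes <, >, & and quotes
            out.append('<a href="/contacts/%s" title="Profile of %s">%s</a>'
                       % (html.escape(quote(user_id, safe='')),
                          safe_name, safe_name))
        else:
            out.append(html.escape(email.replace('@', ' ( at ) ')))
        pos = match.end()
    out.append(html.escape(text[pos:]))
    return ''.join(out)


if __name__ == '__main__':
    print(redact_emails('Reply to alice@example.org or carol@example.net'))
```
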