Community Wishlist Survey 2017/Anti-harassment/Allow a second email address

From Meta, a Wikimedia project coordination wiki

Allow a second email address

The user can be protected from account creation on, without knowing about preferences.
  • Problem: The email address associated with a wiki user account gets exposed, if the user accepts wikimail and sends answers to received mail. This creates two risks: with the knowledge of the mail address a hacker can try to take over an account, and a stalker can get knowledge of the private email address of a user and then harass this user outside of wikipedia.
For password recovery an address with a secure mail provider is a good choice. For wikimail on the other hand a throw-away-mail-address, that can be easily replaced, if it becomes known to a stalker or the public, makes more sense.
  • Who would benefit: every user of wikimail.
  • Proposed solution: Add the option to specify a second email address in the preferences for all users.
    Add the following global preferences (email and password are already global):
    • checkboxes to select what email address to use with wikimail or none at all
    • checkboxes to select what email address to use for password recovery or none at all
      • if both boxes are checked, different temporary passwords are sent to both addresses and both are needed to login
    • checkboxes to select what email address to use for echo and other notifications
    • in a more ambitious additional approach the local echo preferences could allow the configuration of every notification type to be sent onwiki, to first address, to second address
    In a given time frame only one email address can be changed. A confirm message is sent to the new address and additionally a "cancel the change" message is sent to the other unchanged address.
    The option of two addresses would allow the use of a throw-away-email-address for wikimail. So if this address becomes known to a stalker, you can simply change this address, while keeping your secret secure email address for all other uses.
  • More comments: Nothing changes for any user who does not specify an email address or stays with one address.
Last year's wishlist survey contained four proposals to address this type of problem. Among these, this proposal got the most votes. One of the other three has been adopted by the anti-harassment team and is now being implemented. This proposal has in the meantime been added to the workboard of the anti-harassment team as a topic of interest. The combined votes of last year's four proposals would have been enough to put it into the top ten.
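
The change-control and two-part recovery rules described in the proposal, sketched as an added example (not part of the original proposal and not MediaWiki code). The seven-day window, the slot names `first` and `second`, and all class and function names are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

CHANGE_WINDOW = 7 * 24 * 3600  # assumed length of the "given time frame", in seconds

@dataclass
class Account:
    addresses: dict                      # slot ("first"/"second") -> address or None
    recovery_slots: tuple = ("first",)   # the checked "password recovery" boxes
    last_change: float = float("-inf")
    pending: dict = field(default_factory=dict)
    recovery: dict = field(default_factory=dict)

def request_change(acct, slot, new_addr, now):
    """Start changing one address; return mails to send as (recipient, kind, token)."""
    if acct.pending or now - acct.last_change < CHANGE_WINDOW:
        raise PermissionError("only one address may be changed per time frame")
    other = acct.addresses.get("second" if slot == "first" else "first")
    acct.pending = {"slot": slot, "addr": new_addr,
                    "confirm": secrets.token_urlsafe(16),
                    "cancel": secrets.token_urlsafe(16)}
    acct.last_change = now   # assumption: the window starts at the request, even if cancelled
    mails = [(new_addr, "confirm", acct.pending["confirm"])]
    if other:                # single-address accounts have no second channel to warn
        mails.append((other, "cancel", acct.pending["cancel"]))
    return mails

def answer_change(acct, token):
    """Apply a confirm or cancel token; return 'changed', 'cancelled' or 'rejected'."""
    p = acct.pending
    if p and hmac.compare_digest(token, p["cancel"]):
        acct.pending = {}
        return "cancelled"
    if p and hmac.compare_digest(token, p["confirm"]):
        acct.addresses[p["slot"]] = p["addr"]
        acct.pending = {}
        return "changed"
    return "rejected"

def start_recovery(acct):
    """Issue a different temporary password for each selected address."""
    acct.recovery = {s: secrets.token_urlsafe(12) for s in acct.recovery_slots}
    return [(acct.addresses[s], t) for s, t in acct.recovery.items()]

def finish_recovery(acct, supplied):
    """Allow login only if every issued temporary password was supplied."""
    issued, acct.recovery = acct.recovery, {}   # passwords are valid for one attempt
    return bool(issued) and len(supplied) == len(issued) and all(
        any(hmac.compare_digest(t, s) for s in supplied) for t in issued.values())
```

Because the window starts when a change is requested, someone who controls only one mailbox or a stolen session cannot replace both addresses before the owner receives the cancel message at the untouched address.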

Discussion

For the records, https://phabricator.wikimedia.org/T129747#2777853 offers some concerns about the proposed approach. --AKlapper (WMF) (talk) 12:34, 7 November 2017 (UTC)

  • This seems like an overly complex solution, compared to just giving everyone their own temporary email alias every time a message is sent. Nor am I a particular fan of the UX parts of this proposal. But if we reword the proposal to "Do more to avoid disclosing the email address of users", then I'm on board. —TheDJ (talkcontribs) 15:14, 7 November 2017 (UTC)
  • We could use Structured Discussions for private messaging. You would get a nice interface to follow threads, built-in customized messaging (including an option to not receive emails) and most of the code is already here. Max Semenik (talk) 19:49, 7 November 2017 (UTC)
    That proposal seems like a similar interface to what reddit currently does with private messages, which isn't crazy to me. --Izno (talk) 19:51, 7 November 2017 (UTC)
  • The no same domain thing doesn't seem like a good idea imo, since while it sounds good with personal domains, if you use something like gmail for example, then you have to create another account at another provider rather than just use another gmail account. --Terra (talk) 06:48, 9 November 2017 (UTC)
  • the basic idea of having a "Dysklyver@editor-en-wikipedia.org" email address to use instead of my normal email would be good, no comment on the general approach above though. I already reply via a different email account to the one which receives emails. A Den Jentyl Ettien Avel Dysklyver (talk) 16:32, 9 November 2017 (UTC)
  • I mean, although I do have an account without my name on it, I don't consider that insufficient protection, so every time I want to send a wikipedia email (except to a few people I trust), I have to go to a temporary disposable email site, get a temporary email, change my wikipedia email to that, send the email, then set my email back. It's a hassle and I seldom send emails because of that. Also the person can't auto-reply but has to send a separate email to me. A fix for this would be nice. Herostratus (talk) 05:41, 10 November 2017 (UTC)
  • The root problem is definitely an issue, would be good to fix it. Raystorm (talk) 17:18, 14 November 2017 (UTC)

@TBolliger (WMF): et al. incl. phab-discussion: I actually thought some time about retitling the proposal and decided against it for the simple reason, that I used this title last year and on phab, so it might confuse people, if I changed it. However the mockups are just that: A visualization to help people see what could be and start a discussion what should be. My intention is, that a good email address shall not be exposed. If this is picked up, the tech team is absolutely free to do two email addresses, or temporary addresses provided by wikipedia, or an internal message system that replaces wikimail, or anything else, if it addresses and solves the underlying problem. I do not expect, that the implemented solution looks anything like my mockups. But I do hope that the proposal gets picked up by people. --𝔊 (Gradzeichen DiſkTalk) 17:53, 14 November 2017 (UTC)

  • OK, that's fair. I'm looking forward to seeing how people discuss this proposal, I think it's definitely a hole we should look into plugging. — Trevor Bolliger, WMF Product Manager 🗨 00:20, 15 November 2017 (UTC)
  • IMO 1) educating people about email security is a better investment (Google supports second factor via TOTP, U2F and all kinds of other things; if set up properly, an email account at a decent provider is hard to steal) 2) a simple workaround is to set up a mail filter to forward user mail to your secondary email account. Again educating people about that seems like an easier path. We should make sure the sender of wikimail and security mail is different, if we don't already. 3) there should be an Echo notification when you request a password reminder. (Not that useful now, will be a lot more useful when Echo gets push notification support.) --Tgr (WMF) (talk) 01:10, 17 November 2017 (UTC)
    • "Educating about security is better": You cannot educate people who do not want to be educated. Wiki authors are not tech people. German admins have publicly protested against being forced to update their years-old 6-byte password to this terrible overlong 8-byte password. They are also alienated by the idea to have to carry a smartphone for 2FA with them, if they want to login to wikipedia in a public library. The reasoning is that "it's only wikipedia, not a bank account!" and "we have backups for the case of a security break." Authors come to Wikipedia, start editing, do not think about security/tech/bullies, and then are terrified, when they get harassed, then leave this unfriendly project. It is still a good idea to offer 2FA to all, to nag users with more than 500 edits or "passiver Sichter" rights to use 2FA and to force admins, users with more than 1000 edits and "aktiver Sichter" to use 2FA. But still new users do not think about security. --𝔊 (Gradzeichen DiſkTalk) 17:27, 17 November 2017 (UTC)
      I'd imagine the people who dislike extra security measures and do not care much about their account being breached, and the people who worry about their email address leaking and would set a secondary email, to be disjunct groups. Sometimes you might want to force to some measure of security on people whether they want it or not, but this wish is not about that. --Tgr (WMF) (talk) 19:37, 17 November 2017 (UTC)
  • As the signup-mockup-picture drew some criticism: How about a signup-wizard, that asks for the username on the first page, the password on the second and so on? --𝔊 (Gradzeichen DiſkTalk) 20:51, 19 November 2017 (UTC)
  • The UI looks unwieldy. Asking for two email addresses on registration (even though both are optional) is a cognitive burden for editors registering a new account. Perhaps call the auxiliary "account recovery email" instead, and only gently prompt after a few days/edits. We can also have other account recovery options later on, because the problem is only one method of self-serve account recovery (e-mailing sysops doesn't count). --Kakurady (talk) 14:19, 29 November 2017 (UTC)
  • Comment: I support the Anti-Harassment team working on a suitable solution to this problem, but no, Community Tech resources are better spent elsewhere. MER-C (talk) 11:47, 4 December 2017 (UTC)
  • I have absolutely no advanced computer skills, but it seems to me that, in my online auction days, that my e-mails with the other side of the transaction went to a randomly generated e-mail address connected with the person's account (something on the order of random code@onlinecompany.com). Is that something that can be done on WP? -- Dolotta (talk) 17:33, 7 December 2017 (UTC)
  • Not sure if this is a good solution to the problem, or a solution at all. The problem is that you want a priority channel and a throw-away channel, now both are the same. I would propose that all interactions with other users goes on a separate thread, where some (all) interactions are private and anonymous by default. When a user writes a private message only a transcript is sent to the recipient, and both must agree on letting the thread be non-anonymous or non-private. (Yes this can be implemented as part of the Flow-system.) — Jeblad 22:45, 10 December 2017 (UTC)
  • As product manager for the WMF's Anti-Harassment Tools team I have created a project concept page at Community health initiative/Do more to avoid disclosing the email address of users to track this proposal. We have not prioritized developer time to work on this, but want to have our thoughts organized if we decide to do so. — Trevor Bolliger, WMF Product Manager 🗨 23:54, 13 December 2017 (UTC)

Voting