Community Wishlist Survey 2019/Anti-harassment/Make it possible to not expose email-addresses

From Meta, a Wikimedia project coordination wiki
Jump to navigation Jump to search
Random proposal◄ Anti-harassment  The survey has concluded. Here are the results!

Make it possible to not expose email-addresses

The user can be protected from account creation on, without knowing about preferences.
  • Problem: The email address associated with a wiki user account gets exposed, if the user accepts wikimail and sends answers to received mail. This creates two risks: with the knowledge of the mail address a hacker can try to take over an account, and a stalker can get knowledge of the private email address of a user and then harrass this user outside of wikipedia.
For password recovery an address with a secure mail provider is a good choice. For wikimail on the other hand a throw-away-mail-address, that can be easily replaced, if it becomes known to a stalker or the public, makes more sense.
  • Who would benefit: every user of wikimail.
  • Proposed solution: Add the option to specify a second email address in the preferences for all users.
    Add the following global preferences (email and password are already global):
    • checkboxes to select what email address to use with wikimail or none at all
    • checkboxes to select what email address to use for password recovery or none at all
      • if both boxes are checked, different temporary passwords are sent to both addresses and both are needed to login
    • checkboxes to select what email address to use for echo and other notifications
    • in a more ambitious additional approach the local echo preferences could allow the configuration of every notification type to be sent onwiki, to first address, to second address
    In a given time frame only one email address can be changed. A confirm message is sent to the new address and additionally a "cancel the change" message is sent to the other unchanged address.
    The option of two addresses would allow the use of a throw-away-email-address for wikimail. So if this address becomes known to a stalker, you can simply change this address, while keeping your secret secure email address for all other uses.
  • More comments: Nothing changes for any user who does not specify an email address or stays with one address.
Two years ago the wishlist survey contained four proposals to address this type of problem. Among these, this proposal got the most votes. This proposal has in the meantime been added to the workboard of the anti-harrasment team as a topic of interest. In last year's wishlist survey the proposal was overtaken in the ending of the voting by proposals that are of most use to very profient users. This email proposal (either as presented here, or alternativly in the way of an anonmous email exchange within Wikimedia) is of use to all users as users are more likely to send mails at all and users are more likely to actually answer to emails.


  • Note the linked Phabricator discussion has some exiting criticism of this proposal and some counter-suggestions that would make the UI far less complex. Anomie (talk) 15:29, 31 October 2018 (UTC)Reply[reply]
    • @°: What do you think of the related proposal from 2016? Kaldari (talk) 17:46, 1 November 2018 (UTC)Reply[reply]
      • That proposal was also entered in 2017 and I repeat, what I said before: I think my idea is the most flexible and easiest to implement, but what really matters to me that something is done. That can be my proposal, or the one with the dummy address, or a system based on flow or talk pages, or something else. If another proposal is entered again this year, I am all for merging the proposals. If this proposal is voted in the top 10, the wishlist team may implent whatever deems the team the best solution, as long as this problem gets addressed. (But I prefer my idea). --𝔊 (Gradzeichen DiſkTalk) 15:07, 2 November 2018 (UTC)Reply[reply]
  • This was proposed last year, and it should be linked prominently in this proposal somewhere. I opposed the specific implementation then and I would do the same now--the problem statement does not point to a second email address as a solution, nor an effective solution. --Izno (talk) 03:35, 3 November 2018 (UTC)Reply[reply]
    • Have you read the paragraph above your message? The proposal is not about a specific implementation, but about an urgently needed solution to a severe problem. For all 10 proposals that will be adopted by the wishlist team, the implemented solution may substantially differ from the proposal text. I have described, how I would solve the problem. And the problem is that Wikipedia is the only maior website, that exposes users email addresses to strangers. This severly hampers the project, as people do not ask questions by email for fear of exposing their address or do not answer questions that need to be answered. --𝔊 (Gradzeichen DiſkTalk) 15:04, 4 November 2018 (UTC)Reply[reply]
  • I don't a second e-mail as a problem, but it consider it a convenience feature, not a security one. 2FA authentication, which has limited implementation, helps a lot more. Tetizeraz (talk) 14:45, 3 November 2018 (UTC)Reply[reply]
    • 2FA is there, it is used by admins. Opening 2FA for other accounts is not a topic for the wishlist team but for security people. Hiding your email is however not convenience, but a basic requirement for every website with user accounts and many users that do not know each other. --𝔊 (Gradzeichen DiſkTalk) 15:04, 4 November 2018 (UTC)Reply[reply]

Hi. I'm renaming this proposal to focus on the problem statement instead of the solution. I hope that's okay. We can tweak it if you like. Thank you. -- NKohli (WMF) (talk) 18:00, 13 November 2018 (UTC)Reply[reply]

  • The obvious solution is just to have a second throw-away email address that you link to wikipedia that auto-redirects to your main email account that you check regularly. My email connected to wikipedia basically is just a redirect to my main email account, so when I get sent or send emails from wikipedia it goes through that account (and people see that account), and when I get replies they also arrive at my regularly checked address. I would think that anyone paranoid enough about personal security *wink* would do the same, and everybody else wouldn't care in the slightest, so I don't much see the point in this proposal and I don't think it should be one of ten things that community tech works on this year. — Insertcleverphrasehere (or here) 00:38, 17 November 2018 (UTC)Reply[reply]
  • Don't use email unless you are willing to expose both the address and its content. Trying to obfuscate email addresses are simply stupid. If you want a secure communication channel use a really secure channel. — Jeblad 07:57, 18 November 2018 (UTC)Reply[reply]
  • I don't understand the reason of the last image in the proposal: we can't change an email address for another one hosted on the same domain. May be it's OK for the master email address, but this does not make sense for the secondary email address we want to give to others when sending emails to them via MediaWiki. This secondary email address may be a droppable email address we'd like to change at any time, without being forced to use another provider, which may be more costly and would radically change the way these email addresses are read by their owner, forcing them to change their provider (notably if it's a webmail like Gmail), load another application (on their smartphone or tablet), and so on. In my opinion this is not necessary at all (even if we can limit these changes to only once every 4 days to limit abuses, but the MediaWiki wiki admins also have a private history log in that case to know who owned the previous secondary address; but we can understand that they must not be sollicitated multiple times every day; the 96 hours limit is probably OK to avoid surcharges on admins and allows users to reconfirm their new address easily or change it only when this is necessary, and the 96 hours also gives a small grace period during which an unexpected change may be reverted by their legitimate users, and then allows users better protecting their own account agasint abuses like impersonations and identity thefts, with the possiblity for them to contact admins to see what happened in their account). verdy_p (talk) 21:37, 29 November 2018 (UTC)Reply[reply]
    • Anyway the multifactor authentication (MFA) in Mediawiki should be available to limit the possibilities of impersonnation: after a change of email adress anyway the new adress must be confirmed from the second email address registered or by other ways proposed by the MFA implementation (SMS to a phone number, OAuth provider, PGP signatures, personnal PKI certificates, fingerprint/biometric authentication, USB key, Microsoft Live/Azure accounts, Amazon accounts, DNS registrar account associated to a secured domain name whose user is the domain owner, personal accounts on password manager clouds storing encrypted wallets protected by strictly personal master password...): there's now many ways to support MFA and users may have several MFA mechanisms activated and could desire to have at least 2 of them verified if they don't trust a single MFA provider whose internal database may have been compromized by external attacks... Users should have the choice of authentication methods and providers to become independant of these providers and improve their privacy so that no provider alone can take control of their online identity. verdy_p (talk) 21:37, 29 November 2018 (UTC)Reply[reply]