Community Wishlist Survey 2017/Anti-harassment/Allow a second email address

Allow a second email address

 
The user can be protected from account creation on, without knowing about preferences.
  • Problem: The email address associated with a wiki user account gets exposed, if the user accepts wikimail and sends answers to received mail. This creates two risks: with the knowledge of the mail address a hacker can try to take over an account, and a stalker can get knowledge of the private email address of a user and then harrass this user outside of wikipedia.
For password recovery an address with a secure mail provider is a good choice. For wikimail on the other hand a throw-away-mail-address, that can be easily replaced, if it becomes known to a stalker or the public, makes more sense.
  • Who would benefit: every user of wikimail.
  • Proposed solution: Add the option to specify a second email address in the preferences for all users.
    Add the following global preferences (email and password are already global):
    • checkboxes to select what email address to use with wikimail or none at all
    • checkboxes to select what email address to use for password recovery or none at all
      • if both boxes are checked, different temporary passwords are sent to both addresses and both are needed to login
    • checkboxes to select what email address to use for echo and other notifications
    • in a more ambitious additional approach the local echo preferences could allow the configuration of every notification type to be sent onwiki, to first address, to second address
    In a given time frame only one email address can be changed. A confirm message is sent to the new address and additionally a "cancel the change" message is sent to the other unchanged address.
    The option of two addresses would allow the use of a throw-away-email-address for wikimail. So if this address becomes known to a stalker, you can simply change this address, while keeping your secret secure email address for all other uses.
  • More comments: Nothing changes for any user who does not specify an email address or stays with one address.
Last year's wishlist survey contained four proposals to address this type of problem. Among these, this proposal got the most votes. One of the other three has been adopted by the anti-harrasment team and is now being implemented. This proposal has in the meantime been added to the workboard of the anti-harrasment team as a topic of interest. The combined votes of last year's four proposals would have been enough to put it into the top ten.

Discussion

edit

For the records, https://phabricator.wikimedia.org/T129747#2777853 offers some concerns about the proposed approach. --AKlapper (WMF) (talk) 12:34, 7 November 2017 (UTC)[reply]

  • This seems like an overly complex solution, compared to just giving everyone their own temporary email alias every time a message is sent.. Nor am I a particular fan of the UX parts of this proposal. But if we reword the proposal to "Do more to avoid disclosing the email address of users", then I'm on board. —TheDJ (talkcontribs) 15:14, 7 November 2017 (UTC)[reply]
  • We could use Structured Discussions for private messaging. You would get a nice interface to follow threads, built-in customized messaging (including an option to not receive emails) and most of the code is already here. Max Semenik (talk) 19:49, 7 November 2017 (UTC)[reply]
    That proposal seems like a similar interface to what reddit currently does with private messages, which isn't crazy to me. --Izno (talk) 19:51, 7 November 2017 (UTC)[reply]
  • The no same domain thing doesn't seem like a good idea imo, since while it sounds good with personal domains, if you use something like gmail for example, then you have to create another account at another provider rather than just use another gmail account. --Terra  (talk) 06:48, 9 November 2017 (UTC)[reply]
  • the basic idea of having a "Dysklyver@editor-en-wikipedia.org" email address to use instead of my normal email would be good, no comment on the general approach above though. I already reply via a different email account to the one which receives emails. A Den Jentyl Ettien Avel Dysklyver (talk) 16:32, 9 November 2017 (UTC)[reply]
  • I mean, although I do have an account without my name on it, I don't consider that insufficient protection, so every time I want to send a wikipedia email (except to a few people I trust), I have to go to a temporary disposable email site, get a temporary email, change my wikipedia email to that, send the email, then set my email back. It's a hassle and I seldom send emails because of that. Also the person can't auto-reply but has to send a separate email to me. A fix for this would be nice. Herostratus (talk) 05:41, 10 November 2017 (UTC)[reply]
  • The root problem is definitely an issue, would be good to fix it. Raystorm (talk) 17:18, 14 November 2017 (UTC)[reply]

@TBolliger (WMF): et al. incl. phab-discussion: I actually thought some time about retitling the proposal and decided against it for the simple reason, that I used this title last year and on phab, so it might confuse people, if I changed it. However the mockups are just that: A visualization to help people see what could be and start a discussion what should be. My intention is, that a good email address shall not be exposed. If this is picked up, the tech team is absolutly free to do two email addresses, or temporary addresses provided by wikipedia, or an internal message system that replaces wikimail, or anything else, if it addresses and solves the underlaying problem. I do not expect, that the implemented solution looks anything like my mockups. But I do hope that the proposal gets picked up by people. --𝔊 (Gradzeichen DiſkTalk) 17:53, 14 November 2017 (UTC)[reply]

  • OK, that's fair. I'm looking forward to seeing how people discuss this proposal, I think it's definitely a hole we should look into plugging. — Trevor Bolliger, WMF Product Manager 🗨 00:20, 15 November 2017 (UTC)[reply]
  • IMO 1) educating people about email security is a better investment (Google supports second factor via TOTP, U2F and all kinds of other things; if set up properly, an email account at a decent provider is hard to steal) 2) a simple workaround is to set up a mail filter to forward user mail to your secondary email account. Again educating people about that seems like an easier path. We should make sure the sender of wikimail and security mail is different, if we don't already. 3) there should be an Echo notification when you request a password reminder. (Not that useful now, will be a lot more useful when Echo gets push notification support.) --Tgr (WMF) (talk) 01:10, 17 November 2017 (UTC)[reply]
    • "Educating about security is better": You cannot educate people who do not want to be educated. Wiki authors are not tech people. German admins have publically protested against being forced to update their years-old 6-byte password to this terrible overlong 8-byte password. They are also alienated by the idea to have to carry a smartphone for 2FA with them, if they want to login to wikipedia in a public library. The reasoning is that "it's only wikipedia, not a bank account!" and "we have backups for the case of a security break." Authors come to Wikipedia, start editing, do not think about security/tech/bullies, and then are terrified, when they get harrassed, then leave this unfriendly project. It is still a good idea to offer 2FA to all, to nag users with more than 500 edits or "passiver Sichter" rights to use 2FA and to force admins, users with more than 1000 edits and "aktiver Sichter" to use 2FA. But still new users do not think about security. --𝔊 (Gradzeichen DiſkTalk) 17:27, 17 November 2017 (UTC)[reply]
      I'd imagine the people who dislike extra security measures and do not care much about their account being breached, and the people who worry about their email address leaking and would set a secondary email, to be disjunct groups. Sometimes you might want to force to some measure of security on people whether they want it or not, but this wish is not about that. --Tgr (WMF) (talk) 19:37, 17 November 2017 (UTC)[reply]
  • As the signup-mockup-picture drew some criticism: How about a signup-wizard, that asks for the username on the first page, the password on the second and so on? --𝔊 (Gradzeichen DiſkTalk) 20:51, 19 November 2017 (UTC)[reply]
  • The UI looks unwieldy. Asking for two email addresses on registration (even though both are optional) is a cognitive burden for editors registering a new account. Perhaps call the auxiliary "account recovery email" instead, and only gently prompt after a few days/edits. We can also have other account recovery options later on, because the problem is only one method of self-serve account recovery (e-mailing sysops doesn't count). --Kakurady (talk) 14:19, 29 November 2017 (UTC)[reply]
  •   Comment I support the Anti-Harassment team working on a suitable solution to this problem, but no, Community Tech resources are better spent elsewhere. MER-C (talk) 11:47, 4 December 2017 (UTC)[reply]
  • I have absolutely no advanced computer skills, but it seems to me that, in my online auction days, that my e-mails with the other side of the transaction went to a randomly generated e-mail address connected with the person's account (something on the order of random code@onlinecompany.com). Is that something that can be done on WP? -- Dolotta (talk) 17:33, 7 December 2017 (UTC)[reply]
  • Not sure if this is a good solution to the problem, or a solution at all. The problem is that you want a priority channel and a throw-away channel, now both are the same. I would propose that all interactions with other users goes on a separate thread, where some (all) interactions are private and anonymous by default. When a user writes a private message only a transcript is sent to the recipient, and both must agree on letting the thread be non-anonymous or non-private. (Yes this can be implemented as part of the Flow-system.) — Jeblad 22:45, 10 December 2017 (UTC)[reply]
  • As product manager for the WMF's Anti-Harassment Tools team I have created a project concept page at Community health initiative/Do more to avoid disclosing the email address of users to track this proposal. We have not prioritized developer time to work on this, but want to have our thoughts organized if we decide to do so. — Trevor Bolliger, WMF Product Manager 🗨 23:54, 13 December 2017 (UTC)[reply]

Voting

edit