User privacy options and ability to disable public profiles

AH 24/02/2021 14:36

UPDATE

We have developed this as a separate module for the time being:
https://github.com/mainio/decidim-module-privacy

During the development we also noticed that it would be highly useful to have certain controls within the programming API to support all this and require less core overrides:
https://github.com/decidim/decidim/pull/11036

**Is your feature request related to a problem? Please describe.**

Some users are very cautious about their privacy and currently in Decidim it is not possible to create private user accounts. Once you create an account on the platform, it is public and available for everyone's eyes.

The person searching their name in Google (or other search engines) will find results on the Decidim platform. Some people are extremely worried about this functionality and some will even refuse to participate unless they can do it privately.

**Describe the solution you'd like**

I'd like to be able to configure per profile whether the public profiles functionality is active or disabled for that user. When disabled, the public profiles would not be accessible on the platform and the user's information would be completely hidden or otherwise anomymized on the platform.

This should be is configurable through the profile settings and the system administrator could decide the default (public or private). Under the profile pages we should have a new section named "Privacy settings" where we would provide the following options:

"Profile publicity" - Enable public profile ON / OFF toggle
"Private messaging" - Enable private messaging ON / OFF toggle
"Private messaging" - Allow anyone to send me a direct message, even if I don't follow them ON / OFF toggle
This option is currently under the notification settings but should be moved under the privacy settings

After the discussion below, it would be also required that the person's name is hidden in all activities that they have done on the platform. This would apply e.g. to the profile badge in comments and proposals as well as the data exports and the API where the name would appear.

If the user has decided to make their profile private, their name should not appear next to their comments anymore or next to anything that they have created on the platform, such as proposals, collaborative drafts, meetings, debates, etc. The profile badge should be completely hidden for people who decided to make their profile private afterwards.

The public profile option should be disabled by default when the user registers to the platform through the registration form or any OmniAuth authentication option. When the user is about to perform a publicly visible action on the platform, the user should be shown an explicit popup which states what consequences this has. The popup should be shown if the user has their public profile disabled at the moment and disabling the public profile should prevent the user from performing any public activity on the platform altogether. Only if they allow their profile to be public with explicit information about what is shown publicly in the profile pages, they are able to perform public activities on the platform.

From the popup, the user should be able to give their consent to publish their profile with all the information listed on the mentioned popup. After the consent is given, the user is able to perform the public action on the website. This consent should be stored in the users table with a timestamp when the consent was given.

If the user decides to make their profile private after performing the public action, again their public profile should disappear from the website and their information should be hidden or anonymized from every place where it can be shown on the platform.

**Describe alternatives you've considered**

We are going to implement this as a module that we can add to any Decidim instance. We are hoping that some of this work could be later on integrated back to the core to make these options more widely available for Decidim users.

It has been agreed with the product team that in case we need to add any abstractions to support this functionality to the core already today, we can create such PRs and they would be accepted as long as they maintain the current functionality by default.

**Additional context**

Especially in Finland people can be extremely cautious about entering their details into any web platforms or having their name appear on public websites where other people can inspect what their neighbor is doing. After the discussion below, this is clearly not only Finland specific but this same problem appears in other contexts too.

Some people feel this is a violation of their personal privacy.

**Does this issue impact on users private data?**

Yes, it has a positive impact on users' private data as their private data won't become publicly visible on a website without them having full control over it.

**Funded by**

We have funding to develop these features.

Filter results for: Awaiting funding

Comment

Liked by Virgile Deville and 5 more

Liked by

Virgile Deville

Pauline Bessoles

Oliver Azevedo Barnes

Wouter Tebbens

álvaro ortiz

Pierre Mesure

Comment details

You are seeing a single comment

View all comments

Carol Romero 05/05/2021 11:21

Hi @ah, some comments regarding this proposal:

To begin with, the issue of privacy is something we have given a lot of thought to at Decidim, we have asked for advice from hackers and privacy experts. Precisely the registration form incorporates the text: "Public name that appears on your posts. With the aim of guaranteeing the anonymity, can be any name." This, by the way, is easily customizable for each instance if you want to change the name of the field, for example.

Regarding the problem with third parties, it could be configured so that when you login a warning appears that the application is going to use your avatar, your email and your name, or you could also change this flow so that participants can review and modify their nickname/avatar/name. Anyway, it seems strange to me that someone concerned about preserving their privacy would register on a platform using their identity in social networks.

As @andres said in the previous comment, this issue requires pedagogy with users to maintain good digital hygiene and privacy, both on this platform and others.

We think it's actually more dangerous for privacy to make the participant believe that their profile is "private" when in fact it is not. Its name will be available through other ways and not only the profile, for instance the global search, open data CSV downloads, GraphQL API, and also for external parties, like a search with the query "site:", ie https://duckduckgo.com/?q=%22Antti%22+site%3Aomastadi.hel.fi&t=hd&va=u&ia=web

AH 05/05/2021 11:42

Hi @carol and thanks for the clarifications!

In Finland people are extremely concerned when their name appears on a public website. Even in Facebook you can decide yourself if your profile is searchable from Google or visible to other people than your friends. Some people also feel it is a barrier for participation if they have to display their name with their proposal/idea, they don't want their neighbors lurking what they are proposing (Finnish mentality, don't ask why).

This is the biggest concern, because a) the name will automatically be visible with their proposal/idea AND b) their profile is visible when they (or their neighbor) google their name.

For the points above:

Even when the text about anonymity is visible in the registration form, people don't realize the name becomes visible on the platform. I believe they think it just asks their name for administrative purposes (even when we have not customized the text). A direct feedback from a participant on a platform with that text visible in the registration form: "I thought the nickname would only appear and I don't understand why my name is visible on the site, can you please hide my name".

Regarding third parties, that does not apply to strong identity providers (such as Suomi.fi) which people primarily use to manage their tax issues, public health issues, etc. online. We provide this same authentication method for Finnish citizens in Decidim using an omniauth provider. When they sign in with that method (even just for voting), a public profile is automatically created with their name. They later then become surprised and angry that they find their profile when they google their name. The default in these situations should be that a public profile won't be visible (and they could decide if they want it visible later on from profile settings).

I understand it maintains a good digital hygiene when you have to act with your name. You think more what you do online when you do it with your name, I believe I understand the thinking behind that. But the consensus at least in Finnish cities is that they would rather moderate the unwanted content from the platform than add barriers for entry because it causes them extra work. Right now the only workaround (which people are ACTUALLY using) is that they call the civil servants with their ideas or submit their idea on paper or by email. Then the employees have to submit it to the platform with their shared group account. This causes unnecessary extra work for the civil servants rather than just adding the ability to act privately on the platform.

We don't think it is dangerous for privacy if we ACTUALLY make the profile _private_ as described above. This would mean that in the global search, open data CSV downloads, GraphQL API and search engines their name would not be visible. If they decide to act privately, their name would be replaced with something like "Participant #123" or something along those lines.

Carol Romero 05/05/2021 12:55

Hey @ah thank you for the elaborated answer!

I understand that this is really a situation that is quite particular to the Finnish context 😅.
To separate the different problems and to give you some ideas that we have in @product in the medium term:

Regarding the registration form, we have yet to rethink it and remove fields from the form that are not strictly necessary. Personally I quite like the Reddit signup flow, where you only enter email, nickname and password once. We think the registration form should evolve to a similar model. With that, we would no longer have the real name problem (participants would still be able to access their profile and fill it in if they wanted to, name will be filled with the nickname by default). We hope to discuss this when we start the platform redesign process later this year.

As for the oauth options, IMO for each instance we would have to work with the expectations of that community. If culturally the expectation is not to show the real name perhaps it could be made even more explicit when selecting the different Finnish identification systems?

What I mean in the end is that we don't see this as a core Decidim functionality. Do you think it's possible to make this development as a module or overrides in your app? However, I think the privacy debate is important and we can continue to explore alternatives to improve it. If anyone else want to chime in and give feedback regarding all the issues that we're discussing it'd be awesome to have more opinions in this matter.

AH 05/05/2021 13:24

The first point I would very much support, this would indeed solve the described problem for the direct registration users.

For the oauth options, we could default to not saving the name but it is a necessary field and without it, the user record won't save. Also, I believe the nickname is automatically generated from the name right now and if we remove the name, the users would have to create their nickname on the platform. Imagine the confusion the user would get when they come ONLY for PB voting and the system asks their nickname... I don't think this would be good either.

I really think it would be very beneficial to have the "privacy" options available under the user profile where they could decide e.g. about the visibility of the public profile (and default it to hidden or make the defaults configurable for admins). We could fork the user related functionality to its own module but it's not easy to manage in a module because we would have to override parts of the user model, user forms and the user views. This sort of stuff that strongly relates to existing core functionality is quite hacky to put in a module. + it becomes hard to manage every time there are core changes related to the users.

If you strongly feel in @product that the publicity of the profiles is a must in Decidim, I would really want to open the conversation further into how can we make it so that it wouldn't have any effect in the current functionality in instances by default but for system administrators we could add options to add these privacy options available for the users.

álvaro ortiz 05/05/2021 13:18

Even when the text about anonymity is visible in the registration form, people don't realize the name becomes visible on the platform

FWIW, we've gone through these issue with two clients.

In another case there was a serious problem, as the admins invited people from the city council to a process, and this generated public profiles for all those users, without anybody realizing it.

Andrés 05/05/2021 13:33

FWIW, we've gone through these issue with two clients.

Do you think we should make more prominent the current message? Now it says "Public name that appears on your posts. With the aim of guaranteeing anonymity, can be any name."

In another case there was a serious problem, as the admins invited people from the city council to a process, and this generated public profiles for all those users, without anybody realizing it.

What invitation form is that? Administrators of a participatory process? Participants in an assembly?

I think this should be better explained in the invitation form, so admins know that this is a "loaded gun" and they should be careful using these invitations.

álvaro ortiz 05/05/2021 13:51

Do you think we should make more prominent the current message?

I think the main label (Your name) is much more prominent in terms of perception than that of the label. So the solution would be to actually change the main label to something like "Nickname", but that generates the inverse problem. I think when you set up a site you have the expectation of being able to not require a real identity at a conf level.

What invitation form is that?

Can't recall exactly. The city council set up a private process for city workers, they invited with an CSV to +200 users, public profiles got generated and indexed, I think even those that didn't act on the invitation, someone saw their name in a Google result, and complained (GDPR breach...)

AH 05/05/2021 13:59

I think the main label (Your name) is much more prominent in terms of perception

I agree with this, as I tried to mention above. If you expect users to write something else there than "your name" or "name", the label of the field should be something else. Maybe "First name"?

The helping text is really small, comes AFTER the field and many people don't even read any further explanations if the text is longer than two-three words.

Reference: MDC-PROP-2021-02-16247
Version number 5 (of 5) see other versions

Fingerprint

The piece of text below is a shortened, hashed representation of this content. It is useful to ensure the content has not been tampered with, as a single modification would result in a totally different value.

Value: e302499e75cb486f10ad972a4ebd6bb4128bbc1e3cd5a442605cf00fef6fe470

Source:

{"body":{"en":"<p><strong>UPDATE</strong></p><p>We have developed this as a separate module for the time being:<br><a href=\"https://github.com/mainio/decidim-module-privacy\" rel=\"noopener noreferrer\" target=\"_blank\">https://github.com/mainio/decidim-module-privacy</a></p><p>During the development we also noticed that it would be highly useful to have certain controls within the programming API to support all this and require less core overrides:<br><a href=\"https://github.com/decidim/decidim/pull/11036\" rel=\"noopener noreferrer\" target=\"_blank\">https://github.com/decidim/decidim/pull/11036</a></p><p><strong>**Is your feature request related to a problem? Please describe.**</strong></p><p>Some users are very cautious about their privacy and currently in Decidim it is not possible to create private user accounts. Once you create an account on the platform, it is public and available for everyone's eyes.</p><p>The person searching their name in Google (or other search engines) will find results on the Decidim platform. Some people are extremely worried about this functionality and some will even refuse to participate unless they can do it privately.</p><p><strong>**Describe the solution you'd like**</strong></p><p>I'd like to be able to configure per profile whether the public profiles functionality is active or disabled for that user. When disabled, the public profiles would not be accessible on the platform and the user's information would be completely hidden or otherwise anomymized on the platform.</p><p>This should be is configurable through the profile settings and the system administrator could decide the default (public or private). Under the profile pages we should have a new section named \"Privacy settings\" where we would provide the following options:</p><ul><li>\"Profile publicity\" - Enable public profile ON / OFF toggle</li><li>\"Private messaging\" - Enable private messaging ON / OFF toggle</li><li>\"Private messaging\" - Allow anyone to send me a direct message, even if I don't follow them ON / OFF toggle</li><li class=\"ql-indent-1\">This option is currently under the notification settings but should be moved under the privacy settings</li></ul><p>After the discussion below, it would be also required that the person's name is hidden in all activities that they have done on the platform. This would apply e.g. to the profile badge in comments and proposals as well as the data exports and the API where the name would appear.</p><p>If the user has decided to make their profile private, their name should not appear next to their comments anymore or next to anything that they have created on the platform, such as proposals, collaborative drafts, meetings, debates, etc. The profile badge should be completely hidden for people who decided to make their profile private afterwards.</p><p>The public profile option should be disabled by default when the user registers to the platform through the registration form or any OmniAuth authentication option. When the user is about to perform a publicly visible action on the platform, the user should be shown an explicit popup which states what consequences this has. The popup should be shown if the user has their public profile disabled at the moment and disabling the public profile should prevent the user from performing any public activity on the platform altogether. Only if they allow their profile to be public with explicit information about what is shown publicly in the profile pages, they are able to perform public activities on the platform.</p><p>From the popup, the user should be able to give their consent to publish their profile with all the information listed on the mentioned popup. After the consent is given, the user is able to perform the public action on the website. This consent should be stored in the users table with a timestamp when the consent was given.</p><p>If the user decides to make their profile private after performing the public action, again their public profile should disappear from the website and their information should be hidden or anonymized from every place where it can be shown on the platform.</p><p><strong>**Describe alternatives you've considered**</strong></p><p>We are going to implement this as a module that we can add to any Decidim instance. We are hoping that some of this work could be later on integrated back to the core to make these options more widely available for Decidim users.</p><p>It has been agreed with the product team that in case we need to add any abstractions to support this functionality to the core already today, we can create such PRs and they would be accepted as long as they maintain the current functionality by default.</p><p><strong>**Additional context**</strong></p><p>Especially in Finland people can be extremely cautious about entering their details into any web platforms or having their name appear on public websites where other people can inspect what their neighbor is doing. After the discussion below, this is clearly not only Finland specific but this same problem appears in other contexts too.</p><p>Some people feel this is a violation of their personal privacy.</p><p><strong>**Does this issue impact on users private data?**</strong></p><p>Yes, it has a positive impact on users' private data as their private data won't become publicly visible on a website without them having full control over it.</p><p><strong>**Funded by**</strong></p><p>We have funding to develop these features.</p>"},"title":{"en":"User privacy options and ability to disable public profiles"}}

This fingerprint is calculated using a SHA256 hashing algorithm. In order to replicate it yourself, you can use an MD5 calculator online and copy-paste the source data.

Essential

Preferences

Analytics and statistics

Marketing

User privacy options and ability to disable public profiles

Liked by

Please log in

Cookie settings

Essential

Preferences

Analytics and statistics

Marketing

User privacy options and ability to disable public profiles

Share

Liked by

Confirm

Please log in