Ability to disable public profiles
**Is your feature request related to a problem? Please describe.**
Some users are very cautious about their privacy and currently in Decidim it is not possible to create private user accounts. Once you create an account on the platform, it is public and available for everyone's eyes.
The person searching their name in Google (or other search engines) will find results on the Decidim platform. Some people are extremely worried about this functionality and some will even refuse to participate unless they can do it privately.
**Describe the solution you'd like**
I'd like to be able to configure whether the public profiles functionality is active or disabled on the platform. When disabled, the public profiles would not be accessible on the platform.
Another possibility would be that this is configurable through the profile settings and the system administrator could decide the default (public or private).
After the discussion below, it would also be required that the person's name is hidden in all activities that they have done on the platform. This would apply e.g. to the profile badge in comments and proposals as well as the data exports and the API where the name would appear. In case the participant wants to remain anonymous, we could show e.g. "Participant 123" instead of the name in their profile.
**Describe alternatives you've considered**
Creating a customization per instance but this exact same request comes to us every other month now, so I think it would be sensible to consider how to solve this properly.
Given the proposed functionality, this could also be a setting per profile, but in that case it should be disabled by default and only if the user wants would their profile become public.
**Additional context**
Especially in Finland people can be extremely cautious about entering their details into any web platforms or having their name appear on public websites where other people can inspect what their neighbor is doing.
Some people feel this is a violation of their personal privacy.
**Could this issue impact users' private data?**
Yes, it has a positive impact on users' private data as their private data won't become publicly visible on a website without them having full control over it.
**Funded by**
We can possibly find funding for this if it is agreed on.
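As an added illustration (not Decidim's own code, and not part of the proposal), the following Ruby shows how the requested setting could be modelled: a per-user "public profile" flag with a system-wide default, and one display-name helper reused by the comment badge, the profile link and a CSV export row so the masking reaches every place the name would otherwise appear. The constant, struct and function names are hypothetical.

```ruby
# Added illustration (hypothetical, not Decidim's code): mask a participant's
# name everywhere unless their profile is public, with an admin-set default.
require "csv"

# Hypothetical system-level setting: what a profile is until the user decides.
PROFILE_DEFAULT_PUBLIC = false

# Minimal stand-in for a user record; `public_profile` is nil until the user
# makes a choice, so the platform default applies.
User = Struct.new(:id, :name, :nickname, :public_profile, keyword_init: true)

# True when the participant opted in, or made no choice and the default is public.
def profile_public?(user, default_public: PROFILE_DEFAULT_PUBLIC)
  user.public_profile.nil? ? default_public : user.public_profile
end

# The single name used by comments, proposal cards, exports and the API.
def display_name(user, default_public: PROFILE_DEFAULT_PUBLIC)
  return user.name if profile_public?(user, default_public: default_public)

  "Participant ##{user.id}"
end

# Profile link; nil means no public profile page is exposed for this user.
def profile_path(user, default_public: PROFILE_DEFAULT_PUBLIC)
  return nil unless profile_public?(user, default_public: default_public)

  "/profiles/#{user.nickname}"
end

# Open-data export row: the same masking must reach CSV downloads, not only views.
def export_row(proposal_title, user, default_public: PROFILE_DEFAULT_PUBLIC)
  [proposal_title, display_name(user, default_public: default_public)].to_csv.chomp
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample participant who has not touched the privacy setting.
  undecided = User.new(id: 123, name: "Example Name", nickname: "example", public_profile: nil)
  puts display_name(undecided)        # "Participant #123" (default is private)
  puts export_row("Park idea", undecided)
  puts profile_path(undecided).inspect
end
```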
Conversation with Carol Romero
Hi @ahu, some comments regarding this proposal:
To begin with, the issue of privacy is something we have given a lot of thought to at Decidim; we have asked for advice from hackers and privacy experts. The registration form specifically includes the text: "Public name that appears on your posts. With the aim of guaranteeing the anonymity, can be any name." This, by the way, is easily customizable for each instance if you want to change the name of the field, for example.
Regarding the problem with third parties, it could be configured so that when you log in, a warning appears that the application is going to use your avatar, your email and your name, or you could also change this flow so that participants can review and modify their nickname/avatar/name. Anyway, it seems strange to me that someone concerned about preserving their privacy would register on a platform using their identity in social networks.
As @andres said in the previous comment, this issue requires pedagogy with users to maintain good digital hygiene and privacy, both on this platform and others.
We think it's actually more dangerous for privacy to make the participant believe that their profile is "private" when in fact it is not. Their name will be available through other ways and not only the profile, for instance the global search, open data CSV downloads, GraphQL API, and also for external parties, like a search with the query "site:", i.e. https://duckduckgo.com/?q=%22Antti%22+site%3Aomastadi.hel.fi&t=hd&va=u&ia=web
Hi @carol and thanks for the clarifications!
In Finland people are extremely concerned when their name appears on a public website. Even on Facebook you can decide yourself if your profile is searchable from Google or visible to people other than your friends. Some people also feel it is a barrier for participation if they have to display their name with their proposal/idea; they don't want their neighbors lurking at what they are proposing (Finnish mentality, don't ask why).
This is the biggest concern, because a) the name will automatically be visible with their proposal/idea AND b) their profile is visible when they (or their neighbor) google their name.
For the points above:
Even when the text about anonymity is visible in the registration form, people don't realize the name becomes visible on the platform. I believe they think it just asks their name for administrative purposes (even when we have not customized the text). A direct feedback from a participant on a platform with that text visible in the registration form: "I thought the nickname would only appear and I don't understand why my name is visible on the site, can you please hide my name".
Regarding third parties, that does not apply to strong identity providers (such as Suomi.fi) which people primarily use to manage their tax issues, public health issues, etc. online. We provide this same authentication method for Finnish citizens in Decidim using an omniauth provider. When they sign in with that method (even just for voting), a public profile is automatically created with their name. They later become surprised and angry when they find their profile when they google their name. The default in these situations should be that a public profile won't be visible (and they could decide if they want it visible later on from profile settings).
I understand it maintains good digital hygiene when you have to act with your name. You think more about what you do online when you do it with your name; I believe I understand the thinking behind that. But the consensus at least in Finnish cities is that they would rather moderate the unwanted content from the platform than add barriers for entry, because it causes them extra work. Right now the only workaround (which people are ACTUALLY using) is that they call the civil servants with their ideas or submit their idea on paper or by email. Then the employees have to submit it to the platform with their shared group account. This causes unnecessary extra work for the civil servants rather than just adding the ability to act privately on the platform.
We don't think it is dangerous for privacy if we ACTUALLY make the profile private as described above. This would mean that in the global search, open data CSV downloads, GraphQL API and search engines their name would not be visible. If they decide to act privately, their name would be replaced with something like "Participant #123" or something along those lines.
Hey @ahu thank you for the elaborated answer!
I understand that this is really a situation that is quite particular to the Finnish context 😅.
To separate the different problems and to give you some ideas that we have in @product in the medium term:
Regarding the registration form, we have yet to rethink it and remove fields from the form that are not strictly necessary. Personally I quite like the Reddit signup flow, where you only enter email, nickname and password once. We think the registration form should evolve to a similar model. With that, we would no longer have the real name problem (participants would still be able to access their profile and fill it in if they wanted to, name will be filled with the nickname by default). We hope to discuss this when we start the platform redesign process later this year.
As for the oauth options, IMO for each instance we would have to work with the expectations of that community. If culturally the expectation is not to show the real name perhaps it could be made even more explicit when selecting the different Finnish identification systems?
What I mean in the end is that we don't see this as a core Decidim functionality. Do you think it's possible to make this development as a module or overrides in your app? However, I think the privacy debate is important and we can continue to explore alternatives to improve it. If anyone else wants to chime in and give feedback regarding all the issues that we're discussing, it'd be awesome to have more opinions on this matter.
The first point I would very much support, this would indeed solve the described problem for the direct registration users.
For the oauth options, we could default to not saving the name but it is a necessary field and without it, the user record won't save. Also, I believe the nickname is automatically generated from the name right now and if we remove the name, the users would have to create their nickname on the platform. Imagine the confusion the user would get when they come ONLY for PB voting and the system asks their nickname... I don't think this would be good either.
I really think it would be very beneficial to have the "privacy" options available under the user profile where they could decide e.g. about the visibility of the public profile (and default it to hidden or make the defaults configurable for admins). We could fork the user related functionality to its own module but it's not easy to manage in a module because we would have to override parts of the user model, user forms and the user views. This sort of stuff that strongly relates to existing core functionality is quite hacky to put in a module, and it becomes hard to manage every time there are core changes related to the users.
If you strongly feel in @product that the publicity of the profiles is a must in Decidim, I would really want to open the conversation further into how we can make it so that it wouldn't have any effect on the current functionality in instances by default, but for system administrators we could add options to make these privacy options available for the users.
FWIW, we've gone through these issues with two clients.
In another case there was a serious problem, as the admins invited people from the city council to a process, and this generated public profiles for all those users, without anybody realizing it.
Do you think we should make the current message more prominent? Now it says "Public name that appears on your posts. With the aim of guaranteeing anonymity, can be any name."
What invitation form is that? Administrators of a participatory process? Participants in an assembly?
I think this should be better explained in the invitation form, so admins know that this is a "loaded gun" and they should be careful using these invitations.
I think the main label (Your name) is much more prominent in terms of perception than that of the label. So the solution would be to actually change the main label to something like "Nickname", but that generates the inverse problem. I think when you set up a site you have the expectation of being able to not require a real identity at a conf level.
Can't recall exactly. The city council set up a private process for city workers, they invited with a CSV 200+ users, public profiles got generated and indexed, I think even for those that didn't act on the invitation; someone saw their name in a Google result, and complained (GDPR breach...)
I agree with this, as I tried to mention above. If you expect users to write something else there than "your name" or "name", the label of the field should be something else. Maybe "First name"?
The helping text is really small, comes AFTER the field and many people don't even read any further explanations if the text is longer than two-three words.