Propose new functionalities for Decidim software

#DecidimRoadmap Designing Decidim together


Ability to disable public profiles

Antti Hukkanen, 24/02/2021 14:36

**Is your feature request related to a problem? Please describe.**

Some users are very cautious about their privacy and currently in Decidim it is not possible to create private user accounts. Once you create an account on the platform, it is public and available for everyone's eyes.

The person searching their name in Google (or other search engines) will find results on the Decidim platform. Some people are extremely worried about this functionality and some will even refuse to participate unless they can do it privately.

**Describe the solution you'd like**

I'd like to be able to configure whether the public profiles functionality is active or disabled on the platform. When disabled, the public profiles would not be accessible on the platform.

Another possibility would be that this is configurable through the profile settings and the system administrator could decide the default (public or private).

After the discussion below, it would also be required that the person's name is hidden in all activities that they have done on the platform. This would apply e.g. to the profile badge in comments and proposals as well as the data exports and the API where the name would appear. In case the participant wants to remain anonymous, we could show e.g. "Participant 123" instead of the name in their profile.

**Describe alternatives you've considered**

Creating a customization per instance but this exact same request comes to us every other month now, so I think it would be sensible to consider how to solve this properly.

Given the proposed functionality, this could also be a setting per profile, but in that case it should be disabled by default, and only if the user wants would their profile become public.

**Additional context**

Especially in Finland people can be extremely cautious about entering their details into any web platforms or having their name appear on public websites where other people can inspect what their neighbor is doing.

Some people feel this is a violation of their personal privacy.

**Could this issue impact users' private data?**

Yes, it has a positive impact on users' private data as their private data won't become publicly visible on a website without them having full control over it.

**Funded by**

We can possibly find funding for this if it is agreed on.

Category: Participant profile and configuration

Endorsements (6): Virgile Deville, Pauline Bessoles, Oliver Azevedo Barnes, Wouter Tebbens, álvaro ortiz, Pierre Mesure, and 3 more people.

Reference: MDC-PROP-2021-02-16247
Version number 2 (of 2)

Fingerprint

The piece of text below is a shortened, hashed representation of this content. It's useful to ensure the content hasn't been tampered with, as a single modification would result in a totally different value.

Value: 737ec39b4d365b828757cea379bcc657faef6533883fc6c53a4df293b2cff6b2


This fingerprint is calculated using the SHA256 hashing algorithm. To replicate it yourself, compute the SHA256 hash of the source data with any SHA256 calculator and compare it with the value above.


18 comments

Andrés, 09/03/2021 12:10

> Given the proposed functionality, this could be also a setting per profile but in that case it should be disabled by default and only if the user wants, their profile would become public.

We've discussed this feature in 2017 with @xabier. Our conclusion was that it could be a "privacy theater", meaning that people could think that their privacy was guaranteed when it wasn't the case, as their activity could be researched in other ways, for instance:

  • by using search engines (like Google or Duck Duck Go)
  • by downloading the CSV open data and filtering it
  • by using the GraphQL API and filtering
  • by scraping the platform

So, if a participant really wants to have privacy in Decidim (and in other web platforms), then she should make changes in her environment and participant account creation, such as:

  • log in through TOR or a VPN
  • sign up with an anonymous account
  • don't reuse a nickname from other web services

So, in Decidim we should have training contents on how you can do that if you want extra privacy. The City of Barcelona even contracted Tactical Tech [0] to make a website with these training contents [1], but we didn't have time to keep this project going as we already had lots of things on our plate.

[0] https://tacticaltech.org/
[1] https://training.decidim.org/ - sadly only available in Spanish and Catalan

Antti Hukkanen, 09/03/2021 12:26

Thanks for the additional insight regarding this.

However, this does not address the particular issue we are facing: when people sign in through automated sign-in options such as Google, Facebook or Suomi.fi in Finland, their profile gets automatically created. Most users don't understand that a public profile was all of a sudden created after a successful sign-in, which is the biggest concern here.

If you would publicly and clearly tell people that "Welcome to vote in PB! In order to vote your name will publicly show up on this platform.", many people would stop there in Finland.

So, imagine you go to vote in a PB process. You have nothing else to do with Decidim, you just want to vote. PB process requires the city to know where you are from, so you use strong authentication to sign in. After this, you vote.

Months or years later you Google your name and you find a public profile on a Decidim instance.

Don't you think this is a privacy violation as is?

I understand people can filter that person's submitted data (ideas, proposals, comments, etc.) from the open data, but if they only want to vote, I don't think it's good that Decidim creates a public profile for them. This should be a decision made by each individual with their consent.

Open data or the data available through the GraphQL API also won't show up in the search engines as the public profile will. Both of these require some amount of technical knowledge in which case most people won't put in the effort. The main concern is why their name shows up in a Google search without them having control over it.

We've had multiple such cases in the past. These are the kinds of people who won't even know how to delete their profiles themselves, even if you send them instructions on how to do it. We have to manually delete these people in order to comply with the laws and regulations (GDPR).

Antti Hukkanen, 03/05/2021 08:24

@andres Last week we launched a new site and there's been multiple people who have contacted the administration with this concern. They don't want their name to be displayed on the site.

I think those issues you mentioned are quite easily solved by just hiding the user's name everywhere on the platform (profile badges, data exports, API) and making the public profile pages completely hidden if the person wants to remain anonymous.

You cannot possibly expect non-technical people to even know what a TOR browser or VPN is. The sign-up form asks for their name, which is why they write their name there. The field should have a different label if you want to allow people to write something other than their name there. Also, this doesn't take away the problem with 3rd party logins, which automatically provide their name to their profile.

I don't believe these people use any other service where they would need a nickname, so that won't be an issue.

Carol Romero, 05/05/2021 11:21

Hi @ahu, some comments regarding this proposal:

To begin with, the issue of privacy is something we have given a lot of thought to at Decidim; we have asked for advice from hackers and privacy experts. In fact, the registration form incorporates the text: "Public name that appears on your posts. With the aim of guaranteeing the anonymity, can be any name." This, by the way, is easily customizable for each instance if you want to change the name of the field, for example.

Regarding the problem with third parties, it could be configured so that when you log in a warning appears that the application is going to use your avatar, your email and your name, or you could also change this flow so that participants can review and modify their nickname/avatar/name. Anyway, it seems strange to me that someone concerned about preserving their privacy would register on a platform using their identity in social networks.

As @andres said in the previous comment, this issue requires pedagogy with users to maintain good digital hygiene and privacy, both on this platform and others.

We think it's actually more dangerous for privacy to make the participant believe that their profile is "private" when in fact it is not. Their name will be available through other ways and not only the profile, for instance the global search, open data CSV downloads, GraphQL API, and also for external parties, like a search with the query "site:", i.e. https://duckduckgo.com/?q=%22Antti%22+site%3Aomastadi.hel.fi&t=hd&va=u&ia=web

Antti Hukkanen, 05/05/2021 11:42

Hi @carol and thanks for the clarifications!

In Finland people are extremely concerned when their name appears on a public website. Even in Facebook you can decide yourself if your profile is searchable from Google or visible to other people than your friends. Some people also feel it is a barrier for participation if they have to display their name with their proposal/idea, they don't want their neighbors lurking what they are proposing (Finnish mentality, don't ask why).

This is the biggest concern, because a) the name will automatically be visible with their proposal/idea AND b) their profile is visible when they (or their neighbor) google their name.

For the points above:

Even when the text about anonymity is visible in the registration form, people don't realize the name becomes visible on the platform. I believe they think it just asks for their name for administrative purposes (even when we have not customized the text). Direct feedback from a participant on a platform with that text visible in the registration form: "I thought the nickname would only appear and I don't understand why my name is visible on the site, can you please hide my name".

Regarding third parties, that does not apply to strong identity providers (such as Suomi.fi) which people primarily use to manage their tax issues, public health issues, etc. online. We provide this same authentication method for Finnish citizens in Decidim using an omniauth provider. When they sign in with that method (even just for voting), a public profile is automatically created with their name. Later they become surprised and angry when they find their profile when they google their name. The default in these situations should be that a public profile won't be visible (and they could decide if they want it visible later on from the profile settings).

I understand it maintains good digital hygiene when you have to act with your name. You think more about what you do online when you do it with your name; I believe I understand the thinking behind that. But the consensus, at least in Finnish cities, is that they would rather moderate the unwanted content from the platform than add barriers for entry, because it causes them extra work. Right now the only workaround (which people are ACTUALLY using) is that they call the civil servants with their ideas or submit their idea on paper or by email. Then the employees have to submit it to the platform with their shared group account. This causes unnecessary extra work for the civil servants rather than just adding the ability to act privately on the platform.

We don't think it is dangerous for privacy if we ACTUALLY make the profile private as described above. This would mean that in the global search, open data CSV downloads, GraphQL API and search engines their name would not be visible. If they decide to act privately, their name would be replaced with something like "Participant #123" or something along those lines.

Carol Romero, 05/05/2021 12:55

Hey @ahu thank you for the elaborated answer!

I understand that this is really a situation that is quite particular to the Finnish context 😅.
To separate the different problems and to give you some ideas that we have in @product in the medium term:

Regarding the registration form, we have yet to rethink it and remove fields from the form that are not strictly necessary. Personally I quite like the Reddit signup flow, where you only enter email, nickname and password once. We think the registration form should evolve to a similar model. With that, we would no longer have the real name problem (participants would still be able to access their profile and fill it in if they wanted to, name will be filled with the nickname by default). We hope to discuss this when we start the platform redesign process later this year.


As for the oauth options, IMO for each instance we would have to work with the expectations of that community. If culturally the expectation is not to show the real name perhaps it could be made even more explicit when selecting the different Finnish identification systems?

What I mean in the end is that we don't see this as a core Decidim functionality. Do you think it's possible to make this development as a module or overrides in your app? However, I think the privacy debate is important and we can continue to explore alternatives to improve it. If anyone else wants to chime in and give feedback regarding all the issues that we're discussing, it'd be awesome to have more opinions in this matter.

Antti Hukkanen, 05/05/2021 13:24

The first point I would very much support; this would indeed solve the described problem for the direct registration users.

For the oauth options, we could default to not saving the name, but it is a necessary field and without it the user record won't save. Also, I believe the nickname is automatically generated from the name right now, and if we remove the name, the users would have to create their nickname on the platform. Imagine the confusion the user would get when they come ONLY for PB voting and the system asks for their nickname... I don't think this would be good either.

I really think it would be very beneficial to have the "privacy" options available under the user profile where they could decide e.g. about the visibility of the public profile (and default it to hidden or make the defaults configurable for admins). We could fork the user-related functionality to its own module, but it's not easy to manage in a module because we would have to override parts of the user model, user forms and the user views. This sort of stuff that strongly relates to existing core functionality is quite hacky to put in a module, and it becomes hard to manage every time there are core changes related to the users.

If you strongly feel in @product that the publicity of the profiles is a must in Decidim, I would really want to open the conversation further into how we can make it so that it wouldn't have any effect on the current functionality in instances by default, but for system administrators we could add options to make these privacy options available for the users.

álvaro ortiz, 05/05/2021 13:18

> Even when the text about anonymity is visible in the registration form, people don't realize the name becomes visible on the platform

FWIW, we've gone through these issues with two clients.

In another case there was a serious problem, as the admins invited people from the city council to a process, and this generated public profiles for all those users, without anybody realizing it.

Andrés, 05/05/2021 13:33

> FWIW, we've gone through these issue with two clients.

Do you think we should make the current message more prominent? Now it says "Public name that appears on your posts. With the aim of guaranteeing anonymity, can be any name."

> In another case there was a serious problem, as the admins invited people from the city council to a process, and this generated public profiles for all those users, without anybody realizing it.

What invitation form is that? Administrators of a participatory process? Participants in an assembly?

I think this should be better explained in the invitation form, so admins know that this is a "loaded gun" and they should be careful using these invitations.

álvaro ortiz, 05/05/2021 13:51

> Do you think we should make more prominent the current message?

I think the main label (Your name) is much more prominent in terms of perception than that of the label. So the solution would be to actually change the main label to something like "Nickname", but that generates the inverse problem. I think when you set up a site you have the expectation of being able to not require a real identity at a conf level.

> What invitation form is that?

Can't recall exactly. The city council set up a private process for city workers; they invited 200+ users with a CSV, public profiles got generated and indexed (I think even for those that didn't act on the invitation), someone saw their name in a Google result, and complained (GDPR breach...)

Antti Hukkanen, 05/05/2021 13:59

> I think the main label (Your name) is much more prominent in terms of perception

I agree with this, as I tried to mention above. If you expect users to write something else there than "your name" or "name", the label of the field should be something else. Maybe "First name"?

The helping text is really small, comes AFTER the field and many people don't even read any further explanations if the text is longer than two-three words.

Oliver Azevedo Barnes, 06/05/2021 17:13

This is a very interesting discussion, and I endorsed the proposal on the premise that it's something I can see users wanting, and not just in Finland.

Though I'd argue that if it's general enough for a whole country, that it might be enough to consider for core? If the whole of Catalunya had this demand, I imagine it probably would. This is one discussion worth having: core vs specific, Catalunya vs international. Clear criteria and boundaries might be useful for both the association and partners, so the feature request process has less friction - feature requesters will know what has a better chance of being accepted into core or not, and the association will spend less time explaining what makes it into core or not.

About privacy theater: my take is that privacy, like security, is a spectrum, not an all-or-nothing thing. In the end even with TOR, VPN, etc, nothing is 100% private or secure. Not having one's own name on a public profile is one layer that complements others, depending on how private a user wants to be. If that's well signaled, then the user will know what to expect.

On the other hand, I also see the benefit of having public profiles, for maintaining the quality of discussion, less trolling, etc. And in our own specific use case, liquid democracy, people not having public profiles might even make it difficult for others to delegate their vote to them. People might delegate to active private users, but it's a whole different level of confidence delegating to verified, public profiles. This is of course not a core concern - I just mean to illustrate with a scenario where public profiles are preferable.

Antti Hukkanen, 10/05/2021 16:40

Thanks a lot for this insight @oliverbarnes !

I'd be also interested to hear from others what their thoughts are regarding this.

Ping @virgile_deville @Pops @wtebbens @furilo

Wouter Tebbens, 10/05/2021 17:18

I tend to agree with @ahu that people should have the option to be excluded from being indexed with their profile name. So while @andres and @xabier have a point that one can participate with full or reasonable anonymity, there are other people who are OK with putting their name on their profile but don't want to automagically show up in search results elsewhere. I understand your point @carol that we should hide as much as possible the options that are not absolutely necessary. So I'm not sure where in the onboarding process one would put this option. Maybe a section in the registration form that is hidden by default but one can open for extra options?

Entire Help, 11/05/2021 12:54

I agree with you

Spotter Cluster, 11/05/2021 00:28

From my point of view, I am able to accept the arguments for and against anonymizing a user. It is not just the case in Finland. GDPR is a strong argument against arrogant data miners like Google. It's okay that their appetite for private data is curbed.

Access to open data is also fine, as long as the data does not contain personal data of specific people.

At the same time, the complete anonymisation of a user at registration fundamentally reduces their credibility, even though their identity is then verified by other processes. We are still living people and we need to be trustworthy even in unverified discussions. The only universal method is our personal name. Anywhere, such as in comments.

Decidim is a tool for direct democracy, it's not a regular social network. That's how I understand Decidim and that's why I decided to support it. If it were a social network with the unfettered freedom to post all sorts of nonsense.

For me, the solution is for Decidim to offer the option of anonymizing the profile. For serious events such as voting, access to this section of Decidim would be restricted or outright non-public from the outside. Under control of admins.
Any publicly visible statements made by specific people would be anonymized to the form "Citizen-1", "Citizen-258" or similar.

I apologize if I am unnecessarily repeating theses that have been said many times here.

BTW: Just in my own case you see an "anonymous name" which is taken with OAuth from a Google account. Please don't take this as a distrust of your community, but precisely for the reasons expressed above. At the same time, it's not a problem for me to introduce my real name to other community members more closely, it just doesn't add any value to the topic at the moment.

I believe that Decidim will evolve into great software!

Antti Hukkanen, 01/09/2021 09:16

We are getting more complaints from users who are very upset why their profiles are public and appear on Google.

It is very hard to create a module for hiding the public profiles because we have to touch so many parts of the core and keep them in sync. It would be great if we could find a solution that we could incorporate to the core.

Antti Hukkanen, 04/10/2021 06:41

We just went through yet another security audit and this was identified as a privacy issue on the Decidim platform.
