Page MenuHomePhabricator

Bugzilla email address privacy concerns
Closed, DeclinedPublic

Description

Author: stevesliva

Description:
Users are not advised upon creating an account at MediaZilla that their email
address will become their username and be visible to anyone on all MediaZilla
bug reports voted on or created by that user.

At the least, the create a new account page should advise users of the lack of
email address privacy. (Personally, I assumed that email would be required to
confirm that I was a real live person, and then allow me to create an account,
not for becoming my username.)


Version: unspecified
Severity: enhancement
URL: http://bugzilla.wikipedia.org/createaccount.cgi
See Also:
https://bugzilla.mozilla.org/show_bug.cgi?id=218917

Details

Reference
bz148

Event Timeline

bzimport raised the priority of this task from to Lowest.Nov 21 2014, 6:43 PM
bzimport set Reference to bz148.
bzimport added a subscriber: Unknown Object (MLST).

To be reported to bugzilla team.

phillip.stewart wrote:

A little is already done. @ is used instead of @.

See: https://bugzilla.mozilla.org/show_bug.cgi?id=261326
Bugzilla spam prevention (tracking anti-spam-spiders/harvesters bugs)

ayg wrote:

*** Bug 11048 has been marked as a duplicate of this bug. ***

There's a number of third-party patches/tweaks to BZ to suppress display of email addresses unless one's logged in and such. Clearer display of privacy info would also be good!

https://bugzilla.mozilla.org/show_bug.cgi?id=219021 is marked FIXED upstream:
"Email addresses should only be displayed to logged in users"

Should make it to a future release... (3.4?)

Bulk-assigning open BZ issues to Fred.

fvassard wrote:

This will get corrected in the upcoming version of Bugzilla, which should make it here very soon.
Resolving.

ibloodyhatespam wrote:

Please note that making email addresses invisible until you register just moves the problem up a tiny bit, spambots can easily register (as they do on various types of forum) and then still harvest email addresses.

What would help is either making email addresses invisible permanently (except for admins), or providing the user a choice between showing his email address (only for registered users, of course) or hiding it altogether.

  • Bug 9872 has been marked as a duplicate of this bug. ***

Marking this fixed with the BZ 3.4 upgrade, bug 16777. E-mail addys aren't shown to unregistered users anymore.

Reopening -- the upstream bug that was fixed doesn't solve the problem that email addresses are used as a primary identifier and are exposed to other users.

  • Bug 29852 has been marked as a duplicate of this bug. ***
  • Bug 11898 has been marked as a duplicate of this bug. ***

Unassigning from fvassard at wikimedia dot org

(In reply to comment #13)

Reopening -- doesn't solve the problem that email addresses are used as
a primary identifier and are exposed to other users.

Upstream for that is https://bugzilla.mozilla.org/show_bug.cgi?id=218917

Upstream ticket has an initial patch, so there is a small chance to see this in Bugzilla 5.0.

Related: a request for comments to move our bug reporting and more to Phabricator, where users' email addresses are kept private.

https://www.mediawiki.org/wiki/Requests_for_comment/Phabricator

Details about the potential migration from Bugzilla to Phabricator are being discussed at

Migrate Bugzilla to Phabricator
http://fab.wmflabs.org/T39

+ dependent tasks.

With the move to [[w:Phabricator]] approved, this request about visible email addresses in Bugzilla is Lowest priority. We are focusing in Wikimedia Phabricator Day 1.

Aklapper claimed this task.

Wikimedia has migrated from Bugzilla to Phabricator. Hence closing as "declined".

Phabricator does not expose your email address, hence this is resolved/fixed in Phabricator terms.