-
-
Notifications
You must be signed in to change notification settings - Fork 52
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Better privacy in screenshots #2329
base: main
Are you sure you want to change the base?
Conversation
i know this is a draft, but already some thoughts: this only affects the subtitle of one-to-one-chats in non-chatmail one-to-one chats, right? this may raise support-requests and false expectations, eg. why the email address is not removed in other places. avatars? others may expect screenshots to be authentic - which may also be important for documentation purposes. others may see this as a bug or wonder why android or desktop are different :) in many cases, when doing screenshots, the email address will be the least privacy wise compromising information :) (still, doing screenshots are and important feature that we do not want to block, there were older discussions around that) so, i am not sure functionality-wise. is that really a real-world-issue? - note, we’re getting lots of feedback, and also do user testings a lot, esp. with groups in explicitly risky situations, but afaik, this did not came to the radar yet. cc @kermoshina, @adbenitez technically, while being interesting and i sympathise with hacking around, this may also strike back on any iOS update - comments as https://stackoverflow.com/a/77841188 also imply that that is not given forever :) |
Correct. This hides the email in screenshots in that case.
I agree but imagine if WhatsApp would leak someone's phone number whenever you screenshot the conversation, that would not be great IMO, and it's basically what Delta Chat does unless you are using chatmail.
The assertionFailure at |
WhatsApp is doing exactly that - i think, they just do not care: arguably only if you did not give access to the phone book, but when it comes to privacy, that's maybe not that unusual. but sure, one should also not take WhatsApp as a privacy role model :)
that's nice! so, remaining questions are about user expectations as mentioned above. but i would not veto this PR, i just wanted to raise the questions alternative or successor might be to remove the address completely from the subtitle, that would mitigate some real-world attacks pointed out by @kermoshina at deltachat/deltachat-android#2916 (comment) also for non-chatmail or for non-guaranteed-e2ee (for guaranteed-e2ee, apart from other expectations here and there, the removal was not a big deal in practise) |
I just read through that and seems that some people want an actual private mode that doesn't show emails ever? If we make all places where we show emails PrivacySensitiveViews and have a permanent global toggle that makes them always hidden we would be able to serve the needs of those people? Idk if that is a good way. I did already run into an issue where if you use this PrivacySensitiveView in a a cell that gets a context menu it hides the privacy sensitive content in the preview (because it gets filtered by |
i do not think so :) |
ftr, this PR as we decided to remove email address unconditionally from the title bar, so this PR, while technically interesting but coming with maintenance burden, will become superfluous |
Previously if you screenshotted a conversation it included the recipients email which is not great for privacy. I prefer the email hidden in screenshots. This does not change any visuals for the user, only in screenshots/recordings is the subtitle hidden.