Page MenuHomePhabricator

Phabricator account email address requirement contradicts linked wiki Privacy Policy
Closed, ResolvedPublic

Description

When registering an account on Phabricator:

1. If third-party cookies are not enabled, registration will fail, complaining about a lack of cookies but not specifying which ones are needed. This happens even if cookies from the relevant domains are enabled.

Desired fix: If cookies (or scripts) are not accepted by the user, tell the user which cookies (scripts) they must enable. Make registration work without third-party cookies, or failing that tell the user that they must enable them for the duration of the registration, and can then turn them off.

  1. The privacy policy agreed to during the registration says that no e-mail is required; this contradicts the UI, which requires one.
  1. No information is given about the reasons for requiring an e-mail or the purposes for which it will be used, not even the usual bland assurance that "Your e-mail will not be publicly posted".

    Desired fix: Either don't require an e-mail or explain why it is needed and what it may be used for.

Details

ReferenceSource BranchDest BranchAuthorTitle
repos/phabricator/deployment!25T214251phabPrivPolicywmf/stableaklapperUse WMF Non-wiki privacy policy
Customize query in GitLab

Event Timeline

Desired fix: Either don't require an e-mail or explain why it is needed and what it may be used for.

We do that on https://www.mediawiki.org/wiki/Phabricator/Help : "A valid email address will also be required for verification, but not shown to other users."

Aklapper reopened this task as Stalled.EditedJan 20 2019, 2:37 PM

Ah, it looks like this task consists unfortunately of several different things, so let me reopen this task. For future reference, please only one issue per task. Thanks!

Desired fix: If cookies (or scripts) are not accepted by the user, tell the user which cookies (scripts) they must enable. Make registration work without third-party cookies, or failing that tell the user that they must enable them for the duration of the registration, and can then turn them off.

Which exact "third-party cookies" is this about? We do not require external scripts as far as I know? I cannot reproduce any problem in a browser with the setting "Only accept cookies from sites you visit" enabled.

The privacy policy agreed to during the registration says that no e-mail is required; this contradicts the UI, which requires one.

  1. I go to phabricator.wikimedia.org and click "Log in"
  2. I choose "Log in or Register - MediaWiki"
  3. I end up on the "Log in" page of https://www.mediawiki.org
  4. I enter my credentials and click "Log in"
  5. I click "Allow" in the "phabricator-production needs permission to access information on all projects of this site on your behalf" dialog which has a "Privacy Policy" link in the corner going to https://foundation.wikimedia.org/wiki/Privacy_policy

Do you mean that one? Clear steps to reproduce welcome - thanks!

Thank you for the very clear question, Aklapper, it makes my bug report look rather shoddy by contrast. Indeed, your numbered list is exactly what I did. After giving my unified login credentials and pressing "Allow", I got the message

"Registration Failed
Your browser did not submit a registration key with the request. You must use the same browser to begin and complete registration. Check that cookies are enabled and try again."

If this message could say "You need cookies enabled for [list of domains]", it would be much more helpful to those with cookie settings other than "on" and "off".

I had cookies from wikimedia.org and phabricator.wikimedia.org enabled, and it still failed repeatedly. Even after clearing all cookies and cookielikes and closing and restarting the browser, it did not work. I then enabled third-party cookies and it worked; I was registered. I've since turned them off again and have had no problems.

Due to the limitations of my browser's settings, the enabling of third-party cookies was done through an add-on. I am looking into whether there is a problem with the add-on, but I assumed, possibly incorrectly, that there is some point here at which a domain does something with cookies from another domain.

Apologies for the multi-part task, and thank you for the link to https://www.mediawiki.org/wiki/Phabricator/Help. Could a question-mark icon or some such next to the e-mail field link to that help page?

"A valid email address will also be required for verification, but not shown to other users" does not really explain why it is required. "We don't want to be flooded with trolls" is a legitimate reason, but in that case an exception might be made for established wiki editors of good repute. In either case, if e-mail is required for Phab registration, this exception probably needs to be noted in the linked https://foundation.wikimedia.org/wiki/Privacy_policy:

"Because we believe that you shouldn’t have to provide personal information to participate in the free knowledge movement, you may:

-Read, edit, or use any Wikimedia Site without registering an account.
-Register for an account without providing an email address or real name."

The privacy policy does list some Wikimedia sites which are exceptions, but the list does not include Phab.

Another side issue, but I got 16 emails within a day of registration using the default settings, which seem to ~never notify where one can e-mail. I changed the default settings, so fixed, but it's a bit intimidating. I'd have been happy to express a preference for notifications over e-mails during registration. Probably not worth changing unless a fair number of others feel the same way.

Cookies: I think https://phab.wmfusercontent.org/ is the culprit. The string in Phab's code base is in /src/applications/auth/controller/PhabricatorAuthController.php:

'Your browser did not submit a registration key with the request. '.
'You must use the same browser to begin and complete registration. '.
'Check that cookies are enabled and try again.'));

In Wikimedia we could locally overwrite that and mention domains, by using translation.override in https://phabricator.wikimedia.org/source/operations-puppet/browse/production/modules/phabricator/data/fixed_settings.yaml . See https://www.mediawiki.org/wiki/Gerrit/Tutorial if you are interested in proposing a patch in Gerrit (against the operations/puppet repository).

if e-mail is required for Phab registration, this exception probably needs to be noted in the linked https://foundation.wikimedia.org/wiki/Privacy_policy:

That's also my current understanding. Could you create a separate task about that specifically?

I'd have been happy to express a preference for notifications over e-mails during registration.

https://www.mediawiki.org/wiki/Phabricator/Help/Managing_mail is linked from https://www.mediawiki.org/wiki/Phabricator/Help#Receiving_updates_and_notifications . We link to that Help page from the Phabricator frontpage.

Aklapper changed the task status from Stalled to Open.Jan 20 2019, 9:33 PM
Aklapper renamed this task from Difficulties registering a phabricator account via mediawiki; UI text to Difficulties registering a Phab account if third-party cookies are not enabled; email address requirement contradicts Privacy Policy.Feb 25 2019, 6:50 AM

I cannot reproduce any difficulties registering a Phab account if third-party cookies are not enabled in Chromium 114.
Chromium 114. "Settings > Privacy and security > Block third-party-cookies" is enabled.

Aklapper renamed this task from Difficulties registering a Phab account if third-party cookies are not enabled; email address requirement contradicts Privacy Policy to Phabricator account email address requirement contradicts linked wiki Privacy Policy.Jul 13 2023, 9:32 AM
Aklapper updated the task description. (Show Details)

Currently, the page within Phabricator at https://phabricator.wikimedia.org/auth/start/?next=%2F which allows logging in or registering a user account links in its footer to https://foundation.wikimedia.org/wiki/Special:MyLanguage/Policy:Privacy_policy and https://foundation.wikimedia.org/wiki/Policy:Terms_of_Use/Phabricator .

Issue: That current Privacy Policy URL says for example "You do not need to create an account to use any Wikimedia Site. If you do create an account, you do not need to give us your name or email address." That is misleading in case of Wikimedia Phabricator as it is required to set an email address when registering a user account in Wikimedia Phabricator.

What to do?

Historical context: T198: Draft a terms of use

I contacted the WMF Legal team on 2023-07-13 about this. Their reply in privacy queue Zendesk ticket #66277 was:

I conferred with a few people and we agree with your assessment that the non-wiki privacy policy is more appropriate for phabricator than the currently linked main privacy policy.