
Create a policy defining what kinds of user data may or may not be pushed
Open, Medium, Public

Description

Pushing messages about users over the network via third-party push providers creates a potential privacy risk for users. To help manage this risk, we need to create a policy to identify the kinds of data that may be pushed and that may not, prior to any deployment.

As a way of getting our heads around the problem, we could audit the existing Echo notification messages to create a list of the kinds of data that are currently used, then evaluate them for privacy risks.

AC

  • Audit existing Echo Notification messages and create a list or typology of the kinds of data they contain
  • Create a policy defining what types of data may or may not be sent in push notifications over the network
  • That policy is linked from the mw:Push_Notifications_Infrastructure project page or the decisions page.
NOTE: This task may be unnecessary if all platforms use an approach in which an empty message is pushed to the client in order to prompt the client to wake up and retrieve messages directly from Wikimedia servers.

Event Timeline

Discussion has been ongoing. Another meeting is set up to cover in greater detail.

For v1 this is not a major concern since we're not pushing any data from Echo through the third-party push providers. The architectural decision of making clients request mwapi directly to pull the notification content mitigates the privacy risks listed here.

As a matter of fact, no data other than the type of the notification (and possibly timestamps) will be sent through these providers.

Echo outputs notification data in the following data structure:

{
    "header": "SomeUser thanked you for your comment in \"Topic_title\".",
    "compactHeader": "SomeUser thanked you.",
    "body": "Hello @SomeUser, we have worked on this issue for a while, as you can see here…",
    "icon": "thanks",
    "links": {
        "primary": {
            "url": "https://www.mediawiki.org/wiki/link/to/the/topic",
            "label": "View comment"
        },
        "secondary": [
            {
                "url": "https://www.mediawiki.org/wiki/User:SomeUser",
                "label": "SomeUser",
                "tooltip": "",
                "description": "",
                "icon": "userAvatar",
                "prioritized": ""
            },
            {
                "url": "https://www.mediawiki.org/wiki/Talk:Page_of_the_discussion",
                "label": "Page of the discussion...",
                "tooltip": "Talk:Page_of_the_discussion",
                "description": "",
                "icon": "speechBubbles",
                "prioritized": ""
            }
        ]
    },
    "iconUrl": "/w/extensions/Thanks/userTalk-constructive-ltr.svg"
}

The example above is for Thanks in a Flow page, but the data available is represented by header, compactHeader, body, icon, links, iconUrl and its usage is documented here.
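The "wake-up only" approach discussed in this task (only the notification type and possibly a timestamp cross the third-party provider; the client then pulls the content from the MediaWiki API) can be enforced mechanically rather than by convention. The following is an added example, not code from this task, from Echo or from any Wikimedia service: it assumes a Node.js component sits between Echo and the provider, builds the provider-facing payload from an allowlist, and then scans that payload against the Echo content fields so that a regression (someone copying `compactHeader` into the push message "for convenience") is caught before the payload leaves Wikimedia infrastructure. `PUSH_ALLOWLIST`, `CONTENT_FIELDS`, the `type` and `timestamp` values and the sample notification are all assumptions made for this example; the Echo structure quoted above does not show a type or timestamp field.

```javascript
// Added example, not Wikimedia/Echo code: allowlist-based push payload builder
// plus a leak check against Echo's content fields.

// Keys permitted to cross a third-party push provider under the v1 approach.
// Everything else must be fetched by the client from mwapi after it wakes up.
// (Assumed policy for this example.)
const PUSH_ALLOWLIST = new Set(['type', 'timestamp']);

// Echo output fields that carry user data: user names, page titles, message
// text and links to them. This classification is an assumption for the
// example, not Echo's own typology.
const CONTENT_FIELDS = ['header', 'compactHeader', 'body', 'links'];

// Constructed sample modelled on the Thanks-in-Flow structure quoted above.
// 'type' and 'timestamp' are assumed inputs not shown in that structure.
const sampleNotification = {
  type: 'thank',            // assumed notification type identifier
  timestamp: 1585555555,    // assumed Unix timestamp
  header: 'SomeUser thanked you for your comment in "Topic_title".',
  compactHeader: 'SomeUser thanked you.',
  body: 'Hello @SomeUser, we have worked on this issue for a while, as you can see here…',
  icon: 'thanks',
  links: {
    primary: { url: 'https://www.mediawiki.org/wiki/link/to/the/topic', label: 'View comment' },
    secondary: [
      { url: 'https://www.mediawiki.org/wiki/User:SomeUser', label: 'SomeUser', icon: 'userAvatar' },
    ],
  },
  iconUrl: '/w/extensions/Thanks/userTalk-constructive-ltr.svg',
};

// Build the provider-facing payload by allowlisting, never by deleting known-bad
// keys: a field Echo adds later is dropped by default instead of leaked by default.
function toPushPayload(notification) {
  const payload = {};
  for (const key of PUSH_ALLOWLIST) {
    if (notification[key] !== undefined) {
      payload[key] = notification[key];
    }
  }
  return payload;
}

// Collect every non-empty string leaf under a value, recursing into objects
// and arrays (the 'links' field nests both).
function stringLeaves(value) {
  const out = [];
  const walk = (v) => {
    if (typeof v === 'string') {
      if (v.length > 0) out.push(v);
    } else if (Array.isArray(v)) {
      v.forEach(walk);
    } else if (v && typeof v === 'object') {
      Object.values(v).forEach(walk);
    }
  };
  walk(value);
  return out;
}

// Gate to run just before handing the payload to the provider. Reports any key
// outside the allowlist and any Echo content string that appears inside any
// string of the payload. Comparing string leaves (rather than the JSON text)
// avoids misses caused by JSON escaping of quotes in headers.
function findLeaks(payload, notification) {
  const problems = [];
  for (const key of Object.keys(payload)) {
    if (!PUSH_ALLOWLIST.has(key)) {
      problems.push(`disallowed key: ${key}`);
    }
  }
  const payloadStrings = stringLeaves(payload);
  const contentStrings = CONTENT_FIELDS.flatMap((f) => stringLeaves(notification[f]));
  for (const s of contentStrings) {
    if (payloadStrings.some((p) => p.includes(s))) {
      problems.push(`content leaked: ${s.slice(0, 40)}`);
    }
  }
  return problems;
}

// A payload built through the allowlist is clean; one that copies the compact
// header into a 'message' field is rejected on both counts (extra key and
// leaked content, including the bare user name from the secondary link label).
const safePayload = toPushPayload(sampleNotification);
const leakyPayload = { ...safePayload, message: sampleNotification.compactHeader };
```

Calling `findLeaks(safePayload, sampleNotification)` returns an empty list, while `findLeaks(leakyPayload, sampleNotification)` returns the disallowed key and the two content strings ("SomeUser thanked you." and "SomeUser") that made it into the payload. Wiring the check as a hard failure in the sending path turns the policy this task asks for into something a deploy cannot silently violate.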

MSantos subscribed.