Page MenuHomePhabricator

Allow iOS user to initiate the Vanishing process from the app
Closed, ResolvedPublic

Assigned To
None
Authored By
LGoto
Jan 25 2022, 10:27 PM
Referenced Files
F35492061: Vanish account empty.png
Aug 26 2022, 8:18 PM
Restricted File
Aug 26 2022, 7:56 PM
Restricted File
Aug 26 2022, 7:56 PM
Restricted File
Aug 26 2022, 7:56 PM
F35492009: Vanish account empty-2.png
Aug 26 2022, 7:14 PM
F35492006: Vanish account empty-1.png
Aug 26 2022, 7:14 PM
F35492004: Vanish account empty.png
Aug 26 2022, 7:14 PM
F35410512: Account.png
Aug 8 2022, 4:28 PM

Description

See parent ticket for context. In our platform, "account deletion" takes the form of the Vanishing process. Per the new Apple policy we need users to be able initiate the vanishing process via the app.

The meta process is documented here:
https://meta.wikimedia.org/wiki/Right_to_vanish

There are two paths for these requests. Accessing and editing a Special page for Renaming. Or sending an email request to the renaming queue. For our purposes I think it would be both simpler and more user-friendly to create a simple email generation form that collects the required information and submits it to the queue.

The email solution also allows for easier closing the loop on when the process is complete, or the request is rejected, but providing a contact point for the user outside their (now deleted/logged out) Wikimedia account.

Intial proposed copy:

Account deletion on Wikipedia is done by changing your account name to make it so others cannot recognize your contributions in a process called account vanishing. You may use the form below to request a courtesy vanishing[link]. Vanishing does not guarantee complete anonymity or remove contributions to the projects.

This will be a form:

To initiate the vanishing process please provide the following:
Username:
User or user talk pages for deletion:
Additional inforrmation:

If you want to leave Wikimedia projects but do not care about your past associations or if you intend to rejoin Wikipedia in the future, simply stop editing. You may optionally add {{Retired}} to your user page.

If you want to edit using another username, you can log out and create a new account or use changing username[link] and clean start[link] instead.

If you want to hide personal information, consider oversight[link].

The Wikimedia projects will delete personal information about editors and contributors (most likely on user and user talk pages) at their request, provided it is not needed for administrative reasons (which are generally limited to dealing with site misuse issues).

Personal information related to encyclopedia articles and persons mentioned therein are not covered by the account vanishing process. Instead, please see the relevant editorial policy on biographical articles[link], which contains full details of editorial directives, and actions to take if dissatisfied.

Designs

You can find the designs in this Figma file

Vanishing request work flow

  • Contributor can access vanish request form from Account
  • If contributor taps 'Send request' could trigger
    • Mail app
    • Request to download request app
  • If contributor sends or doesn't send the email and the contributor returns to the request screen they will see 'Vanish request' modal. Once the contributor taps 'OK' they are returned to an empty request form page.
Settings > AccountEmpty requestFilled requestEmailModalEmpty requestAccount
Account.png (812×375 px, 24 KB)
Vanish account empty-1.png (812×375 px, 43 KB)
Vanish account filled.png (812×375 px, 43 KB)
Email.png (812×375 px, 29 KB)
Vanish account empty-2.png (812×375 px, 44 KB)
Vanish account empty.png (812×375 px, 43 KB)
Account.png (812×375 px, 23 KB)

If contributor leaves request form with filled request an action sheet gets triggered, if request is empty the action sheet doesn't get triggered.

Empty requestFilled requestTrying to leave by '<Back' triggers action sheetAccount
Vanish account empty.png (812×375 px, 43 KB)
Vanish account filled-1.png (812×375 px, 43 KB)
Vanish account filled.png (812×375 px, 48 KB)
Account.png (812×375 px, 23 KB)

Access

  • From the explore feed the contributor can request to vanish their account by tapping on Settings > Account > Vanish account

Request form
Copy:

  • Page title: 'Vanish account'
  • Title: 'Vanishing process'
  • Next: 'Vanishing is a last resort and should only be used when you wish to stop editing forever and also to hide as many of your past associations as possible. 'To initiate the vanishing process please provide the following'
  • Username section (this is uneditable): 'Username and user page' with automatic insertion of users [username]
    • Next: 'Additional information' - optional
  • Next: 'Account deletion on Wikipedia is done by changing your account name to make it so others cannot recognize your contributions in a process called account vanishing. You may use the form below to request a courtesy vanishing. Vanishing does not guarantee complete anonymity or remove contributions to the projects.'
  • Button: 'Send Request'

Email

  • The email will be sent:
    • to: renamers@wikimedia.org
    • subject: Request for courtesy vanishing
  • Email text:
    • Hello, 
This a request to vanish my Wikipedia account. Username and user page to vanish: [Username] Additional information: [Optional]

End of flow modal
Modal copy:

  • Title: Vanishing request
  • Next: Illustration
  • Next:
    • If you completed your vanishing request, please allow a couple of days for the request to be processed by an administrator.
    • If you are unsure if your request went through please check your Mail app.
    • If you have further questions about vanishing please visit Wikipedia:Courtesy vanishing.
  • Button: 'OK'
Additional notes for QA

You can test this screen in the Settings > Account > Vanish screen against the requirements in this description.

Note that when you tap "Send request" button, it will attempt to open an email compose screen using whatever default email app you have set up on your phone (could be Apple's Mail, or the Gmail app, for example). At this point we no longer have control and it is up to the user to finish sending the email from their email app. For testing, please only send the email from an account that you actually want vanished. For the purposes of testing this ticket, there's no need to send the email. The end of flow modal should present whether you sent the email or not.

Event Timeline

LGoto triaged this task as Medium priority.
LGoto moved this task from Needs Triage to Product Backlog on the Wikipedia-iOS-App-Backlog board.
JMinor renamed this task from create UI and text proposal for account deletion requirement to Allow iOS user to initiate the Vanishing process from the app.Feb 8 2022, 6:16 PM
JMinor updated the task description. (Show Details)

Per our meeting this should be located in the Account screen of settings, "Request Account Deletion" and opens the form described above.

Tsevener moved this task from Ready for Development to Doing on the iOS-app-v6.9.3 board.
Tsevener added a subscriber: OTichonova.

Recapping our question for @OTichonova in planning:

Since quite a bit can go wrong (no email client set up, never tapped Send on email client) and we have no way of knowing if things were successfully sent or not, maybe we should consider displaying the final modal mock on the Vanishing screen rather than automatically popping back to the Account screen and showing it there. Reason being that it would be annoying if they didn't want to set up email at this point, but the app automatically backed out and lost their additional comments. Alternatively, we can also keep their draft "Additional comments" in memory until they back out of the Account screen, so they'll have a chance to go back to the vanishing screen with their last comments pre-populated.

Hi @Mazevedo! I am following up from Thursday's meeting, I updated the ticket with the discussed workflow and added some screens in the description.

Mazevedo moved this task from Needs Design Review to Needs QA on the iOS-app-v6.9.3 board.
Mazevedo subscribed.

@cmadeo @OTichonova @Mazevedo

Update from some early design feedback from @cmadeo on this task: Add back button arrow to the Back button.

iOS navigation back buttons do not allow us to present an action sheet to the user when they tap, so I had to set up our own custom back button and disable the navigation back swipe gesture in order to display the draft confirmation sheet. Unfortunately I'm not able to easily add BOTH back button text and an arrow. One option might be to present this whole screen modally with a close button rather than pushed on from the right - that will more closely match the draft discarding action sheet that I see in Mail, and we wouldn't be fighting the navigation bar so much. The static navigation bar on scroll also might feel more natural this way, being in a separate stack from Account (which does collapse on scroll).

It's a larger change that may take a day or two to work out, but I just thought I'd mention it as an option if y'all feel strongly about it.

Update: I should also point out that I was seeing TWO back buttons on iOS 16. I haven't dug into it yet, but a close button would mean we don't have to look into that bug.

This comment was removed by OTichonova.

Hi @Tsevener,
Thank you for the update/comment.
As discussed we will replace the '< Back' with just the '<'.
Below is the updated design.

Vanish account empty.png (812×375 px, 44 KB)

Not to throw a wrench into this... but I was just wondering...

  1. The vanishing process says: "If you send the mail directly, please include some kind of proof that the account is indeed yours." I don't see that being taken care of in any sort of way here. Some proof is needed, or anyone could just get anyone else's account vanished...
  2. Has this process been discussed with the team having to do the vanishing ?
  3. The vanishing process doesn't delete the email address of the account in the WMF databases right ? Pretty sure that is up to the user to do via Special:ChangeEmail right now. I think that according to Apple's definition this is actually required... "Offer to delete the entire account record, along with associated personal data"...

@TheDJ we are working with our CRS folks to engage with 1 and 2 and determine how feasible/suitable this approach is.

For 3, this solution was defined in consultation with our legal team which reviewed Apple's policy and, given our platform's quite limited and unusual approach, this was a sufficient way to satisfy the policy. While I understand your concern, neither you nor I are lawyers nor Apple store reviewers, so I will continue to consult with our Legal team on how to best address this requirement within the very limited platform capabilities in this area.

For 3, this solution was defined in consultation with our legal team which reviewed Apple's policy and, given our platform's quite limited and unusual approach, this was a sufficient way to satisfy the policy. While I understand your concern, neither you nor I are lawyers nor Apple store reviewers, so I will continue to consult with our Legal team on how to best address this requirement within the very limited platform capabilities in this area.

Hmm in my 13 years experience of submitting iOS apps, Apple is being pretty clear. Delete PII if possible and expected by consumers (so yes for an account, but not for a bill for instance). Basing our implementation on “what we legally can get away with” is what Facebook does and why Apple constantly has to make the rules stricter.

From the App Store guidelines

Apps must also provide the customer with an easily accessible and understandable way to withdraw consent.

As an eu consumer I would expect my email to disappear from the database and not be able to show up in any later data leaks, when I have followed this process.

From the account deletion explainer/FAQ

only offering to temporarily deactivate or disable an account is insufficient.

Technically what vanishing does if u ask me.

Keep users informed

Nowhere does this explain to me how to get my e-mailadres removed or that it is being retained.

  1. The vanishing process says: "If you send the mail directly, please include some kind of proof that the account is indeed yours." I don't see that being taken care of in any sort of way here. Some proof is needed, or anyone could just get anyone else's account vanished...

An idea to do this at scale, would be to generate some Id in the public logs and then include that Id in the email. But as not everyone can create pages, this might not be that easy to do without creating a small extension to handle generating such an id

Why are we having to funnel all of this via email, instead of just directing the requester in to the rename queue https://meta.wikimedia.org/wiki/Special:GlobalRenameRequest?

Dmantena subscribed.

Currently, we're blocked on this. We're awaiting the trust & safety email address to use in-app.

We should use the same email that is used for other inbound vanishing requests via email: privacy@wikimedia.org

We are using the email process because the special page is not well supported or particularly useable for mobile user and we as a team do not have expertise or capacity to make changes to it.

We should use the same email that is used for other inbound vanishing requests via email: privacy@wikimedia.org

We are using the email process because the special page is not well supported or particularly useable for mobile user and we as a team do not have expertise or capacity to make changes to it.

But aren't you sending this to renamers@wikimedia.org - which is just going to clog up the VTRS renamers queue, making the volunteer renamers still have to go log on and deal with this, plus also deal with authenticating the users? If they just used the on-wiki form everything would be in one place, easy for the renamers to process, and most importantly the authentication would already be handled. I'm not seeing that the new workflow this may create is only going to be serviced by WMF employees, is it?

@ABorbaWMF TestFlight build 6.9.4 (1987) is available to test for this email change. You may need to dig into the TestFlight menus (Versions & Build Groups) to find it, since we've also have 7.0.0 deploying nightly.