Can Discourse function without emails entirely?

In a closed community with highly sensitive content, everyone wants guaranteed zero emails starting from registration. Is this possible in Discourse?

I guess we can turn emails off entirely system wide, but what about new user registrations? Now that you even support passkeys, could you make a fully functional no-emails Discourse possible?

4 Likes

I think you should be able to do this, if you have SSO setup.

Emails are an absolute requirement to verify email addresses. Otherwise you’ll get hit by spam. But you can bypass this if you delegate verification to your SSO set this:

5 Likes

I’m on a site with email disabled, and I think that is only possible because of the SSO handling login and password resets, etc.

Without needing those, I think using onsite notifications and having no email notifications for anything works quite well. :+1:

6 Likes

Hey, I’ll be the devil’s advocate for a while. It’s not my usual interaction around here because I truly respect all of you folks.

But I guess that being the crypto guy (people say OG) and after spending a decade learning to self-host my files, nodes, websites and blablah, motivates me to share my thoughts with you.

I have 7 years supporting Discourse and I manage a community that values privacy.

They trust me (someone can say I’m not the guy but they know that I’m their guy) and they learn how to keep their own privacy at first.

Discourse is not built with stronger privacy in mind; it’s mostly about public communities.

Primarily tech support, regardless of the software itself being used for different markets, concepts, nations and so on :slight_smile:

Deprecated encrypted PMs show the reality: only 1% of the world takes care of their privacy.

Meta on Discourse is no different, and I bet your own community isn’t either (remember a lot of guys trusting a random person on the internet like me, so we are all the same).

Apple, Amazon, Microsoft, Facebook, Google make money killing their users’ privacy. And almost everyone depends on them every day.

Are you browsing on Chrome? You have no privacy.

It's real

Major Privacy Issues Google Faced with Chrome

1. Extensive Data Collection and Profiling

  • Chrome collects significant amounts of user data, including location, search and browsing history, user identifiers, and product interaction data. This information is linked to individuals and devices, allowing Google to build detailed profiles for ad targeting and personalization [4][2].
  • Critics argue that Chrome’s data collection practices are more invasive than those of competitors like Safari and Firefox, and that syncing with a Google account further expands the scope of data aggregation across Google services [4][7].

2. Third-Party Cookies and Privacy Sandbox Controversy

  • Google’s long-promised plan to phase out third-party cookies in Chrome was repeatedly delayed and ultimately paused, drawing criticism from privacy advocates and regulators. The failure to eliminate these cookies leaves users exposed to cross-site tracking and surveillance [8][5].
  • Privacy advocates and digital rights groups, such as the Electronic Frontier Foundation, argue that abandoning the plan benefits Google’s business interests while failing to protect user privacy [8][5].

3. Browsing History Leaks via :visited Links

  • For nearly 20 years, Chrome allowed websites to infer a user’s browsing history through the `:visited` CSS selector, which could be exploited for tracking, profiling, and phishing. This longstanding vulnerability was only addressed in Chrome version 136 with a new partitioning system to prevent cross-site history leaks [3].

4. Personalized Ads Based on Browsing History

  • Chrome introduced features that use recent browsing history to profile users and display personalized ads. This raised concerns about transparency, informed consent, and the potential for manipulation or misuse of sensitive data [2].
  • Many users and privacy experts view this as a significant privacy violation, as Chrome accesses and processes private browsing logs for advertising without clear user control [2].

5. Lawsuits and Regulatory Scrutiny

  • Google has faced lawsuits alleging unlawful data harvesting from Chrome users, including accusations that private browsing data was collected and retained without proper consent. Settlements have required Google to delete private browsing histories and review its data practices [7].

6. Integration with Google’s Wider Ecosystem

  • Data collected via Chrome can be combined with information from other Google products (e.g., Gmail, Maps, Android), creating comprehensive user profiles that raise further privacy concerns [4].

Summary Table

| Issue | Description | Source |
|---|---|---|
| Data Collection & Profiling | Chrome collects and links vast amounts of personal data for profiling and ads | [4][2][7] |
| Third-Party Cookie Phase-Out Failure | Google’s delays and reversal on cookie removal leaves users exposed to tracking | [8][5] |
| Browsing History Leak via `:visited` Links | Exploitable CSS feature leaked browsing history for decades; only recently fixed | [3] |
| Personalized Ads from Browsing History | Chrome uses recent browsing activity for ad targeting, raising transparency and consent issues | [2] |
| Lawsuits & Regulatory Action | Legal challenges over alleged unlawful data collection, including in private browsing modes | [7] |
| Google Ecosystem Data Integration | Chrome data combined with other Google services for extensive profiling | [4] |

These issues have contributed to ongoing debates about Chrome’s suitability for privacy-conscious users and have prompted some to recommend alternative browsers with stronger privacy protections [4][7].

  1. https://www.reddit.com/r/browsers/comments/146srua/is_chromes_lack_of_privacy_a_big_issue/
  2. Is Google Chrome violating your privacy? Scary new notification spooks users - here’s what you can do | TechRadar
  3. Chrome 136 fixes 20-year browser history privacy risk
  4. https://www.wired.com/story/google-chrome-browser-data/
  5. Google Confirms Bad News For 3 Billion Chrome Users
  6. How Chrome Safe Browsing keeps your browsing data private - Computer - Google Chrome Help
  7. Google Chrome and antitrust: Will a new owner solve the browser’s privacy problems? | Vox
  8. https://www.wired.com/story/google-chrome-third-party-cookies-privacy-rollback/
  9. Understand privacy in Chrome - Google Chrome Help
  10. Privacy concerns with Google - Wikipedia
  11. https://www.gen.uk/index.php?page=Home&option=Blog&article=20241003

So, back on topic: going the SSO route for real privacy means self-hosting the service on local hardware or encrypted HD/SO.

I think Authentik -tested with Discourse- is our best bet for those who want open-source, community, respect and common sense.

I like to suggest e-mail alias services like Duck or Addy (better to self-host, from my perspective).

And move to LibreWolf ASAP.

Best wishes for your community and project. It’s good to see discussions about the major vortex on Internet.

I was very disappointed when Discourse stopped supporting encrypted messaging. We were using it like a lot.

Thanks for the hint.

When considering setting up an email-less Discourse instance, there is no way to get hit by spam.

When I say “email-less”, I really mean that in the absolute meaning. It’s not that difficult, most of it already exists in Discourse: you can just turn off sending out any emails completely. The only two missing bits are:

  1. Initial setup for the first admin account, which weirdly requires an email.
  2. New user signup.

I advocate for a single global switch such as “Email-less Discourse”, which will disable email and make it unnecessary throughout the application.

If the user installs the Discourse app, he’ll get all the updates through it, no need for an email.

If the user uses a keypass, no need for an email either.

If no digest emails are sent, no need to verify emails.

Frankly, no need to have any email associated with an account at all.

I may sound a bit overwhelming, but at the same time, it is a) not that difficult to complete the remaining/missing 5% that hard-require email, and b) in my practice, it’s a legit case to have an email-less community, and it’s not a very unique idea - in multiple web shops you can already “buy anonymously”, i.e. you can interact with the platform and even place an order without ever revealing your email. 4chan is yet another example that requires no user email but is huge.

I guess all that’s missing is the will of the Discourse team to embrace the idea and complete a few tweaks to make Discourse truly email-less capable. It’s almost there already.

1 Like

You can skip this as well with a command line during setup; I can’t remember it off the top of my head.

2 Likes

You need email initially for setup. However, we had a test site running with no email server after. Invite link may work for signup. We didn’t test invite link but manually activated accounts.

This plugin may help. But would verify in this post that it is still current. Looks like a fork was released in March.