Unencrypted usernames in shared links break anonymity

privacy

(ljpp) #1

Most forums operate with a level of user anonymity - usernames are used instead of real names. The social sharing functions of Discourse however show the username in an unencrypted format, such as:

https://meta.discourse.org/t/s3-upload-bucket-cdn-url-and-bucket-name-in-cname/42549/2?u=ljpp

?u=ljpp

Now if I would share this link using the Discourse’s built in function, using my real-name Facebook or Twitter account, it is very easy for anyone to make the connection in between the real person and my username on the forum.

The usernames in the shared URL should not be in clear text format, but hidden/encrypted in some way. Or is there some other unique identifier you could use?

Also I am not sure whether collecting the statistics of the users making shares is all that important. Perhaps more interesting data would be whose posts are most shared? So the username identifier should be of the post author, not the one doing the sharing.


(Jeff Atwood) #2

Ummm… no? That link contains your Username, not Full Name. Usernames are never hidden from anyone, but Full Name can be depending on your site settings.


(ljpp) #3

Let me try to rephrase.

If Facebook member Jeff Atwood keeps sharing forum links with ?u=codinghorror, it is pretty obvious that Jeff Atwood = codinghorror.

While the shared link only contains the username, it is there in every shared link that a logged in user spreads around. It does not take a Sherlock Holmes to connect the dots.


(Jeff Atwood) #4

Usernames are never hidden. They are always public. If you mean disclosure to a third party website via sharing of links, well technically a link to that site discloses that the site exists, too.

And for people that care about this sort of thing there is always the handy delete key…


(Mittineague) #5

How so?
How can you tell just by seeing codinghorror that codinghorror is Jeff Atwood unless you already know that?

You see “mittineague” here, do you know my name?

And if it bothers anyone, shared links work fine without the ?u=publicly_visible_membername


(ljpp) #6

@Mittineague

Share something with me on Facebook, and I’ll tell you. I know your username here - now if it starts popping up connected to a real persona…

Online privacy is a pretty big deal nowadays, as related topics are being covered in the mainstream media.


(Jeff Atwood) #7

On some sites they can suppress full name, but he means sharing a link on Twitter lets people know maybe you are that username on the target site via the link text.


(Michael - DiscourseHosting.com) #8

I do agree that this can be a breach of privacy: people are disclosing their forum usernames implicitly and not everyone is aware of that, nor are people aware that this part can easily be removed from the link.

Why not make this a site setting (default ON) ?


(Sam Saffron) #9

I am fine with that as a PR, but you would automatically lose all the sharing badges (first share, nice share, good share, great share) if you disabled usernames there.


(Jeff Atwood) #10

Perhaps, but this is the first time I’ve ever heard the concern and it smells awfully hypothetical to me. If there were clearer real world examples from others where this was, y’know, an actual problem, I’d be more sympathetic.


(ljpp) #11

Perhaps cloaking/encrypting the username would be a better approach then? Or do the users have some other unique identifier, like a number, that could be used to collect the sharing stats?

@codinghorror You are a bit of an exceptional case, as you have branded Mr. Atwood as codinghorror. Vast majority of forum members use aliases/usernames to hide their identity. That is why most forums operate with usernames in the first place.


(Sam Saffron) #12

Yes, we could encrypt/hide it, but I am just not enthused to do any work here as this is the first complaint we have heard about this AND we have zero paying customers complaining about this.

If someone feels passionate about this they should submit a PR


(cpradio) #13

I really think most people who really want to protect their privacy are either going to 1) use the URL in the address bar, or 2) delete the u=your_username_here from the URL before posting it.

I know I occasionally remove it, but not due to privacy concerns, more so because I don’t want it to look like I am benefiting from posting the link.


(Rafael dos Santos Silva) #14

Citation needed?

Most people use the same username (or something similar) on every site.

My username on Steam, Gmail, Reddit, Github, Battle.Net, etc is very similar.


(Stefano Costa) #15

Yesterday I came across Hashids: http://hashids.org/ and I thought replacing ?u=username with the user_id hashid could be a rather simple solution to this problem, for both privacy and social (“I don’t want to benefit from posting this link”) reasons.


(cpradio) #16

Except hashids wouldn’t do that. It is still unique to me, others who see the post with said hash would still see it looking like a referral link of some sort. The only way to achieve that social goal is to not put it in at all. Again, I remove it manually, but I rarely remove it. I only do it for very unique situations and I’m not finding it to be a chore for me.
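
Added example, not part of the thread and not Discourse's own code: the two options discussed above side by side, removing the `u` parameter before sharing versus replacing the username with an opaque per-user token. The token here is a keyed HMAC of the user id rather than Hashids; the host, secret, user ids and function names are constructed for illustration.

```ruby
require "uri"
require "openssl"

# Assumption: the share parameter is "u", as in the links quoted in the thread.
SHARE_PARAM = "u"

# Drop the sharer identifier from a link; other parameters and the fragment stay.
def strip_share_user(url)
  uri = URI.parse(url)
  return url if uri.query.nil?
  kept = URI.decode_www_form(uri.query).reject { |key, _| key == SHARE_PARAM }
  uri.query = kept.empty? ? nil : URI.encode_www_form(kept)
  uri.to_s
end

# Hypothetical opaque replacement for the username: keyed HMAC of the numeric
# user id, truncated to 16 hex characters. The secret stays on the server.
def opaque_share_token(user_id, secret)
  digest = OpenSSL::Digest.new("SHA256")
  OpenSSL::HMAC.hexdigest(digest, secret, "share:#{user_id}")[0, 16]
end

# Group links by the value of the share parameter, as any reader of the
# public links could. A stable token groups exactly like a username does.
def group_by_share_id(urls)
  urls.group_by do |url|
    query = URI.parse(url).query
    query && URI.decode_www_form(query).to_h[SHARE_PARAM]
  end
end

# Constructed sample data: made-up host, secret and user ids.
SECRET = "constructed-demo-secret"
SAMPLE_LINKS = [
  "https://forum.example/t/topic-a/10/2?u=#{opaque_share_token(42, SECRET)}",
  "https://forum.example/t/topic-b/11/5?u=#{opaque_share_token(42, SECRET)}",
  "https://forum.example/t/topic-c/12/1?u=#{opaque_share_token(7, SECRET)}"
]
```

The token hides the forum username from anyone reading the link, but every share by the same account still carries the same value, so the shares remain linkable to each other; only the stripped link carries no per-user value.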


(Mittineague) #17

Personally, I think in some cases I would prefer my member name to be exposed rather than my member id.

An id might not be as readily recognizable as a member name, but a member id is much more personal IMHO


(Jay Pfaffman) #18

Control-L control-C will copy the URL of the current topic and the reply that you entered the page on and not require you to edit out the username. It’s actually easier than using the share link anyway.

Yeah, that’s the real problem: security and privacy are a chore.