All user email addresses exposed in NC20+

Hi,
Just updated from NC18/19 to 20 and I’m appalled to discover that all email addresses are visible to any logged in user by using the share dialogue and entering a part of a name or email.

Surely this is a major privacy/user security issue and should at the very least be an option which defaults to not revealing emails.

Or have I missed a new setting somewhere? They can be hidden using custom CSS - but this means they are still visible by inspecting the page source.

Emails are also visible elsewhere unless you take steps to hide them (e.g. contacts list and user listings, which we have already taken steps to remove). This may be ok for a small OwnCloud setup but with a large number of users this is hardly good practice, is it?

How are other people concealing user email addresses - is there a plugin/app available?

1 Like

Nextcloud is primarily a collaboration platform - and the primary goal is to make the collaboration between the users of the system as easy as possible. The majority of the users would claim bad usability if they can’t easily share their work with colleagues. Depending on your use case you may want to split your user population into smaller chunks. I think the “Circles” app is well suited for your needs.

Hi @wwe
I think you have missed the point here.
You might think NC is some kind of platform, other people might think it provides a secure private way to share files.

You might think that the majority of users need to see each other’s email addresses - although that is clearly not required in order to collaborate online if that is your primary use for NC.
I would say that a majority of our users are not happy with exposing their email addresses to all other users, or in some cases even to other users with whom they work closely.

We already have groups for segmenting the userverse, but that is nothing to do with personal privacy issues.

I entirely agree that there will be instances (probably those with a relatively small number of users, or in a corporate environment) using NC where email privacy is not an issue and the users are happy for everyone to see their addresses. That should be a choice, either at the organisational level or at the user level - not imposed by the underlying software system being used - that is a design flaw - failing to account for a valid and common use case.

Almost every other “platform” I have encountered allows users to opt to reveal their personal details (including this Discourse “platform” that we are using) but doesn’t force anything beyond username/handle. NC has never been good at this, but the latest change to explicitly showing everyone’s emails is a spammer’s wet-dream!

1 Like

I completely disagree. Nextcloud is much more like Exchange - it provides a service for a closed user group. Each of the similar services I know (MS Exchange, Lotus Domino) has a concept of an address book exposed to the users… Same as in Nextcloud. And no, spammers can’t access this data, as users must authenticate before they share files… It becomes an issue only in case you don’t trust the users and users don’t trust each other.

1 Like

I agree with @wwe. Also, I would not consider email addresses as secret information, at least not within the same organization. If you offer Nextcloud as a service and you want to completely separate organizations or groups of users from each other, you have to spin up multiple Nextcloud instances. That’s the right way to do it anyways. The product is simply not designed to host a multi-tenant environment on one instance.

2 Likes

I’ll try to explain in a different way.
There is no reason why email addresses need to be visible in order for NC to be used for collaboration.
Occam’s Razor - therefore they should not be exposed unless there is an additional reason to make them available. It is just screen clutter at best, and harmful for some users at worst.

If you want to use NC as a platform for all sorts of work in a closed monolithic organisation using internal email addresses then that is fine. But what is needed in that world is not the same as what may be needed in a more fluid dynamic ‘organisation’.

At its core and its genesis NC (in the form of OwnCloud originally) was simply providing shared storage space. Admittedly a lot of bolt-ons have been added, but most of them can be categorised as feature-creep and are not really needed for the core functionality.

This is perfectly ok so long as all of the extra stuff remains optional extras. Once it starts being imposed it is intrusive. If you actually need all that stuff then you might be better off using MS Exchange or something else.

Unless your email address belongs to your employer then most people certainly do consider it private information. I would not say to users coming in to our organisation that they must make their email address available to everyone else - and a lot would certainly object if we did.

@rogerco there is a pretty good reason to show the email address - the display name could be duplicate while the email is unique. But I understand your problem and can imagine scenarios when you want to prevent users from accessing the complete address book, e.g. a school cloud splitting access to individual classes…

A really short test proves the functionality you are looking for is built in already!

  • create 3 test users test3, test4, test5
  • test3 can see all users and their mail address when this option is disabled
  • add test3 and test4 into group “sharing”
  • enable/check restrict users to only share with users in their groups (Admin settings > Sharing).
  • confirm test3 can only see test4 in the sharing dialog, and doesn’t see test5
  • confirm test3 can share with external users by email

After enabling this function test3 can only find test4 in the sharing dialog (and the user can still share to external users via email).


1 Like

Because of this exposure I am not able to use Nextcloud as a communication tool and file-sharing tool for my school parents without creating a lot of documents. All parents now have to accept this term in a DSGVO document. I really don’t understand why the email address can’t be hidden by default. I think file sharing and communication are bound to the user, not to his email address.
I tried to set my email address to private, but I can’t because NC says it is needed for core functions and can’t be set.

1 Like

I don’t get your point. As user ‘willi’ I set my email to hide - and this can be done by an admin for everyone with occ easily

and in the sharing dialog I see only the displayname of this user… but in fact if your UserId is not a simple string but the email you likely can’t hide it - you might want to change your userid format…


I think this is a bad solution. You should have the possibility that participants can find each other without being in the same group. It should also be possible to hide the email within the group. What do I have a collaboration platform for? The email address is absolutely irrelevant within the platform!

It should be possible to hide the email address regardless of the group membership! I want to be able to share and chat with any person, but not see their email address. Anything else is problematic from a GDPR point of view and also pointless in collaboration platforms

Did you read @wwe’s latest post as well (the one directly above yours), or just the old one you replied to?

See also the relevant section in the documentation: Profile configuration — Nextcloud latest Administration Manual latest documentation

I read the whole thread. Turning “Profile for new users” on or off - what does that even mean? Do new users no longer have a profile? Can you no longer write to them? Does this make sharing with them impossible? - seems to make no difference for the users. And the need of turning it off by the user for every user is not DSGVO compliant.
So, the key fact for me: Turning off the function to address any user is a solution that makes no sense at all.

Well, I tried to turn the visibility of my email address off by setting it to private. The value is saved. Then I switched the user, reloaded the page, logged off and in again, and searched for my other user. Email shown. Logged off, deleted the browser’s cache. Logged in: the email address is still shown. No difference for the users at all.

Yes.

You can still find them in the global search, share files with them or write them in Talk. But obviously you can’t send them emails anymore, if you can’t see their email address. However, they will continue to receive notification emails from your Nextcloud if they provided an email address.

Why? You don’t have to tune it individually as an admin, but you can. If you don’t tune it, users can still decide by themselves what information they want to provide and who they want to be able to see it. Or you can just turn off profiles globally.

Maybe you have a contact entry of the respective user in the contacts app that has the email address in it? Or the email address of this user is also the display name…?

You are completely wrong. Chances of having a duplicate displayName for people with common names, e.g. Müller and Meier, are very high. Email is always unique and is very useful to exactly identify the person.

As you said, the point is “collaboration” and not segregation. Users with an account on the system and collaborating with others are expected to share some contact details. One can discuss every single piece of information from a very restrictive point of view or one can set useful defaults, which is the case here. If you don’t want to expose private email information - just provide every user an email address from your organization - then it’s not “personal” anymore.

Okay. So you have different options: Anybody can see anything, anybody can see nothing, and nobody has a profile at all.
Every one of those options is unsatisfying and not useful in a normal context. As an administrator of a collaboration tool I want to set the details for all users at the same time, what can be seen and what not.

Because sharing with or writing to other people is the key functionality of a collaboration platform.

The problem is: I can’t tune it individually. Where do I set that the email address can’t be seen in standard and reset the option for all users?

Only the contacts that are synced because they are users of nextcloud. The second user to test is new.

It makes no sense that I might be wrong.

Irrelevant for the DSGVO perspective.

Irrelevant for the DSGVO perspective.

As you said: collaboration, not information. It’s not needed to collaborate.

Irrelevant for the DSGVO perspective.

Yes. Or I could create a central email account everybody sends his work to and then distribute it to everybody again. In 1990 both solutions were okay, maybe, but today both solutions are worthless to mention.

No, users can always decide what other users can see.

Why do you care? Just turn profiles off globally. After that only the display name will be shown. Anything else (probably not even that) is not feasible to bypass any DSGVO bureaucracy anyways.

And try to inform yourself how other public organizations that are using Nextcloud handle it.

1 Like

If they should be able to send emails to each other, they obviously have to see the email addresses they need to send emails to. But luckily you are using Nextcloud, which is a modern solution where users can share files and send messages to each other without having to use a 1990s technology aka email. So what’s it gonna be? I’d say turn profiles off, and you’ll be fine. :wink:

Whether you’ll also be fine regarding the DSGVO, by just doing that, is a question that is beyond the scope of this forum.

That’s okay, but it doesn’t work. I turned off profiles in two different Nextcloud instances that are installed individually.
All settings don’t seem to change anything.

The second install is a fresh install, yet only with test-users except for the admin.
I set email to private in config.php.
Still every user (old and new) can see all others email-addresses.
I turned off profile and created a new user.
He still sees the old users’ mail addresses and his mail address is shown, too, although he got no profile.

If it only would work :slight_smile:

1 Like

Did you also add the following line to the config.php to turn it off globally?

'profile.enabled' => false,

I configured it like that on my instance, and I can only see the display name when searching for other users…

Maybe you can also run the occ command first, just to be sure:

occ config:app:set settings profile_enabled_by_default --value="0"
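
The three switches discussed in this thread live in two different stores (`config.php` and the app configuration), which is an easy way to end up with one set and the others still at their defaults. The following is an added example, not code from any poster or from the Nextcloud project: it reads the JSON printed by `occ config:list` and reports the effective state of each switch. The sample JSON is constructed, and the key `shareapi_only_share_with_group_members` (for the "restrict users to only share with users in their groups" checkbox) and the defaults used for unset keys are assumptions about a stock install.

```python
import json

# (section, app, key, assumed default when unset, value that limits exposure)
CHECKS = [
    ("system", None, "profile.enabled", True, False),
    ("apps", "settings", "profile_enabled_by_default", True, False),
    ("apps", "core", "shareapi_only_share_with_group_members", False, True),
]

def as_bool(value):
    """App values are stored as strings ("0", "yes"), system values as PHP types."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"1", "yes", "true"}

def audit(config_json):
    """Return, per key, whether it is set explicitly and its effective value."""
    cfg = json.loads(config_json)
    report = {}
    for section, app, key, default, wanted in CHECKS:
        scope = cfg.get(section, {})
        if app is not None:
            scope = scope.get(app, {})
        explicit = key in scope
        effective = as_bool(scope[key]) if explicit else default
        report[key] = {
            "explicit": explicit,
            "effective": effective,
            "restrictive": effective == wanted,
        }
    return report

# Constructed sample: the occ command from the thread was run, but
# 'profile.enabled' was never added to config.php and the group
# restriction was left unchecked.
SAMPLE = json.dumps({
    "system": {"trusted_domains": ["cloud.example.org"]},
    "apps": {
        "settings": {"profile_enabled_by_default": "0"},
        "core": {"shareapi_enabled": "yes"},
    },
})

if __name__ == "__main__":
    for key, state in audit(SAMPLE).items():
        flag = "ok   " if state["restrictive"] else "CHECK"
        origin = "set" if state["explicit"] else "default"
        print(f"{flag} {key} = {state['effective']} ({origin})")
```

On a real instance the input would come from `occ config:list` run as the web server user; the report only shows what is configured, not what the sharing dialog ends up displaying.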