mox
Resurfacing Mails as Privacy Concern
Steps to reproduce
- Create a new account
./mox config account add test1 [email protected]
./mox setaccountpassword test1 somesecretpassword
- Add content to the mailbox (through webmail or other means).
- Remove the account
./mox config account rm test1
- Verify that the account is inaccessible and emails are not received using the original address.
- Re-create the account with the same email address:
./mox config account add test1 [email protected]
./mox setaccountpassword test1 sameordifferent
Observation:
Despite account removal, emails from the original mailbox resurface with the recreated account using the same email address.
Concern:
This behavior can lead to privacy issues. Users who intend to permanently delete their accounts and emails might be surprised by the ability to recover emails simply by recreating the account. This could potentially contradict user expectations regarding the "right to be forgotten" and data deletion.
Recommendation:
- The documentation should be updated to explicitly state that mox config account rm does not permanently delete emails.
- Consider implementing an option for irreversible mailbox deletion alongside account removal or making it the standard, with the option only to remove the account definition.
Additional Notes:
- The password used during account recreation can be the same or different from the original password.
- This behavior might be intentional for scenarios like account recovery, but it's IMHO crucial to ensure user awareness and provide clear options for permanent deletion.
- As a current workaround, just delete the data directory of the account.
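The workaround above, as an added example that is not part of the mox project or of this thread: a small POSIX shell helper that finds account data directories with no matching configured account (the data that would resurface on re-creation) and removes one only after confirming the account is no longer configured. It assumes each account's data lives under DATA_DIR/accounts/<account>, and that the caller passes the list of currently configured account names.

```shell
#!/bin/sh
# Added example, not mox project code. Assumption: account mail data is
# stored under $DATA_DIR/accounts/<account>.

# Print account data directories that have no configured account, i.e. data
# that would be picked up again if an account with the same name were re-added.
# Usage: orphaned_account_dirs DATA_DIR configured_account...
orphaned_account_dirs() {
    data_dir=$1
    shift
    for dir in "$data_dir"/accounts/*/; do
        if [ ! -d "$dir" ]; then continue; fi
        name=$(basename "$dir")
        found=0
        for acct in "$@"; do
            if [ "$acct" = "$name" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then echo "$name"; fi
    done
    return 0
}

# Remove one account's data directory (the issue's workaround), but refuse if
# the account is still configured, so live mail is never deleted by mistake.
# Usage: remove_orphaned_account_dir DATA_DIR account configured_account...
remove_orphaned_account_dir() {
    data_dir=$1
    name=$2
    shift 2
    for acct in "$@"; do
        if [ "$acct" = "$name" ]; then
            echo "refusing: $name is still a configured account" >&2
            return 1
        fi
    done
    rm -rf "$data_dir/accounts/$name"
}
```

Run `orphaned_account_dirs` against a backup first; a lingering directory for a removed account is exactly the state that lets old mail reappear.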
Thanks for raising this issue. This isn't the right behaviour. I think we should just really remove the account data. Admins should have backups. In the admin web interface we can ask for confirmation. We could also force an admin to specify a flag to "mox config account rm", to indicate they really mean to remove the account, but that's probably a step too far.
The other option is moving the account data to some directory, out of the way. But the risk is that it is never cleaned up and lingers (like it does now!).
I did run into this as well, agree with @RobSlgm.
./mox config account rm test1
should remove account config and data
If you think there is a good use for keeping account's data, that data should still be linked to the account config.
Maybe a better way would be to have:
./mox config account disable test1
Keeping both account's data and config.
This would also be more clear than adding a flag to rm.
To be more clear, both:
./mox config account rm --keep-data test1
or
./mox config account rm --delete-data test1
would be less clear.
Thanks for the feedback. "mox config account rm" now indeed simply removes all files (first moving the directory from data/accounts/ to data/tmp/). There is no disable yet. To achieve a disabled account, an admin can either set a new password and not tell the user and/or remove all email addresses configured for the account.
Fixed in v0.0.12