Open Bug 271405 Opened 16 years ago Updated 7 months ago

Implement optional warning/confirmation prompt when sending bulk mail to many recipients without using BCC: [plenty/a lot/lots of To or CC recipients: suggest/propose using BCC instead]

Categories

(Thunderbird :: Message Compose Window, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

People

(Reporter: stpmoz, Assigned: aceman)

References

(Blocks 1 open bug)

Details

(Keywords: privacy, uiwanted, Whiteboard: [patchlove][workaround comment 45,57])

Attachments

(1 file, 1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; da-DK; rv:1.7.3) Gecko/20040910
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; da-DK; rv:1.7.3) Gecko/20040910

In order to limit accidental bulk mails being sent with to: or cc: the user
should be prompted whether the use of to: or cc: is deliberate or whether all
recipients should be put in BCC:. 

The threshold could be variable but for a start I suggest 10 recipients in to:
or cc: combined should activate the warning prompt. The user should also be able
to deactive the warning prompt in preferences and in a "Do not show this prompt
again" checkbox.

Obviously, this is an idea for both suite and Thunderbird.

Reproducible: Always
Steps to Reproduce:
I second this suggestion.

Sending email to many recipients is probably not a common situation for most
people, so warning them about potential dangers will be very educating. Acting
irresponsibly may not only harm the sender but also the recipients.

Here is a few examples of situations where using the To or Cc field for sending
bulk mail is dangerous:

- A company wants to send an email to all its customers. For competetive reasons
the company does not want to keep its customer list secret.

- A company wants to send an email to all its customers. The customers may want
to keep it a secret that they are customers of this company (e.g. if the company
sells Viagra).

- Somebody wants to send an email to a lot of people who do not know each other
(e.g. "I have moved - here is my new address"). One of these people have a
computer virus that sends junk to all addresses found in the person's inbox.

- Somebody wants to send an email to a lot of people who do not know each other
(e.g. "I have moved - here is my new address"). One of these people wants to
congratulate the sender and presses "Reply all" and sends a message to the
sender - and everyone else. A few other does the same. Now a few of the
recipients get annoyed and send messages to everyone saying "Please stop
spamming". This makes another person write "I don't think it's spam". And so on.
Version: unspecified → 1.7 Branch
Assignee: sspitzer → mail
Status: UNCONFIRMED → NEW
Ever confirmed: true
Component: MailNews: Main Mail Window → Message Compose Window
OS: Windows XP → All
Product: Mozilla Application Suite → Thunderbird
Hardware: PC → All
Version: 1.7 Branch → unspecified
QA Contact: message-compose
This would be a really good feature, I hope the developper will hear our voice !
In my comment https://bugzilla.mozilla.org/show_bug.cgi?id=310901#c3 on Bug 310901 I made a similar proposal.
Assignee: mail → nobody
Duplicate of this bug: 310901
Duplicate of this bug: 348345
Duplicate of this bug: 387297
Flags: wanted-thunderbird3?
I, for one, would love to see this feature implemented.
A default threshold of 10 as suggested in the initial request is too high imho. I would start at more than 5 or 3 even. Being able to set a threshold in the normal options isn't really required. I doubt that people will use it. Once they are aware of the issue and decide that they should use BCC when sending an e-mail to a specific amount of people they will do so in the future so just a "Do not show this prompt again" checkbox is sufficient.
This would be a big media win for TB3.  I have just received over 200 email addresses as cc:'d people in an email from our local police!   This could really help the adoption rate of TB.

If this is available as a plugin, I'd suggest making it a builtin...
Yeah, this is should be one of the essential features. I could not find a plugin that does it either. this is much more important than an empty subject line.
This adds a lot of value and should be seriously considered for TB 3.x.
It's also something we could sell very well, where Mozilla contributes to web hygiene (don't hurt the web by making spammers' life too easy).

(In reply to comment #7)
> I, for one, would love to see this feature implemented.
> A default threshold of 10 as suggested in the initial request is too high imho.

Maybe, maybe not. On the other hand, with less than 10 recipients the probability of unintended harm is much lower, and we don't want to get on people's nerves for no reason. Especially, we DON'T want them to switch off this feature, as this will increase the likeliness of big accidents in the future which we really want to avoid.

> I would start at more than 5 or 3 even.
No (as explained above). Actually, 10 seems like a reasonable default threshold, definitely it shouldn't be below 5 as users will immediately switch that off.

> Being able to set a threshold in the
> normal options isn't really required. I doubt that people will use it. Once
> they are aware of the issue and decide that they should use BCC when sending
> an e-mail to a specific amount of people they will do so in the future so
> just a "Do not show this prompt again" checkbox is sufficient.

No. Different users have different needs. E.g. for a private person, 10 recipients might be a lot, but in a business context, users might only want the warning for bigger numbers of recipients. In the long run, this surely needs to be configurable, so it's probably better to go for configurable from the start (UI needed). Actually, we shouldn't put the checkbox on the dialogue as it's too easy to switch off. Instead, add a note saying "You can customize or turn off this warning in Tools > Options > Composition > Recipients"

An alternative UI might be a red-ish notification bar (similar to Attachment Reminder notification bar). When user adds too many recipients in to or cc, we show notification bar at the top of msg:

+-----------------------------------------------------------------------------+
| You are sending your message too more than _10_ recpients (To or CC). All   |
| recipients will see each other's email addresses, and viruses might harvest | | these addresses for unsolicited mails (spam). You should use BCC so that the| email addresses of the other recipients are hidden. What do you want to do?   |
| Customize this warning...     [Hide email addresses, use BCC] [Don't hide     mail addresses]                                                               |
+-----------------------------------------------------------------------------+
Maybe something shorter with a "More Info" link to expand.

Another interesting thing in this context is Bug 491368 (Add a warning when sending mail to certain recipients).
Keywords: uiwanted
Whiteboard: good value, mozilla-mission
It would definitively be great to propose to switch to BCC when there are too many recipied, so people annoyed by the reminder would allow to automatically hide recipients when they are forwarding their **** funny powerpoint slideshow to their whole address book.
Duplicate of this bug: 602465
Summary: Warn user with warning prompt when sending bulk mail to xx recipients without using BCC: → Implement optional warning/confirmation prompt when sending bulk mail to many recipients without using BCC: [plenty/a lot/lots of To or CC recipients]
Adding search words for better retrievability.
Summary: Implement optional warning/confirmation prompt when sending bulk mail to many recipients without using BCC: [plenty/a lot/lots of To or CC recipients] → Implement optional warning/confirmation prompt when sending bulk mail to many recipients without using BCC: [plenty/a lot/lots of To or CC recipients: suggest/propose using BCC instead]
Duplicate of this bug: 847319
Keywords: privacy
Duplicate of this bug: 998544
I like this idea.
I would propose to make a pref for the number of recipients to trigger this. Also I propose to not have the "never remind me later" as most users would turn it off at first sight and then it would never kick in when actually needed. Knowing users and enterprises would easily change the pref if needing bulk emails.

I'll check if the number of recipients is available from the compose UI (also expanding mailing lists from addressbook).
Assignee: nobody → acelists
Blocks: 1019652
(In reply to :aceman from comment #16)
> I would propose to make a pref for the number of recipients to trigger this.

I have opened bug 1081608 for this part of the fix. A decision has not been taken, so I did it with UNCONFIRMED status and without filling dependency fields.
See Also: → 1081608
aceman: should we add this to the 38 feature list?
I can look at it and if it passes by you we can think about making it an official 38 feature :)
Duplicate of this bug: 1180633
This bug would need a preference to set the threshold. That is why I filed bug 1081608. Althought that is a simple bug which only adds the default value of the preference, some discussion could arise in order to set the value of the threshold.

As that discussion is irrelevant of the way the feature is finally implemented here, I have added bug 1081608 as a dependancy. This way the discussions could be made in a more untidy way.

Then, I will not ask for bug 1081608 to be landed on c-c until this one is going to land also.
Depends on: 1081608
There's really no need to have a separate bug just to create a pref for this bug. All that does is split the discussion over two bugs with no clear benefit.
Attached patch patch (obsolete) — Splinter Review
This could be it. We just need proper wording. I think there should be some question in the dialog so that the user can answer OK/Cancel or Yes/No.
Attachment #8673309 - Flags: ui-review?(richard.marti)
(In reply to :aceman from comment #23)
> This could be it. We just need proper wording. I think there should be some
> question in the dialog so that the user can answer OK/Cancel or Yes/No.

Please try to avoid OK/Cancel or Yes/No. They're usually not very clear. Some other options would be "Continue/Cancel" (ok) or "Send Anyway/Go Back" (better). There might be something better still. I'll let others chime in on the wording here.
Comment on attachment 8673309 [details] [diff] [review]
patch

Review of attachment 8673309 [details] [diff] [review]:
-----------------------------------------------------------------

I think this should go into a notification bar instead.

::: mail/locales/en-US/chrome/messenger/messengercompose/composeMsgs.properties
@@ +146,5 @@
>  addressInvalid=%1$S is not a valid e-mail address because it is not of the form user@host. You must correct it before sending the e-mail.
>  
> +## Strings used by the alert that tells the user that an e-mail address is invalid.
> +manyPublicRecipientsTitle=Too many public recipients
> +manyPublicRecipients=You are sending this message to many recipients which will see each other. Consider using the Bcc field instead of To and Cc to protect their privacy.

Maybe something like

All the N recipients will see each others e-mail addresses. To prevent this and protect their privacy you can use the Bcc field.  [Use Bcc instead]
(In reply to Magnus Melin from comment #25)
> Comment on attachment 8673309 [details] [diff] [review]
> 
> I think this should go into a notification bar instead.

Yes, this would not or less break the user's workflow. But then the check should be made immediately by reaching the limit and not at sending.

> Maybe something like
> 
> All the N recipients will see each others e-mail addresses. To prevent this
> and protect their privacy you can use the Bcc field.  [Use Bcc instead]

I like this. The [Use Bcc instead] implies a automatism. Maybe a [Let me change]   [Continue without change] where the "Let me change" could focus the first To: dropdown and shows the notification again or at least at sending and the "Continue without change" dismisses the notification bar until the next new message.
Let's not make a new module out of this similar to the attachment checker :)
For a notification bar the check would have to run periodically or on a keypress or on recipient input, so could become CPU heavy as the attachment checker (which parses whole text). We already have a checker like that for enabling the Send button.

But it seems to me the wording you guys is still about a dialog with 2 buttons. Should there be a notification bar (just informative) and then a dialog on send with the 2 options?
It'd only have to be run on adding a recipient.
My suggestion was for the notification bar text + a button that would change addresses to use Bcc instead.
When no notification bar then Magnus' text would also work in a dialog. Then the buttons could be [Let me change]   [Continue].
(In reply to Magnus Melin from comment #28)
> It'd only have to be run on adding a recipient.
> My suggestion was for the notification bar text + a button that would change
> addresses to use Bcc instead.

Automatically change all To/Ccs to Bcc?
Yes. Remember this feature would be useful not to have people send their mail to 200 people. That's not something anyone wants to try to change manually.
There exists servers which need at least one To: address. Then the sender address should be added to To:
(In reply to Richard Marti (:Paenglab) from comment #32)
> There exists servers which need at least one To: address. Then the sender
> address should be added to To:

This is handled in the code by adding "undisclosed-recipients" as recipient.
Aceman, are you awaiting my ui-r? Or is all clear how you would go further?
Flags: needinfo?(acelists)
What is the suggested location of that notification bar? If it is at the same spot as the attachment notification, I think one of them will obscure the other if fired simultaneously.
Flags: needinfo?(acelists)
Notifications have a priority, we just decide which is more important. (Once you close one, the one "under it" becomes visible.
At the same position like the attachment notification.

From the workflow I would say first should the attachment notification be shown. By pressing the send button, after the user chooses through the requester he wants not to add the attachment, the bulk mail warning can be shown. When he adds an attachment the bulk warning appears automatically as it's the only one now.
(In reply to Magnus Melin from comment #36)
> (Once you close one, the one "under it" becomes visible.

That is the catch I ask about. We probably want the bar here to be ignorable so that the user does not need to close it.
Thinking about it I'd say they could come just in order of appearance. They come from different parts (adding addresses vs writing the mail) of the work-flow so one would assume the user would have seen the earlier notification already.
Whiteboard: good value, mozilla-mission → good value, mozilla-mission, [good first bug][lang=js]
is this complex for a good first bug?
Flags: needinfo?(acelists)
Whiteboard: good value, mozilla-mission, [good first bug][lang=js] → [good first bug][lang=js]
This is a good first bug. There is even a patch that implements it :) Somehow we just want to convert it to a notification. Hopefully running it on adding any recipient will not break the 4000 recipients use cases.
Flags: needinfo?(acelists)
Duplicate of this bug: 1356393
_13 YEARS_ WITHOUT reaction and implemetation? Please set higher priotity of this bug!
(In reply to Magnus Melin from comment #25) 
> Maybe something like
> 
> All the N recipients will see each others e-mail addresses. To prevent this
> and protect their privacy you can use the Bcc field.  [Use Bcc instead]

Good idea but also there should be legal information. Part of people "has nothing to hide". 

Additional buttons:
first - people don't read massege boxes and clicks the first button - [Help] - here description about privacy and visibility of e-mail adresses. 
second - [Go back]
4th- [move all from CC to BCC]
5th- [move all from To to BCC]
I should get back to this :)
Meanwhile, there is an addon that does this: https://addons.mozilla.org/thunderbird/addon/use-bcc-instead/
Whiteboard: [good first bug][lang=js] → [good first bug][lang=js][workaround https://addons.mozilla.org/thunderbird/addon/use-bcc-instead/]
Duplicate of this bug: 1464607
This function should be a standard due to GDPR (2016/679) law in EU. Not addition but standard function. Default Threshold 5 persons (configurable) and there should ba a guide why and when to use BCC. Majority of people do not know why ans when should use the BCC. 

Because people doesn't read warnings and info boxes, the first dialog box should contain information and second dialog box should contain question "Do you really want to send e-mail to %d people without use of BCC?" and link to guide second time.

In my opinion it is well-known security problem. Mainly in companies.
It is also important to note that the add on mentioned in comment #45 no longer works in TB 60. Please make this standard functionality.
Hi everyone, I am new to the Open source world but would like to take this up. Please let me know if I can start with it and what are the things that I should start with.
Hello, see the patch attached in this bug and comment 25.

Pointer for using notification bar: https://searchfox.org/comm-central/search?q=msgNotificationBar&case=false&regexp=false&path=mail
(In reply to Magnus Melin [:mkmelin] from comment #28)
> It'd only have to be run on adding a recipient.
> My suggestion was for the notification bar text + a button that would change
> addresses to use Bcc instead.

So, it should run only when number of receiver's shoot max limit. For this, there need to be some checker that continously, checks the current receiver's list count. Is such a checker required, if yes, Is it already there? If not, any pointers to how can I add such a checker.
I don't think there is one. 
document.querySelectorAll("#addressingWidget .addressingWidgetItem").length gives you the number of items

See https://searchfox.org/comm-central/source/mail/test/mozmill/composition/test-reply-addresses.js#78
Why not implement three radio button like: 

-> "Notification to use BCC instead"

In settings -> compostion -> general

As soon as more than one recipient is chosen the sender will get a notification ("You are sending to a group of recipients. Do you want to use BCC instead?) and the possibility (Button) Yes/No.

-> The other radio button could be "Send mails generally as BCC". 

-> Another: "Do not ask". 

Another possibility would be to be able to define email groups to be sent as BCC or To generally. So during to creation of your mail groups you could chose whom to put into the "BCC" mail group and whom to put in a "To" mail group.

This is really an important feature.
Duplicate of this bug: 1527910
Flags: needinfo?(acelists)
Flags: needinfo?(aceman3000)

https://addons.thunderbird.net/en-US/thunderbird/addon/use-bcc-instead-c/ is another workaround, but apparently only for v64 and newer.

Whiteboard: [good first bug][lang=js][workaround https://addons.mozilla.org/thunderbird/addon/use-bcc-instead/] → [patchlove][workaround comment 45,57]

(In reply to Wayne Mery (:wsmwk) from comment #58)

https://addons.thunderbird.net/en-US/thunderbird/addon/use-bcc-instead-c/ is another workaround, but apparently only for v64 and newer.

It says here about this addon while trying to install:

"Not compatible with thunderbird 60.6.1"

(64bit version) on Mint Cinammon 19.1

I use 32-bit version of Thunderbird and I also need this addon or proposed patch. $ years ago aceman published workaround (in attachment). Why it is not added to thunderbird?

WIP patch with the notification bar.
Open for comments if this is the right direction and what needs polishing yet.

Attachment #8673309 - Attachment is obsolete: true
Attachment #8673309 - Flags: ui-review?(richard.marti)
Flags: needinfo?(acelists)
Attachment #9061185 - Flags: feedback?(richard.marti)
Attachment #9061185 - Flags: feedback?(mkmelin+mozilla)

(In reply to Nadia from comment #60)

I use 32-bit version of Thunderbird and I also need this addon or proposed patch. $ years ago aceman published workaround (in attachment). Why it is not added to thunderbird?

Because it was deemed to not be the right solution. I have now uploaded a new one according to the requests.

Comment on attachment 9061185 [details] [diff] [review]
271405.patch v2 WIP

f- because when I choose "Use Bcc instead" the notification bar hides and it sends still with To. And only the first recipient gets the mail.

I've also set the pref to 2 to see the notification earlier. After entering the second email address with return (the focus goes to the third, empty To: field) the notification pops up and speaks of 3 recipients. This is wrong, I entered only two. The notification should appear when three recipient are entered.
Attachment #9061185 - Flags: feedback?(richard.marti) → feedback-
Comment on attachment 9061185 [details] [diff] [review]
271405.patch v2 WIP

Review of attachment 9061185 [details] [diff] [review]:
-----------------------------------------------------------------

Didn't try it, but I think the direction looks ok

::: mail/locales/en-US/chrome/messenger/messengercompose/composeMsgs.properties
@@ +169,5 @@
>  addressInvalidTitle=Invalid Recipient Address
>  addressInvalid=%1$S is not a valid e-mail address because it is not of the form user@host. You must correct it before sending the e-mail.
>  
> +## Strings used by the notification about many public recipients.
> +manyPublicRecipients=All the %S recipients will see each others e-mail addresses. To prevent this and protect their privacy you can use the Bcc field.

the second sentence could be

You can protect their privacy by using the Bcc field, which means recipients can't see who else got this message.

::: mailnews/mailnews.js
@@ +851,5 @@
>  // When there is no disclosed recipients (only bcc), we should address the message to empty group
>  // to prevent some mail server to disclose the bcc recipients
>  pref("mail.compose.add_undisclosed_recipients", true);
>  
> +// The number of public recipients before we offer BCC addressing.

unclear from the description if it's < or <=

@@ +852,5 @@
>  // to prevent some mail server to disclose the bcc recipients
>  pref("mail.compose.add_undisclosed_recipients", true);
>  
> +// The number of public recipients before we offer BCC addressing.
> +pref("mail.compose.warn_max_public_recipients", 10);

10 is fairly small. maybe 15?
Attachment #9061185 - Flags: feedback?(mkmelin+mozilla)

10 is fairly small. maybe 15?

No. Due to GDPR the default value should be 5 + possibility of changing the value in settings.

Additionally if domains are different, the limit should be 2.

Additionally if domains are different, the limit should be 2 (max 2 different domains in "To" + "CC" fields).

@Nadia, can you back this claim with proof? I find it hard to believe the GDPR is this specific about sending emails.

(In reply to Nadia from comment #66)

Additionally if domains are different, the limit should be 2.

What? Sending an email to three members of my family, who use different freemailers, already should trigger this? I should send email as BCC to my family members? Because of GDPR????

Hundreds of mails in my inbox would match this condition. And for 99% of them, BCC is not the better option.

If you trigger this warning all the time, this will only cause people to disable the warning completely or increase the limit to 999. Better choose a reasonable default so it triggers only in cases where it is required.

10 is a good start I think.

I'd say 5 is a good start, GDPR or not. Less is overkill with too much chance BCC is not desired and thus receiving too many notifications. More than ten allows for too many e-mails to slip through.
It's too bad we don't really have any statistics. In my case maybe 95% of my e-mails have a single recipient, 4% have two to three recipients and only 1% have four or more.

Here are my personal stats. I analyzed ~ 4500 mails I sent myself since 2002, not the ones I received. This is a private email account.

5,2% of the mails I sent have more than one To-recipient, i.e. at least 2.
1% has at least 3 To-recipients
0,09% have at least 4 To-recipients
Only a single mail had 5 To-recipients (and no mail had more).

10,5% have at least one CC recipient
0,9% have at least two CC recipients
0,09% have at least three CC recipients
No mail has more than three CC recipients.

1,2% have at least one BCC recipient.

Note these statistics only consider the number of CC- or To-recipients, but do not add both. This is due to the simple grep way I used to get these numbers, it would be more complicated to get better numbers.

From these numbers, it seems a limit of 5 would have only triggered once or twice in 17 years. But I am also not somebody who is sending massmails.

I believe a corporate mail account would look a lot different, as people tend to CC their boss, colleagues, ticketing-systems and so on. I may do a statistics of a corporate mail account later.

My statistics are similar. Good will be 5 persons for personal use and work use. I only considered work related e-mail but not personal ones.

Due to GDPR will be good solution to ask during installation, how Thunderbird will be used (for work or personal stuff)?
In work related use a limit on domain count can be crucial. Sending of one e-mail to 4 clients may lead to legal isseus.

This is about avoiding unintentional mass mailings to large number of people. There is no need to have the notification for small numbers of people. Even a small project, or some mailing to say family can easily involve more than 10 people.

Duplicate of this bug: 1576661

Since this feature is about preventing data leaks, would it not make sense to set a priority on this enhancement request? This has been open for 15 years now, think about how many people could have been warned before making a mistake.

Duplicate of this bug: 1582689
See Also: → 1180633

I took over https://addons.thunderbird.net/en-US/thunderbird/addon/use-bcc-instead/ from the original author, because I used it: https://addons.thunderbird.net/en-US/thunderbird/addon/use-bcc-instead-c/
The old and new versions together have about 800 users.

My use case is sending out newsletters and announcements to members of local meeting groups. Typically I have a mailing list of 10 to 20 people and I want to avoid putting it on the TO or CC line.

The addon also has the facility to set the default recipient on the compose window to TO. I know some that people use the addon only for that.

Correction:
The addon also has the facility to set the default recipient on the compose window to BCC.

You need to log in before you can comment on or make changes to this bug.