Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Help text displayed to submitters about PGP is not actionable #567

Open
brassy-endomorph opened this issue Sep 10, 2024 · 1 comment
Open

Comments

@brassy-endomorph
Copy link
Collaborator

brassy-endomorph commented Sep 10, 2024

Is your feature request related to a problem? Please describe.

On the submissions page, if the recipient does not have PGP key, this text is displayed:

Your message will NOT be encrypted. If this message is sensitive, ask test to add a public PGP key. Here's how they can do it.

Since this is meant to be an anon whistleblower line, it shouldn't require out of band contacting nor should it encourage those with sensitive data to expose themselves.

Someone might have data about Area 51, and they may think that only the data is sensitive, but not the fact that they have it. They might then send a text, email, or submit to Hushline saying "I have Area 51 data I want to send, so upload a PGP key." This exposes them.

Describe the solution you'd like

The warning should continue to exist, and it should be above the text input box. and it should be full sized text, not smaller like it currently is.

The link in the help page is going to be confusing for the submitter. They don't need to know how a user uploads a PGP since they won't be the one doing it. They might not know or even care what PGP is. Maybe we don't want to say PGP at all. Having the docs linked in that message might be confusing. If I'm a leaker, what am I going to think when I see "Getting Started a Hushline Operator?" Do I want to be an operator? What does that even mean?

We could add a checkbox that says "Request that the recipient upload a PGP because you would like to contact them securely." When this is ticked, a banner is displayed when the recipient logs in. Also, on that particular message, there is some visual notification in their inbox. When they click the page, there is another banner that says "this user wants you to use PGP."

@glenn-sorrentino
Copy link
Member

That's just in testing. Messages are disabled entirely until a key has been uploaded.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: BL-P3 - Important Bugs & UX
Development

No branches or pull requests

2 participants