Best way to expose email address of request to its author
10 views
Skip to first unread message
Anas Ambri
Oct 7, 2022, 11:53:28 AM10/7/22
to Alaveteli Dev
Hello there!
This is a feature request for asktheeu.org, but I imagine that it would be useful for other sites as well.
One of the EU agencies listed on asktheeu has been using their own portal to respond to FOIs. However, to provide access to requests made through asktheeu, they have usually asked for the email address associated for each request, which is automatically generated by alaveteli, and is hidden. Therefore, the staff behind asktheeu had to resort to responding manually to every request to share that email address.
This is a feature request for asktheeu.org, but I imagine that it would be useful for other sites as well.
One of the EU agencies listed on asktheeu has been using their own portal to respond to FOIs. However, to provide access to requests made through asktheeu, they have usually asked for the email address associated for each request, which is automatically generated by alaveteli, and is hidden. Therefore, the staff behind asktheeu had to resort to responding manually to every request to share that email address.
To continue keeping the request email address hidden, it seems that the best way would be simply to include it in the notification email sent at the request creation.
What does everyone think of this approach?
PS: I've created an issue on GitHub to discuss this specifically for asktheeu, if you're interested
What does everyone think of this approach?
PS: I've created an issue on GitHub to discuss this specifically for asktheeu, if you're interested
Gareth Rees
Oct 14, 2022, 11:41:11 AM10/14/22
to Alaveteli Dev
Hey!
This is an issue we face on WhatDoTheyKnow too, and we're starting to keep track [1] when we spot them. We've started calling authorities out for refusing emailed requests (illegal in UK) [2] and these response links are quite high on our radar for similar campaigning.
FragDenStaat also have a similar issue [3], which they solved by writing some code to handle these automatically.
Alaveteli does have a workflow for authorities wanting to respond by post, and we've been thinking that this ought to get updated to reflect a more general set of off-site responses [4] such as this.
We really try to avoid exposing the request email in Alaveteli to be confident only the authority can respond, and to prevent spam bots getting hold of it and sending junk to requests.
The authority should receive the unique email address in the From header of the email – there's no need to include it in the body of the email sent to them.
> To continue keeping the request email address hidden, it seems that the best way would be simply to include it in the notification email sent at the request creation.
Including it in the footer of notifications to users is probably the safest place to add it, as we do try to automatically redact request emails when they appear on the site.
Alternatively we could add a link in the Actions menu, as you suggested in your initial private email to us. We'd want that action to only be available to the requester though, rather than any logged in user, so yeah, there would be some more work in patching that in.
Hope that helps.
Best,
[2] https://www.mysociety.org/2022/08/01/public-bodies-refusing-emailed-foi-requests/
[3] https://fragdenstaat.de/en/blog/2022/08/16/we-cracked-the-frontex-code/
[3] https://fragdenstaat.de/en/blog/2022/08/16/we-cracked-the-frontex-code/
Reply all
Reply to author
Forward
0 new messages