Forums | Mahara Community
Privacy and the profile page
14 May 2014, 17:54
At UC we have a number of examples of new users using their profile page for assignments. Depending on the nature of the assessment this presents obvious privacy and other issues. Students are told that all pages are private until shared - but this doesn't apply to profile page - an exception to the rule.
Students new to Mahara do this because it's easy - the page is already created and shared with everyone - mearning the teacher (who potentially has no idea of the issue) can see it.
One student I spoke to was in the habbit of handing in assignments at the last minute, not uncommon, and it wasn't until three assignments into semester they started creating pages.
We would like your some feedback and discussion around the following:
We would like to have Mahara use an opt-in strategy for profile sharing - rather than the "you can't opt out at all, and everyone can see this page" approach that is currently in place.
To guide students in sharing a popup could make some recommendations - and also alert them about being careful about posting personal information - or whatever.
Adding a default e.g. "Friends" could be an option but may also have downsides, e.g. when you accept a friend to be polite but don't really want them to see your profile.
At the end of the day this approach probably suits Mahara's philosophy of deliberate sharing, rather than the "always on" public approach of Facebook. (They can use FB for that!?)
Looking forward to hearing thoughts.
22 May 2014, 12:58
Mahara does not currently have an "opt-in" setting for profile sharing, but there is an existing setting to change it from mandatory sharing to "opt-out".
Administration -> "Configure Site" -> Users -> "Logged-in profile access"
This setting is enabled by default, and what it does is force profile pages to be visible to logged-in users, with no ability for the profile owner to rescind that permission. If you disable it, then the profile page will start out visible to logged-in users, but the profile owner can go to the "Edit access" screen for that page and rescind that access.
Even with that setting disabled, profile pages are still a little special:
- They start with a "logged-in user" share, whereas normal pages start with no sharing
- If you remove all sharing from a profile page, logged-in users will still see a minimal placeholder with your display name, user icon, and controls to send messages and request friendship; and the message "Full access to this user profile is restricted".
I think you raise a good point. If a site disables this setting, then it is perhaps more likely that would prefer the system to be "opt-in" rather than "opt-out". So perhaps new profile pages should be entirely unshared by default.
Or alternately you could add a set of checkboxes below this setting to specify that new profile pages get shared by default with Public, Logged-in Users, and/or Friends. Or I suppose you could go more granular still and specify for each of Public, Logged-in, and Friends, whether each is shared by default, not shared by default, or mandatory. But that might be granularity overkill.
22 May 2014, 16:04
Yes I found that setting, thanks. After the logged-in users was made optional I realised I couldn't do the same for "institution members".
All our users are in the one institution - so removing logged-in users makes no difference.
In the case of a switch for opt-in - then yes profiles would be private by default - which is what we want to be able to do.
We also want users to be have the control to make their profiles private if they want to - which fits in with Mahara's philosophy as a personal environment. Forcing sharing just doesn't seem to fit this picture?
In the first instance, letting the admin choose opt-out or opt-in at a site level should cover the major use cases. As long as users can truely opt-out! :)
Then in subsequent versions, perhaps, granular options could be added?
Thanks for thinking about this, it's coming up as a bit of an issue for users new to Mahara.
27 May 2014, 18:16
Hm, I see what you mean. If you are a member of any instution besides "No Institution", then your profile page is force-shared with all members of the institution...
Yep, that's definitely an oversight. There should be an institution setting to disable that. I've filed a bug in Launchpad: https://bugs.launchpad.net/mahara/+bug/1323490
02 June 2014, 17:31
Hi Aaron and Shane,
Actually, it was not an oversight at the time but the required functionality for this feature by the funding party. ;-) But it would be good to have it be more flexible.