Users can unintentionally leak their private messages to the Giphy-Api, when accidentally pressing the GIF button after typing a message.
I don't have any solution to that problem without impacting convenience for normal users of the feature. But I still think this is a problem.
+1, I think this is a problem since the GIF Button doesn't disappear when your message is over X chars long.
But it's anonymous, so is it really a big deal?
Yes it is. The message can contain all kinds of information. Let's say you send a phone number or an address to someone. Or a link that contains a session ID (those are just a few examples).
Thanks for the feedback, however, our new design moved the GIF button to a different location (bottom of the screen), making it less likely to be tapped accidentally.
That's exactly where it was when I accidentally tapped on it! On the bottom of the screen, between the scribble and microphone symbols.
The problem is, that the GIF button is near the text field, where the message is typed in. This makes it quite easy to accidentally tap on it when setting the cursor to a position inside of the text field.
Instead of not changing anything, it would be a good idea at least, to build in a safeguard when the text exceeds a certain length or contains one whitespace or something.
Or you could require the user to always confirm before sending the data to giphy.
Instead of not changing anything, it would be a good idea at least, to build in a safeguard when the text exceeds a certain length or contains one whitespace or something.
In the old version, the GIF button would disappear if text was too long. With the current UI I don't see how that could work :/ As for containing a blank space, I think that's a _bad_ idea, because users may _want_ to look up something containing a blank space.
Or you could require the user to always confirm before sending the data to giphy.
This would break usability terribly, as you would have to tap on "confirm" in the 99% of cases when you actually _want_ to look up a gif. Also, users can still accidentally tap "confirm" if they don't mean it, so the problem of exposing plaintext to the API is not really solved.
Finally, I'd say this: this is an edge use case. I don't think there's many instances of people accidentally tapping the GIF button while also having typed very sensitive information. And even when they do (correct me if I'm wrong) the information is still being anonymized, which reduces the risks of that info being associated with you. I feel like the chances of Wire redesigning the UI entirely is higher than the chances of Wire taking care of this issue: they have more important things to take care about.
A note for the future might be this: make sure that when looking up a gif, a user has to
Even though the probability of something _important_ (however that is defined) might be low, but it is still more than significantly higher than the probabilities of data leakage you would accept when designing cryptographic systems. And you wouldn't rely on claims like something being anonymized in that case (the service gets at least the IP address and the content of the API request).
By looking at the length of the text or if it contains spaces, I don't mean to disable the GIF button entirely, but add a confirmation in these cases. Although that would then be an inconsistency that might be bad for the user experience because it might seem arbitrary to most users.
Being able to type in a search term only after pressing the GIF button would solve the issue, but at the loss of at least some convenience (although I personally think the gains are worth it).
I know that there have been compromises to be made. And you also can't protect users from, let's say accidentally sending a message to the wrong person or chat group and leaking private information that way. But I want this concern to be taken seriously and carefully considered at least.
Update: Signal has introduced support for Giphy and put a lot of effort into making it respect the users privacy as much as possible.
I have accidentally done this several times and was worried about exactly this problem. I'm very disconcerted to find that it is indeed leaking information to an external API. The button is extremely close to my keyboard's word-suggestion interface, and to the textbox which I click into to move the cursor/make edits. It's basically a huge "PRIVACY LEAK" button sitting right between the text and keyboard waiting to get pressed.
Why is this issue closed? This is a huge privacy leak that has actively happened to me multiple times already.
I would VERY much like if it had a new, blank search field when you press the Gif button, rather than automatically immediately sending whatever I had typed in the message field. I never use gif search, ever, but here it is making my chat client leak private information when I misclick, and I can't even remove it.
This kind of issue makes me severely distrust the general attitude towards security in the Wire team. Especially given that you dismissed it so easily and closed it without a fix.
Why is this issue closed?
@phoenixeliot Because they don't really care about users' privacy on here. It's just a publicity stunt.
They didn't even care if you can use wire with microG or not. https://github.com/wireapp/wire-android/issues/10
Use a proper an app that has been built for its users' privacy and security and done by people who are just doing it because they can, not because they want to make some shekels.
You should check out https://conversations.im/
+1 for this! There needs to be an option for disabling sending my private messages to a third party.
Even if it's anonymous, that doesn't solve the problem if I send a message to my friend:
Please buy me a california roll from the sushi place: Use my Visa CCN = 123456789. Expiration 01/22.
^ Then it doesn't matter if the message is securely & anonymously sent to the 3rd party!
My intention on using Wire is to be able to send such confidential information to someone privately. But if it's sent to a 3rd party, it obliterates any security model that Wire intends to build.
This would break usability terribly, as you would have to tap on "confirm" in the 99% of cases when you actually _want_ to look up a gif. Also, users can still accidentally tap "confirm" if they don't mean it, so the problem of exposing plaintext to the API is not really solved.
I (and probably many of your users who use Wire as their secure messaging app) literally want to use the gif button 0% of the time.
I am reopening this one. Addressing this concern is not high on our list of priority as we have missing features and bugs that we need to address first, but this could be a good candidate for a contribution from the community, if anyone wants to have a go at it.
It could be solved by adding a setting for "3rd party integrations" in the advanced options, that would add/remove the GIF button from the toolbar. What do you think @jennifergoertzen ?
I think that's a good idea.
If we were to add the option to advanced settings, I think we need to make sure there is copy that makes it clear what this will affect. Many people who use Wire may not make a connection between "3rd party integrations" and the GIF button on the toolbar.
If someone from the community would like to contribute, the Wire Design team could assist with the accompanying copy.
Most helpful comment
The problem is, that the GIF button is near the text field, where the message is typed in. This makes it quite easy to accidentally tap on it when setting the cursor to a position inside of the text field.
Instead of not changing anything, it would be a good idea at least, to build in a safeguard when the text exceeds a certain length or contains one whitespace or something.
Or you could require the user to always confirm before sending the data to giphy.