Changes to /leave email link


 

Hi All,

Based on the discussion on beta@ and the support issues I receive, it's clear the /leave flow needs to be fixed. I think I need to change it so that a password is required to unsubscribe via the /leave link. Here is the new flow I'm working on; please let me know what you think:

- Click the /leave link in the footer of a message, it goes to a page where you are logged out, and it says something like "To unsubscribe or change your subscription options, please log in". It will fill in your email address, but the password field will be blank. There will also be the buttons to log in via Facebook/Google/Send me a login link. Because you are forced logged out, there's no possibility of a different person's name showing up in the upper right corner.

- Once you do that, you'll be logged in and taken to the (existing) /unsub page for the group, which asks you to verify that you'd like to leave, and gives you the option to change your subscription to Special notices or a summary email. If you are unsubscribing from a parent group, it will tell you that you will also be unsubscribed from any subgroups.

- Click the unsubscribe button and it'll take you to a final page telling you that you've been unsubscribed. You may or may not receive a resub email with a link to resubscribe within 3 days (haven't decided this yet).

Thoughts?

Thanks,
Mark


Donald Hellen
 

Mark,

I can see problems with this. If a person can't simply click an
unsubscribe line to do so, they'll post in the group that they want to
unsubscribe and someone will have to do it manually for them. That
adds to moderator activity.

Donald

On Wed, 25 Oct 2017 16:38:27 -0700, "Mark Fletcher"
<markf@corp.groups.io> wrote:

Hi All,

Based on the discussion on beta@ and the support issues I receive, it's
clear the /leave flow needs to be fixed. I think I need to change it so
that a password is required to unsubscribe via the /leave link. Here is the
new flow I'm working on; please let me know what you think:

- Click the /leave link in the footer of a message, it goes to a page where
you are logged out, and it says something like "To unsubscribe or change
your subscription options, please log in". It will fill in your email
address, but the password field will be blank. There will also be the
buttons to log in via Facebook/Google/Send me a login link. Because you are
forced logged out, there's no possibility of a different person's name
showing up in the upper right corner.

- Once you do that, you'll be logged in and taken to the (existing) /unsub
page for the group, which asks you to verify that you'd like to leave, and
gives you the option to change your subscription to Special notices or a
summary email. If you are unsubscribing from a parent group, it will tell
you that you will also be unsubscribed from any subgroups.

- Click the unsubscribe button and it'll take you to a final page telling
you that you've been unsubscribed. You may or may not receive a resub email
with a link to resubscribe within 3 days (haven't decided this yet).

Thoughts?

Thanks,
Mark
The further a society drifts from truth the more it will hate those who
speak it. --George Orwell


 

Mark,

Based on my experiments showing that someone clicking on "unsubscribe" from a forwarded or cc'd message will then, if they click on "resume membership," actually have total access to that person's account, I think anything is fine as long as login is required.
--
J

 

Messages are the sole opinion of the author, especially the fishy ones.

I wish I could shut up, but I can't, and I won't. - Desmond Tutu


 

On Wed, Oct 25, 2017 at 04:42 pm, Donald Hellen wrote:
That
adds to moderator activity.
I think that's a minor detail compared with the ginormous security hole.
 
--
J

 



 

Mark,

Based on the discussion on beta@ and the support issues I receive,
it's clear the /leave flow needs to be fixed.
I'll agree with that, particularly given J's identification of a security flaw with the current implementation.

I think I need to change it so that a password is required to
unsubscribe via the /leave link. ... please let me know what you
think:
Unacceptable.

I don't mean that in the ultimatum sense of "I'll stop using Groups.io" over this, but I do think it will be hugely problematic for my group members and in the long run for Groups.io.

Problematic for my group members because most are email-only. Asking them, effectively, to create an account so that they can unsubscribe from a group will undoubtedly be viewed as topsy-turvy, if not an outright scam.

Problematic for Groups.io because the more barriers there are in the way of unsubscription the more likely people are to "simply" mark the messages as spam to be rid of them.

Because you are forced logged out, there's no possibility of a
different person's name showing up in the upper right corner.
What is it you are trying to fix here?

If I'm logged in that's my name in the upper right corner. If the link specifies an account other than the one I'm logged in with then fail the link. Have it go to a landing page that tells me that I clicked on a link from someone else's message and politely refuse the unsubscription request. There's no reason to log me out and ask me to log into someone else's account (which I hopefully can't do).

If I'm not logged in when I clicked the link then the forced logout had no effect. But I suppose that makes it harmless.

If I'm not logged in, what if the landing page for the link emphasizes the "Send me a login link", but instead of calling it that call it something like "Verify this email address" and explain why that needs to be done. De-emphasize the alternative of logging in with a password or Facebook/Google.

That will at least minimize the consternation of an email-only user.
They may not like having to go another round of email just to unsubscribe (and I don't blame them) but it beats asking them to create an account.

Shal

--
https://groups.io/g/Group_Help
https://groups.io/g/GroupManagersForum


 

On Wed, Oct 25, 2017 at 07:01 pm, Shal Farley wrote:
If I'm not logged in, what if the landing page for the link emphasizes the "Send me a login link", but instead of calling it that call it something like "Verify this email address" and explain why that needs to be done.
This seems to me to be the only acceptable alternative, IF it can be done and would work. The problematic situation is when the person clicking on "unsubscribe" (a) is a groups.io member with a different email address from the one they are clicking on the link from (because the email was a forward or cc), (b) is not currently logged in, and (c) after clicking on "unsubscribe," proceeds to click on the "resume membership" email that they get in the confirmation. Currently, that takes them to the home page of the other person's account.

Would this solve that?
 
--
J

 



 

J,

This seems to me to be the only acceptable alternative, IF it can be
done and would work.
This part is mostly an alteration of the text labels and descriptions on the landing page Mark said he was intending to create. So I think it would work.

The problematic situation is when the person clicking on "unsubscribe"
(a) is a groups.io member with a different email address from the one
they are clicking on the link from (because the email was a forward
or cc), (b) is not currently logged in, and (c) after clicking on
"unsubscribe," proceeds to click on the "resume membership" email that
they get in the confirmation.
In this scenario Bob (the person doing the clicking) isn't logged in to any account, and no one has yet been unsubscribed from anything. So any address verification email should not have a "resume membership" link.

We hope at the landing page of the link Bob will recognize that the pre-filled email address isn't his and he either stops or he changes it to his. If he changes it to his own address fine! He receives the verification email, clicks to log in to his own account, and unsubscribes himself, which was what he wanted in the first place. He may then receive the "goodby" notice from Mark with a "resume" link (the one Mark hasn't decided about yet).

Granted, a certain fraction of the time we can expect that Bob will click without noticing the email address. The protection here is that Bob won't receive the verification email. At that point nothing has happened, and even if Alice receives the verification email and clicks through all she's done is log in to her own account. Perhaps she's a little confused as to why she got that email, but Mark can put language in the email to explain why it was sent, and that she should ignore it if she didn't ask for it.

Currently, that takes them to the home page of the other person's
account. Would this solve that?
I'm pretty sure it would.

Testing these scenarios, using multiple browsers on a single computer, it is very easy to get confused about which hat you're wearing at the moment, and what the person with that hat knows and doesn't know. It would be easier if you had access to a library or classroom with several computers so that you'd have to physically move from computer to computer when you change hats - helping to make it a more realistic test scenario.

Shal
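
The link handling discussed in the posts above (fail a link that names a different account than the logged-in one, verify the address before anything happens, and keep a "resume" link from granting account access), sketched as an added example that is not Groups.io's code. The token layout, function names, secret and addresses are all hypothetical.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent out

def make_token(email, group, purpose, ttl=3 * 86400, now=None):
    """Sign a link token that is valid for exactly one purpose."""
    now = time.time() if now is None else now
    body = json.dumps({"e": email, "g": group, "p": purpose,
                       "x": int(now + ttl)}, sort_keys=True).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())

def read_token(token, purpose, now=None):
    """Return the claims if signature, purpose and expiry all check out."""
    now = time.time() if now is None else now
    try:
        b64_body, b64_sig = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    if claims["p"] != purpose or claims["x"] < now:
        return None
    return claims

def handle_leave_click(token, session_email):
    """Decide what the /leave landing page does. Nothing is unsubscribed here."""
    claims = read_token(token, "leave")
    if claims is None:
        return ("reject", None)
    if session_email is None:
        # Not logged in: mail a verification to the address in the link only.
        # Someone who got the message as a forward or cc never receives it.
        return ("send_verification", claims["e"])
    if session_email.lower() != claims["e"].lower():
        # Logged in as someone else: refuse and leave their session alone.
        return ("refuse_other_account", None)
    return ("show_unsub_page", claims["e"])

def handle_resume_click(token):
    """A resume link may re-subscribe the member; it never creates a session."""
    claims = read_token(token, "resume")
    if claims is None:
        return {"resubscribed": None, "session_for": None}
    return {"resubscribed": (claims["e"], claims["g"]), "session_for": None}
```

Because the purpose is part of the signed payload, a link lifted from a forwarded message can at most trigger the one action it was issued for, against the one address it names.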


Maria
 

On Wed, Oct 25, 2017 at 05:01 pm, J_Catlady wrote:
I think that's a minor detail compared with the ginormous security hole.
 
Completely agree with you J.
I fully support Mark's proposal.

Maria


Maria
 

On Wed, Oct 25, 2017 at 07:01 pm, Shal Farley wrote:
Problematic for my group members because most are email-only. Asking them, effectively, to create an account so that they can unsubscribe from a group will undoubtedly be viewed as topsy-turvy, if not an outright scam.
It is so incredibly easy to use the "email me link to login" link that I don't agree with this at all.
It's not really "creating an account" it's logging in to the web interface of an account you ALREADY actually have by virtue of being subscribed.
Email only users are going to be less and less as the users become younger. Most already do the hybrid option, I'd imagine.
What Mark is proposing is way easier than deleting an account - which is what you would have to do with Facebook, insta, snapchat, slack, etc. - and even with those when you want to change your delivery options you must login.

Just because groups.io has this wonderful ability to be used by email or web - or both, doesn't mean we need to stick to email list / mailing list / listserv behaviors.

Maria


 

On Thu, Oct 26, 2017 at 01:17 am, Shal Farley wrote:
The protection here is that Bob won't receive the verification email.
And then he THINKS he's unsubscribed himself, but actually nothing has happened? I think that doesn't really fly.

Testing these scenarios, using multiple browsers on a single computer, it is very easy to get confused about which hat you're wearing at the moment, and what the person with that hat knows and doesn't know.

I fully tested and reproduced the scenario and found that "Bob" was able to get total access to "Alice"'s account. I was so stunned at what I was seeing that about the fifth or so time I started meticulously notating every step. It's possible that I still got confused. I did ask at the time for someone to try to reproduce what I'd found, but apparently there were no takers.
 
--
J

 



 

On Thu, Oct 26, 2017 at 06:21 am, HR Tech wrote:
It is so incredibly easy to use the "email me link to login" link
...or a simple email asking to be unsubscribed. From the howls of protest you'd think that would be armageddon.

It's not as if groups.io is some advertising email list which you'd expect to be able to click on "unsubscribe" from the actual email or be cursing because you never asked to be on it. The person affirmatively joined groups.io. Asking them to lift a finger to leave it does not seem so much to ask.
 
--
J

 



Maria
 

On Thu, Oct 26, 2017 at 08:34 am, J_Catlady wrote:
It's not as if groups.io is some advertising email list which you'd expect to be able to click on "unsubscribe" from the actual email or be cursing because you never asked to be on it. The person affirmatively joined groups.io. Asking them to lift a finger to leave it does not seem so much to ask.
Precisely. Since abuse of direct add leads to suspension - groups on groups.io are mostly membership groups and as such the unsubscribe should not be treated like an unsubscribe from a mailing list you have no idea how you got on. Especially thinking forward to when more membership type modules may be added etc... It's entirely reasonable to expect login.

Maria


 

On Thu, Oct 26, 2017 at 08:43 am, HR Tech wrote:
Since abuse of direct add leads to suspension
And since direct-add members are given a chance, upon direct add, to refuse membership
 
--
J

 



 

Maria,

It is so incredibly easy to use the "email me link to login" link
that I don't agree with this at all.
The problem with Mark's proposal is only partially the ease of use. It is mostly the verbiage of "log in" - that carries the connotation of having or creating an account to log in to. Worse, the presentation Mark described made the password box prominent with the other log in methods there "also".

My proposal did not change the ease of use, only the verbiage. I suggested to make the "Email" link most prominent and label it something like "Verify this email address". That avoids any connotation of having or creating an account.

It's not really "creating an account" it's logging in to the web
interface of an account you ALREADY actually have by virtue of being
subscribed.
That's technically true, but entirely hidden from the email-only group member. I don't think it is appropriate to confront them with that reality at the moment when all they want to do is unsubscribe.

Shal


 

J,

And then he THINKS he's unsubscribed himself, but actually nothing has
happened? I think that doesn't really fly.
Not at all my intent. The link's landing page should make it unequivocally clear that nothing has happened yet, and that no unsubscription will occur until the user verifies the email address.

Thinking a little further, this semantics and mechanism could be made a bit clearer, I think, if the email verification were based on a code passed in the email, rather than a link. The landing page would have an entry box to fill in that code. This would emphasize the fact that there's another step required (receiving the code) before one can unsubscribe.

Shal


 

On Thu, Oct 26, 2017 at 11:06 am, Shal Farley wrote:
Thinking a little further, this semantics and mechanism could be made a bit clearer, I think, if the email verification were based on a code passed in the email, rather than a link. The landing page would have an entry box to fill in that code. This would emphasize the fact that there's another step required (receiving the code) before one can unsubscribe.
And this is simpler than just requiring (and facilitating) a login?
 
--
J

 



 

J,

And this is simpler than just requiring (and facilitating) a login?
I think it is conceptually simpler than being emailed a link, which then takes you to yet another landing page. The link's sole advantage is that it is a click rather than a copy/paste.

However recall that my concern is for email-only members. Faced with a landing page that demands a log in - even an emailed link to log in - their likely reaction is "expletive no, I want to unsubscribe not log in". So at that point they close the page in disgust and either contact me to unsubscribe them, or they mark the group's messages as spam and fume at what a lousy service Groups.io is because it won't even let you unsubscribe.

A better alternative, IMO, to a landing page that requires a login would be to go back to the idea of using a mailto: link that creates a message to the group's +unsubscribe command. On the whole _that_ seems a lot simpler.

Shal



Maria
 

Another reason I am in favor of requiring a login is that what we mostly get in our group are people who accidentally unsubscribe - when in reality they just wanted fewer emails.
This happens quite a bit and that takes moderator time to fix and rejoin them and help them pick better settings.
I think having to login will help a lot with this as they will take a second to actually realize what they are doing and pick the correct option.
Some people who are email only - may not realize the various other options available - like digest or summary or special notices or no email... and they might actually be looking for that, not to leave the group. Again, this actually happens in our group and then we get emails from these people wondering why they aren't getting emails any longer...

Maria


 

On Thu, Oct 26, 2017 at 02:40 pm, Shal Farley wrote:
likely reaction is "expletive no, I want to unsubscribe not log in"
I do see the point. It's like, someone wants to end a relationship and you make them have a sit-down dinner with you first, when even a drink is too much and they want the hell out. So make them log in but don't call it that! Do that "confirm" thing. Call it "confirming" they want to leave. Wasn't that one of the suggestions here? I'm losing track.

A better alternative, IMO, to a landing page that requires a login would be to go back to the idea of using a mailto: link that creates a message to the group's +unsubscribe command. On the whole _that_ seems a lot simpler.
I "voted" for that one during the last round of this, but I think there was some technical reason why it couldn't be done. Wouldn't that come from the forwarded/cc'd (problematic) email, resulting (as now) in the wrong member being unsubscribed?

--
J

 



 

Maria,

I think having to login will help a lot with this as they will take a
second to actually realize what they are doing and pick the correct
option.
I don't see how the word "login" is necessary to this goal. All that's needed is that the page they get to after verifying their email address present the various options. It could be the /unsub page Mark referred to or even the normal Subscription page, which has unsubscribe as a red button on the very bottom.

Note again, I'm not saying the person shouldn't be effectively logged in at that point. I'm saying that the language of it, as proposed, is entirely wrong for the mind-set of an email-only member. You say "log in", I say "verify your email address". Pretty much the same thing in mechanism, but entirely different psychologically.

Again, this actually happens in our group and then we get emails
from these people wondering why they aren't getting emails any
longer...
Maybe someone needs to research how these people are initiating their unsubscription, and what information is presented to them in each case.

If these are email-only members then the likely mechanisms are:

1) Automatic unsubscribe by marking a message as "spam",
2) Clicking through the unsubscribe link in an email message,
3) Using the +unsubscribe command,
4) Other?

I think the first three cases have distinct records in the activity log, so you may be able to see if there's a pattern that suggests which path needs improvement.

Shal