Steve Syfuhs11h ago

RE: https://mastodon.social/@JenMsft/116306515557926926

For those wondering why this has always been a point of contention for us internally is because under specific circumstances it can lead to a privacy leak.

Apps in low-ish IL or have capability enforcement need to assert that they need to know user information like username or email address. We want to do our best to protect that info. On consumer devices this is especially critical to protect so if your profile path is firstlast87 there's a good chance that's your email and all you need is to guess the dozen or so common domains and now your email is leaked.

That's why we obscure the profile folder path in cases that don't require 20 years of back compat (enterprise join scenarios).

It was never a perfect solution because balancing user privacy and practical usability for a billion odd users is...complicated...but it did act as a useful speedbump.

Show threadSteve Syfuhs

As a general rule, even if a privacy control is easily circumvented through other means, you can't just regress the privacy control itself. In these situations you have two options: don't change it OR let the user override your protections.

Our preference is to not present users with ways to shoot themselves in the foot (let's skip the discussion on whether we always get this right, please), and since profile name is only a problem for a relatively small *percentage* of users it wasn't a high priority to add an optional step during first run (and changing profile paths after the fact is a big no-no).

Leadership has revisited all these priority discussions to focus on areas of pain, even if it was affecting smaller populations, because, well, that's genuinely a good thing to do.

4:10pmWeb