mysociety / alaveteli

Provide a Freedom of Information request system for your jurisdiction
https://alaveteli.org
Other
389 stars 195 forks source link

Add email details to zip download #6517

Open garethrees opened 3 years ago

garethrees commented 3 years ago

Requested by Belgium.

What we need : Adding to the Alaveteli zip file the header of each email, so that the information commission accept it.

De : Adresse mail d’envoi (email From) Envoyé : Date et heure d’envoi (Sent + date/ hour)

À : Adresse mail de l’expéditeur (email To) Objet : Intitulé du mail (Subject)

We include all of these attributes, but we hide the details. Here's an example exported correspondence PDF from a public request on transparencia.be.

Screenshot 2021-09-14 at 11 16 47

We wouldn't want to expose the email addresses to anyone but the requester, so we'd have to have a slightly different PDF generation mechanism for the signed-in request owner.

garethrees commented 3 years ago

Related to https://github.com/mysociety/alaveteli/issues/215.

RichardTaylor commented 3 years ago

I'm wary about revealing the request address even to the requester, it could be used to spoof a response. A requester is perhaps the most likely person to spoof a response.

As I recall in the UK we've had the odd Information Commissioner's case officer requesting such information from users. It used to be the UK ICO required copies of correspondence to be sent to them too, but over time they've got better and currently in practice they are now happy to accept just a link to the request page on WhatDoTheyKnow.com to work from, but as far as I know they haven't made that their official published policy yet.

My inclination would be to challenge the regulator's policy / practice first rather than seek to resolve this by development work.

In terms of demonstrating a message has been received the log lines shown via the "delivered" link are probably most useful, and cover much of the information being referred to here. They are already public - with the secret part of the request address redacted, perhaps a redacted report based on them could be included, perhaps optionally, in the PDF download?

Viewing correspondence online is surely easiest for a regulator? Perhaps there are problems though, such as confirming the state of a page at a particular time.

Perhaps the aim should be for Alaveteli sites to seek to work closely with regulators, and aim to become trusted by regulators. A good regulator would surely want to work with Alaveteli sites to, for example, provide early warnings of systemic issues with a public body's FOI responses.

I'm surprised we don't, as far as I can see, have a ticket for special features for users from a regulator, so I've started such a ticket https://github.com/mysociety/alaveteli/issues/6521

garethrees commented 3 years ago

The ticket was created to document a suggestion/need; I agree with the broad theme of @RichardTaylor's comments above. I like the idea of some sort of additional log that we slip in to a requester's download for some extra muscle when reporting a request to a regulator.

garethrees commented 1 year ago

This has come up in the context of a pro user sending the UK ICO a zip export, which they rejected as they felt it didn't contain enough information to progress the complaint:

You have provided us with a copy of the request and of the acknowledgement received. However these appear to have been downloaded from the ‘What Do They Know’ (WDTK) website and do not show either the sender or recipient email addresses, nor a reference number for the request from the public authority. Unfortunately, the WDTK link included within the correspondence does not work as it says that ‘The page doesn’t exist’.

We consider that, at the present time, your complaint is not eligible for us to progress as we lack sufficient information.

I'm not sure I buy this. The request sender, recipient, subject line and contents ought to be enough for the authority to supply more details. Still, it's an interesting example of something happening in practice. In this case we've directed the user at the "Share by private link" feature as that will meet the needs of the ICO, but one to keep in mind.

garethrees commented 1 year ago

Related to https://github.com/mysociety/alaveteli/issues/7504.

HelenWDTK commented 1 year ago

The ICO currently ask for:

They do still accept WDTK links as an exception to the above. What I think they are looking for, particularly in section 10 cases, is evidence that the request was sent as stated.

WilliamWDTK commented 1 month ago

To note that, as of recently, in the UK, the Information Commissioner's Office accepts a direct link to the request on their online form: image