My question is, do you think this is a privacy risk? Is it violating a user's privacy if somebody can check to see if they are using a site or service or not just by entering their email address into a registration form?
If it is a privacy issue, do you think it matters for non-sensitive sites? For example, it's pretty obvious that an adult website or a job search site really needs to protect the identity of their registered users. But, what if it's something like Goodreads or Amazon, where knowing somebody is a member isn't really a sensitive thing?
Does the convenience of a user knowing if they've already registered on the site before figuring out a password and doing a captcha ever outweigh the potential privacy concerns?
- User enters email in registration form and submits.
- You return a thank you message saying that you sent instructions to the email address.
If the email address doesn't exist in your database, the link is for user creation and choosing a password.
If the email address was in the database, your email says that someone tried to register with the same email address, asks the person if it was them, and asks whether they forgot they had an account with the service. You may provide a link to the sign-in page, or to reset the password.
An external visitor has no information on whether the email has an account or not, and the owner of the email has all the information.
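The flow above (and the "context specific magic link" suggested further down the thread) as an added example, not code from any poster: the HTTP response is fixed, and only the emailed body depends on whether the address is already known. The in-memory user table, outbox, secret key and link URLs are constructed stand-ins.

```python
import hashlib
import hmac
import time

USERS = {"alice@example.com": {"id": 1}}    # constructed stand-in for the user table
OUTBOX = []                                 # constructed stand-in for a mail queue
SECRET_KEY = b"replace-with-server-secret"  # assumed server-side secret
TOKEN_TTL = 900                             # link lifetime in seconds
# Identical text for known and unknown addresses, so nothing leaks to the visitor.
CONSTANT_REPLY = "Thanks! We've sent instructions to that email address."


def make_token(email, purpose):
    """Signed, purpose-bound, expiring token carried in the emailed link."""
    exp = int(time.time()) + TOKEN_TTL
    msg = f"{purpose}|{email}|{exp}".encode()
    sig = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{purpose}:{exp}:{sig}"


def verify_token(token, email, purpose):
    """Accept a link only if signature, purpose and expiry all check out."""
    try:
        tok_purpose, exp_str, sig = token.split(":")
        exp = int(exp_str)
    except ValueError:
        return False
    expected = hmac.new(SECRET_KEY, f"{tok_purpose}|{email}|{exp}".encode(),
                        hashlib.sha256).hexdigest()
    return (tok_purpose == purpose and time.time() < exp
            and hmac.compare_digest(sig, expected))


def register(email):
    """Enumeration-safe registration handler: same reply either way."""
    email = email.strip().lower()
    if email in USERS:
        # Existing account: tell the mailbox owner, offer sign-in / reset.
        link = f"https://example.invalid/reset?e={email}&t={make_token(email, 'reset')}"
        body = ("Someone tried to register with this address, but an account "
                f"already exists. Was it you? Sign in or reset your password: {link}")
    else:
        # New address: link completes account creation and password choice.
        link = f"https://example.invalid/signup?e={email}&t={make_token(email, 'signup')}"
        body = f"Finish creating your account and choose a password: {link}"
    # Queue the mail; sending synchronously would let response time leak the branch.
    OUTBOX.append({"to": email, "body": body})
    return CONSTANT_REPLY
```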
People can mitigate this by using email canaries. Email canaries are email aliases that allow for an address to be tied to a specific entity and thus thrown away should that entity break their trust. Not all email providers support creating aliases, but people should absolutely research which ones do.
My question is, do you think this is a privacy risk?
Yes. This is why creating obscure canaries is a good idea. Obscure meaning not putting the entity/company name in the address but having a way to map it to said entity. In Fastmail there is a comment field for each alias. In Postfix this could be done in configuration comments.
Canaries are also important to mitigate some of the cross-site tracking and mapping of people. Emails are used exactly like cookies in this sense. Businesses track and sell who is using what sites so they can better map who can be sold what products. When people use more obvious canaries, such as putting the name of the business in the alias, it causes these companies to get upset because they have to exclude it from tracking. Some are even starting to label it as fraud despite it not being so. This is why canaries/aliases should be obscure and only the creator should know who they map to.
Whether or not I am a member of Amazon is a very serious privacy issue for me depending on who sees that information and correlates it with other info.
For security, this terrible lazy way of relying on email causes a lot of problems for users. Access to your site should not depend on a central point of failure: users' email. Believe me when I say getting your email pwned is made even more horrible by the fact that random accounts are now also compromised. Doesn't matter if you use a password manager. If you use 2FA, you have to have some means of resetting accounts other than email, else you're just federating to email.
If you just want to federate the real authentication to their email provider, then use OAuth2 with Google, GitHub, Facebook and Microsoft. Let them do auth but don't require email.
At this rate email will outlive ipv4! Lol
If the data isn't public and sensitive...
You know, if the email address is the right one, then the registration form would be sent (and delivered, most of the time) to it, but if it's not, then not. So for the emails there is no reason to disclose the existence of the account with such an email at all.
But you should occasionally check your mail bounces and attempts to register with existing addresses.
1. the feature of password recovery/reset is unavailable.
2. other users won't be able to directly contact you via email (and therefore this prioritizes privacy over other features/functionality).
As others have suggested, you can use the email for sending a context specific magic link for signin/registration completion.