From c9b40c23c4e03591a14fecb2634d5bb8bb8fc8a5 Mon Sep 17 00:00:00 2001
From: Dan Mizzi-Harris <dmizzi-harris@gitlab.com>
Date: Thu, 19 Jan 2023 14:25:01 +0000
Subject: [PATCH 1/2] feat(Obfuscation): add obfuscation guidelines

---
 contents/usability/obfuscation.md | 39 +++++++++++++++++++++++++++++++
 nav.json                          |  4 ++++
 2 files changed, 43 insertions(+)
 create mode 100644 contents/usability/obfuscation.md

diff --git a/contents/usability/obfuscation.md b/contents/usability/obfuscation.md
new file mode 100644
index 000000000..6c08f2c8f
--- /dev/null
+++ b/contents/usability/obfuscation.md
@@ -0,0 +1,39 @@
+---
+name: Obfuscation
+---
+
+At GitLab, we take user privacy and security seriously. As part of this we use obfuscation to protect sensitive information in our product. Obfuscation is the practice of making sensitive information difficult to understand or read. This helps prevent items such as email addresses or access tokens from unintentionally being made public.
+
+## When to use obfuscation
+
+- Use email obfuscation when handling user-submitted information that is not intended to be public. For example, on Service Desk issues accessed by users with Guest access.
+
+<todo>Add guidelines for other types of obfuscation</todo>
+
+## Access tokens
+
+Tokens are used to authenticate a user and authorize their access to certain resources. If a token is compromised, an attacker could potentially gain unauthorized access to those resources. Obfuscating the token in the UI makes it more difficult for an attacker to find and steal the token, helping to protect the user's account and resources.
+
+<todo>Add obfuscation patterns for tokens</todo>
+
+## Email Addresses
+
+There are a few reasons why it may be harmful to users if their email address is unintentionally exposed. For example, it could lead to spam and unwanted emails, phishing attempts, or even identity theft.
+
+To protect our users' email addresses we use the following pattern for obfuscation:
+
+- Show the first two letters of the username followed by 5 asterisks `*`. Duplicate the character followed by 5 asterisks if the username is a single character.
+- Show the `@` symbol.
+- Show the first letter after the "@" symbol followed by 5 asterisks `*`.
+- Show a `.`.
+- Show the first letter of the TLD (top level domain) followed by 2 asterisks `*`.
+
+For example, the email address `see@me.co.uk` would be obfuscated as `se*****@m*****.u**` and `getsuperfancysupport@paywhatyouwantforit.accounting` would be obfuscated as `ge*****@p*****.a**`.
+
+This pattern balances the needs for privacy and useful information by protecting email addresses while still providing a way to differentiate between them.
+
+It's important to consider the context in which the email address is being displayed, and make sure the email is obfuscated only when necessary.
+
+## Passwords
+
+<todo>Add section for passwords</todo>
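Review bot: the Access tokens paragraph presents UI obfuscation as something that makes it harder for an attacker to find and steal the token, but masking a value in the rendered page gives no protection if the full token is still delivered to the client in the API response or the DOM; suggest the guideline state that after the one-time reveal the server returns only the masked form (or a short prefix for identification), and that obfuscation is a display convention, not an access control. A second point, in the email pattern: "first letter of the TLD" is ambiguous for multi-label suffixes, since the example `see@me.co.uk` renders as `.u**`, i.e. the last dot-separated label, with the `co` label dropped entirely; the bullet should say "the last label of the domain" and name that behaviour so implementations agree. The fixed count of asterisks is a good property worth calling out explicitly, because it hides the true length of the local part and domain, while the paragraph about differentiating addresses should note that distinct addresses can produce identical masked output.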
diff --git a/nav.json b/nav.json
index e6ca9fff0..4c3e4cb5e 100644
--- a/nav.json
+++ b/nav.json
@@ -456,6 +456,10 @@
             "title": "Loading",
             "path": "loading"
           },
+          {
+            "title": "Obfuscation",
+            "path": "obfuscation"
+          },
           {
             "title": "Onboarding",
             "path": "onboarding"
-- 
GitLab


From 1539127aca908905249339c1c1c2ff8069044bb9 Mon Sep 17 00:00:00 2001
From: Amelia Bauerly <abauerly@gitlab.com>
Date: Fri, 27 Jan 2023 17:53:49 +0000
Subject: [PATCH 2/2] feat(Obfuscation): add obfuscation guidelines

---
 contents/usability/obfuscation.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/contents/usability/obfuscation.md b/contents/usability/obfuscation.md
index 6c08f2c8f..4675ba8ab 100644
--- a/contents/usability/obfuscation.md
+++ b/contents/usability/obfuscation.md
@@ -6,7 +6,7 @@ At GitLab, we take user privacy and security seriously. As part of this we use o
 
 ## When to use obfuscation
 
-- Use email obfuscation when handling user-submitted information that is not intended to be public. For example, on Service Desk issues accessed by users with Guest access.
+- Obfuscate [email addresses](#email-addresses) when handling user-submitted information that is not intended to be public. For example, on Service Desk issues accessed by users with Guest access.
 
 <todo>Add guidelines for other types of obfuscation</todo>
 
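Review bot: the `#email-addresses` fragment assumes the site slugifies the `## Email Addresses` heading in the same file to a lowercase, hyphenated id; worth confirming the renderer produces exactly that id, since a broken anchor fails silently for readers. Separately, the subject reuses patch 1/2's `feat(Obfuscation): add obfuscation guidelines` for a one-line link change; a subject that describes this change (for example `docs(Obfuscation): link to email addresses section`) would keep the history readable.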
-- 
GitLab