Open Bug 1791659 Opened 2 years ago Updated 2 years ago

Implement `Enforce Bcc` checkbox with strict behavior for mailing lists

Categories

(MailNews Core :: Address Book, enhancement)

Tracking

(Not tracked)

People

(Reporter: thomas8, Unassigned)

Details

(Keywords: privacy, ux-error-prevention, Whiteboard: [wontfix?])

+++ This bug was initially created as a clone of Bug #163498 +++

Accidentally sending a message to a (larger) mailing list in the open via To or Cc may violate data protection laws and have serious real-world repercussions. As seen in similar bug 163498 (8 duplicates), a number of users have requested a way of ensuring/enforcing BCC for mailing list recipients as a matter of ux-error-prevention. This RFE tries to suggest a strict and straightforward implementation, while avoiding the assumed complexity of bug 163498.

Note: The current multiple Bcc warning (hidden pref: mail.compose.warn_public_recipients.threshold) is good, but it's still error-prone as it does not enforce Bcc privacy, and it's also not flexible because the triggering threshold will be one-for-all. E.g., a user might have a list of 25 work team members which can be sent out in the open, but other lists of more or less than 25 members may be privacy sensitive (customers, patients, human rights advocacy, support groups etc.). We discussed a "hard" alert on multiple Bcc's, but that would still be inflexible and we couldn't make that hard enough.

Proposal for implementation/behavior

  • Implement Enforce Bcc checkbox on the Edit list dialog.
  • Save the enforceBcc property on the card in a VCard compatible way.
  • In contacts sidebar:
    • For single selection of an enforceBcc mailing list, disable Add to To and Add to CC buttons/context menus, and double-clicking the mailing list item will add it to Bcc.
    • For multiple selection including an enforceBcc mailing list, also disable Add to To and Add to CC buttons (if list-bcc is not fully enforced, it's pointless!).
  • In main AB: using Write on an enforceBcc mailing list will add it to Bcc.
  • I'm not sure about a good behaviour for recipient autocomplete in non-Bcc fields like To or Cc.
    • Perhaps we shouldn't return enforceBcc mailing list results inside To or Cc fields at all.
    • Or we return it with some visible enforceBcc indicator and push it into Bcc anyway after autocompleting in To or Cc.
    • Just allowing autocompleting an enforceBcc mailing list in To or Cc would seem to violate the notion of the enforceBcc flag.
  • If in spite of having marked the mailing list as enforceBcc, the user exceptionally wants to add the list to To or Cc anyway, we already offer several easy ways of moving the list pill from Bcc to other fields (e.g. Move to To/Cc from pill context menu).

(In reply to Jorg K from bug 1588439 comment #5)

You could request an enhancement to mark certain mailing lists as BCC only, which comes close to bug 163498.
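
The proposal above reduced to its routing rule, next to a count-based check like the threshold warning it is contrasted with. This is an added sketch, not Thunderbird code and not part of the bug: every function name, the list data and the threshold value of 20 are constructed for illustration, and the warning is modelled as a plain count of To and Cc addresses.

```javascript
// Added illustration of the proposed enforceBcc rule; not Thunderbird code.
// Every name here is hypothetical and the address-book data is constructed.
const members = (prefix, n) =>
  Array.from({ length: n }, (_, i) => `${prefix}${i + 1}@example.invalid`);

const LISTS = {
  "work-team": { enforceBcc: false, members: members("team", 25) },
  "patients": { enforceBcc: true, members: members("patient", 8) },
};

// Targets the sidebar may offer: any enforceBcc list in the selection
// leaves Bcc as the only choice (single or multiple selection).
function allowedTargets(selection) {
  return selection.some((name) => LISTS[name].enforceBcc)
    ? ["bcc"]
    : ["to", "cc", "bcc"];
}

// Add a list from the sidebar, Write, or autocomplete. An enforceBcc list
// lands in Bcc regardless of the field the user asked for.
function addList(fields, name, requested) {
  const field = LISTS[name].enforceBcc ? "bcc" : requested;
  fields[field].push(name);
  return field;
}

// Deliberate override: moving the pill afterwards is still permitted.
function moveList(fields, name, target) {
  for (const f of Object.keys(fields)) {
    fields[f] = fields[f].filter((n) => n !== name);
  }
  fields[target].push(name);
}

// Addresses every recipient can see once lists are expanded (To and Cc).
function exposedAddresses(fields) {
  return [...fields.to, ...fields.cc].flatMap((name) => LISTS[name].members);
}

// Threshold-style check, modelled as a plain count of To/Cc addresses.
function thresholdWarns(fields, threshold) {
  return exposedAddresses(fields).length >= threshold;
}
```

With the constructed threshold of 20, the count-based check fires on the 25-member team list and stays silent when the 8-member sensitive list sits in To, while the per-list flag keeps that list out of To and Cc unless the user moves it on purpose.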

I would really suggest this is wontfix. We're warning already. AND we have the mail.compose.warn_public_recipients.aggressive which will in addition have you click ok in an alert if you go over the limit.

Whiteboard: [wontfix?]