Hacker News

The article misses the point that on many sites this is not a security feature, more a privacy one. I have used the 403 http status rather than 401 in the past for this exact reason.

RFC 7231[0] suggests something similar

"An origin server that wishes to "hide" the current existence of a forbidden target resource MAY instead respond with a status code of 404 (Not Found)."

with RFC 7235[1] suggesting the use of 403.

"A server that receives valid credentials that are not adequate to gain access ought to respond with the 403 (Forbidden) status code […]."

[0] https://tools.ietf.org/html/rfc7231#section-6.5.3
[1] https://tools.ietf.org/html/rfc7235



As the article notes, you can trivially get around that "privacy feature" by trying to sign up with the email. If it lets you sign up there was nobody there; if it does not, the email is being used by somebody else. Most sites will reject you immediately if the email is already in the system.

> RFC 7231[0] suggests something similar

Well no, RFC 7231 suggests that rather than telling an authenticated user he does not have access to a resource you can tell him the resource does not exist at all. It has nothing to do with the authentication itself, and certainly isn't suggested (let alone recommended) as a response to an invalid authentication attempt.

> valid credentials that are not adequate to gain access

How does a clear statement that the user's credentials are valid but don't give access to a resource have any relation with the rest of your comment?


If it matters, you can make it non-trivial. As with most privacy attacks, you can target an individual pretty easily.

But, if you're trolling for lots of users, the "new account" feature will have a much lower operational tempo than the authentication workflow, and for a privacy conscious organization, you can do things to make it harder for attackers. Examples: Captcha, data input validation, risk scoring, don't provide immediate confirmation, etc.

Revealing that the email address is a valid system account isn't a particularly useful piece of information to a user who isn't remembering a password. john.smith100000@gmail.com is probably taken by another John Smith. It just isn't a useful piece of information.


Given that I have received downvotes I'll try a more concrete example. Imagine that you start dating someone and they discover your email, maybe you email them. Now they take that information and try to log into a site that you do not wish others to know you use; this may be a porn site, it may be a group that you associate yourself with, say even a feminist forum. Now if you respond that it's the wrong password, people are able to deduce (given that there is also a wrong username error) that you are a user of that service.

Imagine you put your email on your CV and this is done to see if you are a member of a Democrat or Republican website, and you are not offered a job based on your political views.

Imagine that you use your email to sign up for a government service and they take that email, do as described above, and use the information in the future to discredit you in some way.

Maybe I have missed the point, but I personally think that this is also a privacy issue, and only looking at it from the perspective of UX may have undesired consequences for people.


It is certainly the case that there is a privacy issue here. However, that doesn't substantially undermine the strongest point presented in the article - that the email is already exposed, usually by refusing to create a new account if one exists with that email and it's sometimes also reported when you ask for a password reset email.

I agree with you that the thing to do is fix those issues, though, rather than abandon it here as well.


I think that could also be solved relatively easily. Just flash that you are sending an account activation email to the person trying to create an account and email the already registered user with a notification that someone tried to sign up with their email address.
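The two mitigations discussed in this thread, a sign-up flow that answers identically whether or not the address is taken (routing the difference into email, as the comment above proposes) and a login that returns one generic error for unknown user and wrong password alike, as an added example that is not code from any commenter or site. The in-memory user table, outbox and fixed salt are constructed stand-ins for a real database, mail server and per-user salts.

```python
import hashlib
import hmac
import secrets

# Constructed demo salt; real code stores a random per-user salt.
_SALT = b"constructed-demo-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice@example.com": _hash("correct horse")}   # constructed user table
PENDING = {}   # activation token -> email awaiting confirmation
OUTBOX = []    # (recipient, subject) pairs, standing in for a mail server
# Dummy record so an unknown email still costs exactly one hash comparison.
_DUMMY_HASH = _hash(secrets.token_hex(16))

def signup(email: str) -> dict:
    """Same public response whether or not the address is registered.
    The distinguishing information goes only to the mailbox owner."""
    if email in USERS:
        OUTBOX.append((email, "Someone tried to register with your address"))
    else:
        token = secrets.token_urlsafe(16)
        PENDING[token] = email
        OUTBOX.append((email, "Activate your account"))
    return {"status": 200, "message": "Check your inbox to finish signing up."}

def login(email: str, password: str) -> dict:
    """One generic error for unknown email and wrong password alike,
    with the same hashing work done in both cases."""
    stored = USERS.get(email, _DUMMY_HASH)
    match = hmac.compare_digest(stored, _hash(password))
    if email not in USERS or not match:
        return {"status": 401, "message": "Invalid email or password."}
    return {"status": 200, "message": "Signed in."}
```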


I agree, neither issue is intractable.


I would rather not work somewhere where they both care what my political views are and would go behind my back to find out instead of just asking me. Likewise, if someone I date starts spying on me this way that's a no either way and I would rather know about it when they try to throw something in my face than unknowingly date a creep.

I do think there is a privacy issue, but I think it is rather minimal and as the sibling poster states, the email address is already exposed.



