Announcing Changes to Receipt URL Permissions

Sheena Trepanier
Sheena Trepanier Expensify Team, Approved! Accountant, Expensify Student Ambassador Posts: 1,362 Expensify Team
edited November 2019 in Product Updates

We wanted to take a moment to update everyone on a change we made to improve the security of receipt URL links in Expensify.

Going forward, users can only view receipts if they have sufficient permissions needed to view receipt images via the receipt URL. This directly affects customers who share receipt URL links for invoicing or auditing purposes. 

What’s changed?

As of November 4, 2019, receipt URLs will only display receipt images to individuals with the required permissions. If you do not have the necessary permissions to view a receipt, you will receive a 403 error and the following message.

Permissions needed to view receipt images via URL

In order to view receipts via URL, you must meet at least one criterion from the list below.

  • You are the receipt owner

  • Be an auditor of the policy the receipt is submitted on

  • Be an admin of the policy the receipt is submitted on

  • The report submitter has shared the report with you

FAQ: I’m sharing receipt URLs with clients, how do I get them access to view the receipts now?

Sharing receipt images with others is an important functionality for many customers. To preserve the security of your expense information, it will now be necessary to ensure your client or auditor has access to the receipts in Expensify. You can do this in one of three ways.

  1. Work with your IT department to grant the client or auditor an email they can use to access Expensify and the receipt images. This account will need a policy invite and the auditor role view receipt URL images.

  2. If they already have an Expensify account, you can grant that account the necessary permissions to view receipt images. The account will need a policy invite and the auditor role at minimum to view receipt URL images.

  3. If you don’t want to add them to your policy, you can ask them to create a free account using their email. Then, once this account exists, the report can be shared with them to grant them access to view receipt URL images.

A more manual alternative would be to download receipt images individually as needed by clicking the following button on an individual receipt:

«1

Comments

  • Jason_Richards_25
    Jason_Richards_25 Expensify Customer Posts: 21 Expensify Admirer
    Receipt security? Why does a receipt image need security? This change is terrible.

    The new receipt sharing options offered are not feasible for how our organization bills some expenses back to our customers. You expect an AP department at an organization that does not use Expensify to just set up a free account to view receipts- like it's that easy and they do not have to go through security processes on their end before starting to use a new software?

    Have current Expensify customers asked for receipt security? This is the perfect example of how out of touch Expensify is with customers and how expense information is used.
  • Sheena Trepanier
    Sheena Trepanier Expensify Team, Approved! Accountant, Expensify Student Ambassador Posts: 1,362 Expensify Team
    edited November 2019
    Hi @cslim, @Jason_Richards_25, and @guyellis1988, thanks for joining the conversation here!

    I would really like to advocate for you all and was hoping you could answer a few questions for me so I can share this feedback?

    1. Who is the main user of receipt URLs -- Is this a client, an auditor, or someone in your company who doesn't necessarily use Expensify?
    2. How are you currently utilizing the receipt URLs -- Are you exporting them to a spreadsheet and sharing a spreadsheet with your client?
    3. If you're sharing them with clients, how is the client using them? What are they using them for?
    4. If you knew that receipt URLs were going to stay secured as they currently are now, what other tools in Expensify would you need to continue using the system? 
    Thanks so much for the valuable feedback and for getting back to me!
  • Sheena Trepanier
    Sheena Trepanier Expensify Team, Approved! Accountant, Expensify Student Ambassador Posts: 1,362 Expensify Team
    Hi @Robert, thanks for joining as well. Would you be open to answering the questions below so I can track the feedback?
    1. Who is the main user of receipt URLs -- Is this a client, an auditor, or someone in your company who doesn't necessarily use Expensify?
    2. How are you currently utilizing the receipt URLs -- Are you exporting them to a spreadsheet and sharing a spreadsheet with your client?
    3. If you're sharing them with clients, how is the client using them? What are they using them for?
    4. If you knew that receipt URLs were going to stay secured as they currently are now, what other tools in Expensify would you need to continue using the system? 
    @cslim and @Jason_Richards_25 -- thank you so much both of you, for taking the time to provide the information I requested.

    I have shared this feedback with the team and am following the discussion closely. As I learn more information that is relevant to this change I'll be following up with everyone on this thread. Talk to you soon!
  • cslim
    cslim Expensify Customer Posts: 7 Expensify Newcomer
    @Sheena Trepanier would be great if the product team can give us an update. This is impacting our business. And if this is not resolved anytime soon, we really have to move to something else for next month’s expense management.
  • Nicole Trepanier
    Nicole Trepanier Expensify Team Posts: 498 Expensify Team
    I just want to let everyone know that we are tracking customer demand for this feature to be reversed. This isn't a short process as we need to see if there is more demand here than there was to secure these URLs before we decide if and when we need to change it. I can't provide an ETA for this decision. I am so sorry for the frustration this has caused you. 
  • cslim
    cslim Expensify Customer Posts: 7 Expensify Newcomer
    Hi @Nicole Trepanier  

    Thanks for the update but unfortunately no ETA is not great. Let me (and I hope I speak for the rest of the Expensify customers) give you a date to come back to us.

    Please let us know an update by end of this week (22nd Nov). If there is no update, I will take that the this "security" feature remains. This will be a deal breaker for us and we will be migrating off Expensify. We as a business already has expenses unpaid and stuck - that's for September and October, and now November as we continue to use Expensify. We cannot operate like this for another month.
  • samuel
    samuel Expensify Customer Posts: 2 Expensify Newcomer
    There should be a few easy options going forward:
    1. Give some customers the capability to opt out of new features like this one;
    2. Consider creating a new role "External Auditor" that is required to login but can only access receipts.
  • Jason_Richards_25
    Jason_Richards_25 Expensify Customer Posts: 21 Expensify Admirer
    @Nicole Trepanier Expensify tells customers about the change a week after it goes into effect and then provides zero alternatives? Excellent customer service shown here.

    This change must be due to the new Expensify card, either a regulatory requirement or a way to push customers to it.
  • maasj
    maasj Expensify Customer Posts: 29 Expensify Aficionado
    edited November 2019
    I just discovered this issue.

    I can totally understand why some customers don't want their receipts to be public on the web.  If you can't even imagine why then you don't care at all about privacy.  I envy your life.  :smile:

    But to change existing behavior like this, without warning, and without a way to revert back for those who are willing to accept the privacy implications, is pretty anti-customer behavior.

    Our use case is that we have a years-old procedure of exporting reports via CSV and then a custom script processes that CSV file in order to:
    • import transaction data into our non-standard accounting system
    • make backups of receipt images in case we ever stop using Expensify or Expensify loses their copies due to a computer disaster or Expensify ceases to exist (those things do happen)
    • generate custom notifications when someone charges an expense to someone else's fund/budget (via Tags)

    We started a project a while back to use the API (which didn't exist when we first started using Expensify) to get what we need instead of using manual CSV exports, but we didn't get that project over the finish line.  I hope the API provides the ability to get receipt images.  If getting them manually via the web app is the only way now, that's really not cool.

    Interestingly, e-Receipts are still publicly available.  While not as likely to have incriminating information like the restaurant server's phone number on the married CEO's receipt, e-Receipts can still leak information that some people would rather be private.

    So right now some receipts require authentication and some don't, with no way for the customer to control the behavior for either type.  I doubt that any customer asked for this particular outcome.

    Please give us a policy setting for receipt privacy!  Please!  I think the default should be that they're private and require authentication, but don't force that on your customers.  Let customers choose to be more risky if they want to be.  Give them a big warning or make them sign a waiver or something, but give 'em the choice, especially when the system operated that way for years.

    Please!
  • Victoria O'leary
    Victoria O'leary Expensify Success Coach - Admin, Expensify Team, Expensify Student Ambassador Posts: 110 Expensify Team
    Hi @maasj

    Thanks for joining the conversation and providing another perspective on the issue of privacy!

    We hear you and understand this change might not work for everyone. As was mentioned earlier in the thread, we're working through feedback to see if there is enough demand for the feature to be reversed.

    This isn't going to happen overnight because it does take time to gather enough user cases on both ends of the spectrum so we can understand customer demand. We'll keep you informed on this thread so keep an eye out 👀
  • maasj
    maasj Expensify Customer Posts: 29 Expensify Aficionado
    @Victoria O'Leary - You don't need to "reverse" the change.  It doesn't have to be an either-or.  Just give your customers the option to choose.  We can handle it.  :smile:

  • maasj
    maasj Expensify Customer Posts: 29 Expensify Aficionado
    I checked the API docs yesterday and I don't see any way to download receipts with it.  So it seems like there's currently no way to automate the process of downloading receipts.  Is that correct?
  • Karisa Latta
    Karisa Latta Expensify Success Coach - Admin, Expensify Team Posts: 147 Expensify Team
    Hey everyone!

    While we're still working on gathering feedback and looking at our options, have you tried to see if a report PDF would be a good workaround? When you download a report to PDF, you get all the line item data as well as all the receipt images.

    You can choose to only have receipt thumbnails or you can choose to add full page receipt images to the PDF. You can then share that PDF file with anyone who needs it. You can also break out the images/pages to customize which receipt images you send off. [Neat tool here.]

    Since the report PDF downloads a local copy to your computer, it does not have the receipt security limitation (the limitation only affects receipt URLs).

    This won't help all use cases mentioned here, but I hope it benefits at least a few of you.
  • Jason_Richards_25
    Jason_Richards_25 Expensify Customer Posts: 21 Expensify Admirer
    @maasj
    @Susanna_De_Bari1
    @samuel
    @cslim
    @Layne
    @guyellis1988
    @StephanieL789
    @Robert

    Everyone vote up on previous and new comments as this is how Expensify views feedback as important or not.
  • Cortney Ofstad
    Cortney Ofstad Expensify Success Coach - Admin, Expensify Team, Expensify Student Ambassador Posts: 173 Expensify Team
    @cslim thank you for providing that additional context. Please note that the feedback on this post has been shared with the Expensify team directly. However, at this point we don't have any update or additional information about this change the receipt URLs. I apologize for any hassle that this causes, but as soon as there is an update, we will make sure to let everyone know.