View Ticket
Ticket UUID: a24ec6005f2fe6a446a553eeeb6e528e3c50089d
Title: Email addresses in bug tickets are publicly visible (at least indirectly).
Status: Fixed Type: Code_Defect
Severity: Minor Priority: Immediate
Subsystem: one Resolution: Fixed
Last Modified: 2008-07-24 02:07:00
Version Found In: 141c31792b
Description & Comments:
If I file a new bug, after the EMail: field there is a hint that the email address will not be publicly visible. But it seems to me that the email address becomes visible if I clone the whole repository and afterwards examine the tickets and check-ins via e.g. the timeline.

I have no proposal for how this could be prevented. Cloning tickets is IMO a good idea, but of course all the data will be cloned with them! So perhaps the solution would be to remove the "Not publicly visible" hint?


drh added on 2008-07-23 19:44:34:
I started writing code to encrypt the email address field. But upon further thought I realized that a determined malefactor could clone the repository and then mount a dictionary attack to recover the encryption password. So while encryption does make email address harvesting more difficult, it does not make it impossible. I wonder if it is even worth the trouble....

Perhaps the right solution is (as the OP suggests) to change the bug form to say that the contact information is not displayed on any webpage but can be recovered by miscreants who go to the trouble of cloning the repository.


drh added on 2008-07-24 00:27:46:
Here is another idea: Instead of storing the email address directly, we can store an SHA1 hash of the email address. Meanwhile maintain a mapping from hash back to email address in an auxiliary database table. This auxiliary table can be used to translate the hash back into an email address for display to authorized users. But because the auxiliary table is not shared as part of a clone or sync, remote repositories are unable to recover the original email address.

There would need to be some way to share the auxiliary table with authorized users. No such mechanism currently exists and needs to be added. But on the other hand, such a mechanism might also be used to share ticket report formats, which is something else that is currently not shared but which ought to be.


drh added on 2008-07-24 02:07:00:
Problem fixed in f46fe42d6d. Contact information is stored as its SHA1 hash. The new CONCEALED table in the repository database (private data that is not synced) provides a mapping back to the original email address for trusted users.