Add a warning when checking personal messages from a user public profile, as an admin

I won’t discuss here how and why an admin should be able to read direct messages from other people (it has been discussed many times). Also, renaming them “direct messages” rather than “private message” here was smart. I won’t discuss Discourse Encrypt either. My message is about communities that don’t use this plugin.

However, I have a little request, which follows my experience described here:
https://meta.discourse.org/t/feature-request-regular-mode-for-admins-and-moderators-something-like-sudo-for-the-ui-basically/211617/19?u=canapin

I also add that if we need to paste a screenshot of a public profile in our forum for any reason, users could be surprised that our screenshot contains the “direct messages” tab from a user public profile!

Since 99.% of users think “private message” means “really private” on the Internet because they were never educated about this, then implying, saying, or explaining to them that administrators can easily read “private” messages could (would?) cause a backslash.

A few years ago, I read a little testimony here (I couldn’t find it with the search engine, but I’d like to read it again if someone finds it!), where a user encountered this situation, he explained that 50 of his users went away from his forum.
Someone replied that’s just how private messages work on the internet in general, in this kind of software, at least.
But the first person replied something like “and yet, 50 of my users left anyway”.

You can explain to your users all you want and with all the best arguments you have, people may just not 1) understand and 2) realize or decide that they don’t trust you after all

On Discourse, a lot of moderation tools or actions are obvious. Extra menu, tools, buttons, various warnings, red things, stuff like this…
But on a public user profile, with this particular “direct message” tab, nothing: just the regular “direct message” button that displays the user direct message list (in which we can even add ourself as a new participant if I’m not mistaken!).

Of course, we are administrators, responsible and ethical and stuff, and users must implicitly trust us when they register on our website.

But I think adding a little something to the ability to read direct messages would be a good thing.

Whether it is a confirmation popup like “You’re about to read other people’s direct message: OK / CANCEL”, or having this tab invisible by default, but set it visible via an admin setting (until we uncheck, or for some fixed duration), or having the “direct message” tab with a different color…
I don’t know. But just a little something that explicitly says that clicking this tab is a moderation or administration action, and not a regular action.

Yes, that makes sense. “This action might expose information that is perceived as private by this user, do you want to proceed?”

I would also suggest making Admin - Users - Log personal message views by Admin for other users/groups. default to true,

and if enabled, include a warning ‘This action will be logged’ in that popup.

You mean this right?

Yes exactly. My remembering was wrong and mixed up 50 users and 50% (but maybe he had 100 users total, who knows ). Thanks for finding this out.

I always enable it on my forums, and I admit that I don’t exactly see the point of having this togglable: why one wouldn’t want to log this? Almost everything is logged anyway, and reading other users’ direct messages is a particularly sensitive/intrusive action.
I’m also in favor of having it enabled by default.

Yeah this is a bit alarming. Does Full Mod also have this access to Messages when in User Menu? Or is this just Admin?

Imho this should be togglable if a mod does have the ability without needing to use a plugin. If not mistaken this could cause issues with European countries that have stricter privacy laws.

Administrators only. I used “moderation” in my message, but it was meant as “a moderation action as an admin”.
Again, the goal of the topic is just a proposition to make the direct messages button on public profiles visually (from a confirmation popup or hiding it by default in some admin settings or whatever) more an administration action than a regular action.

Edit I’d prefer not the discussion derivates on legal/privacy stuff, just on design stuff, please, though I understand the concerns (which has been discussed many times, as said in my topic).

You’re mistaken. There is no law that says moderators cannot access PM’s
(There is no law that says admins can - or cannot - access them either).

If you’re referring to the GDPR then that is more complex. It basically boils down that there has to be a good reason and a good process around it.

That’s a relief. But wholeheartedly agree there should be a warning with exploring that option as it can pose all sorts of issues.

We had a mod promoted to admin that was using that to invade and insert themselves into Direct Messages. Fortunately he was not permitted to hold the position long after his transgressions were reported.

I myself was not aware as Admin I have that function until your post. I have clicked a topic link that a user posted that turned out to be link to a PM/DM and was able to view it. In which that scenario should also give a popup imho as well.

Thank you for exposing this issue.

That is what I am referring to. While not over familiar with it. I imagine you might be able to be okay if it is disclosed that pm/dm are not private maybe.

With respect to the op though. We should let this part of the conversation conclude. Though if you have some insights to share please do in a pm. Thanks for clarification.

Yes, absolutely, the proposed warning would be an important part of the forementioned process.

Another thing I experienced yesterday.

An admin selected the content of a direct message, quoted it, and copy-pasted the result in our moderation private category. It looked like this (I’m allowing myself to show it since there absolutely no sensitive information):

image767×398 33 KB

So I clicked the quote’s title to see the topic (which led to one of the last messages, not the first message of the direct discussion):

image2498×1369 101 KB

I liked both messages because I first thought it was a public topic. The only clue on my screen that indicated it was a direct message where I wasn’t a participant was the user list under the title, in the header… On which my attention was absolutely not focused. Because I was reading the messages.

I scrolled up to read the other messages and the first thing I saw was the envelope icon in front of the topic’s title (I could have seen the section with the participants, but again, my brain ignored it):

image2498×1369 143 KB

So I realized my “mistake” and un-liked the messages.

Obviously, I understand that I was able to see the topic’s content as I was an admin.
But maybe some sort of similar warning (see my first post and other people’s suggestions) could be set-up? Maybe a popup warning when clicking the topic’s link, similar to what @RGJ suggested, something like “you’re about to see a direct message in which you’re not a participant” or something like that?

I’m not sure. I didn’t face this issue for 3 years using Discourse, so it might be a rare case… But anyway, my little mistake happened and it’s very possible that I could have even replied to the topic without even knowing it was a direct message in which I was not included, which could trigger an issue (regular users seeing an admin directly replying in their “private” discussion )

As a community manager who has dealt with communities with incredibly sensitive topics (Mental Health communities, Fringe Adult communities, Crypto communities) I heavily support this, including a seperate log file for Admin perusal every time it is used, who used it, and to view which user.

For instance, in one community I helped manage (Which was really a large quantity of smaller, more tight knit communities), I had to create and implement a policy as we had situations where Admins were viewing messages from people in their hyperlocal community, just because. Eventually we setup a conflict of interest situation where you couldn’t deal with a case if it was someone you had dealings with, or was in your local area (large remote group of CMs)

When we enabled logging, we had to fire FOUR CMs, as it turned out that they were using their powers to effectively spy on their local community. Other CMs had admitted to doing the action also until we wrote policy against it.

I continue to advocate for something like this or removing admin’s ability to view PMs and impersonate. Possibly as a site setting at install… there are so many discourse communities which are not typical message boards. So many of us who don’t need/want the admin role to me the eyes that can see all info as some of us use it for sensitive info and in business groups.

There’s been a constant push back from the devs and others here always justifying why admins should have the current access levels to manage a community, but rarely do they actually listen to the fact that there are admins of communities literally asking to either heavily restrict and log any of that activity or remove the functionality.

I think it would be useful to have an at install/initial setup, disabling impersonate and DM access… with an all admin/moderator required input to approve a global setting change to enable it on a live community with a disabled install.

Call it a max privacy vs standard community installation.

There are too many use cases and applications at this point for discourse communities not to think about this kind of stuff…

In my opinion there should be 2 tiers for admins. Instead of just admin and Mod. With top admin with full access but as mentioned a clear warning if venturing so-to-speak in sensitive areas. As it is not made clear that someone is going to view personal messages. A top admin should be able to be trusted. A secondary admin may have elevated access to be able to update forum or add/modify themes & components.

Even adding a command that needs to be ran on the root server to enable/disable might be an idea as an added security peace of mind.

On one side if a user needs a mod/admin in a pm they can invite one. Or if say a site thar has youth involved then the commandline switch can be used when required.

I fully support this, related to impersonating users from top-level admin with server access account.

And I hope reading people private messages will gone with encrypt plugin.

That’s not completely related, but we have some “protection” of this kind (sort of) for permanently delete a post:

I would recommend the Encrypt plugin as it sdds end to end encryption to pm/dm. Not easy to circumvent. Only members invited in the pm/dm can read those messages.

Not sure if this applies to Group mailboxes. Probably not.

For people interested, here is a theme component that moves users’ PMs initial access from their page to the admin page with a new button (keeping the intent in the admin context): Alternative User PMs Button For Admin. I hope that helps!