Disable DM visibility from Admins

Hi !

As we’re making our forum using Discourse, I noticed that admins have access to private messages for the users of the site…

However, that poses both problems for data privacy and GDPR - why would we need to access this data - and just overall weirdness from having access to private exchanges between users of our sites.

We’re pondering about disabling the Private Message from the site entierly to avoid this, but we were wondering if there was another option, for instance to disable this feature and visibility even for admins ?

Ty !

Discourse does nothing to imply that the messages are secret; you refer to “private messages”; but the UI does not. It refers only to messages you can send to individuals or groups of users.

Suggesting that it may be a GDPR violation seems novel. Could you elaborate on that point? It may help to have some idea of the focus for your online community - are people there to discuss health issues, a video game, or something else? It could influence the probable content of messages.

Ultimately, if something truly does constitute private and personal information, I’m not sure it belongs on a forum at all. Users have no reason to suspect that moderators won’t have access to content submitted on the platform, and as I mentioned above, the UI studiously avoids giving that impression.


Being able to disable this and the ability to deanonymize anonymous users are definitely two things that would make discourse much better, if they existed as a site setting for example.

The current encrypted messaging plugin does not enforce it for all users.

1 Like

Yeah, they’re labelled as personnal messages, but that might be something worth reporting to the user.

For the GDPR, it could be a violation if we do not disclose officially that we have access to this data, or that access to data is not relevant - though for moderation purpose it could be good.
And even outside of that, we’re not rlly comfortable and would like to either offer a safe communication channel between users or just remove it.

ty for the answer !

1 Like

Your admins need the ability to look at all activity across your site. If you don’t trust your admins to use this capability ethically, then you have an issue with who is administering your community, not a feature of the community software.

Don’t forget that admins can also read personal messages directly from the database.

Your users should have no expectation of privacy in personal messages, they’re just topics with user-based permissions. Site operators are as responsible for potentially infringing content in PMs, as they are the more public sections of a site.

The GDPR says nothing about the above. Again there’s zero expectation of privacy, and again it’s an expectation that the site operators have access to this data.


It’s not rlly a distrust of admins abusing the feature - as we only have staff being admin -, but overall privacy for users.
I’ll communicate this point of view internally, ty !

They aren’t by default; has the label been changed on your forum?


I don’t personally share this concern, but you could always include it in a site notice if it would make you more comfortable with the situation. I can appreciate that peace of mind is important. :smiley:

When it comes to the GDPR, Discourse displays user-submitted data in topics, messages - and chats, if you have installed that plugin - which is the purpose the user had in mind when providing that data in the first place. Their consent is provided at that time. Provided that the user can request a copy of their data & delete their account (Discourse offers both features), it should be perfectly safe in a legal context. You aren’t obtaining the data from a third-party or sharing it with one (I assume?).

You are expected to have access to it. Performing moderation is not just a right that you have, but is increasingly a legal responsibility you bear. Both European institutions and member countries of the EU have sued large companies for failing to adequately moderate their online spaces to shield their users from harm. Nowhere in the GDPR does it specify that you must only have access to content following a report from another user. Indeed, I’m not sure such would be considered sufficient.

There are probably legal or law enforcement reason why personal messages would have to be visible to trusted users (i.e. admins). This recent new item

maybe of relevance and so too the scienttific paper

it summarises.