Ethics: admin should access private messages in strict read-only mode

Letting admins (and optionally mods) read private messages can be useful. But most of our users don’t think it is a good idea, so it is better if they don’t know and there is no way for admins to accidentally let everyone suspect that such a feature exists.

One of our competitors has recently lost more than 50 active users just because there was proof that mods can read private messaging threads! There was a real scandal - it was read by many users; it all ended up in users leaving the forum (some of them have registered with us).

We do not like the idea of our mods reading PMs, so we switched it off. However, while we, the admins, rarely read PMs to understand what’s happening behind the scenes when there is a hot discussion, I noticed that I can do any of this: “like”, “share” and even “invite” others to the discussion. In my view, this should be OFF - admins should be able to read in READ-ONLY mode (strict), with no way to accidentally do anything that would disclose such a feature.

Letting everyone know about such a feature will not work - partially because of our mentality, partially because Russian/Ukrainian-speaking people do not trust each other as much as people in other nations do (not sure which ones?). Thus, it is neither an option nor a partial solution for our forum. It is not possible to adequately explain to our users that whatever they do, it is a normal feature that we always can read everything and anything right in the database. Most of the users strictly believe that PMs are really hidden from everyone, including admins. It is simply not the right time for our nation to think and understand that who owns the forum also has access to PMs at any time.

If not as a default feature, it would be very helpful to at least be able to SWITCH OFF any edits/actions that admins can do while reading PMs where they do not participate personally.


I never understood this. If you’re an admin, you presumably have access to the underlying database. Does that not bother people? If not, why would having access to it in the app itself be a concern? If it does bother people, how do they think the internet works?

1 Like

An average user in my community does not understand the following things:

  • what is database
  • what is underlying database
  • what is a server
  • what is an admin other than the owner
  • how internet works

I am not into teaching my users to make them become advanced users, it is simply impossible. Many of them are aged 40+ and are not so internet/computer friendly. For them, reading personal messages sounds unacceptable. You either accept their thinking or you lose their loyalty. Full stop.

P.S. I’m sure my case is not a rare example, especially in post-USSR regions and in developing countries.

The other admin did not either, and lost the loyalty of their 50+ users as soon as the subject was raised.

1 Like

Interesting. It’s not enough to tell them that every admin of every website they use can see everything they do? Shouldn’t they be happier with a website that doesn’t lie to them about what they can access?

I don’t have a horse in this race, but this request just seems very strange to me.


KevinWorkman wrote:
> I never understood this. If you’re an admin, you presumably have access to the underlying database.

Surely you can be a forum admin without having shell or root access to the server and/or database, no?


The only way to ensure an admin cannot read the messages is end to end clientside encryption, which is very unlikely to happen.

The only real action you can take here is to explain to the users, and/or encourage them to use, say, PGP in messages…

For completeness: I researched doing this automatically or semi-automatically in Discourse with PGP a while ago, and concluded that it is currently not viable.


Still though, regardless of what you think of the OP’s users, it seems reasonable that maybe admins shouldn’t be able to like, reply to or invite to another user’s messages?


Yeah, it makes no sense. You could, but then users would have to manage their own keys, and that would end badly, really fast. If you manage their keys it’s just another step before being able to view the message.
A good key with a password could theoretically be stored on the server, but that would be a usability nightmare (and if needed could be decrypted on next use).

On the other hand Discourse seems to make it a bit too easy to listen in/participate, but that’s just my opinion… (and it may be useful - but it does feel wrong)

That’s my main point. I don’t propose any PGP, but rather just restricting the actions listed above while an admin reads someone else’s PMs.

In my opinion, it shouldn’t be allowed to happen in the user interface. It would be better if it were secure, but it’s not OK to make it easy. If someone is harassing people in a forum, reports from multiple users should be all evidence an admin needs.

Then do not log in as Admin or only log in as Admin when you need to change site settings or download a backup. This was covered ad nauseam in previous topics on the same issue…

Closed as duplicate topic.

1 Like

I mean, I guess it depends on how you’re defining the word “admin”. Somebody has to have access to the information, unless you encrypt everything, which has its own problems as others have pointed out.

I don’t have any strong opinions on this. It just seems funny for Discourse, which is designed for the next 10 years of the internet, to cater towards people who don’t know how the internet works.

1 Like

A car is designed to last at least 10 years or so. That doesn’t mean every driver is expected to know how internal combustion engines work. But the drivers DO expect the cars to be safe, and that if they take it in to the dealer, that the service tech can’t just casually look at their equipment and see everywhere they’ve driven and every passenger that’s been in the vehicle.