Continuing the discussion from Why is there an impersonate button?:
This is an old topic, but I wanted to bring it up and add some additional perspective from something that recently happened at Ars Technica.
NSA leaker Ed Snowden was once a poster on the Ars forums. Someone put the pieces together, using a username that Snowden had used at lots of other places, and BuzzFeed led off with a big story complete with screenshots of his posts from the Ars forums. We did our own piece on it, using additional excerpts from his forum posts to try to paint a picture of what Snowden said and did online. A few days later, we followed it up with another longer piece centered around several years’ worth of his contributions to the Ars IRC server—every bit of which was taken from user-contributed log files (we don’t log IRC at all).
The Ars community reaction was mixed, but there was a significant subset of users—many of whom were folks who’d been posting at Ars for 10+ years—who felt shocked and betrayed that Ars would spotlight a poster’s public posting history like that, even though none of the information was private in any sense of the word. Both articles’ discussion threads were lively; another thread surfaced in our off-topic general forum, and a fourth appeared in the Help & Feedback forum.
The general reaction to “exposing” a user’s public data, even a user who was unquestionably an enormously important and newsworthy figure like Snowden, included a very large amount of community anger. If Ars had grepped through the database to also look at his account’s private messages, which we did not, that rage would have been far greater—and, in my opinion, it would be completely justified. It was the correct call to include public forum postings and public IRC channel talk in those stories; including PM contents (if there were any—want to reiterate that we absolutely did not look) would have been wrong.
I disagree wholly with @Sam’s post about how mods & admins need to be able to read users’ private messages in order to combat abuse. Private messages should always be unreadable by staff without a high amount of effort—users have a reasonable expectation of privacy, and Discourse should stick to the model followed by every other forum application that I am aware of and not allow staff to casually view other users’ PMs via impersonation.
I bring up the Snowden incident because it’s not a matter of whether or not you “trust” the admins, as @codinghorror said in the predecessor thread. In this particular case, the poster was thrust into the public spotlight and became newsworthy. Does that make his private messages fair game for publication, along with his public postings?
Users should have the ability to block PMs from abusive accounts. If an offending user does something so egregious that simply reporting that abuse and blocking them isn’t enough, and a moderator or admin needs to take additional action, then the moderator or admin should ban the user, change his/her password, log in as them, and view the messages. That way, the mod or admin has left appropriate footprints—by changing the password, they broke the glass over the “IN CASE OF EMERGENCY BREAK GLASS” cover, and the abuser has to request access to his/her account in order to get back in.
The impersonation ability is indeed extremely handy for checking permissions and viewing the forum in user mode, but it gives the impersonating mod or admin access to information which should be private—more to the point, to things which the user rightfully expects are private.
At the very least, the default FAQ (not the jargon-filled TOS, but the human-readable FAQ) should be modified so that it is explicitly stated that moderators and administrators have the ability to read private messages. Other forum applications I’ve used, including phpBB and Vanilla, do not have this capability without digging into the database directly.