Impersonation and reading private messages


(Lee_Ars) #1

Continuing the discussion from Why is there an impersonate button?:

This is an old topic, but I wanted to bring it up and add some additional perspective from something that recently happened at Ars Technica.

NSA leaker Ed Snowden was once a poster on the Ars forums. Someone put the pieces together, using a username that Snowden had used at lots of other places, and Buzzfeed led off with a big story complete with screenshots of his posts from the Ars forums. We did our own piece on it, using additional excerpts from his forum posts to try to paint a picture of what Snowden said and did online. A few days later, we followed it up with another longer piece centered around several years’ worth of his contributions to the Ars IRC server—every bit of which was taken from user-contributed log files (we don’t log IRC at all).

The Ars community reaction was mixed, but there was a significant subset of users—many of which were folks who’d been posting at Ars for 10+ years—who felt shocked and betrayed that Ars would spotlight a poster’s public posting history like that, even though none of the information was private in any sense of the word. Both articles’ discussion threads were lively; another thread surfaced in our off-topic general forum, and a fourth appeared in the Help & Feedback forum.

The general reaction to “exposing” a user’s public data, even a user who was unquestionably an enormously important and newsworthy figure like Snowden, included a very large amount of community anger. If Ars had grepped through the database to also look at his account’s private messages, which we did not, that rage would have been far greater—and, in my opinion, it would be completely justified. It was the correct call to include public forum postings and public IRC channel talk in those stories; including PM contents (if there were any—want to reiterate that we absolutely did not look) would have been wrong.

I disagree wholly with @Sam’s post about how mods & admins need to be able to read users’ private messages in order to combat abuse. Private messages should always be unreadable by staff without a high amount of effort—users have a reasonable expectation of privacy, and Discourse should stick to the model followed by every other forum application that I am aware of and not allow staff to casually view other users’ PMs via impersonation.

I bring up the Snowden incident because it’s not a matter of whether or not you “trust” the admins, as @codinghorror said in the predecessor thread. In this particular case, the poster was thrust into the public spotlight and became newsworthy. Does that make his private messages fair game for publication, along with his public postings?

Users should have the ability to block PMs from abusive accounts. If an offending user does something so egregious that simply reporting that abuse and blocking them isn’t enough, and a moderator or admin needs to take additional action, then the moderator or admin should ban the user, change his/her password, log in as them, and view the messages. That way, the mod or admin has left appropriate footprints—by changing the password, they broke the glass over the “IN CASE OF EMERGENCY BREAK GLASS” cover, and the abuser has to request access to his/her account in order to get back in.

The impersonation ability is indeed extremely handy for checking permissions and viewing the forum in user mode, but it gives the impersonating mod or admin access to information which should be private—more to the point, to things which the user rightfully expects are private.

At the very least, the default FAQ (not the jargon-filled TOS, but the human-readable FAQ) should be modified so that it is explicitly stated that moderators and administrators have the ability to read private messages. Other forum applications I’ve used, including phpbb and vanilla, do not have this capability without digging into the database directly.

Admins can clearly see all private messages of all users
Admins can see private messages in user's profiles?
Permission Changes (moderators have less)
Possible to make private conversations actually private?
Ways to retract an initial PM?
Global "Enable Privacy" feature
Admins can see private messages in user's profiles?
(Brentley Jones) #2

I agree 100%. I also don’t believe I should be able to view a Private Message I’m not part of, even if I’m admin. I accidentally stumbled on a private message because it was shown in the “Clicked Links” part of the analytics on the dashboard, and I thought it was a normal topic.

(Jeff Atwood) #3

I think you’re talking about two very different things here:

  1. Being able to view private messages as a staff member of a forum. (by the way, this does not require impersonation in Discourse, I can click through right now and read whatever PMs I want to on the messages tab of any user account. Any staff member can.)

  2. Choosing to publish private messages on a large, public website as a journalist.

I really struggle to see the connection between these two concepts.

You have the reasonable expectation that if you personally email me something, I won’t turn around and publish it on my Coding Horror blog that has 150k+ readers without, say … asking you first, right? But there’s nothing in the email itself that fundamentally prevents me from doing this, is there?

(Lee_Ars) #4

D’oh, I didn’t know that. That moves the focus off of “impersonation,” then, and onto that functionality specifically.

I don’t think that’s quite the right comparison. I think it’d be more applicable to say that if I e-mail you something, I have the reasonable expectation that Google (or whomever does email for wouldn’t be able to read it without some amount of administrative friction. In the email example, you’re not the admin—you’re the recipient.

For user-to-user PMs, the site admins & moderators aren’t the recipients. The understanding is already in place that PMs are private, since that’s expected behavior—before you mentioned it just now, I’d no idea that an admin could simply read user PMs via the admin control panel because it didn’t even occur to me that functionality exist (it certainly doesn’t in phpbb or vanilla).

The big overriding issue, and big reason I bought up Snowden, is because of user expectations. “Frictionless” PM reading is very different functionality from existing forum software. Users felt a strong sense of ownership over what they posted in public and expressed significant anger at the idea of that being published on the front page; users felt that their conversations, even though they were “public,” were semi-private because they were taking place on a message board that required registration to post. That they were essentially conversing on a stage in front of an audience didn’t change their perception—or their reactions.

That outrage would have been much greater—and much more justified—if admins had also had easy access to private messages, where the expectation to privacy is much, much greater.

It just…I dunno, it’s hard to put into words. I spent a long, long time as a sysadmin before I started writing for Ars, and it’s a deeply-ingrained idea that access to a user’s personal data by an admin should always leave a very visible audit trail. Being able to view a user’s PMs as part of my admin access feels wrong, and I can’t think of any legitimate use case off the top of my head. “Abuse” is better dealt with by other means—I don’t need to put my users in a panopticon just to keep order.

Admins can still read anyone's PM's by downloading the database
Admins can still read anyone's PM's by downloading the database
Privacy plugin that makes it more difficult for admins to read PMs
(Luke Larris) #5

The problem is, you can remove all staff snooping functionality for PMs from the software, yet still be able to read them if you have access to the database.

(&! (bitandbang)) #6

Well, I believe @Lee_Ars said that the admins shouldn’t be able to access the PMs without going through some serious trouble to get them. I’d say that going into the database, finding the users messages, and going through them manually constitutes that. It’s much, much, much more likely that admins will abuse (if you’d like to call it that) the feature if it is so easily handed to them.

Admins can still read anyone's PM's by downloading the database
(Jeff Atwood) #7

There is a massive difference between the mere ability to see something versus choosing to publish it in a highly trafficked public place for the world to see. Huge. Colossal. Enormous. (insert additional words from thesaurus here)

No admin control panel needed:

  • visit a user page, any user page as a staff member
  • click the Messages tab
  • start readin’ away

These people are morons a bit out of touch with reality. Public data is public.

Think harder. What if I start sending you abusive PMs? What if a creeper starts PMing some visibly “female” account uncomfortable, but within the spirit of the forum guidelines, messages? What if the PMs expose bugs in the software that need to be addressed? Is it OK for vicious personal attacks to happen in PMs, so long as both parties hate the person being attacked enough to make them? Is it OK to be a dick in my house (or worse, do something actually illegal) as long as you, y’know, keep your voice down while doing it so nobody can really hear you?

I think that’s a fine requirement and one that Stack Exchange has moved toward strongly – you can view personal stuff like a user’s email address but it takes an explicit click to do so, and it is also logged as a staff action in that user’s profile. Sounds good to me! We don’t have this yet, though, and we need it for a broad spectrum of staff actions including both moderator stuff (I banned this user) and admin stuff (I changed this setting).

The last time this came up, we had also talked about PMs being only easily visible when flagged. But that doesn’t cover many of the cases I described above, either.

Admins can still read anyone's PM's by downloading the database
Admins can still read anyone's PM's by downloading the database
Privacy plugin that makes it more difficult for admins to read PMs
Feedback on new :hamburger: and user menus
(Luke Larris) #8

@bnb very true.
Personally, I’m totally for the feature. If someone abuses it on a forum I’m on, I don’t really care, I treat all content I put on forums as public information. Recipients can easily screencap PMs and they’re also available in the database, so making it easier for admins doesn’t make a difference to me.
And as an admin, it can help me prevent abuse on the community, as well as keeping things legal too.

(Brentley Jones) #9

I think I need to jump through at least one hoop before I can read someone else’s PM. I literally accidentally saw information I wasn’t supposed to. On other software I have to go out of my way to view someone else’s PM, and I like it that way.

Right now it feels way too easy.

Privacy plugin that makes it more difficult for admins to read PMs
(Lee_Ars) #10

I don’t think any of those scenarios would be helped by a staff member being able to read a user’s PMs without restriction or audit trail, no. In any situation involving unwanted abusive or harassing PM, it would be far more immediately effective—and far more in the spirit of Discourse’s community-driven approach to moderation—if the recipient of the abuse could block the sender from sending them PMs and flag the messages for review, either both in a single action (like twitter’s block-n-flag for spam, except abuse instead of spam) or as two steps (first block, then flag). The corrective action taken by a staff member remains the same; there’s just an additional step to them getting eyes on the message. The first priority in that situation is shielding the person from further abuse, and that should be something the person receiving the abuse is empowered to do.

If the PMs expose bugs, then repro should include PM’ing a staff member to demonstrate. Screenshots of the bug might be important, but I still don’t think unrestricted access to PMs is justified for this.

I’m not sure about the last two things you mention—I promise I’m not trying to put words into your mouth, but the way I read what you’re saying (with both parties in the exchange hating the other) it comes across as you advocating a staff member actively perusing private messages looking for compliance to the posting guidelines in the same manner as a staffer would peruse the public forums. Apologies if I’m not reading that right—blame the wine, it’s late here!—but that’s what it seems like to me. If that is the intent, then I disagree, profoundly.

Good to hear! I definitely support logging admin actions, and even something as simple as recording that “Staff member X read private message Y” included in the overall logging scheme would make me feel a lot better. And, like I stated in the OP, I’d also feel a lot better about a formal modification to the FAQ that makes it clear that staff can read PMs (I’ve been meaning to revise my own test forum’s FAQ and TOS, and I’ll add it to my own when I do).

Please also don’t get the impression, @codinghorror, that I’m trying to be unpleasant—I think you guys are doing fine work with Discourse and I enjoy using it. I appreciate the dialog you guys are willing to have with us as users and potential admins, even if not all of us can actually code :smiley:

(Sam Saffron) #11

I think we are in agreement here, we would like to introduce a fairly strong audit trail for mods that logs

  • Which mods looked at which PMs
  • Which mods looked at which user’s private email address
  • Which admin impersonated who, with a full trail
  • Tons of moderation actions (who banned who, who blocked who, etc)

This will not happen overnight, it is fairly complex, but it it will happen eventually

Admins can still read anyone's PM's by downloading the database
(Lee_Ars) #12

Totally understand that this isn’t an overnight type of request, and I’m thrilled to know that it’s on the list. Makes me feel better about using Discourse. @sam, if I ever find myself in Australia, I’m totally going to buy you a cake or a beer or a kangaroo pie or whatever it is you folks like to eat down there!

(Jeff Atwood) #13

Let me use an extreme example to make a point. Let’s say a few of your members decide to form a child pornography ring on your forum. They use your forum as their cover. They act on your forum as “regular” users, post on topic regularly, etcetera. But behind the scenes, they are PM-ing each other child porn. Since all these users are complicit, they aren’t going to be flagging anything.

With the admonition that “admins and mods can never look at PMs unless they are flagged”, you’d have no idea that your forum is being used in a child pornography ring. And no way to find out, either, because these co-conspirators are not going to flag each other, no how, no way. Are you comfortable with child pornography (embedded pictures, etc) flowing around on your forum as PMs? Are you?

Granted, extreme example, but any illegal activity could fit the bill here – substitute any criminal activity you like to taste.

Feedback on new :hamburger: and user menus
(F. Randall Farmer) #14

How would you know to look?

So, why would you go looking at their PMs, even if you could?

I’m not arguing that it should be impossible to read PMs, but you always need a good reason. Sometimes that reason is a court order, other times it is because someone complains. But, it seems the only way this particular threat could be detected is by actively reading all private PMs (definitely not reasonable) or depending on some text scanning software to hunt out potential child molesters. That requires serious database creation/machine learning. This also doesn’t really make sense.

What am I missing?

(Jeff Atwood) #15

There’s a PM counter on the /admin page. If you see unusual, consistent levels of PM activity from certain accounts, you might wonder why.

Certainly the purpose of a forum is not as a PM backchannel, and that kind of near-constant PM usage with very superficial public posting, would be quite odd indeed from a user account: 490 PMs, and 3 posts?

Ways to post confidential info for moderator eyes only?
(Erlend Sogge Heggen) #16

The transparent traceback is a great step forward, but I still don’t like how easy it is to breach on people’s privacy. Maybe Snowden isn’t the best example. It’s too grand, too serious.

Imagine instead, a forum run by 13-year olds. I’ve certainly been in that exact position myself, and I figure this age group is definitely within Discourse’s target group. Admins & moderators at this age are more prone to bad judgement calls when they’re given too much power. Personal gripes could quickly lead to leaked conversations concerning love, sex, family, economy and so on. Hell, if two 13-year olds decided to share nude pics with one another, then you’d be the criminal for watching them.

Sure the traceback would prevent monitoring from happening in secret, but it’s much easier for an abusive admin to take something (mod traces) out than it is to add something new in (reading PMs).

So that’s my concern. I’ll think of more solutions next.

(Juffin) #17

From a perspective of admin i see how this feature can be VERY useful.
From a perspective of normal user i see this as frightening flaw in privacy EVEN THOUGH i fully understand that administrators can read anything out of the database.

As for today i highly doubt there are a lot of 13 y olds fluent with ruby and amazon aws and wanting a forum.but i see the point.

i think if this option should be available it should only be to administrators, on a large forum with many mods this can quickly get out of hand.

(Erlend Sogge Heggen) #18

You need basic Linux know-how, not Ruby, to set up Discourse, and I think you’re gravely underestimating 13 year old geeks, but that’s all besides the point. I’m thinking ahead to when setting up a Discourse forum is as easy as starting a Tumblr. When that’s a reality, admin controls need to be as abuse-proof as possible.

So I look at Sam’s bullet list and I go:

  • Which mods looked at which PMs - NO: Just don’t give them access, the end.
  • Which mods looked at which user’s private email address - YES
  • Which admin impersonated who, with a full trail - YES
  • Tons of moderation actions (who banned who, who blocked who, etc) - YES

For hosted forums, I want some method of “legal override” in place. Maybe an unlock key that admins would have to request from the (or wherever the hosting service will reside) webmasters in order to open PMs on a per PM or per user basis. Or maybe admin-reported PMs (e.g. ones showing the kind of suspicious pattern Jeff described) could be viewed by the hosting service webmasters only.

I’m not sure yet what the perfect solution sounds like, but when it comes to hosted forums, I think viewing PMs should only be possible by the service providers themselves, not your average forum admin. That way, true or false positives, they’ll only be viewed by someone who can be properly held accountable.

When you work part time in a kindergarten, you have to abide by the law of confidentiality. Discourse network super admins should be held accountable to similar such laws, because they have a lot of sensitive data right at their fingertips. Your average forum admin on the other hand should not have to bear that burden.

Privacy plugin that makes it more difficult for admins to read PMs
(J. Bruni) #19

I personally like the way it is. I see the PM feature as a “concession”, a “privilege” in a primarily public space. People should use another service if content privacy is their concern. I appreciate the Stack Exchange sites approach: there is no PM at all! Can we turn PM off at Discourse? As an admin, I wouldn’t like people plotting stuff under wraps, using the tool I’m providing. Just make it clear in the FAQ / TOS / PP that administrators can easily access PMs to prevent abuse (indeed, discouraging its use).

In the other hand, even though I like transparency a lot, I understand there are other use cases, point-of-views, preferences and approaches, equally valid, just like mine. I’m not sure how a broad open source software like this should tackle such divergences: stick to an arbitrary point of view? Or make everything a configurable “preference”?

In fact, it is not hard to imagine a larger organization scenario where allowing “mere moderators” to see people’s PMs would be an inconvenience. So, even being happy, comfortable and satisfied with current behaviour, I can feel the pain others are having. The fact is that I just wanted the team to acknowledge that there is people, as me, that actually likes the choices already made and the current behaviour. Thanks!

(Simon) #20

While I totally disagree with @codinghorror on this topic and especially the child-porn argument (like terrorism, it is used to justify everything), I think he is free to implement what ever he wants. It should just be made very clear, that this “feature” exists. Maybe show a message explaining that mods/admins can (and will?) read everything when someone writes their first PM.

However, I think if Discourse allows mods/admins to read everyones PMs through the normal interface, it should be not that easy:

There should be at least a red, evil looking button you have to press three times on two different devices before the software gives you access to PMs of a user, even if you impersonate them (ok, maybe one click is enough). And it definitely should be logged.