Impersonation and reading private messages


(Lee_Ars) #23

Right—I keep using the word “friction” because I don’t mind the ability being present and usable. But I do believe it should require effort to engage and leave visible traces (definitely in log files, and preferably user-visible, too—a notification of “$STAFF_NAME has read the conversation $SUBJECT_NAME” as a pop-up notification in the notification area, for example).

Cloaking or hiding the ability isn’t the answer, and it sounds like there’s pretty general agreement that an audit trail is a good idea. I’m cool with that :smiley:

I would absolutely run that plug-in without hesitation. It absolves me as the admin of a lot of responsibility and liability. I’d want it as a user, too, for the same reason that I don’t exchange IMs with anyone who doesn’t use OTR encryption.


(Kane York) #24

I tried to play around with impersonation, and…

How do you exit impersonation mode?
I solved it by logging out and back in again.

Whatever the proper method is, it certainly needs more discoverability…


(Jacob) #25

I would love to see this plugin. I really don’t like the facts mods/admins can view private messages. Private messages should be just that, private. The, “What if there is illegal activity in pms.” is absolutely ridiculous and it’s scary to think mods/staff would casually look at my private messages.

That pretty much sums it up and obviously logging staff actions is a start, but staff does not need to see pms at all. I can’t think of a single good reason.


(Eero Heikkinen) #26

I’ve run a community where people would routinely discuss very private subjects. Personal traumas, sexuality, that kinda stuff. More intimate conversations would happen in PMs. Now, people will not find it safe to open up if there is a chance of someone eavesdropping on their private conversations.

Our previous platform didn’t allow admins to view personal messages. Access to the database was limited to the minimum amount of persons necessary, who were screened for trustworthiness. Even that was the source of permanent discussion and concern, raising some what-ifs regarding privacy.

From our point of view, having unconstrained staff access to PMs is a problem. Leaving traces is a start, but would prefer a setting to turn it off. Even better would be the proposed plugin to encrypt messages. We actually discussed it before, but it turned out to be unfeasible to implement with that platform.


(Shiv Kumar) #27

I think the way log_in_user and current_user work currently is when a moderator wants to impersonate a user, they, more or less, log out of their account and fully log in as the user they are trying to impersonate. So, it’s not really impersonation, per se. It’s more like you’re literally becoming that user. @sam, does that sound about right?

Why not store one $redis key when a moderator logs in (the original_user) and a second $redis key when a moderator chooses to impersonate a user (the impersonated_user)? The idea here is that if both an original_user and an impersonated_user exist, then you should be able to…

  1. Stop impersonating that user and default back to the original_user by clicking on a [very obvious] ‘Stop impersonating’ button. Currently, you have to log out to stop impersonating and then log back in with your moderator credentials.
  2. Restrict moderators from performing certain actions, such as viewing private messages.

Unfortunately, I don’t have time right now to put together a PR for this, but I’m hoping that the general idea can be floated and considered for integration into Discourse. Happy to collaborate with somebody, too.
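The two-key session the post above sketches, as an added example that is not Discourse code: both the original staff user and the impersonated user are kept, so impersonation can be ended with an explicit action instead of a logout, and certain actions can be refused while it is active. The store is a plain Hash standing in for the proposed $redis keys; the key names, the ImpersonationSession class and the list of restricted actions are assumptions.

```ruby
# Added example, not Discourse's own code. A Hash stands in for the $redis
# keys proposed in the post; key names and class are assumptions.
class ImpersonationSession
  # Actions refused while acting as another user (assumed list).
  RESTRICTED_WHILE_IMPERSONATING = %i[view_private_messages change_password].freeze

  def initialize(store)
    @store = store
  end

  # Normal login: record the real user and clear any stale impersonation.
  def login(session_id, user)
    @store["session:#{session_id}:original_user"] = user
    @store.delete("session:#{session_id}:impersonated_user")
  end

  # Start impersonating; the original user stays recorded, nothing is logged out.
  def impersonate(session_id, target)
    raise "not logged in" unless original_user(session_id)
    raise "already impersonating" if impersonated_user(session_id)
    @store["session:#{session_id}:impersonated_user"] = target
  end

  # The "Stop impersonating" button: drop the second key, return to the original user.
  def stop_impersonating(session_id)
    @store.delete("session:#{session_id}:impersonated_user")
    original_user(session_id)
  end

  def original_user(session_id)
    @store["session:#{session_id}:original_user"]
  end

  def impersonated_user(session_id)
    @store["session:#{session_id}:impersonated_user"]
  end

  def impersonating?(session_id)
    !impersonated_user(session_id).nil?
  end

  # The user the application should treat as current_user.
  def current_user(session_id)
    impersonated_user(session_id) || original_user(session_id)
  end

  # Restriction only applies while both keys exist, i.e. during impersonation.
  def allowed?(session_id, action)
    return true unless impersonating?(session_id)
    !RESTRICTED_WHILE_IMPERSONATING.include?(action)
  end
end

if __FILE__ == $0
  session = ImpersonationSession.new({})
  session.login("s1", "moderator")
  session.impersonate("s1", "alice")
  puts "acting as #{session.current_user('s1')}"                      # alice
  puts "may view PMs: #{session.allowed?('s1', :view_private_messages)}" # false
  puts "back to #{session.stop_impersonating('s1')}"                    # moderator
end
```

The check on `original_user` in `impersonate` also stops a user who is already being impersonated from being used to impersonate a third account, since the original key is only written by a real login.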


(Jeff Atwood) #28

With recent changes only admins have full access, so moderators can no longer read PMs. This reduces the surface area considerably.


(Lee_Ars) #29

For what it’s worth, this is a good use-case for PGP. If someone needs to communicate something very private via PM, it doesn’t take more than an extra few seconds to compose the message offline in a text editor, encrypt with PGP or GPG, and then cut-n-paste the enciphered text into the PM window and send that instead. No need to wait for a forum plug-in—you just need the public key of your intended recipient (and, of course, a public/private keypair of your own).

This brings up a well-worn point, though, and that’s communicating with encryption can be inconvenient. This is probably worth breaking off into a side-topic to discuss further, but there are tools to make it…well, if not easy, then at least less cumbersome.


#30

Yes! Exactly. I don’t know why so many people don’t get this. Public domain means your info is public, period. Legally there is NO expectation of privacy in public which is, for example, why it is perfectly legal to film anyone or anything in public so long as you’re not selling the footage (or someone’s image) for profit.

If you want to keep something personal while transmitting it online this is still possible but don’t expect to use software like Discourse to accomplish that goal. Use something like BitMessage instead as a communication tool.

Also agree. I like to call it simply an issue (feature in this case) of checks and balances. Internal policing is better than no policing right? If an individual acts out, breaks the rules, or tries any sneaky business those actions are logged for admins to see.

Something similar to this happened on one of our past communities but on a very small scale. It took a couple of days for us to catch it, but with our relatively easy access (using Invision Power Board at the time) we were able to review user PMs that were self-incriminating.

So I can absolutely confirm the usefulness and necessity of accessibility to user PMs.

And to reiterate, an expectation of privacy in public is the stuff of fairy tales.


(Hoist) #31

I have a friend that’s a moderator on a Swedish airsoft forum and they have a forum part for buying/selling/trading airsoft gear. They have on occasion had problems with scammers. And the only way they could gather enough information to report this to the police was since they could read PMs and restore deleted PMs.


(Adam Capriola) #32

I think the term “private message” is what creates the expectation that the messages won’t be seen by others. That’s just how most other forum software works – the messages can’t be conveniently viewed by other users, even by administrators.

If there is a “private category” (only certain groups can see it), then users who have access will expect that at the very least administrators will be able to see the content as well (but not necessarily some/any moderators). Private messages should be treated as if they are private categories.

I’m ok with the presumption that administrators should be able to see private messages, but definitely not moderators unless specifically granted permissions. Not all moderators are equal on the totem pole.

I do wish there was more of a barrier to entry though – I clicked through to a user’s PM by mistake because I was confused by what I was seeing. I thought it was a conversation I was included in, but I somehow missed the notification. It’s not the norm to be able to so easily view PMs like that. I would have thought I needed to impersonate the user first.


(Jeff Atwood) #33

This is already the case, moderators can no longer see PMs or secure categories.


(cpradio) #34

Really? As I’m fairly certain I can.

I just open one of my PMs, and then change the last 3 digits in the URL and I can get to other PMs (with some guessing).

Here is how my user is defined:


(Jeff Atwood) #35

Different issue. Via the UI, it is not possible.


(Mittineague) #36

@cpradio can you get to this PM?

https://meta.discourse.org/t/anytexthere/12759?source_topic_id=8485

(cpradio) #37

No, but I’m not a moderator on meta. So that would be more difficult. It is my understanding that moderators shouldn’t be able to see other’s PMs, and if that is the case, it isn’t working properly :wink:


(Mittineague) #43

Just a thought, I don’t mean to tell anyone how to do it. But …

Currently Topics and PMs share the same path syntax. eg.

domain/t/titletext/###

By finding the numbers of any two adjacently created Topics it can be deduced that numbers falling between them are PMs

The title text is not relevant, Rails uses the number, so the title text does not need to be known.

Perhaps having a “p” instead of the “t” would be better?


(Dave McClure) #44

The missing numbers could also be topics in private categories or deleted topics, etc…


(Kane York) #45

In addition to this, everybody gets a PM when they sign up, further obscuring the possibility of getting any useful information out of the numeric distribution.


(Jeff Atwood) #48

Just to summarize current state:

  • only admins can read PMs, not moderators

  • mods can read flagged PMs while the flag is active

  • topics do track who has read them, so this data has been available from day zero

This topic is now closed. New replies are no longer allowed.


(Arpit Jalan) #49

There is a new site setting log personal messages views to log Admin PM views for other users/groups in staff action logs. The setting is disabled by default.
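The rules summarised in #48 and the logging setting in #49, as an added example that is not Discourse code: a guardian that decides PM visibility by numeric topic id (so a guessed URL, as in #34, hits the same server-side check as the UI) and, when the logging setting is on, records a staff-action log entry for each read of a PM the reader does not participate in. The User and Topic structs, the `flagged` field, the PmGuardian class and the log line format are assumptions; whether a moderator's read of a flagged PM is logged is also an assumption (here it is).

```ruby
# Added example, not Discourse's own code. Structs, field names, the
# PmGuardian class and the log line format are assumptions.
User  = Struct.new(:name, :admin, :moderator)
Topic = Struct.new(:id, :private_message, :participants, :flagged)

class PmGuardian
  attr_reader :staff_action_log

  # log_pm_views models the "log personal messages views" site setting.
  def initialize(topics, log_pm_views:)
    @topics = topics.each_with_object({}) { |t, h| h[t.id] = t } # index by id
    @log_pm_views = log_pm_views
    @staff_action_log = []
  end

  # Visibility rules from #48: participants always; admins always;
  # moderators only while a flag is active; everyone else never.
  def can_see_topic?(user, topic_id)
    topic = @topics[topic_id]
    return false if topic.nil?                  # unknown id: deny, leak nothing
    return true unless topic.private_message    # ordinary topic
    return true if topic.participants.include?(user.name)
    return true if user.admin
    return true if user.moderator && topic.flagged
    false
  end

  # Fetch by id exactly as a /t/<title>/<id> handler would, then log
  # any read of a PM by someone who is not in the conversation.
  def view(user, topic_id)
    return nil unless can_see_topic?(user, topic_id)
    topic = @topics[topic_id]
    if @log_pm_views && topic.private_message && !topic.participants.include?(user.name)
      @staff_action_log << "#{user.name} viewed private message ##{topic_id}"
    end
    topic
  end
end

if __FILE__ == $0
  topics = [
    Topic.new(100, false, [], false),             # public topic
    Topic.new(101, true, %w[alice bob], false),   # constructed PM
    Topic.new(102, true, %w[alice bob], true)     # constructed PM with active flag
  ]
  guardian = PmGuardian.new(topics, log_pm_views: true)
  mod = User.new("mod", false, true)
  admin = User.new("admin", true, false)
  (100..103).each do |id|                         # the "guess the id" walk from #34
    puts "mod   #{id}: #{guardian.can_see_topic?(mod, id)}"
    puts "admin #{id}: #{guardian.can_see_topic?(admin, id)}"
  end
  guardian.view(admin, 101)
  puts guardian.staff_action_log.inspect          # ["admin viewed private message #101"]
end
```

Note that `can_see_topic?` returns the same `false` for an id that does not exist and for a PM the user may not read, so walking adjacent ids (the inference in #43) reveals nothing beyond what the caveats in #44 and #45 already allow.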