Users stats privacy


#1

Hi.

I’ve just noticed that every user has access to statistics on /users page where it’s shown how many times every user visits and how many posts he/she reads and views. It’s indeed useful info but I doubt it should be available publicly by default. Anyway is there any way to limit availability of visits/reads/views stats for every user?


(Sam Saffron) #3

Closest you can get is: hide user profiles from public site setting, if you want to protect this info.

Short of that there is no way of removing this information from the payloads, you could create a custom CSS rule to hide the bits you do not want to easily expose.


#4

I see, but are you sure it’s a good idea to show such info be default? How about introducing a new option show user stats. It could be not just a boolean but trust level meaning starting what trust-level users are allowed to see other users stats (there should be possible to set moderators and admins only).

BTW hide user profiles from public means “Disable user cards, user profiles and user directory for anonymous users”. I set it on, thanks (again I’m sure it should be true by default). But it only restricts accessing info for non-authenticated users. For logged-in users it will be available.


#5

I dont quite understand what is gained by someone being able to see this - yes you can see how many posts that have been read etc and how many times they have logged on but is it really a privacy issue?


#6

I believe it is as it exposes users activity in real life.
Would you agree if Facebook shows your such activity publicly (when you logged on, how many posts did you read, how long did you stay reading, etc).


(Eli the Bearded) #7

It’s not so much as “exposes” as “makes easily available”. You can get the same (or similar depending on hidden topics) information by just crawling the site.


#8

not sure that I understand you,
how will you know a user’s last login time by crawling the site?


(David Taylor) #9

https://meta.discourse.org/users/shrike.json

last_seen_at:2017-03-20T21:48:54.722Z


(Mittineague) #10

You could guess by finding a members last post.
But if you’re talking about the Users page, last log-in isn’t given there either.
Personally, I don’t consider my “activity” stats to be a privacy concern. I certainly wouldn’t want my email address or password to be available to members. Nor would I want my Preference Settings to be easily found (less a concern). But I have no problem with what shows on the User page or my Profile


(Razaq) #11

I agree that this should be somewhat private. Maybe number of likes received or given could be displayed but definitely not login times. Even if one can get them by crawling, at least we reduce the availability of such info by removing them or at least give the user the option to show or hide it.