Dear all,
I’m afraid I have some bad news to share with you. I know that tensions are already high in some parts of the community in light of recent discussions about the site’s past, present, and future and this will not help. Please try your utmost to keep it civil as you never know how any of this is affecting the person(s) on the other end.
PLEASE READ THE WHOLE POST BEFORE REPLYING.
Yesterday, in this thread [Alternatives to private messaging] I was testing some DM stuff with another user (flagging, etc) and in this process, I realised for the very first time that as admin, I can actually access ALL direct messages on this site, not just flagged ones. Yes, you read that right. I honest to god had never noticed this before, it’s such a baffling set-up to me that it never even occurred to me to check for it. Neither did Sean, Theo or anyone else know about this until yesterday afternoon. It ONLY applies to admins, NOT moderators. We have checked this.
What’s more, this appears to be the standard, default set-up on Discourse forums and not really an optional feature that can be disabled. For now, the best we could do is at the very least enable an automated audit log to be created in the event that one of us admins DOES check someone else’s DM, just like what happens every time one of us deletes a thread, approves a flag, changes someone’s username, etc etc. Like this, from when we did a test and @wewerewerewolvesonce checked one of my DMs:
We’ll be happy to share this entire log with anyone who wants to see it for any reason at any time.
At this point, I’m going to have to ask you to take my word for the fact that none of us knew about this access until yesterday afternoon, which means that no one will have ever checked anyone else’s DMs for any reason whatsoever. In the time that DiS has been on Discourse, the admins have been: @sean, @1101010 (stepped down in early 2019), me, @wewerewerewolvesonce, and the server admin Tom who hasn’t been logged on since 2020. No one else. I was personally mortified when I realised and definitely do not wish for this to be the case.
Either way, this is something that we SHOULD have known. Discourse seem almost offended that we DIDN’T know, and stressed just how much they’re not called PRIVATE messages. It is in place as a security measure in case of any serious issues like police matters.
I wholeheartedly and unreservedly apologise for the fact that we did not realise this sooner, and for any distress this may cause, it is on us. We are and I am sorry.
The reason I’ve explained that we did not know is in an attempt to give some peace of mind to anyone who might be feeling anxious about this – to say that even if you don’t know and/or trust any of us, hopefully you can rest assured that we haven’t been doing anything dodgy because we didn’t even know it was possible.
I realise that Friday afternoon isn’t the best time to share this kind of news, but once we DID discover this we wanted to share it with you all as soon as possible – once we had checked a few things to make sure we understood more. For example, that NO ONE else apart from ADMIN users has this access.
Now, for the way forward from this:
We’ve been looking into possible solutions, i.e. if there’s any way to change this from being the standard setup.
For example, there is this encryption plugin: GitHub - discourse/discourse-encrypt: A plugin that provides a secure communication channel through Discourse.
I don’t know much about this stuff, and seeing as parts of the community are already discussing new ways of running the technical side of this place in any case, we want to ask you to share your views on what will be the best way of going forward here. Lots of you will have a better understanding of this than I do for sure.
For anyone who might be interested, here is the standard Discourse forum privacy policy for this place (doesn’t mention messages, I will be sure to edit it!). Privacy - Drowned in Sound | Community
That’s it from me. Please feel free to share your thoughts/suggestions etc.
UPDATE: Have confirmed that admins can delete a DM thread without opening it.