🚨 IMPORTANT: About Direct Messages

Dear all,

I’m afraid I have some bad news to share with you. I know that tensions are already high in some parts of the community in light of recent discussions about the site’s past, present, and future and this will not help. Please try your utmost to keep it civil as you never know how any of this is affecting the person(s) on the other end.

PLEASE READ THE WHOLE POST BEFORE REPLYING.

Yesterday, in this thread [Alternatives to private messaging] I was testing some DM stuff with another user (flagging, etc) and in this process, I realised for the very first time that as admin, I can actually access ALL direct messages on this site, not just flagged ones. Yes, you read that right. I honest to god had never noticed this before, it’s such a baffling set-up to me that it never even occured to me to check for it. Neither did Sean, Theo or anyone else know about this until yesterday afternoon. It ONLY applies to admins, NOT moderators. We have checked this.

What’s more, this appears to be the standard, default set-up on Discourse forums and not really an optional feature that can be disabled. For now, the best we could do is at the very least enable an automated audit log to be created in the event that one of us admins DOES check someone else’s DM, just like what happens every time one of us deletes a thread, approves a flag, changes someone’s username, etc etc. Like this, from when we did a test at @wewerewerewolvesonce checked one of my DMs:

Skjermbilde 2023-01-27 kl. 14.24.112426×398 34.5 KB

We’ll be happy to share this entire log with anyone who wants to see it for any reason at any time.

At this point, I’m going to have to ask you to take my word for the fact that none of us knew about this access until yesterday afternoon, which means that no one will have ever checked anyone else’s DMs for any reason whatsoever. In the time that DiS has been on Discourse, the admins have been: @sean, @1101010 stepped down in early 2019), me, @wewerewerewolvesonce, and the server admin Tom who hasn’t been logged on since 2020. No one else. I was personally mortified when I realised and definitely do not wish for this to be the case.

Either way, this is something that we SHOULD have known. Discourse seem almost offended that we DIDN’T know, and stressed just how much they’re not called PRIVATE messages. It is in place as a security measure in case of any serious issues like police matters.

I wholeheartedly and unreservedly apologise for the fact that we did not realise this sooner, and for any distress this may cause, it is on us. We are and I am sorry.

The reason I’ve explained that we did not know is in an attempt to give some peace of mind to anyone who might be feeling anxious about this – to say that even if you don’t know and/or trust any of us, hopefully you can rest assured that we haven’t been doing anything dodgy because we didn’t even know it was possible.

I realise that Friday afternoon isn’t the best time to share this kind of news, but once we DID discover this we wanted to share it with you all as soon as possible – once we had checked a few things to make sure we understood more. For example, that NO ONE else apart from ADMIN users have this access.

Now, for the way forward from this:

We’ve been looking into possible solutions, ie. if there’s any way to change this from being the standard setup.

For example, there is this encryption plugin: GitHub - discourse/discourse-encrypt: A plugin that provides a secure communication channel through Discourse.

I don’t know much about this stuff, and seeing as parts of the community are already discussing new ways of running the technical side of this place in any case, we want to ask you to share your views on what will be the best way of going forward here. Lots of you will have a better understanding of this than I do for sure.

For anyone who might be interested, here is the standard Discourse forum privacy policy for this place (doesn’t mention messages, I will be sure to edit it!). Privacy - Drowned in Sound | Community

That’s it from me. Please feel free to share your thoughts/suggestions etc.

UPDATE: Have confirmed that admins can delete a DM thread without opening it.

@moderators

Appreciate the transparency.

That’s some pretty elite level sophistry.

I’d like to 1000% echo this apology. I’m really truly sorry for not being aware of this. There was absolutely nowhere in the back end it’s mentioned or at all obvious.

I discussed this post with @whiterussian before this was posted and please be assured that now that we are aware of this that we’re looking at all possible solutions for the current site and if we transition to a different server or service provider going forward.

Thanks for letting us know – I probably have an address or two from people in old DMs from previous raffle prize things or whatever, so I’ll delete those (not that I think any of the admins will look through, but probably makes sense to just delete them to prevent anything in future).

Except messages can’t even be deleted for some reason

Haha fucks sake

^this

Yeah I wanted to clear mine as I don’t like clutter but you can’t. You have to flag them which means the admin reads it anyway

I think I’d always assumed this was the case tbh

We urgently need the ability to delete DMs in light of this.

D*scourse seem like knobs tbh. Every issue raised seems to be “you’re using it wrong”.

Yeah was reading the threads and there are some grade-A bullshit responses from them. including a seemingly serious, “I would simply not login as an Admin if I didn’t want to read direct messages” and “surely you expe t an admin to have full DB access anyway” and “if there are kids on your message board because it’s for a kids’ sports team” because, yeah sure, highly niche shit should set non-configurable policy in that way.

That said, it’s hard to know how this could be configured such that an Admin couldn’t unconfigure it later because there’s no one above admin.

Who watches the watchmen indeed.

Yup, we have to delete them for you!

I guess it’s because there are (at least) two people involved in a message thread, so the thinking is that one part shouldn’t be able to delete the whole thing?

Meant to add this actually but if anyone wants to have some messages deleted, you can either DM @admins or either one out of me, @sean and @wewerewerewolvesonce, and we promise we will delete with as little looking as humanly possible.

Is there any mass wipe feature? If you also want to remove your account, will it delete DM’s or do the posts and DMs just become anonymous?

I’d never really even thought about it before. probably would have default assumed they didn’t have access.

that said, I’m not bothered (have fun looking through the hundreds of automated pms I get when people flag my various threats to the rich and fascists) with like 3 trustworthy people being able to view them. fully understand why people would be bothered though, so yeah, its a bit of a pickle innit.

I didn’t assume it, but it’s not surprising that those will the highest access levels have access to everything - that’s fairly standard I think(?)

I too appreciate the transparency

If we could delete messages that would be great, I guess that’s a discord thing tho and out of Sean etcs hands to an extent (dunno tho obvs)

All posts and threads are swiped when a user account is fully deleted. Anonymisation of an account will not, just replace any user info.

I’m pretty sure the ability to delete DMs isn’t something we can actually enable, but I’ll double check now to make sure.