Can admin and mods read private messages?
This is a feature I wouldn't expect in forum software, since traditionally such systems like phpBB don't have it out of the box. It also seems wrong on a base trust level even before we got to the modern era of GDPR etc. etc.
Yet Discourse has this out of the box, much to my own surprise, and I thought: but why would you need it?
Other than tracking abusive PM's between warring users, which could easily be stopped by the recipient being able to ban PM's from a user, I didn't initially see the valid use case.
The point was made by Atwood, Discourse creator, that for example certain types of nefarious rings might use your PM system to share illicit material undetected. Think the worst kind.
- That is a very valid point and one worth exploring.
However it's still strange being able to read anyone's private messages, and users also may simply assume that their messages are private. Few think about databases and that once a person has access to a database they can in theory access any of the info, but it's not frictionless access. Discourse's implementation is as simple as reading your own PM.
What I felt would be a better solution, more admin friendly and simply effective at addressing the problem, would be to have a system that monitors the PM activity and volume of all user accounts.
For e.g. - A threshold is set with some criteria - then imagine a 0 post or very low post count user has more than 2 PM's a day, it's reported and flagged in stats. Imagine another user has 100's of PM's per day or hour, it's flagged with more force, because such activity would be highly suspicious. A whitelist system would handle the good guys and maybe not flag (like mods) but still report their activity too, if required.
So of my 10,000 imaginary forum users how do you find the 4 or 5 who are abusing the system, with little effort but with pinpoint accuracy fast?
Second to that there could also be threshold limits set that users can only read and send x pm's per day until they clock up some rep, which would act as a massive disincentive to abuse the PM system for nefarious and illegal activities. (apologies if such a feature is already there, I'm not 100% familiar yet with all of nodeBB functionality and feature set but getting there).
Open access for admins to PM's does not mean you will easily find and therefore stop the problem. Access only helps you determine if it is a problem on a PM per PM basis; how do you even know which user acc PM's to start looking at? It is still a needle in a haystack.
What you need are PM analytics as an admin in the first instance! - therefore it's not an access issue!
I find the Discourse implementation a good example of solving a real niche problem but with the wrong solution applied, or at least 50% wrong.
I would really like to see a PM report/analytic system in nodeBB natively, as a core security feature to tackle this issue - that can auto lock crazy PM behaviour.
Warning + notices to users easily administered by default, that PM's are not publicly viewable but admin viewable if x, y and z occurs.
The crazy thing is Discourse team originally implemented this and gave moderators access.
That's just insane IMHO, even as an Admin I am not really comfortable with that one-click power - it's clearly open to I would say more abuse than what it tries to solve.
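The PM-volume flagging, whitelist and per-day send cap proposed in the opening post, sketched as an added example that is not part of the thread and is not NodeBB or Discourse code. The thresholds, field names and record shapes are assumptions; it works on message metadata only, never message bodies.

```javascript
// Added example: thresholds, field names and record shapes are assumptions, not NodeBB APIs.
const DEFAULTS = {
  lowPostCount: 5,         // "0 post or very low post count" cut-off (assumed)
  lowPostDailyPms: 2,      // more than this per day from such an account is reported
  highVolumeDailyPms: 100, // "100's of PM's per day" is flagged with more force
  minReputation: 10,       // below this the daily send cap applies (assumed)
  newUserDailyCap: 5,      // the "x pm's per day" cap (assumed)
};

// messages: [{ from, sentAt }] with ISO-8601 UTC timestamps (metadata only).
// users: { name: { postCount, reputation, whitelisted } }
function pmReport(messages, users, opts = {}) {
  const cfg = { ...DEFAULTS, ...opts };
  const counts = new Map(); // user -> Map(day -> PMs sent that day)
  for (const { from, sentAt } of messages) {
    const day = sentAt.slice(0, 10);
    const days = counts.get(from) || counts.set(from, new Map()).get(from);
    days.set(day, (days.get(day) || 0) + 1);
  }
  const rows = [];
  for (const [user, days] of counts) {
    const u = users[user] || {};
    for (const [day, count] of days) {
      let severity = null;
      if (count >= cfg.highVolumeDailyPms) severity = 'high';
      else if ((u.postCount || 0) <= cfg.lowPostCount && count > cfg.lowPostDailyPms) severity = 'low';
      // Whitelisted accounts (e.g. mods) are still reported, just not flagged.
      if (severity) rows.push({ user, day, count, severity, flagged: !u.whitelisted });
    }
  }
  const rank = { high: 0, low: 1 };
  return rows.sort((a, b) => rank[a.severity] - rank[b.severity] || b.count - a.count);
}

// Send cap for accounts that have not yet built up reputation.
function canSendPm(user, sentToday, opts = {}) {
  const cfg = { ...DEFAULTS, ...opts };
  return (user.reputation || 0) >= cfg.minReputation || sentToday < cfg.newUserDailyCap;
}

// Constructed sample data: four accounts, one day of PM metadata.
const sampleUsers = {
  newbie: { postCount: 0, reputation: 0 },
  bulk: { postCount: 40, reputation: 12 },
  mod_amy: { postCount: 900, reputation: 500, whitelisted: true },
  regular: { postCount: 120, reputation: 30 },
};
const burst = (from, n) => Array.from({ length: n }, () => ({ from, sentAt: '2024-01-01T12:00:00Z' }));
const sampleMessages = [...burst('newbie', 3), ...burst('bulk', 250), ...burst('mod_amy', 150), ...burst('regular', 10)];
console.log(pmReport(sampleMessages, sampleUsers));
```

On the sample data the report lists three of the four accounts, highest severity first, and the established account sending 10 PMs does not appear at all.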
It speaks volumes about Discourse's userbase if the default concern of PMs is pedo rings.
TBF my impression was this came across as a post feature extreme justification, as many were equally uncomfortable with the implementation, had questions and raised similar concerns.
That it never occurred to me or others doesn’t mean such activity is not happening. I would imagine if it’s done it’s most effective when automated with bots. Using PM system as the exchange. I have no clue how prevalent this might be.
I’ve only recently read intel agencies use gamer boards for comms and not even pm posts either!
It’s a big world out there!