PMs - Private or Not?

Discussion in 'Security and Legal' started by Zook, Apr 29, 2015.

  1. Zook

    Zook Regular Member

    This may or may not have been discussed in the past, but I'd like to have some discussion regarding the reading of PMs as it relates to security purposes. I know any forum owner can easily access this data via the database or by utilizing any one of several hacks that are available from a variety of sources. From what information I have been able to gather, much like an employer/employee relationship, data delivered through a forum's server becomes the property of the forum owner and can therefore be accessed at the owner's discretion.

    How that data is used is where the legalities can become an issue. In my opinion the only valid reason for a forum owner to read members' PMs is strictly for security purposes to protect the forum owner and to protect the members, such as when a member has made physical threats towards another member or is conducting illegal activities such as selling stolen merchandise via PM. Well, in the seven-year history of my forum, I have unfortunately had both of these happen, and that has motivated me to open this discussion.

    I know that a forum's privacy statement should reflect that PMs are not private and upon reading privacy statements from a couple of the big two forum companies, this is covered though it is written in some very cryptic, legalese language. I'd like to know if any of you have experienced a situation that would call for screening a person's PMs and what, if any, action did you take? I do know this is a sensitive issue and many refuse to openly discuss this, but for those who will, what is your take on this?
     
    Last edited: Apr 29, 2015
  2. Jack Rouse

    Jack Rouse Regular Member

    I have had issues in the past where the PM system has been used to "steal" members to take part in other forums in the same niche, so I am very wary of PM's. If and when I get a decent membership again, newcomers will not be allowed to use the PM for a certain time.

    As for reading them, XenForo no longer calls them "Private Messages"; instead they are referred to as "Conversations", and as such I would definitely read any from members who I felt I didn't trust.

    I also know of some admins who post in proxy accounts as an ordinary member, to catch out those trying to recruit or anything they don't like.
     
  3. Janet H

    Janet H Administrator Admin Talk Staff


    I don't think that there are any fool-proof ways to prevent abuse but there are various schemes to slow it down. A couple come to mind:

    Denying messaging to new or low post count members
    Filtering messages for links, e-mail addresses or even phone numbers and then suspending messaging after repeated instances.
    Neither of these requires human interaction but both have some drawbacks. In particular, new members are the most likely to need to reach out via a PM for account assistance.
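The two schemes listed in the post above, combined into one automated gate, as an added example that is not part of the thread and not code from any forum package. The thresholds, the `Member` fields and the staff exemption (which addresses the drawback the post mentions) are assumptions; the gate records only which kind of marker matched, so nobody has to read the message.

```python
import re
from dataclasses import dataclass

# Thresholds and names are assumptions for illustration, not from any forum package.
MIN_POSTS, MIN_DAYS, MAX_STRIKES = 10, 7, 3

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[a-z0-9-]+\.(?:com|net|org|info)\b", re.I)
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d[\s().-]?){9,14}\d(?!\d)")

@dataclass
class Member:
    name: str
    post_count: int
    days_registered: int
    strikes: int = 0
    messaging_suspended: bool = False

def contact_markers(body):
    """Return marker categories only; the message text is never stored or shown."""
    rest = EMAIL_RE.sub(" ", body)  # so an address is not also counted as a link
    checks = (("email", EMAIL_RE, body), ("link", URL_RE, rest), ("phone", PHONE_RE, rest))
    return [label for label, rx, text in checks if rx.search(text)]

def screen_pm(sender, recipient_is_staff, body):
    """Decide 'deliver' or 'block' for one message, updating the sender's strikes."""
    if recipient_is_staff:
        # New or suspended members must still be able to ask staff for account help.
        return "deliver", []
    if sender.messaging_suspended:
        return "block", ["messaging suspended"]
    if sender.post_count < MIN_POSTS or sender.days_registered < MIN_DAYS:
        return "block", ["new or low post count member"]
    markers = contact_markers(body)
    if markers:
        sender.strikes += 1
        if sender.strikes >= MAX_STRIKES:
            sender.messaging_suspended = True
            return "block", markers + ["suspended after repeated instances"]
    return "deliver", markers

if __name__ == "__main__":
    # Constructed sample messages.
    regular = Member("regular", post_count=40, days_registered=90)
    for _ in range(3):
        print(screen_pm(regular, False, "Join us at https://other-forum.example/join"))
    print(screen_pm(Member("newbie", 0, 1), True, "I can't change my password"))
```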
     
  4. AWS

    AWS Administrator Admin Talk Staff

    I am one of the few forum admins that have a policy that PM's are private and will remain private between the parties involved on any site I own.

    I see a trend where admins install a hack and read people's PM's and then if they don't like what is said in them they ban the users. Nothing in the TOS says anything about the possibility that private messages may be read. I think this is low and any admin that does it should not be running a forum.

    I have and will again stand up for a user's right to privacy. I was subpoenaed to turn over one of my site's PM data between 2 users. One was suing the other over something. I fought it and in the end the judge ruled in my favor. I don't know what happened as far as how the lawsuit went and didn't even care. Things are different today so maybe it would turn out different if it happened again.

    No matter what, I would fight it again.
     
  5. Janet H

    Janet H Administrator Admin Talk Staff


    It's a tough issue and I agree that reading private content is pretty low. Regarding court orders, this is a slippery slope as well but it's tough to know where to draw the line. In the case of a squabble between two members, it's pretty easy to say no, but in the case of, say, a pending prosecution of a pedophile it might be a different deal. If you have forum members who are young-ish this might be a real concern and one I've encountered.
     
  6. GTB

    GTB Regular Member

    Makes sense not letting new members use the PM system, if having the option to set it based on post count required. I don't have that option with phpBB, if I did I'd be using it without a doubt.

    Reading PM's as admin I've got mixed views about now. One time I'd have said a real no, no doing it. But the way spammers are now on the web, they will use any means on a forum to spam things. I think as long as an admin doesn't share in public what they read in PM's, not share it with anyone else either - it still remains private information. Then don't see a problem with it really, I think users of a forum have to expect nowadays that an admin may read their PM's if things look suspect.

    I have only read a user's PM message the once only, that was with my present forum and spotted the user in question was trying to tell another member after they first joined and posted - to go join another forum instead (TAZ), saying mine was too quiet. I've said nothing to that user spotted doing it since, but it just goes to show what can be spotted happening behind your back using the PM system for it.
     
    Last edited: Apr 30, 2015
    Jack Rouse likes this.
  7. Jack Rouse

    Jack Rouse Regular Member

    This is exactly what I suffered from, and had I had the ability to read PM's I could have put a stop to it.
    Now I am wary of it, and if need be, I will create a ghost account and use that to spot any potential threats. I would also have no hesitation in banning the member instantly.
     
  8. GTB

    GTB Regular Member

    You don't need a mod installed to read PM's, it can be done via the database table with phpMyAdmin. In my case mentioned above, I have no mod installed to read PM's. I'd sent a PM to a member about what they posted and later wished I'd not sent it to them, was being a bit harsh and the PM had not been marked as read yet. So went into the DB table to delete the PM sent "before being read" and saw some exchanges taking place between two suspect members. So had a read and spotted it by accident more than anything.

    As said, it's the only time I've ever read PM's between people. And wasn't really done intentionally on purpose.
     
    Last edited: Apr 30, 2015
  9. Zook

    Zook Regular Member

    I totally agree that it is not cool to randomly read members' private messages and would never have done so except that a member was selling stolen merchandise from one of my sponsors and almost by accident did I find out it was happening. A member messaged me and informed me of a great deal another member offered her on a piece of equipment for her motorcycle, a $1500 reverse gear kit for a Harley Trike. She asked if I thought the deal was legit. It did seem like a way too good to be true price on a brand new reverse kit, so upon checking out the seller's info, turns out he was the purchasing agent for one of my biggest sponsors and had used a generic username, but had registered with his name @ the company's email address, which was the same as my sponsor's business email address. That was the dumbness that got him caught! Turns out he had sold about a dozen of these along with other equipment that was stolen from my sponsor so I felt I had an obligation to alert my sponsor of the thefts. I talked to two attorneys before copying and providing the PMs; it is legal in the USA.

    A bit later this happened: I found out through my hosting security staff that my asst administrator had made a SQL injection and had downloaded my database with all of my members' contact information. Through PM inspections I found out she was planning on starting a competing forum so I dropped the hammer on her.

    I did not originally believe that reading PMs was anything I would ever do, none of my business, and to this day I rarely do, but if there is someone suspect, I would not hesitate to do so today. This may not apply to everyone, but I would advise you that there are certainly cases for securing your site.
     
    Last edited: Apr 30, 2015
  10. GTB

    GTB Regular Member

    I think no user who joins a forum should be naive thinking their private messages will never be read. You only need look at the mods created for XenForo and vBulletin to do it, how popular they became - especially so for vBulletin 3. To know many forum admins do read PM's. I have mixed feelings about using the mod because most admins don't use it for the purpose of spying on what members say to one another, but as an extra anti-spam tool for using at their disposal to spot them abusing the PM system.
     
    Last edited: Apr 30, 2015
  11. Zook

    Zook Regular Member

    The NSA captures and screens every phone call, text message and email of mine and everyone else's in the USA and many other countries. NO ONE should really expect that complete privacy is the norm anymore. It really bugged me when I found out the government was screening my phone calls and emails, but I finally realized that will not change and I really have nothing to worry about, nor do any of my members who are not committing a criminal act.
     
  12. GTB

    GTB Regular Member

    Well I've seen some forums in past that completely disabled the PM system due to it being abused, they had enough of it keep going on. Telling members if doing something like selling a forum license that they need to take it to email instead.

    I've seen that a few times, forums disabling the PM system.
     
  13. Zook

    Zook Regular Member

    Thanks for all of your feedback on this subject. I know it is a very controversial subject.
     
  14. Michelle Kelly

    Michelle Kelly Someone who fumbles while they stumble

    To me PM's are private, period, on my forum. I know I can access them by accessing the database directly. But once I justify to myself that it's OK to read PM's for some reason then it's easy to keep justifying for other things. Eventually I would reach a point where I would read them regardless of the reason. Kind of a slippery slope. Better to do it through official means such as when a member reports a PM and obligated to act on it.

    But in general a person should not assume that what they put in a PM is private on any forum. If a person really does want privacy they should encrypt the message with some kind of encryption routine and give the key only to the person it is intended for in the first place. That way if anyone intercepts it, then it's not in plain text for them to read.
     
  15. King G

    King G King G

    I know it's a delicate issue but I would tell members that PMs are not private but rather conversations.
     
