Add basic abuse reporting mechanism

[alvestrand]

In the case where the abuse comes from the abuser's provider (such as when the "abuser" is a fake identity created by the abuser's provider in order to achieve abusive outcomes like spam or phishing), sending an abuse complaint verbatim to the abuser's provider is exactly the wrong thing to do.

The abuser's provider may need to get told that sanctions have been imposed against his user, but telling him why feeds into machine learning on how to avoid anti-abuse mechanisms.

[rohanmahy]

Discussion about the potential for a reporter to forge an abusive message at interim meeting 10-Apr-2024:

• Travis says the abuse reports should go to the reporter's provider, while the hub provider is specified in the PR currently. Harald says you shouldn't reveal abuse reports to the alleged abuser's provider.
• The situation is better than if we only have AEAD, but we still may need some additional franking (by the hub using a symmetric algorithm)
• There is a risk of "outing" a pseudonymized user.

[bifurcation]

Interim 2024-04-10

• Need to address risk of forgery by reporter
  • Deployed state of the art is "franking"
  • MLS signature could help obviate the need for franking
  • Even in metadata-limited case, signature keys are used, but they're not linked to the real identity
    • Might not be able to rely much on signature here; might need franking
    • Or might need to deanonymize a participant in the event of abuse
  • Would be good to protect reporter identity in this process
• Should abuse reports go to the hub?
  • Reporter provider, hub, abuser's provider, other providers?
  • Could also augment a standard thing with out-of-band mechanisms
  • Reporter provider will get it through the submission process
  • Should not provide it to abuser's provider
  • So the question reduces to whether to provide to the hub
  • Might need more review of use cases, maybe a generic "send report to provider", irrespective of room topology
• Conclusions:
  • If we have a reporting mechanism, need to address reporter forgery
  • We should define an abuse endpoint for providing inputs to anti-abuse processes
• TODO: @rohanmahy will revise to reflect discussion, bring back to the group

[rohanmahy]

Replacing with franking based proposal in #83