wlonk / wheretofind.me

A calling card for the internet
https://wheretofind.me/

Abuse & deletion #27

Open ojacobson opened 5 years ago

ojacobson commented 5 years ago

wheretofind.me is a social service with open signup. As we know, if everyone can use a service, just about anyone will use a service, including assholes, and including people who might change their minds later. We should be prepared for that.

I think this falls into two buckets:

Balancing this is that the removal process itself should ideally not be easily abused either, so that it isn't a channel for people to remove other peoples' wtf.me profiles at will.

I don't think this is something we can automate. Lost-password services are an obvious first step for deletion, but they do nothing for abuse and don't deal with the case where someone's lost access to the email on their account. Furthermore, manual intervention is somewhat harder to misuse, and gives us a chance to observe actual requests in the wild and determine what we might want to automate or change. We need a manual process to backstop lost password recovery.

With that in mind, here's a proposal:

  1. We add a deletion@wheretofind.me email address and link to it on the site: "Added without your consent? Contact us to remove this entry."
  2. We ask people who contact us to confirm that they own the identities they want removed by posting a safe nonce, such as a short random string, to that identity, or that they respond to a DM/message sent to that identity, as possible.
  3. If they confirm ownership, we delete the identities, no questions asked. If that leaves the account empty, we also delete the account.
  4. We publish this policy as part of a code of conduct/privacy policy on the site and conduct quarterly firedrills to ensure we remember how to do this.

wlonk commented 5 years ago

That proposal is good.

I'll write it up and add it to the About/ToS pages, along with adding some internal documentation on process and nonce-generation, and then… do something about getting email stood up for this domain.

krveale commented 5 years ago

I think the possibility of abuse is a really important point: wheretofind.me could absolutely be used against someone's will in its current format, and would be a useful tool for the complete hooting dickholes at kiwifarms and other such places. Harassment campaigns often have people who collate together information that can then be distributed and weaponised among the horde, and sadly as it stands this'd be a very helpful tool for facilitating this. All you do is input all of the possible attack vectors to wheretofind.me without someone's consent, and then start sharing innocuous-seeming links online to your followers, who then dispense abuse en masse. Given how common it is for harassment campaigns to impersonate the people they attack, they'd probably also claim that the person shared the info themselves and that this was "proof" they were manufacturing drama, thus aren't really being attacked. (This claim happens a lot.) So yeah: That hadn't occurred to me as a possibility, but it's a very plausible application for the platform as it stands. The suggested method for letting people authenticate their accounts before deletion seems like a good one, too. To follow on from discussions on Pillowfort, another strategy that harassment campaigns use is to have someone follow a target and never interact with them, but then pass their posts and information back to the other members of the pack. The ability to control who follows you would be a helpful defence for that, since I've seen cases where people wrote a list of followers and started experimenting with selective bans until they figured out who the leaks were.

wlonk commented 5 years ago

I've added a contact email and the policy that @ojacobson described (with a few small modifications). See https://wheretofind.me/tos/#abuse-and-deletion

I am gonna leave this open, because I think that we need to still consider @krveale's very good points about triangulating who's hate-following you, and demonstrating ownership of accounts.

ojacobson commented 4 years ago

We recently received an abuse report that required serious thought, and we can probably use it to refine the practice and policy a bit.
About the complaint:

Salient facts about the complaint

(Obviously, I've left out specifics that could identify the profile or the petitioner.)

Investigation

Analysis

Conclusions

This is the first time we've reviewed a profile in this level of detail, and I'll freely admit that I winged it at the time in conversation, rather than applying a principled approach up front. I'm content with the results, but justice and fairness are generally served by making the process both repeatable and reasonably transparent. Is this investigation worth codifying, either in a small way or a large one, so that the next proceeds on similar lines?

wlonk commented 4 years ago

Agree on all points.

As of this writing, no reply from the address that issued the complaint.

krveale commented 4 years ago

Thanks folks, I think this is an interesting problem that's been handled well - particularly with getting them to contact you from one of the accounts.

If we were being ULTRA paranoid, I might suggest that for future cases where you're concerned about the possibility someone's under attack - which would potentially be visible if they talked about it on some of their accounts, maybe? - contact from two accounts would be even better, just in case the person targeted has lost control of one of the accounts on the list due to a hack or social engineering or something.

Then again, if someone's talking about being attacked, I'm guessing that's a pretty intuitive flag there's a problem. On the OTHER other hand, it might also be a good reason to want to deep-six the WhereToFindMe account if people were hatefollowing? Hmm. Context I guess is always going to matter.

The main thing is that you're not automating this, which fixes 95% of problems with harassment cases.
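As an added example (not code from the wheretofind.me project), the following Python module does the bookkeeping behind step 2 of the proposal earlier in this thread: it issues a distinct random nonce per identity named in a deletion request, lets a moderator record the nonce they saw posted to (or DMed from) that identity, and reports when enough identities have been proven. It also implements the "two accounts" variant suggested just above by making the number of required confirmations configurable. The 72-hour validity window, the function names, the result strings and the identities used in the usage call are all assumptions made for this illustration. Nothing here deletes anything; the decision and the deletion stay manual.

```python
"""Issue and check ownership nonces for manual deletion requests.

Added example, not part of the wheretofind.me code base. The 72-hour
window, the names and the result strings are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

NONCE_TTL_SECONDS = 72 * 3600  # assumed window in which the nonce must be posted


@dataclass
class DeletionRequest:
    """One petition to remove identities from a profile."""
    identities: tuple            # identities the petitioner asked us to remove
    required_confirmations: int  # 1 = basic policy; 2 = the "two accounts" variant
    issued_at: float
    nonces: dict = field(default_factory=dict)   # identity -> nonce we sent out
    confirmed: set = field(default_factory=set)  # identities proven so far


def new_nonce() -> str:
    # 16 bytes from the OS CSPRNG, URL-safe so it can be pasted into a post or bio
    return secrets.token_urlsafe(16)


def open_request(identities, required_confirmations=1, now=None) -> DeletionRequest:
    """Start a request with a distinct nonce per identity, so one proof never covers another."""
    if not identities:
        raise ValueError("a deletion request must name at least one identity")
    if required_confirmations < 1:
        raise ValueError("at least one confirmation is required")
    req = DeletionRequest(
        identities=tuple(identities),
        # never demand more confirmations than there are identities to prove
        required_confirmations=min(required_confirmations, len(identities)),
        issued_at=time.time() if now is None else now,
    )
    for ident in req.identities:
        req.nonces[ident] = new_nonce()
    return req


def record_confirmation(req, identity, observed, now=None) -> str:
    """Check a nonce the moderator saw posted on (or DMed from) `identity`.

    Returns one of: "unknown-identity", "expired", "mismatch",
    "already-confirmed", "confirmed". The moderator still decides what to do;
    this only keeps the bookkeeping honest.
    """
    now = time.time() if now is None else now
    expected = req.nonces.get(identity)
    if expected is None:
        return "unknown-identity"
    if now - req.issued_at > NONCE_TTL_SECONDS:
        return "expired"
    # Constant-time comparison so timing does not reveal how much of the nonce matched.
    if not hmac.compare_digest(expected.encode(), observed.strip().encode()):
        return "mismatch"
    if identity in req.confirmed:
        return "already-confirmed"
    req.confirmed.add(identity)
    return "confirmed"


def ownership_established(req) -> bool:
    """True once enough of the listed identities have been proven."""
    return len(req.confirmed) >= req.required_confirmations


def identities_to_remove(req) -> tuple:
    """Only proven identities are removed, and only once the bar is met."""
    if not ownership_established(req):
        return ()
    return tuple(i for i in req.identities if i in req.confirmed)


if __name__ == "__main__":
    # Constructed walk-through with the stricter two-confirmation variant.
    req = open_request(["@alice@example.social", "alice_example_bird"], required_confirmations=2)
    for ident, nonce in req.nonces.items():
        print(f"ask the petitioner to post {nonce!r} on {ident}")
    # A moderator later pastes what they saw on each identity:
    for ident in req.identities:
        print(ident, record_confirmation(req, ident, req.nonces[ident]))
    print("remove:", identities_to_remove(req))
```

Two design choices worth noting: each identity gets its own nonce, so proving one account never implicitly proves another listed on the same profile, and the nonce is compared with `hmac.compare_digest` rather than `==` so that a moderator-facing web form built on this would not leak match progress through timing.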

wlonk commented 4 years ago

That's a very good point, about two accounts.

kahomono commented 4 years ago

Ya know how easy this would be if we had that Keybase integration... :)

On Fri, Apr 3, 2020 at 3:49 PM Kit La Touche notifications@github.com wrote:

That's a very good point, about two accounts.