Admin Attention Privacy Questions related to Personal Information and Private Messages

dalpat077

What is the policy of these forums insofar as they relate to personal information provided when signing up (in particular email address used to sign up). Have these forums been hacked recently that anybody knows of? Furthermore: is such information covered by privacy laws of some kind? Put another way: is there any way that the forum hosts can be compelled by a government agency (for example) or any other interested party to provide such information?

With regard to PM's: what is the policy insofar as privacy between individuals involved in a private conversation? Are such fair game to Staff, Administrators, and Moderators? Also and at what point are the contents of a private message or private conversation permanently deleted (if ever)? Rumor has it that the contents of a private message or private conversation are only deleted once BOTH parties have left the conversation. Any clarity on this or a correction to said rumor?
 
Have these forums been hacked recently that anybody knows of
I'm not aware of any such instance.

Furthermore: is such information covered by privacy laws of some kind? Put another way: is there any way that the forum hosts can be compelled by a government agency (for example) or any other interested party to provide such information?
Presumably there are ways to force Bluelight to disclose this information, if we were given a warrant for example. It is not something we would ever do voluntarily. I'm not aware of any actual instances of Bluelight being served a warrant for user information.


With regard to PM's: what is the policy insofar as privacy between individuals involved in a private conversation? Are such fair game to Staff, Administrators, and Moderators?
No one except the participants sees a PM conversation, unless one of the participants "Reports" a message, in which case it will be visible to staff.


Rumor has it that the contents of a private message or private conversation are only deleted once BOTH parties have left the conversation.
This is correct. If I have a PM conversation with you and you delete the conversation, I would still have my copy of it.
 
Hi @S.J.B.

Thanks for taking the time and going to the trouble of answering my many questions. All understood.

One last one though (which has always confused me):
This is correct. If I have a PM conversation with you and you delete the conversation, I would still have my copy of it.
Assuming you still have the PM conversation open with both (or many) participants: if you "edit" a PM post that you have posted in a PM conversation then does it (the edit) update ALL of the other conversations for all users on that PM conversation or is the edit limited only to the PM conversation that is viewable only to you yourself?
 
Assuming you still have the PM conversation open with both (or many) participants: if you "edit" a PM post that you have posted in a PM conversation then does it (the edit) update ALL of the other conversations for all users on that PM conversation or is the edit limited only to the PM conversation that is viewable only to you yourself?
It will apply the edit to everyone's copy of the message.
 
Concerning e-mail addresses: You should use a different e-mail address for every website you sign up for. Some email providers will allow you to make temporary addresses that send mail to your main account. You should get in the habit of using throwaway emails or at least having an email address you use for things not tied to your real identity. No matter how well meaning the admins are and how secure the server is, there is always the possibility that someone will access the server and get a copy of the database at some point. To avoid this, use unique emails, passwords, and usernames, and change your password often.

Using unique emails and passwords will mean one compromised account won't compromise all your accounts. Using unique usernames makes it harder to track you across the web.

Furthermore: is such information covered by privacy laws of some kind? Put another way: is there any way that the forum hosts can be compelled by a government agency (for example) or any other interested party to provide such information?

I don't know where BL's server is located but generally all it takes for law enforcement to get this type of information is having a warrant. You don't really have a choice as the owner. You either comply with the warrant or your hosting company drops you. Worst case, the domain name and server are seized if you do not comply with a lawful order. There are precautions a website owner can take like not keeping server logs but that only does so much. Since a lot of warrants have a gag order you aren't legally allowed to announce this type of thing to the users of the website. It's up to you to protect yourself from this. Use a VPN or Tor if you're worried about this and don't post information about yourself like pictures, your real name, your exact location, things of that nature.

With regard to PM's: what is the policy insofar as privacy between individuals involved in a private conversation? Are such fair game to Staff, Administrators, and Moderators? Also and at what point are the contents of a private message or private conversation permanently deleted (if ever)? Rumor has it that the contents of a private message or private conversation are only deleted once BOTH parties have left the conversation. Any clarity on this or a correction to said rumor?

Private messages are stored as plain text in the database. They are fair game to anyone that has access to the database or is given permission to read them through the staff interface for private messages. The staff have a control panel for managing the forum where they have lots of options. One of these options is a tool to search PMs by username. Anyone with permissions to see that page can read every PM in the database.

The intention of that feature is for staff to be able to check if someone is sending spam or abuse through the PM system. Most people I know with access to that information only use it for that purpose but it's totally possible just to browse PMs for fun. If you're worried about this but still want to use PMs to have private conversations with other users you can encrypt your messages. This requires exchanging keys with any user you want to send encrypted messages to off site. You can use PGP to do this: https://en.wikipedia.org/wiki/Pretty_Good_Privacy

I wouldn't bother and would just take any conversation you want to keep private off site. Exchange email addresses with the user you're interested in sending encrypted messages to and use PGP.

I can't remember if messages are deleted from the database if both parties delete their copies. You should assume they aren't because this can always be disabled if the admins really want to. In older versions of the software used here both parties had their own copies of messages IIRC. The new PM system works more like threads so I believe only one copy of each message is stored in the database.
 
I don't know for sure but I don't think the police care about us. Now if you were bragging you were the biggest fentanyl importer to the UK or that you killed or was going to kill people, probably.
 
Private messages are stored as plain text in the database. They are fair game to anyone that has access to the database or is given permission to read them through the staff interface for private messages. The staff have a control panel for managing the forum where they have lots of options. One of these options is a tool to search PMs by username. Anyone with permissions to see that page can read every PM in the database.

The intention of that feature is for staff to be able to check if someone is sending spam or abuse through the PM system. Most people I know with access to that information only use it for that purpose but it's totally possible just to browse PMs for fun.


Just to clarify this bit as it relates to Bluelight and how we operate. There are damn few with access to the server or database. At times we've had as many as 2-4 hands in the server, these days there is me+our_host+a_contractor(when needed), nobody else on staff (or off staff for that matter). As for a 'staff interface for private messages', there is a control panel but it does not have access to PMs. Perhaps there is an add-on for that, but in all our history, the stance has been to respect people's privacy. Therefore PMs are never read by staff unless we are included in on them. Alternatively, if you find something in a PM that DOES require staff attention, you have the REPORT function available to flag it for us and we can contact you to sort out the details. But, as a general rule, nobody has ever browsed 'PMs for fun'.
 
Just to clarify this bit as it relates to Bluelight and how we operate. There are damn few with access to the server or database. At times we've had as many as 2-4 hands in the server, these days there is me+our_host+a_contractor(when needed), nobody else on staff (or off staff for that matter). As for a 'staff interface for private messages', there is a control panel but it does not have access to PMs. Perhaps there is an add-on for that, but in all our history, the stance has been to respect people's privacy. Therefore PMs are never read by staff unless we are included in on them. Alternatively, if you find something in a PM that DOES require staff attention, you have the REPORT function available to flag it for us and we can contact you to sort out the details. But, as a general rule, nobody has ever browsed 'PMs for fun'.

Wasn't implying you did, just making people aware that it's possible and they should operate under the assumption anything in a PM can be read. The danger isn't so much the staff, it's a bad actor getting access somehow. There are websites where staff reading PMs is commonplace but typically when the news comes out (if it ever does) it creates a scandal. The PM control panel was an add-on in the old days but I think it got baked in as a standard feature at some point. I might be wrong and thinking of another software that does it by default.

In the forums I ran we always had it in case we had to deal with a reported PM and restricted access to it to one or two people. I got paranoid after someone used the PM system to send mass spam and creepy users harassing female users via PMs. I used to go so far as hardcoding a list of userids that could see it so people wouldn't obtain access by flipping permission switches. Sounds like you do the same. The less cooks in the kitchen the better.
 
Honestly if you really truly want to ensure your conversations are private, either use PGP, or even better, don't have them on Bluelight (but also still use PGP).

I'd say the odds of someone on staff reading your PMs through the database are pretty much zero, but yeah there's always the risk of a law enforcement warrant. So if that's something you're worried about, use encryption and please kindly have the conversation somewhere else.

But if all you're worried about is someone learning private non illegal stuff, I certainly wouldn't worry.
 
I can imagine all the mods going through my posts, private messages, personal computer and even inside my mind in order to find more pictures/information about my penis.

You're joking but that's what the Feds are doing on a daily basis. Imagine all the dick pics they've collected over the years.

It's still only via an add-on (the same one), which we don't have.

Maybe it's IPB that made it a standard feature. Hard to keep up.
 
As for the rest i.e. privacy and encryption etc. and the rest? Having been in IT for many years and even having written software to encode database details for one or two clients during said period of my IT career: I don't trust ANY of this shit. The technology available to some of these agencies, probably most of which we've never even heard of or know about, will allow access to ANYTHING if they want it badly enough. In my case: knowing the encryption algorithm that I was using inside and out I could STILL access the data while not knowing their own chosen encryption keys (I know this because it was put to the test as a database had become corrupt and I had to restore it and then re-encrypt the contents to make it usable to the client again). Fair enough: it was a LONG time ago and there's been many advances made (exponentially) over the years in all things IT including encryption strength and methods. But still: don't have much faith in it.

Smart man. Anyone with an IT background knows nothing to do with computers and the internet should be trusted. They have back doors from the factory in every computer, smart phone, and electronic device. Modern CPUs have an OS running above ring 0 that you can't modify, turn off, or audit. Smartphones have the baseband chip. Any device can be accessed remotely over the networks/internet any time they want. All data going over the backbones is cached and stored in large Government owned data centers forever. The encryption doesn't even matter to the NSA. If they want the keys you're using they can just grab them from your own machines. There are rumors about them having computers that can break all known encryption anyway. Even if they can't grab your keys like that all they have to do is arrest you, seize your equipment, and hit you with a wrench until you give them what they want. If you manage to resist they'll just hold you in a cell for years and keep pushing the court date back. We really got fucked when they passed the Patriot Act.

Encryption is mainly useful for keeping everyone but the NSA from seeing what you're doing. Old equipment doesn't really help you because they have known exploits for all of it. I could go on for hours about this stuff but I'll spare anyone lurking my rants on the subject.
 