I had a law firm trying to sign up to advertise the other day, that was a weird one
Look, I'm not necessarily proposing that we dump all marketers on one desert island with a surfeit of melee weapons and a deficit of food, but I'm not necessarily opposed to the idea either.
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
I do think that people need to come to terms with the fact that Coin Return is still a quasi-public space. There is no amount of protection that can be afforded that would make it possible for them to post any private information and not expect it to essentially become public. This is something that should probably be explicitly stated in some kind of membership agreement when folks sign up, too.
I share bits about my personal life, and I'm sure that with enough work and intent someone can probably piece together something that would serve as a decent summary of who I am as a person, perhaps even to the extent that they could, in theory, identify who I am if they spent enough time and money. If I wasn't comfortable with that idea then I wouldn't be sharing that information in the first place. If you care about your privacy then the only true solution is to not share something you aren't willing to have public - this includes linking to other accounts outside of CR which might themselves have identifying information.
This is generally true and I agree. The responsibility lies on each and every user to practice good information hygiene. Anything posted to any part of this forum can be seen (and hypothetically copied and disseminated) by complete strangers.
That said, I think there is a difference in degree if not in principle between the "public" forums, and the private (members-only) ones.
If somebody nefarious wants access to the members-only forums, they can sign up, wait through the probationary period, and then start scraping and grab a subset of data before we catch them. But Google, Bing, archive.org, etc. aren't going to do that.
It's the difference between
Strangers could see this and disseminate it (with moderate effort).
vs
The ubiquitous background processes of the Internet will see this and disseminate it automatically.
(But like you say, we can't guarantee complete privacy even in the members-only forums and I'm starting to wonder if we should rename 'private' to 'members only' to reflect that.)
every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.
We really shouldn't conflate New Member restrictions with bot restrictions. My understanding is that we're reasonably confident in our ability to keep out spam bots and scrapers altogether. So it seems very counterproductive to hide the art forums from new members who might be artists themselves, and force them to talk about video games for a while or whatever to prove they're normal. What if the art forum was the thing that would have gotten them to join?
Your questions and concerns here are valid. I have similar thoughts about the art forum specifically. But I'm not an artist, so I defer to people who are.
The point I want to make here is that bot protection and new member restrictions, while technically separate, do have some overlap. It's much easier to whackamole bots and scrapers when they're required to sign up for an account; whereas if they aren't and they remain anonymous it's pretty easy for them to circumvent (for example) IP bans.
So you're right, that while we shouldn't conflate the two topics and they aren't strictly equivalent, they aren't fully distinct either and they are related to each other.
I might not be communicating clearly what I'm proposing here. We should have a private forum category that hides it from anonymous users (no account created or not logged in). That would include search crawlers and AI art scrapers - they won't have access to private spaces like the art forum.
The point in contention here is what happens when an account is created and approved by mods, making it past our first line of defense against bots and spammers. At this point they are New Members, and we believe them to be humans who actually want to participate - we aren't likely to see a huge volume of these users. They might still have shitty political opinions, granted, we don't know them yet. But the core question is whether they should now be able to see the art forum etc, or if they have to first pass the criteria to become full voting members.
My argument is that they should be able to see the private forums at this point, and that we should offer them the benefit of the doubt and welcome them in. The benefits of doing this significantly outweigh the risks for the community overall IMO.
We really shouldn't conflate New Member restrictions with bot restrictions. My understanding is that we're reasonably confident in our ability to keep out spam bots and scrapers altogether. So it seems very counterproductive to hide the art forums from new members who might be artists themselves, and force them to talk about video games for a while or whatever to prove they're normal. What if the art forum was the thing that would have gotten them to join?
Your questions and concerns here are valid. I have similar thoughts about the art forum specifically. But I'm not an artist, so I defer to people who are.
The point I want to make here is that bot protection and new member restrictions, while technically separate, do have some overlap. It's much easier to whackamole bots and scrapers when they're required to sign up for an account; whereas if they aren't and they remain anonymous it's pretty easy for them to circumvent (for example) IP bans.
So you're right, that while we shouldn't conflate the two topics and they aren't strictly equivalent, they aren't fully distinct either and they are related to each other.
I might not be communicating clearly what I'm proposing here. We should have a private forum category that hides it from anonymous users (no account created or not logged in). That would include search crawlers and AI art scrapers - they won't have access to private spaces like the art forum.
The point in contention here is what happens when an account is created and approved by mods, making it past our first line of defense against bots and spammers. At this point they are New Members, and we believe them to be humans who actually want to participate - we aren't likely to see a huge volume of these users. They might still have shitty political opinions, granted, we don't know them yet. But the core question is whether they should now be able to see the art forum etc, or if they have to first pass the criteria to become full voting members.
My argument is that they should be able to see the private forums at this point, and that we should offer them the benefit of the doubt and welcome them in. The benefits of doing this significantly outweigh the risks for the community overall IMO.
This does not seem to address the legal requirement that we cannot be incorporated the way that CoRe is without having a barrier of entry that means we are not open to the public.
Perhaps I misread an earlier post, but it seems to be that your argument on that point is "I don't think it matters." Please correct me if I'm misunderstanding or mistakenly misattributing you. If not though, knowledgeable people with expertise in this exact area say it does matter and is important, so what else do you have to offer to override that? Because I'm inclined to trust them on this point since I'm not a lawyer and don't often deal with public policy or tax law and corporations.
We really shouldn't conflate New Member restrictions with bot restrictions. My understanding is that we're reasonably confident in our ability to keep out spam bots and scrapers altogether. So it seems very counterproductive to hide the art forums from new members who might be artists themselves, and force them to talk about video games for a while or whatever to prove they're normal. What if the art forum was the thing that would have gotten them to join?
Your questions and concerns here are valid. I have similar thoughts about the art forum specifically. But I'm not an artist, so I defer to people who are.
The point I want to make here is that bot protection and new member restrictions, while technically separate, do have some overlap. It's much easier to whackamole bots and scrapers when they're required to sign up for an account; whereas if they aren't and they remain anonymous it's pretty easy for them to circumvent (for example) IP bans.
So you're right, that while we shouldn't conflate the two topics and they aren't strictly equivalent, they aren't fully distinct either and they are related to each other.
I might not be communicating clearly what I'm proposing here. We should have a private forum category that hides it from anonymous users (no account created or not logged in). That would include search crawlers and AI art scrapers - they won't have access to private spaces like the art forum.
The point in contention here is what happens when an account is created and approved by mods, making it past our first line of defense against bots and spammers. At this point they are New Members, and we believe them to be humans who actually want to participate - we aren't likely to see a huge volume of these users. They might still have shitty political opinions, granted, we don't know them yet. But the core question is whether they should now be able to see the art forum etc, or if they have to first pass the criteria to become full voting members.
My argument is that they should be able to see the private forums at this point, and that we should offer them the benefit of the doubt and welcome them in. The benefits of doing this significantly outweigh the risks for the community overall IMO.
This does not seem to address the legal requirement that we cannot be incorporated the way that CoRe is without having a barrier of entry that means we are not open to the public.
Perhaps I misread an earlier post, but it seems to be that your argument on that point is "I don't think it matters." Please correct me if I'm misunderstanding or mistakenly misattributing you. If not though, knowledgeable people with expertise in this exact area say it does matter and is important, so what else do you have to offer to override that? Because I'm inclined to trust them on this point since I'm not a lawyer and don't often deal with public policy or tax law and corporations.
I'm not a lawyer so I don't claim to know anything about how those rules work, I'll defer to our TT experts on that. But it seems to be somewhat negotiable because we do have a bunch of forums that are fully public. So if we can satisfy this legal requirement by having just a couple members-only forums, can we satisfy it by having just one? If so I would choose Politics as the one that's most sensitive. I'd also like to know if there have been any other explorations around solving this that would have fewer side effects than limiting visibility of subforums.
We really shouldn't conflate New Member restrictions with bot restrictions. My understanding is that we're reasonably confident in our ability to keep out spam bots and scrapers altogether. So it seems very counterproductive to hide the art forums from new members who might be artists themselves, and force them to talk about video games for a while or whatever to prove they're normal. What if the art forum was the thing that would have gotten them to join?
Your questions and concerns here are valid. I have similar thoughts about the art forum specifically. But I'm not an artist, so I defer to people who are.
The point I want to make here is that bot protection and new member restrictions, while technically separate, do have some overlap. It's much easier to whackamole bots and scrapers when they're required to sign up for an account; whereas if they aren't and they remain anonymous it's pretty easy for them to circumvent (for example) IP bans.
So you're right, that while we shouldn't conflate the two topics and they aren't strictly equivalent, they aren't fully distinct either and they are related to each other.
I might not be communicating clearly what I'm proposing here. We should have a private forum category that hides it from anonymous users (no account created or not logged in). That would include search crawlers and AI art scrapers - they won't have access to private spaces like the art forum.
The point in contention here is what happens when an account is created and approved by mods, making it past our first line of defense against bots and spammers. At this point they are New Members, and we believe them to be humans who actually want to participate - we aren't likely to see a huge volume of these users. They might still have shitty political opinions, granted, we don't know them yet. But the core question is whether they should now be able to see the art forum etc, or if they have to first pass the criteria to become full voting members.
My argument is that they should be able to see the private forums at this point, and that we should offer them the benefit of the doubt and welcome them in. The benefits of doing this significantly outweigh the risks for the community overall IMO.
This does not seem to address the legal requirement that we cannot be incorporated the way that CoRe is without having a barrier of entry that means we are not open to the public.
Perhaps I misread an earlier post, but it seems to be that your argument on that point is "I don't think it matters." Please correct me if I'm misunderstanding or mistakenly misattributing you. If not though, knowledgeable people with expertise in this exact area say it does matter and is important, so what else do you have to offer to override that? Because I'm inclined to trust them on this point since I'm not a lawyer and don't often deal with public policy or tax law and corporations.
I'm not a lawyer so I don't claim to know anything about how those rules work, I'll defer to our TT experts on that. But it seems to be somewhat negotiable because we do have a bunch of forums that are fully public. So if we can satisfy this legal requirement by having just a couple members-only forums, can we satisfy it by having just one? If so I would choose Politics as the one that's most sensitive. I'd also like to know if there have been any other explorations around solving this that would have fewer side effects than limiting visibility of subforums.
It's not just a legal requirement. I'm going to ask again: have you looked around at the world and the Internet as it is today? Do you see how those have changed in the last 10, 15, 20 years? Can you try to understand why some people might not want everything they say, or create, or reveal to trusted members of this community, to be freely available to the general public?
+2
FishmanPut your goddamned hand in the goddamned Box of Pain.Registered Userregular
We really shouldn't conflate New Member restrictions with bot restrictions. My understanding is that we're reasonably confident in our ability to keep out spam bots and scrapers altogether. So it seems very counterproductive to hide the art forums from new members who might be artists themselves, and force them to talk about video games for a while or whatever to prove they're normal. What if the art forum was the thing that would have gotten them to join?
Your questions and concerns here are valid. I have similar thoughts about the art forum specifically. But I'm not an artist, so I defer to people who are.
The point I want to make here is that bot protection and new member restrictions, while technically separate, do have some overlap. It's much easier to whackamole bots and scrapers when they're required to sign up for an account; whereas if they aren't and they remain anonymous it's pretty easy for them to circumvent (for example) IP bans.
So you're right, that while we shouldn't conflate the two topics and they aren't strictly equivalent, they aren't fully distinct either and they are related to each other.
I might not be communicating clearly what I'm proposing here. We should have a private forum category that hides it from anonymous users (no account created or not logged in). That would include search crawlers and AI art scrapers - they won't have access to private spaces like the art forum.
The point in contention here is what happens when an account is created and approved by mods, making it past our first line of defense against bots and spammers. At this point they are New Members, and we believe them to be humans who actually want to participate - we aren't likely to see a huge volume of these users. They might still have shitty political opinions, granted, we don't know them yet. But the core question is whether they should now be able to see the art forum etc, or if they have to first pass the criteria to become full voting members.
My argument is that they should be able to see the private forums at this point, and that we should offer them the benefit of the doubt and welcome them in. The benefits of doing this significantly outweigh the risks for the community overall IMO.
This does not seem to address the legal requirement that we cannot be incorporated the way that CoRe is without having a barrier of entry that means we are not open to the public.
Perhaps I misread an earlier post, but it seems to be that your argument on that point is "I don't think it matters." Please correct me if I'm misunderstanding or mistakenly misattributing you. If not though, knowledgeable people with expertise in this exact area say it does matter and is important, so what else do you have to offer to override that? Because I'm inclined to trust them on this point since I'm not a lawyer and don't often deal with public policy or tax law and corporations.
I'm not a lawyer so I don't claim to know anything about how those rules work, I'll defer to our TT experts on that. But it seems to be somewhat negotiable because we do have a bunch of forums that are fully public. So if we can satisfy this legal requirement by having just a couple members-only forums, can we satisfy it by having just one? If so I would choose Politics as the one that's most sensitive. I'd also like to know if there have been any other explorations around solving this that would have fewer side effects than limiting visibility of subforums.
I disagree that politics is the most sensitive, given that we specifically highlighted the risk to our vulnerable members just talking about their lives in chat and the highest personal security risks mostly occur there.
We really shouldn't conflate New Member restrictions with bot restrictions. My understanding is that we're reasonably confident in our ability to keep out spam bots and scrapers altogether. So it seems very counterproductive to hide the art forums from new members who might be artists themselves, and force them to talk about video games for a while or whatever to prove they're normal. What if the art forum was the thing that would have gotten them to join?
Your questions and concerns here are valid. I have similar thoughts about the art forum specifically. But I'm not an artist, so I defer to people who are.
The point I want to make here is that bot protection and new member restrictions, while technically separate, do have some overlap. It's much easier to whackamole bots and scrapers when they're required to sign up for an account; whereas if they aren't and they remain anonymous it's pretty easy for them to circumvent (for example) IP bans.
So you're right, that while we shouldn't conflate the two topics and they aren't strictly equivalent, they aren't fully distinct either and they are related to each other.
I might not be communicating clearly what I'm proposing here. We should have a private forum category that hides it from anonymous users (no account created or not logged in). That would include search crawlers and AI art scrapers - they won't have access to private spaces like the art forum.
The point in contention here is what happens when an account is created and approved by mods, making it past our first line of defense against bots and spammers. At this point they are New Members, and we believe them to be humans who actually want to participate - we aren't likely to see a huge volume of these users. They might still have shitty political opinions, granted, we don't know them yet. But the core question is whether they should now be able to see the art forum etc, or if they have to first pass the criteria to become full voting members.
My argument is that they should be able to see the private forums at this point, and that we should offer them the benefit of the doubt and welcome them in. The benefits of doing this significantly outweigh the risks for the community overall IMO.
This does not seem to address the legal requirement that we cannot be incorporated the way that CoRe is without having a barrier of entry that means we are not open to the public.
Perhaps I misread an earlier post, but it seems to be that your argument on that point is "I don't think it matters." Please correct me if I'm misunderstanding or mistakenly misattributing you. If not though, knowledgeable people with expertise in this exact area say it does matter and is important, so what else do you have to offer to override that? Because I'm inclined to trust them on this point since I'm not a lawyer and don't often deal with public policy or tax law and corporations.
I'm not a lawyer so I don't claim to know anything about how those rules work, I'll defer to our TT experts on that. But it seems to be somewhat negotiable because we do have a bunch of forums that are fully public. So if we can satisfy this legal requirement by having just a couple members-only forums, can we satisfy it by having just one? If so I would choose Politics as the one that's most sensitive. I'd also like to know if there have been any other explorations around solving this that would have fewer side effects than limiting visibility of subforums.
To be honest: we're not sure. That said, it's easiest to only have "non member" and "member" and just have member be all-encompassing for things like private viewing or voting.
I had a law firm trying to sign up to advertise the other day, that was a weird one
My favorite spammer signup remains a military academy trying to do so.
Oh my god why didn't y'all let them through?!
They did get through! This was back before we locked down user signups to manual approval only and it slipped in in the daily flood of new accounts that just signed up to drop their corporate logo as a userpic and their link in their bio. I was catching 5-20 of those daily for awhile in the summer and fall.
Most of them never got so far as verifying their email, much less actually posting.
0
smof[Growling historic on the fury road]Registered Userregular
I feel like "20 posts or lurking for 20 days" is such a trivial requirement that I don't really understand the big deal about it. If someone wants to be part of this community then posting or hanging out in it is what they presumably want to do anyway. Like I am trying to imagine a person who can see us talking about movies, games, music, sport, etc and think "I don't want to be part of this community", but as soon as they see us talking about art and politics they're all in.
I don't know if this will contribute anything, but just to use as an example.
I had to go digging through 10 years worth of posts to find something I wanted to preserve in the Coin Return Museum. Over the course of 3 days, I found out more than I ever wanted to about individual PA posters. These were posts scattered over all sorts of threads, most of them not even particularly sensitive, but they were there, readable, and allowed me to put together a fairly complete picture of people, where they were, who they were, what they looked like (cause, you know, there are threads where people post pictures of themselves), and much, much more. I'm very happy all of that is getting the big ol heave ho (or, at least I hope PA Corp just deletes everything after we leave, instead of keeping it around perpetually).
Given the current socio-political climate? I personally would want only G&T, and even then probably only the "G" part of G&T, to be viewable to New Members prior to further gatekeeping.
0
Inquisitor772 x Penny Arcade Fight Club ChampionA fixed point in space and timeRegistered Userregular
I do think that people need to come to terms with the fact that Coin Return is still a quasi-public space. There is no amount of protection that can be afforded that would make it possible for them to post any private information and not expect it to essentially become public. This is something that should probably be explicitly stated in some kind of membership agreement when folks sign up, too.
I share bits about my personal life, and I'm sure that with enough work and intent someone can probably piece together something that would serve as a decent summary of who I am as a person, perhaps even to the extent that they could, in theory, identify who I am if they spent enough time and money. If I wasn't comfortable with that idea then I wouldn't be sharing that information in the first place. If you care about your privacy then the only true solution is to not share something you aren't willing to have public - this includes linking to other accounts outside of CR which might themselves have identifying information.
This is generally true and I agree. The responsibility lies on each and every user to practice good information hygiene. Anything posted to any part of this forum can be seen (and hypothetically copied and disseminated) by complete strangers.
That said, I think there is a difference in degree if not in principle between the "public" forums, and the private (members-only) ones.
If somebody nefarious wants access to the members-only forums, they can sign up, wait through the probationary period, and then start scraping and grab a subset of data before we catch them. But Google, Bing, archive.org, etc. aren't going to do that.
It's the difference between
Strangers could see this and disseminate it (with moderate effort).
vs
The ubiquitous background processes of the Internet will see this and disseminate it automatically.
(But like you say, we can't guarantee complete privacy even in the members-only forums and I'm starting to wonder if we should rename 'private' to 'members only' to reflect that.)
I think relabeling "Private Forums" as "Members-Only Forums" makes a lot of sense as it sets the appropriate context overall, not just in relation to any private information posted but also in terms of the broader forums.
This isn't to say that any expectation of privacy is moot - it's more to just set a realistic outline to the conversation at hand. We can certainly do things to make it more challenging for bots to scrape content, for example. But based on the parameters we've been provided in terms of legal groundwork, sustainability, etc. I think we would be hard-pressed to justify having onerous policies in place for new members in the hopes of preventing privacy breaches.
If anything, like with many crimes, the risk of being identified comes more from the folks who know you than not, particularly given the history of the forums and the kind of behaviors people engage in when they get real mad at each other.
+1
Led ZepherinRussian warship, go fuck yourselfRegistered Userregular
I have a question. I understand logging things like IP addresses and MAC addresses and various other identifiable information for security purposes.
The flip side of that is, all of that information is able to be subpoenaed. Has there been any consideration of not logging this information… So that if there is a subpoena that comes from a hostile party/government/etc. The answer is we don’t keep that information.
Is that technically possible? Or is it something the host keeps and we don’t have a choice.
Probably the best you can do is to make sure it's heavily encrypted and know a good lawyer, who is willing to help you drag things out in court to shutdown bad faith attempts (aka a lawyer that is either willing to do it completely pro bono or only charges once the subpoena is successfully fought off and the offending party is successfully sued for punitive damage).
Again though, this goes back to don't do things that draw legitimize attention to the forum by a government. It's not just don't post shit that is illegal, but also don't go do illegal shit elsewhere online, while making it very clear that you're a member here. It's a much harder for the government to demand certain identifiable information if they can point to any offending content or go "but so-and-so was very vocal about being a member on CoRE and we're going to use that as an excuse to demand all user IP and MAC addresses because they likely tried recruiting from that board."
Edit: On the encryption, by strong I mean something that will both take a really long time to brute force and also can't be easily bypassed by a government going to CoRe's webhost and asking for all that information and the means to easily decrypt it without the knowledge of the board.
ChanusHarbinger of the Spicy Rooster ApocalypseThe Flames of a Thousand Collapsed StarsRegistered User, Moderatormod
arguably our number one tool for keeping out bad actors has been the ability to view their IP address when they attempt to sign up
i don't know how you maintain functional security without being able to do that
Allegedly a voice of reason.
+15
Inquisitor772 x Penny Arcade Fight Club ChampionA fixed point in space and timeRegistered Userregular
There is no practical solution to that problem, especially not for an organization like Coin Return. I'm talking more broadly about not being traceable, rather than IP addresses specifically. The second you go to a website, unless you are taking steps like using a VPN, you are traceable. This is very similar to the discussion around the PA forum content and GDPR - if you wanted privacy, that ship set sail the second you hit Post Comment.
See also: the email address you use to create your account, the browser you use to navigate the internet, etc.
If the government is bothering to present Coin Return with warrants and subpoenas then I think would be a sign of larger issues at play, issues that cannot be accounted for by any amount of workshopping community guidelines.
Even if Coin Return wasn't intended to be open and partially visible to the public, the very nature of how internet forums operate require some amount of digital footprint to exist.
If someone cares about obfuscating that digital footprint, most of the means to do so necessarily need to be performed on the individual user's end.
Can tell you right now on other forums and sites I help run, it's entirely pointless for us to care about IP addresses anymore what with everyone being on carrier-level NAT and constantly changing IPs anyway due to cellphones and VPNs. We ban via entire subnets as it is when we do ban by IP, otherwise bans are by username. Trying to ban or track specific IPs is like chasing ghosts in 2025. It's been like that for a very long time. We just looped around to people re-rolling addresses by signing out of AOL and signing back in, lol
It's very possible to run a script that wipes IP addresses of accounts that haven't logged in after say, 90 days. Reddit does it. If an account is in good standing and they haven't posted in 3 months, there isn't really an use for hanging onto the information.
Can tell you right now on other forums and sites I help run, it's entirely pointless for us to care about IP addresses anymore what with everyone being on carrier-level NAT and constantly changing IPs anyway due to cellphones and VPNs. We ban via entire subnets as it is when we do ban by IP, otherwise bans are by username. Trying to ban or track specific IPs is like chasing ghosts in 2025. It's been like that for a very long time. We just looped around to people re-rolling addresses by signing out of AOL and signing back in, lol
It's very possible to run a script that wipes IP addresses of accounts that haven't logged in after say, 90 days. Reddit does it. If an account is in good standing and they haven't posted in 3 months, there isn't really an use for hanging onto the information.
this is not remotely my area of expertise so forgive me if it's a stupid question
but if that's all the case, then isn't it uniquely fruitless to try and hunt someone down by their IP address online? Isn't the same thing that makes it unhelpful for banning people also making it uhelpful for identifying people?
Can tell you right now on other forums and sites I help run, it's entirely pointless for us to care about IP addresses anymore what with everyone being on carrier-level NAT and constantly changing IPs anyway due to cellphones and VPNs. We ban via entire subnets as it is when we do ban by IP, otherwise bans are by username. Trying to ban or track specific IPs is like chasing ghosts in 2025. It's been like that for a very long time. We just looped around to people re-rolling addresses by signing out of AOL and signing back in, lol
It's very possible to run a script that wipes IP addresses of accounts that haven't logged in after say, 90 days. Reddit does it. If an account is in good standing and they haven't posted in 3 months, there isn't really an use for hanging onto the information.
this is not remotely my area of expertise so forgive me if it's a stupid question
but if that's all the case, then isn't it uniquely fruitless to try and hunt someone down by their IP address online? Isn't the same thing that makes it unhelpful for banning people also making it uhelpful for identifying people?
barring having made it unhelpful intentionally, it's not the same thing because in theory someone with subpoena powers can correlate data. that is: a post was made by a user with IP address A at a certain time; that address belongs to ISP B; ISP B can confirm that IP address A was handed out at the given time to real person C. again, this is assuming no intentional obfuscation has been performed.
the difference for the forums is there is only access to a part of the data chain: there's no way to 100% definitively tie the users with an IP address to real person C. now, for a community of this size...you may be able to draw some inferences based on the data...so it's not pointless to have it, but I'd argue it has a very limited shelf life of usefulness.
Also, there’s a difference in goals and priorities.
Someone who is intentionally being a fuckmuppet has a vested interest in finding ways to avoid or circumvent anti-fuckmuppetry tools and techniques.
Someone who is just living their lives and doesn’t feel the need to use a vpn and other things that can obfuscate making some of those connections harder.
Basically, most people probably don’t even think about it, and the ones that do likely have a higher correlation with those we’d rather fucked off.
Obvious caveat, no, I’m not saying having a vpn is a sign one is a troll or asshole, simply that assholes and trolls are more likely to be familiar with such things by necessity.
First they came for the Muslims, and we said NOT TODAY, MOTHERFUCKER!
Hard disagree with with any implication that privacy tools should cast a shadow. We should be encouraging more people to know how to increase their anonymity online.
The discussion of security practices around scrubbing / encrypting IP information and what CoRe can do to keep that from a government subpoena seems to miss that we're going with a hosted solution.
So regardless of what barriers our technical admin and board try to put in place to keep that information confidential, if the FBI / Secret Service / whomever show up at Xenforo's door with a subpoena or warrant Xenforo is going to give them whatever CoRe information the subpoena says to turn over. Be it IP addresses, registration email addresses, private messages, etc.
Basically if you have any digital footprint at all you should never assume anonymity from government entities. There are practices that can make it difficult for authorities to determine identities but none of them are really practical for a semi-public hosted web forum.
Hard disagree with with any implication that privacy tools should cast a shadow. We should be encouraging more people to know how to increase their anonymity online.
Yeah, also VPNs are advertised in the most boring topic Youtube videos and a free one is even built into various browsers and Proton offers one for free. They long ago ceased to be a specialty tool.
Hard disagree with with any implication that privacy tools should cast a shadow. We should be encouraging more people to know how to increase their anonymity online.
Yeah, also VPNs are advertised in the most boring topic Youtube videos and a free one is even built into various browsers and Proton offers one for free. They long ago ceased to be a specialty tool.
Which reminds me of today's sponsor..
You should tell that to every captcha that ones me to ID 18 rounds of crosswalks and stairs and motorcycles before telling me I’ve made too many requests
I’m assuming people are responding to me without quoting me, and I was very clear to state that I wasn’t accusing people of good cyber security practices as trolls and ban evaders.
Simply that some of the (perhaps old school) tools to lock out malcontents are becoming ever less useful, precisely because vpns are so commonplace. It’s not that having one is bad or sus, but that we’ve now quite thoroughly established that simply ip banning something is unlikely to be sufficient if they’re the least bit determined.
First they came for the Muslims, and we said NOT TODAY, MOTHERFUCKER!
Hard disagree with with any implication that privacy tools should cast a shadow. We should be encouraging more people to know how to increase their anonymity online.
Yeah, also VPNs are advertised in the most boring topic Youtube videos and a free one is even built into various browsers and Proton offers one for free. They long ago ceased to be a specialty tool.
Which reminds me of today's sponsor..
You should tell that to every captcha that ones me to ID 18 rounds of crosswalks and stairs and motorcycles before telling me I’ve made too many requests
I feel like that's more of a problem of cloudflare being shit.
I would download a car.
+1
QuetziHere we may reign secure, and in my choice,To reign is worth ambition though in HellRegistered User, Moderatormod
I’m assuming people are responding to me without quoting me, and I was very clear to state that I wasn’t accusing people of good cyber security practices as trolls and ban evaders.
Simply that some of the (perhaps old school) tools to lock out malcontents are becoming ever less useful, precisely because vpns are so commonplace. It’s not that having one is bad or sus, but that we’ve now quite thoroughly established that simply ip banning something is unlikely to be sufficient if they’re the least bit determined.
Sure, but that's a lot of security measures, all told. It doesn't mean that they don't work, just that they're not foolproof. IP bans have the easy capacity to slow down or discourage some of our trolls, there are still places where it is sufficient. Anyone on here could set up a VPN these days, but might not have it ready to go in the moment they want to make an alt, and that can be enough.
The discussion of security practices around scrubbing / encrypting IP information and what CoRe can do to keep that from a government subpoena seems to miss that we're going with a hosted solution.
So regardless of what barriers our technical admin and board try to put in place to keep that information confidential, if the FBI / Secret Service / whomever show up at Xenforo's door with a subpoena or warrant Xenforo is going to give them whatever CoRe information the subpoena says to turn over. Be it IP addresses, registration email addresses, private messages, etc.
Basically if you have any digital footprint at all you should never assume anonymity from government entities. There are practices that can make it difficult for authorities to determine identities but none of them are really practical for a semi-public hosted web forum.
Pretty much, your first focus should be securing against bad private actors first. So if you can, you want to see if you can encrypt things in a way where an asshole can't just rely on getting Xenforo to comply with their request for whatever reason. Not sure how feasible that is, I mean yes, they are hosting it, but pretty sure you can have encryption they don't have the keys to.
For a shitty government, like a case of the US going even shittier, then best you can do is just making things obnoxious enough that it'll be less tempting for them to go after you as a funcies thing, while also making sure people are doing illegal activities here or being allowed to continue associating with the site, if receipts show up of them doing certain activities off site. Obviously within reason, I know the shithead Christian Nationalists of the GOP are trying to make LGBTQ+ stuff illegal and if they ever succeed, the boards response should be that the right can go eat shit.
Is there going to be a relaxation of the new member / member restrictions for a while at launch? We're all going to be "new" on the forums.
Anyone who migrates their account from PA to CoRe automatically becomes a full Member.
There's no point migrating since we're tossing our posts anyway. May as well start fresh.
Well, if you want to retain any of your PA info (username, join date, post count, status as a full Member), you migrate.
If you want to register a brand new name, you’re free to join up as a totally fresh account. Or you migrate to keep those benefits, but then just change your username.
I don't want to bring any of that. I could care less about stickers and post counts.
We're not moving the forums, we're making a new one.
It would be cool if I could still have an equal say as part of the new community.
Well, again, the easiest way is to just claim your PA username and you don’t have to carry over any of that other stuff. You’re free to change your username anytime you want, even immediately before or after the move.
There’s will be a manual approval/transfer process as well as a backstop, but I’d prefer to leave that for folks who have actual unavoidable technical issues with the registration process so that Delz doesn’t have to spend 2 weeks straight manually approving PA legacy users.
It doesn't look like you can change your username after you move. There is a one month delay that starts ticking after you sign up.
I was hoping to make a clean break between the forums, but I ended up having to register and transfer in order to participate in voting.
I would download a car.
0
minor incidentpublicly subsidized!privately profitable!Registered User, Transition Teamregular
Is there going to be a relaxation of the new member / member restrictions for a while at launch? We're all going to be "new" on the forums.
Anyone who migrates their account from PA to CoRe automatically becomes a full Member.
There's no point migrating since we're tossing our posts anyway. May as well start fresh.
Well, if you want to retain any of your PA info (username, join date, post count, status as a full Member), you migrate.
If you want to register a brand new name, you’re free to join up as a totally fresh account. Or you migrate to keep those benefits, but then just change your username.
I don't want to bring any of that. I could care less about stickers and post counts.
We're not moving the forums, we're making a new one.
It would be cool if I could still have an equal say as part of the new community.
Well, again, the easiest way is to just claim your PA username and you don’t have to carry over any of that other stuff. You’re free to change your username anytime you want, even immediately before or after the move.
There’s will be a manual approval/transfer process as well as a backstop, but I’d prefer to leave that for folks who have actual unavoidable technical issues with the registration process so that Delz doesn’t have to spend 2 weeks straight manually approving PA legacy users.
It doesn't look like you can change your username after you move. There is a one month delay that starts ticking after you sign up.
I was hoping to make a clean break between the forums, but I ended up having to register and transfer in order to participate in voting.
Hm, you know, I don't think we even realized the one month timer kicks in on sign up. Give us a bit, we'll try to work something out on that.
Hell, New Jersey, it said on the letter. Delivered without comment. So be it!
Is there going to be a relaxation of the new member / member restrictions for a while at launch? We're all going to be "new" on the forums.
Anyone who migrates their account from PA to CoRe automatically becomes a full Member.
There's no point migrating since we're tossing our posts anyway. May as well start fresh.
Well, if you want to retain any of your PA info (username, join date, post count, status as a full Member), you migrate.
If you want to register a brand new name, you’re free to join up as a totally fresh account. Or you migrate to keep those benefits, but then just change your username.
I don't want to bring any of that. I could care less about stickers and post counts.
We're not moving the forums, we're making a new one.
It would be cool if I could still have an equal say as part of the new community.
Well, again, the easiest way is to just claim your PA username and you don’t have to carry over any of that other stuff. You’re free to change your username anytime you want, even immediately before or after the move.
There’s will be a manual approval/transfer process as well as a backstop, but I’d prefer to leave that for folks who have actual unavoidable technical issues with the registration process so that Delz doesn’t have to spend 2 weeks straight manually approving PA legacy users.
It doesn't look like you can change your username after you move. There is a one month delay that starts ticking after you sign up.
I was hoping to make a clean break between the forums, but I ended up having to register and transfer in order to participate in voting.
Hm, you know, I don't think we even realized the one month timer kicks in on sign up. Give us a bit, we'll try to work something out on that.
There's a lot more important stuff going on, so please don't sweat it if it's not dead simple. I appreciate all the effort you guys have put in and I don't want to add to it for something kind of trivial.
Is there going to be a relaxation of the new member / member restrictions for a while at launch? We're all going to be "new" on the forums.
Anyone who migrates their account from PA to CoRe automatically becomes a full Member.
There's no point migrating since we're tossing our posts anyway. May as well start fresh.
Well, if you want to retain any of your PA info (username, join date, post count, status as a full Member), you migrate.
If you want to register a brand new name, you’re free to join up as a totally fresh account. Or you migrate to keep those benefits, but then just change your username.
I don't want to bring any of that. I could care less about stickers and post counts.
We're not moving the forums, we're making a new one.
It would be cool if I could still have an equal say as part of the new community.
Well, again, the easiest way is to just claim your PA username and you don’t have to carry over any of that other stuff. You’re free to change your username anytime you want, even immediately before or after the move.
There’s will be a manual approval/transfer process as well as a backstop, but I’d prefer to leave that for folks who have actual unavoidable technical issues with the registration process so that Delz doesn’t have to spend 2 weeks straight manually approving PA legacy users.
It doesn't look like you can change your username after you move. There is a one month delay that starts ticking after you sign up.
I was hoping to make a clean break between the forums, but I ended up having to register and transfer in order to participate in voting.
That's just because your user profile is private so it didn't pull in a join date older than a month. Shoot me a PM over there, I'll get you hooked up with a new username.
So we've just had our first election for CoRe, and it won't be the last. It wasn't perfect, to be sure, but it was done well enough for a first time, and many people pointed out ways it could have been improved.
Given this, I suggest that creating an Elections Executive Officer position would be a good idea. They would be in charge of collecting this feedback and improving the process in-between elections, so that things will run more smoothly at the next election. They would also be in charge of advertising and running elections when they happen. Naturally, they would have to be non-partisan and barred from running in elections.
0
syndalisGetting ClassyOn the WallRegistered User, Loves Apple Products, Transition Teamregular
So we've just had our first election for CoRe, and it won't be the last. It wasn't perfect, to be sure, but it was done well enough for a first time, and many people pointed out ways it could have been improved.
Given this, I suggest that creating an Elections Executive Officer position would be a good idea. They would be in charge of collecting this feedback and improving the process in-between elections, so that things will run more smoothly at the next election. They would also be in charge of advertising and running elections when they happen. Naturally, they would have to be non-partisan and barred from running in elections.
It has been mentioned in other chats, but the Vice President has elections management as part of their functions, so I feel we already have a spot for it.
The fact that the role is not chosen through elections is a nice touch as well.
I would suggest that they probably should have some election roles defined to help them in the process; how the Q&A turned out in the end was great, but that was in no small part due to the contributions of @Sir Fabulous and some changes to how the thread worked... things that should be better codified for the next one. We need an official role for folks like Fabulous to take on the pain.
Yep, I’ve taken a note of it. We have already the facility to stand up sub-committees as required, and there was quite a few people through this process who I thought, “damn it would be great to have these people helping out next time”.
3 years sounds like a long time but it’ll be here before we know it
Posts
Look, I'm not necessarily proposing that we dump all marketers on one desert island with a surfeit of melee weapons and a deficit of food, but I'm not necessarily opposed to the idea either.
the "no true scotch man" fallacy.
This is generally true and I agree. The responsibility lies on each and every user to practice good information hygiene. Anything posted to any part of this forum can be seen (and hypothetically copied and disseminated) by complete strangers.
That said, I think there is a difference in degree if not in principle between the "public" forums, and the private (members-only) ones.
If somebody nefarious wants access to the members-only forums, they can sign up, wait through the probationary period, and then start scraping and grab a subset of data before we catch them. But Google, Bing, archive.org, etc. aren't going to do that.
It's the difference between
Strangers could see this and disseminate it (with moderate effort).
vs
The ubiquitous background processes of the Internet will see this and disseminate it automatically.
(But like you say, we can't guarantee complete privacy even in the members-only forums and I'm starting to wonder if we should rename 'private' to 'members only' to reflect that.)
the "no true scotch man" fallacy.
I might not be communicating clearly what I'm proposing here. We should have a private forum category that hides it from anonymous users (no account created or not logged in). That would include search crawlers and AI art scrapers - they won't have access to private spaces like the art forum.
The point in contention here is what happens when an account is created and approved by mods, making it past our first line of defense against bots and spammers. At this point they are New Members, and we believe them to be humans who actually want to participate - we aren't likely to see a huge volume of these users. They might still have shitty political opinions, granted, we don't know them yet. But the core question is whether they should now be able to see the art forum etc, or if they have to first pass the criteria to become full voting members.
My argument is that they should be able to see the private forums at this point, and that we should offer them the benefit of the doubt and welcome them in. The benefits of doing this significantly outweigh the risks for the community overall IMO.
This does not seem to address the legal requirement that we cannot be incorporated the way that CoRe is without having a barrier of entry that means we are not open to the public.
Perhaps I misread an earlier post, but it seems to be that your argument on that point is "I don't think it matters." Please correct me if I'm misunderstanding or mistakenly misattributing you. If not though, knowledgeable people with expertise in this exact area say it does matter and is important, so what else do you have to offer to override that? Because I'm inclined to trust them on this point since I'm not a lawyer and don't often deal with public policy or tax law and corporations.
I'm not a lawyer so I don't claim to know anything about how those rules work, I'll defer to our TT experts on that. But it seems to be somewhat negotiable because we do have a bunch of forums that are fully public. So if we can satisfy this legal requirement by having just a couple members-only forums, can we satisfy it by having just one? If so I would choose Politics as the one that's most sensitive. I'd also like to know if there have been any other explorations around solving this that would have fewer side effects than limiting visibility of subforums.
It's not just a legal requirement. I'm going to ask again: have you looked around at the world and the Internet as it is today? Do you see how those have changed in the last 10, 15, 20 years? Can you try to understand why some people might not want everything they say, or create, or reveal to trusted members of this community, to be freely available to the general public?
I disagree that politics is the most sensitive, given that we specifically highlighted the risk to our vulnerable members just talking about their lives in chat and the highest personal security risks mostly occur there.
To be honest: we're not sure. That said, it's easiest to only have "non member" and "member" and just have member be all-encompassing for things like private viewing or voting.
My favorite spammer signup remains a military academy trying to do so.
Oh my god why didn't y'all let them through?!
They did get through! This was back before we locked down user signups to manual approval only and it slipped in in the daily flood of new accounts that just signed up to drop their corporate logo as a userpic and their link in their bio. I was catching 5-20 of those daily for awhile in the summer and fall.
Most of them never got so far as verifying their email, much less actually posting.
I had to go digging through 10 years worth of posts to find something I wanted to preserve in the Coin Return Museum. Over the course of 3 days, I found out more than I ever wanted to about individual PA posters. These were posts scattered over all sorts of threads, most of them not even particularly sensitive, but they were there, readable, and allowed me to put together a fairly complete picture of people, where they were, who they were, what they looked like (cause, you know, there are threads where people post pictures of themselves), and much, much more. I'm very happy all of that is getting the big ol heave ho (or, at least I hope PA Corp just deletes everything after we leave, instead of keeping it around perpetually).
Given the current socio-political climate? I personally would want only G&T, and even then probably only the "G" part of G&T, to be viewable to New Members prior to further gatekeeping.
I think relabeling "Private Forums" as "Members-Only Forums" makes a lot of sense as it sets the appropriate context overall, not just in relation to any private information posted but also in terms of the broader forums.
If folks want an example of how deep the rabbit hole can go when you post just a handful of relatively innocuous photos:
https://www.youtube.com/shorts/E6n1Thak8G4
This isn't to say that any expectation of privacy is moot - it's more to just set a realistic outline to the conversation at hand. We can certainly do things to make it more challenging for bots to scrape content, for example. But based on the parameters we've been provided in terms of legal groundwork, sustainability, etc. I think we would be hard-pressed to justify having onerous policies in place for new members in the hopes of preventing privacy breaches.
If anything, like with many crimes, the risk of being identified comes more from the folks who know you than not, particularly given the history of the forums and the kind of behaviors people engage in when they get real mad at each other.
The flip side of that is, all of that information is able to be subpoenaed. Has there been any consideration of not logging this information… So that if there is a subpoena that comes from a hostile party/government/etc. The answer is we don’t keep that information.
Is that technically possible? Or is it something the host keeps and we don’t have a choice.
Again though, this goes back to don't do things that draw legitimize attention to the forum by a government. It's not just don't post shit that is illegal, but also don't go do illegal shit elsewhere online, while making it very clear that you're a member here. It's a much harder for the government to demand certain identifiable information if they can point to any offending content or go "but so-and-so was very vocal about being a member on CoRE and we're going to use that as an excuse to demand all user IP and MAC addresses because they likely tried recruiting from that board."
Edit: On the encryption, by strong I mean something that will both take a really long time to brute force and also can't be easily bypassed by a government going to CoRe's webhost and asking for all that information and the means to easily decrypt it without the knowledge of the board.
i don't know how you maintain functional security without being able to do that
See also: the email address you use to create your account, the browser you use to navigate the internet, etc.
Even if Coin Return wasn't intended to be open and partially visible to the public, the very nature of how internet forums operate require some amount of digital footprint to exist.
If someone cares about obfuscating that digital footprint, most of the means to do so necessarily need to be performed on the individual user's end.
Rock Band DLC | GW:OttW - arrcd | WLD - Thortar
It's very possible to run a script that wipes IP addresses of accounts that haven't logged in after say, 90 days. Reddit does it. If an account is in good standing and they haven't posted in 3 months, there isn't really an use for hanging onto the information.
this is not remotely my area of expertise so forgive me if it's a stupid question
but if that's all the case, then isn't it uniquely fruitless to try and hunt someone down by their IP address online? Isn't the same thing that makes it unhelpful for banning people also making it uhelpful for identifying people?
http://www.audioentropy.com/
barring having made it unhelpful intentionally, it's not the same thing because in theory someone with subpoena powers can correlate data. that is: a post was made by a user with IP address A at a certain time; that address belongs to ISP B; ISP B can confirm that IP address A was handed out at the given time to real person C. again, this is assuming no intentional obfuscation has been performed.
the difference for the forums is there is only access to a part of the data chain: there's no way to 100% definitively tie the users with an IP address to real person C. now, for a community of this size...you may be able to draw some inferences based on the data...so it's not pointless to have it, but I'd argue it has a very limited shelf life of usefulness.
Someone who is intentionally being a fuckmuppet has a vested interest in finding ways to avoid or circumvent anti-fuckmuppetry tools and techniques.
Someone who is just living their lives and doesn’t feel the need to use a vpn and other things that can obfuscate making some of those connections harder.
Basically, most people probably don’t even think about it, and the ones that do likely have a higher correlation with those we’d rather fucked off.
Obvious caveat, no, I’m not saying having a vpn is a sign one is a troll or asshole, simply that assholes and trolls are more likely to be familiar with such things by necessity.
So regardless of what barriers our technical admin and board try to put in place to keep that information confidential, if the FBI / Secret Service / whomever show up at Xenforo's door with a subpoena or warrant Xenforo is going to give them whatever CoRe information the subpoena says to turn over. Be it IP addresses, registration email addresses, private messages, etc.
Basically if you have any digital footprint at all you should never assume anonymity from government entities. There are practices that can make it difficult for authorities to determine identities but none of them are really practical for a semi-public hosted web forum.
Yeah, also VPNs are advertised in the most boring topic Youtube videos and a free one is even built into various browsers and Proton offers one for free. They long ago ceased to be a specialty tool.
Which reminds me of today's sponsor..
You should tell that to every captcha that ones me to ID 18 rounds of crosswalks and stairs and motorcycles before telling me I’ve made too many requests
Simply that some of the (perhaps old school) tools to lock out malcontents are becoming ever less useful, precisely because vpns are so commonplace. It’s not that having one is bad or sus, but that we’ve now quite thoroughly established that simply ip banning something is unlikely to be sufficient if they’re the least bit determined.
I feel like that's more of a problem of cloudflare being shit.
Sure, but that's a lot of security measures, all told. It doesn't mean that they don't work, just that they're not foolproof. IP bans have the easy capacity to slow down or discourage some of our trolls, there are still places where it is sufficient. Anyone on here could set up a VPN these days, but might not have it ready to go in the moment they want to make an alt, and that can be enough.
Pretty much, your first focus should be securing against bad private actors first. So if you can, you want to see if you can encrypt things in a way where an asshole can't just rely on getting Xenforo to comply with their request for whatever reason. Not sure how feasible that is, I mean yes, they are hosting it, but pretty sure you can have encryption they don't have the keys to.
For a shitty government, like a case of the US going even shittier, then best you can do is just making things obnoxious enough that it'll be less tempting for them to go after you as a funcies thing, while also making sure people are doing illegal activities here or being allowed to continue associating with the site, if receipts show up of them doing certain activities off site. Obviously within reason, I know the shithead Christian Nationalists of the GOP are trying to make LGBTQ+ stuff illegal and if they ever succeed, the boards response should be that the right can go eat shit.
It doesn't look like you can change your username after you move. There is a one month delay that starts ticking after you sign up.
I was hoping to make a clean break between the forums, but I ended up having to register and transfer in order to participate in voting.
Hm, you know, I don't think we even realized the one month timer kicks in on sign up. Give us a bit, we'll try to work something out on that.
There's a lot more important stuff going on, so please don't sweat it if it's not dead simple. I appreciate all the effort you guys have put in and I don't want to add to it for something kind of trivial.
That's just because your user profile is private so it didn't pull in a join date older than a month. Shoot me a PM over there, I'll get you hooked up with a new username.
Given this, I suggest that creating an Elections Executive Officer position would be a good idea. They would be in charge of collecting this feedback and improving the process in-between elections, so that things will run more smoothly at the next election. They would also be in charge of advertising and running elections when they happen. Naturally, they would have to be non-partisan and barred from running in elections.
It has been mentioned in other chats, but the Vice President has elections management as part of their functions, so I feel we already have a spot for it.
The fact that the role is not chosen through elections is a nice touch as well.
I would suggest that they probably should have some election roles defined to help them in the process; how the Q&A turned out in the end was great, but that was in no small part due to the contributions of @Sir Fabulous and some changes to how the thread worked... things that should be better codified for the next one. We need an official role for folks like Fabulous to take on the pain.
3 years sounds like a long time but it’ll be here before we know it
Ever tried. Ever failed. No matter. Try again. Fail again. Fail better
bit.ly/2XQM1ke