The DM warning is misleading, saying that “This toot will only be visible to all the mentioned users.”
Currently, any moderator plus anyone with read access to the database can read those toots.
The warning should be updated to reflect that.
This is related to #6986, correct? Honestly, I don't think anyone needs to _know_ that a moderator or system administrator can read direct messages. Perhaps we can communicate what direct messages are better the first time you send one, or include information about them in onboarding.
That is, everything on switter can potentially be read by someone who is staff or operates the server, there is no end-to-end encryption. We'd only have that potentially if we introduced such a feature, but even then, you'd be able to "report" a direct message, and by doing so share that thread with staff.
I was working on something to list the users in this message, e.g.,
> This toot will be sent to @john, @fred and @jess, and won't be able to be seen by other users
But I couldn't figure out the localisation syntax with react-intl to do the "a and b" vs "a, b and c" type formatting.
Yeah, it's in part related to #6986, but not only, as even with such changes, the administrator can read the messages.
Related poll: https://www.strawpoll.me/15387726/r
In which case it should be explained in onboarding, not as a warning each time. The @ mention thing is more because in Twitter DMs you can mention another user safely, but in Mastodon DMs you can't.
It doesn't need to be a big scary warning, but it needs to be mentioned somehow.
I don't think the onboarding dialog is the best place for that, as most users won't see it ever again, and they should still be informed.
There's a vocal few who are adamant that we should warn everyone that admins can read your DMs, but to me it seems like common sense - admins need to be able to see this stuff in order to moderate effectively. If admins couldn't read DMs I would be very worried about the harassment implications, and victims of harassment would be put off reporting people because they'd have to take screenshots - and anyone could fake a screenshot of a harassing DM and the admin would have no way to check it.
So, I feel like if you went to any forum or messageboard or blogging service or something and said to the users, "did you know that the service providers can read your DMs???" they'd be like, "er well, yeah, that makes sense...?"
If it is going to be mentioned anywhere, I think it would be appropriate to put in the terms of use/code of conduct thing on /about/more (which would be an individual admin decision) or in the privacy policy. I agree that it's not necessary to warn people every time they send a DM, and that kind of warning over and over again is also alarming and off-putting for regular users, the vast majority of whom really don't need encrypted messaging for DMs. The people who need encrypted messaging for DMs are smart enough to check the privacy policy first.
I just checked and it is in the proposed privacy policy:
> Please keep in mind that the operators of the server and any receiving server may view such messages, and that recipients may screenshot, copy or otherwise re-share them. Do not share any dangerous information over Mastodon.
Edit: Having said that, I do understand that there are plenty of users who don't understand the nature of federation and don't understand that DMs are readable by every admin of every instance the DM reaches. If there is a warning while writing a toot, it should probably only appear when the DM is going to a non-local instance?
> the operators of the server and any receiving server may view such messages
I would object that the person having the role administrator or the role moderator is not necessarily "the operator of the server"
Maybe something like “This toot will only be sent to all the mentioned users and stored on their respective instances.”?
I can also see some value in enumerating the mentioned users, but I'm not sure how to do that with react-intl.
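An added example, not part of the thread and not Mastodon's code: one way to enumerate the mentioned users with correct "a and b" / "a, b, and c" wording is the standard `Intl.ListFormat` API, and the same pass can name the receiving instances whose operators can read the message. `LOCAL_DOMAIN`, the function names and the sample handles are assumptions made for illustration; the warning text follows the wording proposed in this thread.

```javascript
// Added illustration; LOCAL_DOMAIN and all handles are constructed.
const LOCAL_DOMAIN = 'example.social';

// Extract @user and @user@domain mentions, ignoring e-mail addresses
// (an "@" directly preceded by a word character is not a mention).
function parseMentions(text) {
  const re = /(?:^|[^\w@/])@([a-z0-9_]+)(?:@([a-z0-9.-]+\.[a-z]{2,}))?/gi;
  const seen = new Map();
  for (const m of text.matchAll(re)) {
    const domain = (m[2] || LOCAL_DOMAIN).toLowerCase();
    const handle = `@${m[1]}` + (m[2] ? `@${domain}` : '');
    seen.set(handle.toLowerCase(), { handle, domain }); // de-duplicate
  }
  return [...seen.values()];
}

// Build the composer warning: who receives the toot, and which
// instances' operators are able to read it. Returns null when the
// text mentions nobody.
function dmWarning(text, locale = 'en') {
  const mentions = parseMentions(text);
  if (mentions.length === 0) return null;

  // Locale-aware list joining ("a and b", "a, b, and c", ...).
  const list = new Intl.ListFormat(locale, { style: 'long', type: 'conjunction' });
  const remote = [...new Set(mentions.map((m) => m.domain))]
    .filter((d) => d !== LOCAL_DOMAIN);

  const recipients = list.format(mentions.map((m) => m.handle));
  const readers = remote.length
    ? `The operators of your instance and of ${list.format(remote)} may see this message.`
    : 'The operators of your instance may see this message.';
  return `This toot will only be sent to ${recipients}. ${readers}`;
}

console.log(dmWarning('@john @fred hi'));
console.log(dmWarning('@john @fred@other.example and @jess@third.example lunch?'));
```

In a localized UI the two `list.format(...)` results would be passed as values into the translated message rather than concatenated in English.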
I feel like "operator" is not very clear to the average user, who is used to terms like "admins" and "mods"! So maybe it could say "the admins and moderators of the server and any receiving server may view such messages"?
I'm gonna post this on the privacy policy PR.
@ThibG do most users DM with users on other instances? I feel like if you're contacting another instance you know that that instance may store a copy of the toot.
@ThisIsMissEm I don't have numbers to back that one, but yeah, I think it's pretty common? Since the federation is designed to be seamless…
> I feel like "operator" is not very clear to the average user, who is used to terms like "admins" and "mods"!
I like "operator" because it also includes sysadmins.
I would suggest the following wording: "This toot will only be sent to all the mentioned users. The operators of your instance and any receiving instances may see this message.". What do you think?
Do we give a similar warning for other toot visibilities which may go to other instances?
Perhaps it’d be better to just link to a FAQ page explaining how DMs work, and how they’re distributed?
> Do we give a similar warning for other toot visibilities which may go to other instances?
No, but users don't expect the same level of privacy for the other visibilities.
> Perhaps it’d be better to just link to a FAQ page explaining how DMs work, and how they’re distributed?

I don't think so. The purpose here is just to warn people that, like in any other service, DMs can still be read by the operators of the instance. People were consulted on that last week and the result was adamant.