Rocket.chat: Login as [user]

I'm not sure if I like the idea of an admin being able to easily view a users private messages. Currently the only way to do this would be to browse through the database (which means they would require server access and the mongo password).

@alexbrazier I understand your concerns, but... :-)

1. you should not consider messages as strongly private if there is no end to end encryprion. If you are the admin of rocket.chat you might also have access directly to the db
2. in a company it is quite usual, that the admin or the support team is able to login as you on most of the systems

Sorry @patrickpl there is no 'but' here.

1. The user does not care about end to end encryption and what security measures are in place. It should not be expected that because there is no 'end to end' encryption that their messages are wide open for admins to view.
2. Yes and No, If this feature were to be implemented then the Admin should not be able to see their private messages.

The users have a right to privacy regardless of what you may feel.

@jszaszvari please use technical arguments and avoid arguing with feelings or opinions what is "right"

1. Again. Currently the admin has access to the private messages simply by accessing the database: no change of the privacy level. For sure I assume, that the application admin has access to the db, which should be normally the case.
2. If you have a company email address the admins are usually able to access the account. Even if you send the email only to one person - like a one-2-one message.

@patrickpl I do not think you should assume that administrators also have access to the server and database. In our case they do not, as someone at our company who can add and remove users on rocket does not also have access to the server.

There is also talk of database encryption in #36, #2787 and many others, which would resolve the issue of server admins having database access.

I will also point out that it is not particularly easy just to browse messages in the database and follow a conversation.

ciao @alexbrazier hjaving Axolotl/Signal would be great.

It doesn't matter so much who has access to the database as long as someone has access to the database and the messages are plain text. Also from a privacy perspective it doesn't make a difference if it is difficult. Anyway It should be quite simple to follow a discussion by reusing the rocket chat code.

My argument came from a support point of view. If you have systems installed like Jira, Confluence, Outlook, ... the admin is able to see your private messages/pages. It makes also sense if you have to support a non-technical user. For the sake of simplicity I've not added anything to this ticket like "user has to approve the admin access" or "the user will be informed after the admin access", but maybe this helps to find a solution.

If you are using this in a corporate environment or have your employees on it they have no right to privacy, this has been upheld in case law and is true of corporate email as well. In fact, you will find that most regulated industries are MANDATED to have access to and archive all electronic communication on company infrastructure - including email and chat.

On Aug 26, 2016, at 9:55 AM, John Szaszvari [email protected] wrote:

Sorry @patrickpl https://github.com/patrickpl there is no 'but' here.

The user does not care about end to end encryption and what security measures are in place. It should not be expected that because there is no 'end to end' encryption that their messages are wide open for admins to view.

Yes and No, If this feature were to be implemented then the Admin should not be able to see their private messages.

The users have a right to privacy regardless of what you may feel.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub https://github.com/RocketChat/Rocket.Chat/issues/3927#issuecomment-242758218, or mute the thread https://github.com/notifications/unsubscribe-auth/AOVtMNrRih3-I70TynbiNNi4-gNMwDZcks5qjv5EgaJpZM4JdbTl.

Hi all, I am happy to see that so many of our users are so passionate about our features. Let me join the discussion with my views:

Considering:

1. We have created a very flexible roles/permissions system so organizations could chose how the system works for them. This is better than we trying to enforce what we think it right.
2. Making it just "harder" (but not impossible) to break the privacy, may be worst for the end user, as giving a false sense of privacy is worst than making it clear that there is no privacy so they can act accordingly.
3. Our usual approach it that if enough people find a feature useful, we build it, and make it optional.
4. We do need to provide a easy way to have end-to-end encryption for private message.

My opinion if that:

1. We should create the feature, and make it as verbose as possible to alert end users about privacy. Maybe add a step on the registration with the terms of service to be agreed. (Slack has something like this when you turn on the feature on the enterprise accounts)
2. Create a new permission for that feature.
3. We should create a new role, like super-admin or god that has this permission.

@engelgabriel I think I would be more comfortable with it if it functioned like the slack Compliance Export feature in both how it alerts the users and does not export any private conversations prior to the feature being turned on.

https://get.slack.help/hc/en-us/articles/204897248-Understanding-Slack-data-exports

The last thing RocketChat needs is to become known as "The Chat client that makes it easy to spy on your employees"

@patrickpl You mention JIRA and Confluence before having a similar feature. Actually it's only left in the cloud hosted version and they are actively working to remove it. The feature to "Log in as" has now ben a part of the self hosted versions for nearly 1 year now as all your points can be combatted with good user training, Or getting them to send you a screen shot.

I'm a sysadmin for a company with 9,000 employees and I cant recall one instance where logging in like this would actually help. All it takes it get up and get the user to show you, or get a screenshot.

This is true, our screen sharing tool will help most of the problems about supporting users.

@engelgabriel Vey good point, I forgot about that!

Honestly what reason is there for needing to see someones private messages other than wanting to read them? I cant think of anything.

If you need the ability to read someones private communication then it should be done in the same way that Slack's Compliance Export is done.

From Slack:
What is included in the approval process for enabling Compliance Exports?

_Slack has put the following requirements in place for Compliance Exports:_

• Access must be requested from Slack by a Team Owner.
• We require an acknowledgement that tells us all of the following:
• The requester is authorized to have this access.
• The company policies and employment agreements allow this kind of access.
• The employer has the necessary legal clearance in their jurisdiction to access employee communications.
• If there is more than one Team Owner, all Owners will be notified of the request upon submittal.
• The request is then reviewed by Slack staff for approval.
• If the feature is enabled, we will notify team members via Slack that the feature is active and that their private messages are now subject to export.

I think thats a great way to do it whilst also respecting the privacy of your users.

The core argument here of "But Atlasssian let you do it in Confluence and JIRA" is no longer valid because they are rapidly removing this feature due to the breaches of privacy.

Reading someones messages is not a "support" issue and nobody in support ever needs to see them. The only time it would be warrented is if it was a HR issue or Legal issue, and thats where a compliance export comes in.

"I can fine account specific issues and help the user to setup the account properly
..... It makes also sense if you have to support a non-technical user."

This is the job of good documentation, training and processes that you give to your users.

@engelgabriel

Yes, I think it is good to notify the user about the fact that someone has logged in as the user. If you do so by sending an email or notify him the user is back to the system In my opinion also the admin should be able to say why he did it (eg. "uploaded avatar as requested in the ticket #1234"). This message can be send to the user as well as logged into an audit log.

Screen sharing tools are the other way instead of "login as [user]", but this is from a privacy point of view even worst. With these tools you can read anything on the harddisk of the user - depending on the tool you can do it even silent.

What about making this feature configurable also from the user point of view and doing it like that: there is a system level configuration that can define the default for enabling or disabling the feature per user by default and on user level you can enable or disable it.

1. On the admin config there is a configuration: Possibility to login as a user enabled:
   
   
   
   • ( ) true
   
   
   • (x) false
   
   
2. On user level: Admin can login as me
   
   
   
   • ( ) true
   
   
   • ( ) false
   
   
   • (x) default
   
   

This configuration should also be the default configuration imho.

@jszaszvari

According to the documentation the information about Jira/Confluence is wrong. "Login as another user" was never part of the server version and it is not marked as deprecated for the cloud version. Do you have any sources for both information?

I think you also need to distinguish between the feature and the consequence of the feature. No one want's to read the private messages, but if you login as the user you can do it. Exporting the data is much more a migration and backup topic than a support topic.

@patrickpl The source is that I worked for Atlasssian and helped remove that feature from the on-premises version and implemented the advanced permissions inspector so that you did not have to log in any more as the user.

With these tools you can read anything on the hard-disk of the user

No you can see visually whats on the screen. Much more visible than having your account hijacked.
Sure, "Depending on the tool" - But most of the time we are talking something like VNC/RDP. Don't try and use scare tactics.

Exporting the data is much more a migration and backup topic than a support topic.

No. This is not a support topic. The year is 2016. You should not have to log in as A user to 'support' them. This is legacy thinking from the 90's.

There are so many other ways to go about this like @engelgabriel has suggested which dont compromise the security of the user and the integrity of the product.

@jszaszvari so we both agree, that this is the right way to go? https://github.com/RocketChat/Rocket.Chat/issues/3927#issuecomment-242841611

@patrickpl I am OK with what he has proposed there.

So it means that rocket chat is working on figure it out how to implement privacy e2e encryption? I'm asking because our company is looking for team chat solution self-hosted (open-source) something alternative than slack. Slack has it's own privacy policy but.. it's not self-hosted, and it's bad for us.

We'll be moving this discussion to the forums.