Privacy expectations in discussion groups (not CC)

Not really - it's pretty simple to put some image tag in your posts pointing at a picture on your own server, thereby gathering the IP addresses of readers, and make a reasonable guess at which IP is which poster by correlating the posting times of later comments with your logs. CC also makes it possible to confirm for some target users by checking the "last seen" information on their profile pages. I suspect there's many other options, too, but those are some obvious ones.

That is true, but also, as your other posts suggest, the IP address alone isn't really enough to "track" somebody. My current IP address is somewhere near London, yet I am 300 miles away.

However, the IP address with date, time, and a suitable request to the ISP can give you the information that people need. But such an attack I think would be very rare on a niche web service.

However, it is worth remembering that nothing on the internet is truly secure.
 

marinyork

Resting in suspended Animation
Location
Logopolis
The suggestion of whatsapp above suggests maybe people still don't realise that it's insecure and owner Facebook still hasn't fixed the vulnerability months after being told, as explained in https://www.theguardian.com/technology/2017/jan/16/whatsapp-vulnerability-facebook - avoid it.

Yes we all know that thank you.

There was never any pretence it was secure. Just I am in the same boat as op and for other reasons felt we should do it through whatsapp. You should consider there might be other reasons people might make the suggestion.
 

mjr

Comfy armchair to one person & a plank to the next
There was never any pretence it was secure. Just I am in the same boat as op and for other reasons felt we should do it through whatsapp. You should consider there might be other reasons people might make the suggestion.
Of course, but I don't see why you can expect privacy for what you type into whatsapp any more than an obscure discussion group on a website, so it doesn't seem like a good suggestion in this context.
 

marinyork

Resting in suspended Animation
Location
Logopolis
Of course, but I don't see why you can expect privacy for what you type into whatsapp any more than an obscure discussion group on a website, so it doesn't seem like a good suggestion in this context.

You think of a better suggestion for my volunteering I am all ears.

There are other ways the OP can mitigate the risks and this is what we do. Forums people tend not to look at unless it is a very large and vibrant community - in terms of discussion not from a privacy point of view.
 
Yes we all know that thank you.

There was never any pretence it was secure. Just I am in the same boat as op and for other reasons felt we should do it through whatsapp. You should consider there might be other reasons people might make the suggestion.

An option would be a private sub-reddit. You can sign up for a username with no personal details, not even an email address is required if you do not wish so.

Only accessible to members of the group, and no personal details required at all.
 

classic33

Leg End Member
Not really - it's pretty simple to put some image tag in your posts pointing at a picture on your own server, thereby gathering the IP addresses of readers, and make a reasonable guess at which IP is which poster by correlating the posting times of later comments with your logs. CC also makes it possible to confirm for some target users by checking the "last seen" information on their profile pages. I suspect there's many other options, too, but those are some obvious ones.
You're fairly easy to find.
 

mjr

Comfy armchair to one person & a plank to the next
You think of a better suggestion for my volunteering I am all ears.

There are other ways the OP can mitigate the risks and this is what we do. Forums people tend not to look at unless it is a very large and vibrant community - in terms of discussion not from a privacy point of view.
Those other ways are the most important thing. People tend not to look at anything unless it sends them notifications somewhere that they'll read it - and for most people, that means emails or texts and then you can kiss privacy goodbye for whatever goes in the emails.

You're fairly easy to find.
Yeah, I pretty much gave up hiding when I was elected and although I resigned rather than live outside the area, it's difficult to put the toothpaste back in the tube... which is part of why I now don't mind splattering myself across the media to promote cycling, co-ops or care of the chronically ill.
 

marinyork

Resting in suspended Animation
Location
Logopolis
An option would be a private sub-reddit. You can sign up for a username with no personal details, not even an email address is required if you do not wish so.

Only accessible to members of the group, and no personal details required at all.

I don't think either of you are quite getting where I'm coming from. My experience of several small organisations/charities what tends to happen is they appoint an 'IT guy', this is someone who either knows how to do things but hasn't got the time/can't be arsed with the miscommunication that goes on or else doesn't really know that much but the leaders think they do. They refuse to implement things like this, everything stays the same. When someone says well can't we have a private sub-reddit - a glaringly obvious solution - they say erm no my brain will explode that would be work and other colleagues will say we can't offend our 'IT guy' it's always worked like this.

I've been through all this the last year or so (again).
 

mjr

Comfy armchair to one person & a plank to the next
I don't think either of you are quite getting where I'm coming from.
Likewise, I don't think you're getting my point: the other ways to protect privacy are more important than using facebook-whatsapp rather than a simple web forum.

On the appointment of a useless "IT guy" - that's a social problem and you can't fix it with an app.
 
I don't think either of you are quite getting where I'm coming from. My experience of several small organisations/charities what tends to happen is they appoint an 'IT guy', this is someone who either knows how to do things but hasn't got the time/can't be arsed with the miscommunication that goes on or else doesn't really know that much but the leaders think they do. They refuse to implement things like this, everything stays the same. When someone says well can't we have a private sub-reddit - a glaringly obvious solution - they say erm no my brain will explode that would be work and other colleagues will say we can't offend our 'IT guy' it's always worked like this.

I've been through all this the last year or so (again).

In that case a different guy needs to be found or serious questions asked. Regardless of the size of the site, or the intended usage. If identifiable information is stored in any way, they are legally bound to protect that data.

Many small companies, or charitable organisations seem to forget this point.
 

marinyork

Resting in suspended Animation
Location
Logopolis
Likewise, I don't think you're getting my point: the other ways to protect privacy are more important than using facebook-whatsapp rather than a simple web forum.

On the appointment of a useless "IT guy" - that's a social problem and you can't fix it with an app.

That's my point, if you are agreeing that's fine.

As it is the opening post who is questioning this, then they can always self implement their own policies - if other people overrule or blurt it out there's not that much you can do. I have found that other people haven't always followed the guidance given by the organisation.
 

Tin Pot

Guru
Quick straw poll.

In another life I volunteer. I don't want to give too many clues but crucially the role requires separation and privacy from those we come into contact with and there is a safeguarding aspect. It's not mental health or suchlike, though.

The organisation that runs us has set up a discussion group - a small part of a larger site - to enable the volunteers to share methods, experience, best practice, etc.

Am I naive to expect that the group, member user names and profiles should not be accessible by the public? And I don't just mean logged in site users, I mean anyone with access to the internet.

Only as naive as the vast majority of the population.

At a guess I'd estimate of the entire British population maybe a few hundred actually understand identity, privacy, anonymity, the web, Internet forums and information security - let alone know how to do it properly.

If there is something about you or your work you really don't want other people to know, do not put it online.
 
OP
HF2300

Insanity Prawn Boy
I think this is getting rather off the point, if not more than a little esoteric.
 

Flying_Monkey

Recyclist
Location
Odawa
The suggestion of whatsapp above suggests maybe people still don't realise that it's insecure and owner Facebook still hasn't fixed the vulnerability months after being told, as explained in https://www.theguardian.com/technology/2017/jan/16/whatsapp-vulnerability-facebook - avoid it.

It's not 'insecure'. That Guardian story was alarmist bollocks as most of my more technical colleagues in the field agreed (and wrote a long letter explaining why). At least they have had the decency to change the term 'backdoor' to 'vulnerability' but really, compared to just about every other way of communicating, WhatsApp is as good as you'll get without it being practically unusable. The issue that the Guardian wrongly rounded on is not a significant vulnerability.
 

Flying_Monkey

Recyclist
Location
Odawa
As for the OP, yes, you do have the right to expect privacy in this context, and personally I would not involve myself in a discussion forum of that nature run by a moderator who didn't get it to the extent that you describe.
 