Breach of Privacy Update [SERIOUS]

It has come to our attention that one of our admins may have abused admin privileges by reading the private messages of other users. We acquired tangible evidence of this, for the first time, yesterday. Forum admins met in a conference call to discuss the situation and figure out the best approach. The initial conclusion was reached that the admin in question should have his admin privileges revoked. That has been done.

We also decided that we should get the admin in question’s side of the story before publicly sharing the final result. That is what we were in the process of doing when one of our mods divulged this sensitive issue without conferring with the remaining admins. That person is no longer a mod as a result.

The extent of the breach of privacy is limited to one small group of users according to the log data available. Unfortunately we cannot tell you more than that because we would have to go into the conversations ourselves to find out more and we, by policy, do not do that.

In the future, we are asking our mod pool, community council members, and all forum members to pass any sort of sensitive findings regarding misconduct of forum staff directly to the forum admin pool. That will allow us to handle the situation in a more productive way. It is important to understand that the admin team may or may not take immediate action, though we will respond to you as soon as possible. If we tell you we’re handling it, we are in fact handling it. Once we have handled it, we will notify everyone of the final result.

21 Likes

The floor is now open for comments and questions. Please regard this thread as Serious, because it is.

1 Like

Do you/can you save logs of who reads private messages? Might be doable at the database level depending on what the queries look like.

I bet just having these logs saved would be enough to discourage people from reading them, and you can audit them as well if needed.

1 Like

We can now see when it happens in the logs panel, yes. That is how it came to our attention. We can see what PM thread was read, but not who was in the thread without going into it. That’s the part where we have to say that we don’t know precisely who was affected.

2 Likes

Given that logging was only recently turned on to show private messages being read, how can you be sure that only a small number of users were impacted?

Were you not running completely blind on logs for such events until very recently? What makes you so sure the breach did not extend for much longer/wider?

I ask, because our employees were impacted by this breach directly, so it would be nice to have some clarity on the how/why this happened. I feel it might be a little too soon to declare the extent of this breach given the lack of logs beyond the last week, correct?

6 Likes

@DRI You should have trained your employees not to send sensitive information on a privately owned forum. That’s on you man.

7 Likes

Nice victim blaming pal! :wink:

They did not. This is on principle all the same.

Please do not excuse violations of privacy, that is madness.

19 Likes

We were not aware of such a setting until recently. It is turned off by default for some incredibly stupid reason that only the Discourse dev community can supply. This is a regrettable situation because the one admin that was aware of it didn’t tell us about it, lied about it, and turned it off as soon as I turned it on. Jamie and Bill and I were under the impression that you had to impersonate a user to see their private messages. We were wrong.

The thread we are aware of is the mk16 thread. I’m aware it exists but have not seen any of the contents and am not a member of that group.

5 Likes

So you have no idea the extent of this breach, truly. Is that correct?

Given the actions that we were able to record, the timing of the activation, and the limited scope of the breach we were able to see, yes. You are correct. This could have been happening for some time and we cannot with the current limited data say how long it has been going on.

However, given the surrounding context of the situation, I’m pretty sure it was limited to groups containing certain members.

7 Likes

I would call this pure speculation, but I appreciate you conceding the point that the extent of this breach is unknown.

In theory, any number of private messages could have been read over the last 18+ months that Mike Maner was an administrator with this access on Esk8.News.

Thanks for taking the time to answer these questions Damon.

7 Likes

My GOD! Sounds like a psychopath.

7 Likes

That is the heartbreaking reality yes. This is why esk8.news became the home of the community in the first place. The builders forum exodus was in no small part due to the owner of the forum playing god and eavesdropping on everything.

That will absolutely not be tolerated here.

20 Likes

You’re welcome. This means a lot from a group that contributes as much valuable content as your group does. We want this to be a safe haven for not only enthusiasts but also developers. That’s why there are no ads on this forum, and why it is community funded, and why we have tried to initiate as many checks and balances as we can.

16 Likes

I kinda just want to know why? I’m not really offended that Mike read my PMs, just really confused. There is not anything in there to get excited over. Not sure if the question of “why” came up in your convos or not Damon, so if not then no worries. Thanks for being open to taking questions and whatnot.

Edit: I guess I can also just ask @mmaner. Mike, why did you read my PMs?

8 Likes

This is not an easy question to answer, and I can’t really speak to his motives, but I would like to mention that all of us are tempted. This was a crime of passion. All of the admins are able to do this, and it’s not something we can turn off. Having the power to do this, even if you do have to click 5-6 times to get there, is tempting to abuse. There have been a lot of times I wanted to see what people were saying about me. Even other staff. There’s so much fucking stupid drama on this forum that practically every day is an exercise in discipline that nobody else could understand. But I didn’t because that’s why we left the other forum. My gut says he felt like he had to for some reason, but what that is I don’t know. I just know that it was the wrong choice and this whole situation breaks my heart.

Also I would like to mention that you should not have had access to that screenshot you posted.

6 Likes

I think in the grand scale of things this is probably the wrong thing to be focusing on in this moment.

Unless you feel that it was your sole decision to choose when to disclose that your users’ privacy was violated, instead of trusting the staff you’ve enabled with this same access.

Clearly one of your staff decided that a user knowing the truth about a privacy violation was more important than your public optics, yeah?

I’m not sure that transparency is something we should be discouraging at this point & time.

-Andrew Dresner
Derelict Robot Industries

7 Likes

Thanks for saying that. I appreciate it. I sincerely hope Mike responds to let me know why he did it.

Yeah fair enough, I’ll concede that point. What I would like to hear from you is for there to be some rules established dictating when and how a user should be informed of this type of privacy breach and misconduct, if and when it is discovered in the future.

4 Likes

It was a side note.

Mods should not go rogue and post sensitive information without consulting us for reasons we mentioned in the original post.

Yes, and in the context of the situation, it was the wrong choice.

We are not discouraging transparency. We are discouraging action without consensus, something you’ve complained about in the past.

This is the first time it has happened. However, I think we will be able to learn from this and create meaningful policy regarding it.

4 Likes

Just so you know, this was drilled into us from day one, and we all promised we would never do it. But Mike screwed us.

11 Likes